Android 12 removed support of IPSec Xauth and L2TP

Hello,

As mentioned in the subject, in Android 12 both IPsec Xauth and L2TP were removed completely.

The only available authentication types of the Android built-in VPN client are:

IKEv2/IPsec MSCHAPv2
IKEv2/IPSec PSK
IKEv2/IPSec RSA

Are any of these auth types supported by the XG (18.5.3 MR3) ?

If this is not the case, is there any solution to connect new android 12 devices to the VPN of the XG?

Thanks.

Tobias



  • There is no IKEv2 client support in XG. When I have raised this in the past, there has been no appetite from Sophos to add it (although it is supported in site to site VPN).

    Maybe they will reconsider if Android has removed it from future OS but I wouldn't hold your breath. One alternative is to switch to SSL VPN and use OpenVPN client. Sophos seem to support SSL VPN better than IPSec for client access.

  • Thank you for the info.

    The standard built in android client has the advantage that one can distribute predefined VPN connections under numerous clients through a MDM solution. I don't know if this is feasible with OpenVPN, I need to test this.

    I agree, it is a little bit strange that Sophos XG, as a security appliance, uses an old key exchange mechanism (vulnerable, for example, to a Bleichenbacher attack if not well implemented) rather than a more secure and widely available better alternative.

  • Their response is that their IKEv1 implementation is not vulnerable. That may be the case but ignores the requirement to interoperate with other systems, as this case shows. This won't be the only third party that drops IKEv1 support over time. Sophos' refusal to support IKEv2 for client VPNs seems doubly strange when they already support IKEv2 for site to site.

    Sophos are busy developing and trying to push their own proprietary remote connection solution (at an additional cost). I can't remember what it is called. I just wish they would keep the basic stuff up to date but Sophos aren't a 'listening' company and seem to just plough on with what they want rather than what their customers want/need.

  • Sophos' own solution is ZTNA, and it is actually the replacement of VPN for the future (according to most analysts). Implementing IKEv2 into Remote Access would take more time. Implementing it in site-to-site was an effort in V17.0, and taking that and using it for Remote Access is actually not that simple. It would mean completely replacing the entire module.

    Looking at implementing IKEv2 would give a broader grade of devices support but most customers will move to another solution like ZTNA anyway in the future. The point is, ZTNA as a product would give you the possibility to authenticate per Application and use device management systems as well. That is currently not possible with a VPN solution. 

    Maybe in the future the IKEv2 solution could be implemented. But looking at SSLVPN, most of this stuff is already possible with client-based VPN, if you really want to do this. So SSLVPN for smaller customers seems to give you the solution you are looking for.

  • I can see the advantages of ZTNA for larger organisations where you need that level of control, but it is an expensive solution for small businesses who just want or need a simple VPN solution.

    12 months ZTNA for 10 users is £900. As a comparison, just as an example, 12 months Standard Protection on an XGS 116 (good for at least 50 users with a 100Mb connection) is £203. How do you justify £900 a year for just 10 users to a company that is paying £203 for their whole firewall solution including 'free' VPN for all the staff?

    It will have its place, but at that pricing, ZTNA is never going to be a general purpose replacement for IPSec or SSL VPNs

  • I would also add, that I hope Sophos aren't going to go down the Cisco route. Many years ago, Cisco said they were dropping their IPSec VPN client software as AnyConnect (SSL VPN) was the future. Then, a little while later, they announced that you could no longer buy a permanent AnyConnect client license but had to buy it by subscription which, naturally, ended up working out significantly more expensive.

    I certainly won't claim this is the only reason, but it was certainly a factor in us starting to look at other firewall solutions and now we don't sell any Cisco kit.

  • Likely you can do SSLVPN for small businesses with better performance and user experience anyway?

  • We're talking about two different things. My later post was comparing current VPN solutions with ZTNA. Yes, for small businesses, generally speaking we implement SSL rather than IPSec, partly just because it is better supported with a Sophos XG. But you said...

    The own solution is ZTNA and it is actually the replacement of VPN for the future

    and I was pointing out that the cost means it isn't "the replacement of VPN for the future" for a lot of customers. Only those people that have a requirement for the additional functionality are going to implement it.

    The OP was specifically talking about IPSec IKEv2 because of Android dropping IKEv1 support and they find it easier to mass deploy an IPSec solution to Android phones (rather than SSL). So they have a valid reason for wanting Sophos' IPSec solution kept up to date.

    For me, the takeaway from this is there are valid reasons for using all three technologies and none of them are going to be 'dead' for the foreseeable future. From what you have said, it isn't a trivial change to implement IKEv2 support for client VPNs, but clearly there are still good reasons why it is some people's preferred VPN technology and it would be good to have it available on the XG in a 'full' implementation, i.e. with IKEv2 support.

  • But you are comparing two different aspects. 

    Smaller customers can and will likely still be using VPN. But using VPN for 10 clients is easy with SSLVPN or IPsec. It does not matter for them; likely they do not even have a management solution.

    Bigger customers want to have a handy solution which protects them. ZTNA is a protection solution, VPN is a network solution. Bigger customers will likely migrate away from IPsec/SSLVPN for multiple reasons.

  • I am mostly agreeing with you! I understand the benefits for large organisations (and furthermore the licensing becomes significantly cheaper if you are looking at 100s or 1000s of licences).

    What I disagree with is when you say that ZTNA is "the replacement of VPN for the future". It isn't a replacement, it is an alternative with more capabilities. But there will still be a need for IPSec and SSL for a lot of people, and that is why Sophos should continue supporting and developing them.
