I am getting tired of dealing with this issue and the lack of response from SOPHOS. Your IPsec implementation is, and has been broken due to your choice to NOT allow Anti-Replay configuration. The reality is that throughout this forum there are numerous threads regarding IPsec instability between UTM and other firewalls. Thread after thread of troubleshooting but no answers or resolutions! Many (most) of these issues are very likely attributable to the fact that SOPHOS has hard coded the OpenSwan module to force Anti-Replay and furthermore decided that there is absolutley NO NEED to log anything to do with Anti-Replay. The FACTS: Not all VPN endpoints handle replay protection the same. In MANY cases the ONLY way to get two dissimilar firewalls to negotiate a stable tunnel is to FULLY DISABLE replay protection. It is common practice to fully disable REPLAY protection due to the stability issues it creates. OpenSwan has recognized the issue and enabled a switch to disable replay SOPHOS has repeatedly opted to not implement the ability via WebAdmin or SHELL to adjust or disable replay. SOPHOS has refused to log replay protection messages. When the UTM OpenSwan replay protection triggers, the TUNNEL still is shown (at both ends) as UP but the UTM drops all data packets in both directions (other than the keep-alive, etc for the tunnel itself). THERE IS ZERO LOGGING OF ANY OF THIS ANYWHWERE!!!!! So here in the real world, most net admins build tunnels WITHOUT replay. This means that in many (most) cases Sophos UTMs are not going to be able to negotiate a stable tunnel. This also means that in most of those cases, both the admin and Sophos support are not even going to be able to diagnose the issue, let alone fix it. We have a customer with several UTMs that utilize tunnels to a data center. SOPHOS built a version specific patch for our customer (after I had to repeatedly explain the replay issue to both support and development over a 1 month period). The problem is that that the customer has been stuck on 9.107 for over a year now and I am unable to deploy IPSec tunnels to that (and 2 other) data centers for other customers unless I opt for the OLD firmware. This is a HUGE problem and I can't fathom why it has not been addressed, period.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Anti Replay - Is this EVER going to be addressed?

I am getting tired of dealing with this issue and the lack of response from SOPHOS.

Your IPsec implementation is, and has been broken due to your choice to NOT allow Anti-Replay configuration.

The reality is that throughout this forum there are numerous threads regarding IPsec instability between UTM and other firewalls. Thread after thread of troubleshooting but no answers or resolutions! Many (most) of these issues are very likely attributable to the fact that SOPHOS has hard coded the OpenSwan module to force Anti-Replay and furthermore decided that there is absolutley NO NEED to log anything to do with Anti-Replay.

The FACTS:

Not all VPN endpoints handle replay protection the same.
In MANY cases the ONLY way to get two dissimilar firewalls to negotiate a stable tunnel is to FULLY DISABLE replay protection.
It is common practice to fully disable REPLAY protection due to the stability issues it creates.
OpenSwan has recognized the issue and enabled a switch to disable replay
SOPHOS has repeatedly opted to not implement the ability via WebAdmin or SHELL to adjust or disable replay.
SOPHOS has refused to log replay protection messages.
When the UTM OpenSwan replay protection triggers, the TUNNEL still is shown (at both ends) as UP but the UTM drops all data packets in both directions (other than the keep-alive, etc for the tunnel itself). THERE IS ZERO LOGGING OF ANY OF THIS ANYWHWERE!!!!!

So here in the real world, most net admins build tunnels WITHOUT replay. This means that in many (most) cases Sophos UTMs are not going to be able to negotiate a stable tunnel. This also means that in most of those cases, both the admin and Sophos support are not even going to be able to diagnose the issue, let alone fix it.

We have a customer with several UTMs that utilize tunnels to a data center. SOPHOS built a version specific patch for our customer (after I had to repeatedly explain the replay issue to both support and development over a 1 month period). The problem is that that the customer has been stuck on 9.107 for over a year now and I am unable to deploy IPSec tunnels to that (and 2 other) data centers for other customers unless I opt for the OLD firmware.

This is a HUGE problem and I can't fathom why it has not been addressed, period.

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

I am getting tired of dealing with this issue and the lack of response from SOPHOS.

Your IPsec implementation is, and has been broken due to your choice to NOT allow Anti-Replay configuration.

You do realize that this is a user to user forum and not a means of contacting Sophos. Those that you see assisting and troubleshooting in threads are other end users and resellers. If you need to contact Sophos staff, as Bob mentions, you need to open a ticket with Support.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Scott_Klassen over 10 years ago

I am getting tired of dealing with this issue and the lack of response from SOPHOS.

Your IPsec implementation is, and has been broken due to your choice to NOT allow Anti-Replay configuration.

You do realize that this is a user to user forum and not a means of contacting Sophos. Those that you see assisting and troubleshooting in threads are other end users and resellers. If you need to contact Sophos staff, as Bob mentions, you need to open a ticket with Support.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BeanAnimal over 10 years ago in reply to Scott_Klassen

You do realize that this is a user to user forum and not a means of contacting Sophos. Those that you see assisting and troubleshooting in threads are other end users and resellers. If you need to contact Sophos staff, as Bob mentions, you need to open a ticket with Support.

Scott... I am very aware of what this forum is and that is exactly why I posted here, to make other resellers and and end users aware of the issue.

Regards,

Bill
Cancel
Vote Up 0 Vote Down

Cancel