Upgrade to modern version of StrongSWAN which uses charon instead of pluto
Astaro still uses StrongSWAN ipsec version 4.4.1 which is from 2010.
The latest build of ver 4 is 4.6.4 in mid 2012.
But with today's times.. they are up to version 5.0.4! Version 5 started in mid 2012 when they ditched the old Pluto package and updated Charon to handle both IKE 1 and 2.
For a router boasting support, I'd think that would be a priority to at least be on-par with the open source technology.
Then after you do this, you can update the GUI maybe also to handle exposing some of the ipsec.conf settings that it's hiding right now, or allow an "advanced users" section in the GUI to manually edit the ipsec.conf for each VPN uniquely.

58 comments
-
Scott commented
I am losing yet another client (2nd) to another vendor implementing a Cisco ASA for IKEv2 connection to Azure. They don't want to hear about XG, if the Sophos UTM won't do what they need they are migrating to Cisco.
-
frank commented
Just opened a support ticket about this, and he replies saying they've "included it on a roadmap", and sends me to this 6-year old "feature request" thread. What a horrible way to treat your customers.
-
Patrick commented
Vital so that site to site VPNs can stay running stably on more modern connections!
-
Kipland Iles commented
No plans to migrate to XG as I like my SG's. I'm voting for this. Give me some IKEv2, please, so I can better connect (and stay connected) to Google Cloud.
-
Humberto M. commented
Please do everything to get listed on the Azure compatibility list:
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
-
Anonymous commented
-
Thomas commented
The same procedure as every year, SOPHOS!
-
Erroll Marchais commented
Cannot connect resources across an IKEv1 tunnel to Azure Apps (only Azure servers). This is a huge issue. Need a resolution to this ASAP!!! This is not an issue you realize you have until you have the issue and we can't just throw out the firewall. This is requiring us to route Azure VPN through a completely separate appliance. Shouldn't be forced to do this. XG is not as baked and doesn't have all the features I need so please don't say "just use SFOS"
-
Matthew commented
50 comments, years later and still no IKEv2 support....
-
Matthew commented
I have to say this is ridiculous, a company like Sophos that is not new to the industry still using an ancient form of IKE with everything that is going to the cloud and site-2-site links becoming more popular.
How hard could it be to add this functionality?
Because of Sophos' lack of caring about this we have a project we cannot move forward with due to a provider using Sophos devices for managed router / devices for one client's location.
Get with the time Sophos, I almost want to say you're now one of the last providers who does not support IKEv2 yet...
-
Mark M. commented
Seriously, get to version 5.x. Having an L2TP server behind NAT is not working because of the older Strongswan version, and yet isn't a terribly complicated thing to ask for.
-
Greg Campion commented
If this upgrade were made, modern Android users would be able to use the L2TP VPN natively which would be wonderful!
-
Andre commented
With no IKEv2 support on our XG Firewalls we will change UTMs next year. Please implement it. UTM is still a nice firewall.
-
Stephane commented
IKEv2 seems like a must nowadays. Please implement it.
-
Adrien Belcourt commented
IKE v2 support is critical to increasing numbers of customers and this feature request is required for implementing this.
See "VPN: IKE V2 Support" feature request which if combined with this feature would make it the 4 highest voted for feature.
Vote for both.
-
Eric commented
This is a must have because the current version with active directory authentication (probably most users) is vulnerable to CVE-2015-8023!
-
c commented
Astaro Sophos UTM - The VPN router for the 90's.
-
Bob Alfson commented
Two of my votes are here and I've none left. There was a rumor that this was planned for 9.4. It would be a shame if this were not true.
Cheers - Bob
-
Peter Helfer commented
Due to the lack of this security standard we are currently not able to connect our customers to Azure dynamic routing gateway. So actually it's a deal-breaker and we are really thinking to move away from Sophos due to this if it is not implemented shortly!
Sophos is a great firewall! I do not understand why this security standard was not implemented a long time ago!
Please do everything to get listed on the Azure compatibility list:
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
-
c commented
Unless you want to spend the big bucks on those solutions or it makes sense for you, you can ask me for help on setting up your own router. It seems like a daunting task, but it's really not, it's just not well advertised. It then gives you the freedom to update components as often as you need, and manage the whole configuration in simple text files that you can store in some software revision like Git.