Upgrade to modern version of StrongSWAN which uses charon instead of pluto
Astaro still uses StrongSWAN ipsec version 4.4.1 which is from 2010.
The latest build of version 4 is 4.6.4, from mid 2012.
But as of today, they are up to version 5.0.4! Version 5 started in mid 2012 when they ditched the old Pluto package and updated Charon to handle both IKEv1 and IKEv2.
For a router boasting support, I'd think that would be a priority to at least be on-par with the open source technology.
Then after you do this, you can maybe also update the GUI to expose some of the ipsec.conf settings that it's hiding right now, or allow an "advanced users" section in the GUI to manually edit the ipsec.conf for each VPN uniquely.
Sophos not making this the #1 priority of any VPN modifications (or the Astaro team from the start) to me is a conflict of interest.
We have already moved 25% of our VPNs from Astaro to a home-built Linux instance running the latest StrongSWAN software. The result is higher stability and superb support: very technical feedback and almost instant bug fixes when problems are found. We have a plan in place to move 100% of our VPNs off Astaro within a few weeks. It's sad because the Astaro UI is really nice and everything else it does is OK, but I guess it's all meant to be like a Wal-Mart: just barely good enough for the average Joe, but if you need something solid you've gotta shop elsewhere.
Bob Alfson commented
This might facilitate two other suggestions:
Just added references on problems with the old pluto version and reasons to upgrade.
Those other feature requests relating to ipsec.conf access:
Exactly, Bob. In the "Advanced" section it should allow setting LEFTID or any other ipsec setting that exists. To be the least amount of effort on Sophos' part, with the most features and flexibility, I envision this:
Advanced section would display a table-like list of all the ipsec.conf settings for a selected VPN Connection that the GUI already puts in there.
Then allow you to add and edit others.
Very simple design, not worrying about having to add a bunch of UI logic or whatever to handle things that ipsec can already do.
LEFTID is not the only one. There are several other options that are simply not possible due to the lack of the UI. The only real super benefit of the UI is how it forces you to create a Named Network definition for everything. But with just a little bit of work, that can be done for this Advanced thing also by just maintaining a list of ipsec.conf settings whose input is some IP address or whatever. When those values are added/changed the UI could restrict to first creating a Network Definition.
Bob Alfson commented
1. Android and Microsoft use IKEv2 and not IKEv1, so this suggestion seems to be a must-have.
2. I'm not sure what, specifically, you'd like to see in an 'Advanced' section. At least a way to indicate a leftid in the 'IPsec Connection' just as the rightid can be given in the 'Remote Gateway' definition, as you suggested in the User BB over a year ago.
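To make the "Advanced" table idea and the leftid point concrete, here is an added example (not Sophos/Astaro code, and not from either poster): it parses one ipsec.conf conn block into a key/value table, lets a user add any strongSwan option such as leftid, and forces address-valued options to go through a named network definition first. The conn block, the network definitions and the ADDRESS_OPTIONS subset are constructed for the example.

```python
import re
import ipaddress
# Hypothetical "Advanced" ipsec.conf editor (example code, not Sophos/Astaro code): list the
# settings the GUI writes, add/edit others, and require a named network definition for addresses.

# Constructed sample conn block in strongSwan 4.x ipsec.conf syntax.
SAMPLE_CONN = """\
conn branch_office
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=203.0.113.10
    rightsubnet=10.2.0.0/24
    auto=start
"""
# Options whose value is an address or subnet (assumption: a subset for the example).
ADDRESS_OPTIONS = {"left", "right", "leftsubnet", "rightsubnet", "leftsourceip"}

# Constructed network definitions, standing in for the GUI's named objects.
NETWORK_DEFINITIONS = {
    "HQ LAN": "10.1.0.0/24",
    "Branch LAN": "10.2.0.0/24",
    "Branch Gateway": "203.0.113.10",
}

def parse_conn(text):
    """Return (conn name, dict of key -> value) for one conn block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = re.match(r"conn\s+(\S+)$", lines[0])
    if not m:
        raise ValueError("expected a 'conn <name>' header line")
    settings = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return m.group(1), settings

def set_option(settings, key, value, definitions=NETWORK_DEFINITIONS):
    """Add or edit one option; address options must name a network definition."""
    if key in ADDRESS_OPTIONS:
        if value not in definitions:
            raise ValueError(f"{key}: create a network definition first")
        value = definitions[value]
        ipaddress.ip_network(value, strict=False)  # reject malformed definitions
    settings[key] = value
    return settings

def render_conn(name, settings):
    """Serialise the table back to ipsec.conf syntax for the selected VPN."""
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in settings.items())
```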