IPSEC VPN

A standard protocol, IPSec (IP Security) enables the creation of VPN tunnels between two hosts, between a host and a network, between two networks and any type of object that supports the protocol.

The services that Stormshield Network’s IPSec offers provide access control, integrity in offline mode, authentication of data source, protection against replay, confidentiality in encryption and on traffic.

You can for example, create a tunnel between two firewalls, or between the firewall and mobile clients on which VPN clients would be installed.

IPSec VPN policies now allow editing their configurations in Global mode. To enable the option, select “Display global policies” in the Preferences module.

NOTE

There is no specific privilege for "vpn_global".

 

The IPSec VPN module consists of 4 tabs:

  • Encryption policy – Tunnels: this tab allows creating your IPSec tunnels between two firewalls (Site to site – Gateway- Gateway) or between a Stormshield Network multi-function firewall and a mobile user (Anonymous – Mobile users). 10 blank encryption policies can be configured, activated and edited. The anonymous policy also allows configuring tunnels with another firewall, but which does not have a fixed IP address. It will therefore have the same problem as a “classic” mobile workstation: an unpredictable IP address
  • Peers: here, you can create new peers (remote site or anonymous mobile peer) by entering their IKE profiles, their negotiation method, as well as the specific parameters for each negotiation method.
  • Identification: this tab allows listing your approved certificate authorities in the tunnels using PKI methods as well as the pre-shared keys (PSK) of your mobile tunnels in two tables.
  • Encryption profiles: here, define your IKE (phase 1) and IPsec (phase 2) encryption profiles, add new ones or set their maximum lifetime (in seconds). You can also define negotiation proposals for authentication and encryption algorithms.