IPSEC VPN

IPsec (IP Security) is a standard protocol suite for building VPN tunnels between two hosts, between a host and a network, between two networks, or more generally between any two endpoints that support the protocol.

Stormshield Network's IPsec implementation provides access control, connectionless integrity, data-origin authentication, anti-replay protection, and confidentiality (encryption of the payload, plus partial protection of traffic-flow information). You can, for example, create a tunnel between two firewalls, or between the firewall and mobile clients on which VPN client software is installed.

The IPsec service includes a mechanism that optimizes how encryption and decryption operations are distributed. Its purpose is to significantly improve IPsec throughput, especially in configurations with a single IPsec tunnel, where the default processing cannot spread the load of that one tunnel.

This optimization feature is only available on SN510, SN2000, SN2100, SN3100 and SN6100 models.

It offers three configuration modes:

  • Disabled mode (0): the default. The optimization mechanism is never used.
  • Automatic mode (auto): the optimization mechanism is enabled automatically and transparently only while the active IPsec policy has exactly one active VPN tunnel; when more tunnels are active, it is switched off again.
  • Enabled mode (1): the optimization mechanism stays enabled even when the active IPsec policy has more than one active VPN tunnel. This mode is not recommended when a policy has many active VPN tunnels; if you use it, verify that it does not degrade the overall quality of service.

The mechanism can be configured only through the following CLI/serverd command (there is no equivalent setting in the web administration interface):

CONFIG IPSEC UPDATE slot=<n> CryptoLoadBalance=<0|1|auto>
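The decision rules above (supported models, what `auto` does with one versus several tunnels, the warning attached to mode `1`) are small enough to encode, which is useful when the setting is rolled out to several firewalls by script. The following Python helper is an added example written for this page, not Stormshield code and not part of the SNS CLI: it checks a chosen CryptoLoadBalance value against the firewall model and the number of active tunnels in the policy and renders the serverd command shown above. The tunnel list is constructed sample data; the `Tunnel` class, the function names and the 1..10 slot range (derived from the "10 encryption policies" mentioned later on this page) are assumptions of the example. The command string itself is the one from the page.

```python
"""Plan the CryptoLoadBalance value for a Stormshield SNS IPsec policy slot.

Example code written for this documentation page (not Stormshield's own).
It encodes the rules stated on the page: the optimisation exists only on
SN510/SN2000/SN2100/SN3100/SN6100; 'auto' engages it only while exactly one
tunnel is active; '1' forces it on and is discouraged with many tunnels.
"""
from dataclasses import dataclass

# Models on which the optimisation mechanism is available (from the page).
SUPPORTED_MODELS = {"SN510", "SN2000", "SN2100", "SN3100", "SN6100"}
# Accepted values of the CryptoLoadBalance parameter (from the page).
VALID_MODES = {"0", "1", "auto"}


@dataclass
class Tunnel:
    """Assumed minimal view of one tunnel in a policy slot (example type)."""
    name: str
    enabled: bool


def active_tunnels(tunnels):
    """Tunnels that count as active in the policy."""
    return [t for t in tunnels if t.enabled]


def recommend_mode(model):
    """Return the CryptoLoadBalance value to deploy on this firewall model.

    '0' on models without the feature (the setting has no effect there);
    'auto' everywhere else, because it turns the optimisation on only in the
    single-tunnel case the feature targets and off again transparently when
    more tunnels come up. Mode '1' is never recommended automatically.
    """
    if model.upper() not in SUPPORTED_MODELS:
        return "0"
    return "auto"


def check_mode(mode, model, tunnels):
    """Return a list of warnings for an operator-chosen mode (empty = fine)."""
    if mode not in VALID_MODES:
        raise ValueError(f"CryptoLoadBalance must be one of {sorted(VALID_MODES)}, got {mode!r}")
    warnings = []
    n = len(active_tunnels(tunnels))
    if model.upper() not in SUPPORTED_MODELS and mode != "0":
        warnings.append(f"{model}: optimisation not available on this model, setting has no effect")
    if mode == "1" and n > 1:
        warnings.append(f"mode 1 forced with {n} active tunnels: not recommended, check service quality")
    if mode == "auto" and n != 1:
        warnings.append(f"mode auto with {n} active tunnels: optimisation stays off until exactly one is active")
    return warnings


def build_command(slot, mode):
    """Render the serverd command from the page for policy slot <n>."""
    if not 1 <= slot <= 10:  # assumption: slots numbered 1..10 (10 policies)
        raise ValueError("slot must be between 1 and 10")
    if mode not in VALID_MODES:
        raise ValueError(f"invalid CryptoLoadBalance value {mode!r}")
    return f"CONFIG IPSEC UPDATE slot={slot} CryptoLoadBalance={mode}"


if __name__ == "__main__":
    # Constructed sample policy: one site-to-site tunnel up, one disabled.
    policy = [Tunnel("hq-to-branch", True), Tunnel("hq-to-dc-backup", False)]
    model = "SN3100"
    mode = recommend_mode(model)
    for w in check_mode(mode, model, policy):
        print("warning:", w)
    print(build_command(1, mode))
```

After the UPDATE command, SNS normally requires the module to be activated for the change to take effect; the exact activation command is not shown on this page, so check the serverd reference of your firmware version rather than assuming one.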

NOTES
  • IPsec VPN policies can now be edited in Global mode. To enable this, select "Display global policies" in the Preferences module.
  • There is no specific privilege for "vpn_global".

The IPsec VPN module consists of 4 tabs:

  • Encryption policy – Tunnels: this tab allows creating your IPsec tunnels between two firewalls (Site to site – Gateway-Gateway) or between a Stormshield Network multi-function firewall and a mobile user (Anonymous – Mobile users).
    10 blank encryption policies can be configured, activated and edited. The anonymous policy also allows configuring tunnels with another firewall that does not have a fixed IP address; such a peer raises the same problem as a "classic" mobile workstation: an unpredictable IP address.
  • Peers: here, you can create new peers (remote site or anonymous mobile peer) by entering their IKE profiles, their negotiation method, as well as the specific parameters for each negotiation method.
  • Identification: this tab makes it possible to list your approved certification authorities in the tunnels using PKI methods as well as the pre-shared keys (PSK) of your mobile tunnels in two tables.
  • Encryption profiles: here, define your IKE (phase 1) and IPsec (phase 2) encryption profiles, add new ones or set their maximum lifetime (in seconds). You can also define negotiation proposals for authentication and encryption algorithms.