“Encryption policy – Tunnels” tab

From version 2 of the firmware onwards, Stormshield Network firewalls support IPSec tunnels based on IKEv1 or IKEv2 protocols.

Peers that use different versions of the IKE protocol can now be defined in the same IPSec policy.

Profile bar

The drop-down menu offers 10 IPSec profiles numbered from (1) to (10).

To select a profile in order to configure it, click on the arrow to the right of the field.

Activate this policy

Immediately activates the selected IPSec policy: parameters saved in this slot will overwrite current parameters in force.

Edit

This function allows performing 3 operations on profiles:

  • Rename: clicking on this option opens a window with two fields, in which you can modify the name and add comments. Once done, click on “Update”. The operation can also be cancelled.
  • Reinitialize: deletes all changes made to the profile. The configuration will therefore be lost.
  • Copy to: copies a profile to another profile, with all the information from the copied profile transmitted to the receiving profile, including its name.
Last modification

This icon allows finding out the date and time of the last modification. The time displayed is the appliance’s time instead of your workstation’s time.

Disable policy

This button allows immediately deactivating the selected IPSec policy.

Site to site (Gateway-Gateway)

This tab allows creating a VPN tunnel between two network devices that support IPSec. This procedure is also called a Gateway-to-Gateway VPN tunnel.

Some How To's guide you step by step through the configuration of a secure connection between your sites.

The Add button will be covered in the following section.

Search

Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.

Delete

Select the IPSec VPN tunnel to be removed from the table and click on this button.

Move up

Places the selected line before the line just above it.

Move down

Places the selected line after the line just below it.

Cut

Cuts the selected line so that it can be pasted elsewhere.

Copy

Copies the selected line so that it can be duplicated.

Paste

Pastes the line that was previously cut or copied.

Add

In order to configure the tunnel, select the VPN policy in which you wish to set it up. The IPSec VPN policy wizard will guide you through the configuration.

Site to site tunnel

Here, you will define the endpoints of your tunnel (local and remote networks) as well as the peer.

Peer selection

This is the object that corresponds to the public IP address of the tunnel endpoint, i.e. of the remote VPN peer.

The drop-down list displays “None” by default. You can create a peer using the options below or select an existing peer from the list.

Create an IKEv1 peer

Define the parameters for your peer. Several steps are necessary:

Selecting the gateway:

Remote gateway: select the object corresponding to the IP address of the tunnel endpoint from the drop-down list.

You can also add gateways using the dedicated button.

Name: you can specify a name for your gateway or keep the peer’s original name, which will be prefixed with “Site_” (“Site_<name of object>”).

Selecting None as a peer allows generating policies without encryption. The aim is to create an exception to the rules that follow in the encryption policy: rules are read in order, so a rule without a peer must be placed above the encrypted rules it is meant to exempt. Traffic matching such a rule is not protected by IPSec and will be managed by the routing policy.

Click on Next.

Identifying the peer:

2 choices are possible: identification via Certificate or by Pre-shared key (PSK). Select the desired option.

  1. If you have selected Certificate, you will need to select it from those you have previously created in the Certificates and PKI module. The certificate to enter here is the one presented by the firewall and not the one presented by the remote site. A certificate authority can also be added.
  2. If you have selected Pre-shared key (PSK), you will need to define the secret that both peers of the IPSec VPN tunnel will share, in the form of a password to be confirmed in a second field.

You can enter the key in ASCII characters (every character in ASCII text is stored in a byte whose 8th bit is 0) by selecting the relevant option.

Unselect the option to view the key in hexadecimal characters (base 16: the digits 0 to 9 and the letters A to F).

  NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

Click on Next.

Finish creating the peer:

The screen will show you a window summarizing the configuration that was made: the Parameters of the remote site and the Pre-shared key.

You can also add a backup peer by clicking on the link provided. You will need to define a remote gateway for it.

Click on Finish.

Create an IKEv2 peer

The steps are the same as the ones in creating an IKEv1 peer.

Local network

Host, host group, network or network group that will be accessible via the IPSec VPN tunnel.

Remote network

Host, host group, network or network group accessible through the IPSec tunnel with the peer.

Star configuration

This procedure consists of directing several VPN tunnels to a single point. It allows, for example, linking branch offices to a central site.

Local network

Select the host, host group, network or network group that will be accessible via the IPSec VPN tunnel, from the drop-down list of objects.

Remote sites

Define the parameters for your remote sites: select your peer from the list of those already created or click on the icon to create a new one and select the remote networks from the objects in the drop-down list.

You can Add or Delete peers by clicking on the relevant buttons.

Treat IPSec interfaces as internal interfaces checkbox (applies to all tunnels).

If this option is selected, IPSec interfaces will become internal - and therefore protected - interfaces.

All networks that are able to go through IPSec tunnels must therefore be legitimized and static routes allowing them to be contacted must be specified. Otherwise, the firewall will reject the IPSec traffic.

IMPORTANT

When this checkbox is selected, the option will apply to all IPSec tunnels defined on the firewall.
If you have selected this option by mistake in the IPSec VPN tunnel installation wizard, it can be disabled by unselecting Treat IPSec interfaces as internal interfaces (applies to all tunnels - remote networks will need to be explicitly legitimized) found in the Advanced properties panel in the Application protection > Inspection profiles module.

Create policies without encryption (none) for internal networks

This option allows automatically generating policies without encryption (none) dedicated to internal networks (Network_internals to Network_internals). If the policy already exists, a warning message will appear indicating that these policies have already been created.

Click on Finish.

Separator – rule grouping

This option allows inserting a separator above the selected line. This allows the administrator to create a hierarchy for their tunnels according to their needs.
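The ordering rules described above (a None peer creates an exception to the rules that follow it, the Move up and Move down buttons change that order, and the star wizard can generate internal-to-internal policies without encryption) can be exercised with the following Python script. It is an added example and not Stormshield code: the two rule tables are constructed, the network objects are assumed to be CIDR prefixes (real objects can be hosts, groups, networks or ranges), Network_internals is assumed to be 10.0.0.0/8, “Any” is modelled as 0.0.0.0/0, and the shadowing check is an assumed consistency check in the spirit of the “Check policy” field, not the appliance’s own logic.

```python
"""First-match evaluation of an IPSec tunnel table: rules are read from top to
bottom, and the first enabled rule whose local and remote networks contain the
traffic decides whether it is encrypted towards a peer or, for a rule whose
peer is "None", left in the clear to the routing policy.

Added example, not the firewall's own code. Tables, object values and the
shadowing check are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class TunnelRule:
    line: int              # "Line" column
    state: bool            # "State" column: True = On
    local: str             # local network object, as a CIDR prefix here
    peer: Optional[str]    # peer name, or None for a policy without encryption
    remote: str            # remote network object, as a CIDR prefix here

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))


def first_match(rules: List[TunnelRule], src: str, dst: str) -> Optional[TunnelRule]:
    """Return the first enabled rule that matches (src, dst), or None."""
    for rule in rules:
        if rule.state and rule.matches(src, dst):
            return rule
    return None


def decision(rules: List[TunnelRule], src: str, dst: str) -> str:
    """'clear' for a matching None rule, 'ipsec:<peer>' for an encrypted rule,
    'no-policy' when no rule matches (the IPSec policy is not involved)."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "no-policy"
    if rule.peer is None:
        return "clear"
    return "ipsec:" + rule.peer


def shadowed_rules(rules: List[TunnelRule]) -> List[str]:
    """Assumed check: an enabled rule can never match if an earlier enabled rule
    already covers both its local and remote networks. A None rule placed below
    the encrypted rule it was meant to exempt is the typical case."""
    report = []
    for i, later in enumerate(rules):
        if not later.state:
            continue
        for earlier in rules[:i]:
            if (earlier.state
                    and ip_network(later.local).subnet_of(ip_network(earlier.local))
                    and ip_network(later.remote).subnet_of(ip_network(earlier.remote))):
                report.append("[gateway policy at line %d] - shadowed by line %d"
                              % (later.line, earlier.line))
                break
    return report


# Constructed tables. Network_internals is assumed to be 10.0.0.0/8, the
# branch office network 192.168.10.0/24, and "Any" is modelled as 0.0.0.0/0.
POLICY_OK = [
    TunnelRule(1, True, "10.0.0.0/8", None, "10.0.0.0/8"),                  # internal to internal, in the clear
    TunnelRule(2, True, "10.0.0.0/8", "Site_Branch", "192.168.10.0/24"),
    TunnelRule(3, True, "10.1.0.0/16", "Site_Partner", "192.168.10.0/24"),  # unreachable: covered by line 2
    TunnelRule(4, False, "10.0.0.0/8", "Site_Old", "172.16.0.0/12"),        # Off: ignored
]

# Same exception rule, but placed under a hub rule that sends everything to the central site.
POLICY_BAD_ORDER = [
    TunnelRule(1, True, "10.0.0.0/8", "Site_Central", "0.0.0.0/0"),
    TunnelRule(2, True, "10.0.0.0/8", None, "10.0.0.0/8"),                  # never reached
]


if __name__ == "__main__":
    for name, table in (("POLICY_OK", POLICY_OK), ("POLICY_BAD_ORDER", POLICY_BAD_ORDER)):
        print(name, "10.1.2.3 -> 10.9.9.9:", decision(table, "10.1.2.3", "10.9.9.9"))
        for line in shadowed_rules(table):
            print("  ", line)
```

Run as a script, it shows the point of the None rule: with the exception on top, internal traffic stays in the clear and goes to the routing policy; with it below the hub rule, the same traffic is encrypted to Site_Central and the check reports the exception rule as unreachable.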

The table

Line

This column indicates the number of the line, in order of appearance on the screen.

State

This column shows the On/Off status of the tunnel. When you create tunnels, they are active by default. Double-click to disable them.

To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on the icon provided to view the details of the IPSec policy:

  • Tunnel endpoints: local object / remote object
  • Traffic endpoints: local object / destination object
  • Authentication: Mode / Type / Certificate / Pre-shared key
  • Encryption profiles (phase 1 & 2): algorithms, Diffie-Hellman group, lifetime

This information can be selected, and can therefore be copied.

Local network

Select the host, host group, network or network group that will be accessible via the IPSec VPN tunnel, from the drop-down list of objects.

Peer

Configuration of the peer, which can be viewed in the tab of the same name in the IPSec VPN module.

Remote network

Select from the drop-down list of objects, the host, host group, network or network group accessible through the IPSec tunnel with the peer.

Encryption profile

This option allows selecting the protection model associated with your VPN policy, from 3 preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.

Comments

Description given of the VPN policy.

The additional option Keepalive allows artificially keeping established tunnels up. This mechanism sends packets that initialize the tunnel and force it to be maintained. This option is disabled by default to avoid wasting resources, especially in a configuration containing many tunnels set up at the same time without any real need for them.

This option is only valid for site-to-site tunnels. It can be enabled by selecting the value Keepalive in the Columns menu, which appears when you move the mouse over the header of the columns in the table.

Keepalive

To enable this option, assign a value other than 0, corresponding to the interval in seconds, between each UDP packet sent.

Checking the policy in real time

The window for editing IPSec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.

Example: [gateway policy at line 2] - Different IKE versions cannot be used in the same IPSec policy.

Anonymous – Mobile users

The IPSec VPN has two endpoints: the tunnel endpoint and the traffic endpoint. For anonymous or mobile users, the IP address of the tunnel’s endpoint is not known in advance.

As for the IP address of the traffic endpoint, it can either be chosen by the peer (“classic” case) or given by the gateway (“Config mode”).

Note that from version 3.8.0 onwards, a mobile (nomad) IPSec policy can include several peers, provided that those peers use the same IKE encryption profile. When authenticating with certificates, all peers’ certificates must be issued by the same CA.

Add

Select the VPN policy in which you wish to set up a tunnel. Policy creation wizards will guide you in this configuration. If you wish to create the mobile peer through the wizard, please refer to the section “Creating a mobile peer” below.

It is possible to define VPN client settings (Config mode) for mobile users through the Config mode policy creation wizard.

New Policy

This policy makes local networks accessible to authorized users via an IPSec tunnel. In this configuration, remote users log on with their own IP addresses.

Enter the details of the mobile peer to be used. Then add the accessible local resources to the list.

New Config mode policy

This policy with Config mode makes a single local network accessible to authorized users through an IPSec tunnel. With Config mode, remote users log on with an IP address assigned in a set defined as a “Mobile network”.

Once it is created, the cell corresponding to the Config mode column will contain a Modify button, allowing you to enter the parameters of the IPSec Config mode, described in the section The table.

You can enter a particular DNS server and specify the domains that this server uses. These indications are indispensable if an Apple® (iPhone, iPad) mobile client is used for example. This feature is paired with Config mode, and is not used by all VPN clients on the market.

Creating a mobile peer

The procedure for creating a peer through these wizards is described below. You can also create it directly from the Peer tab.

Click on Add, then on New policy (VPN), then on Create a mobile peer in the mobile IPSec VPN policy wizard.

Name your mobile configuration, and click on Next.

Select the authentication method of the peer.

Certificate

If you select this authentication method, you will need to select the Certificate (server) to be presented to the peer, from the list of those you have already created previously (Certificates and PKI module).

You can also enter details about the Certificate authority (CA) that signed your peer’s certificate so that it is automatically added to the list of trusted authorities.

Hybrid

If you select this hybrid method, you will need to provide the Certificate (server) to be presented to the peer and, where applicable, its CA.

The server is authenticated by certificate in Phase 1, and the client by XAuth immediately after Phase 1.

Certificate and XAuth (iPhone)

This option allows mobile users (roadwarriors) to connect to your company’s VPN gateway via their mobile phones, using a certificate in Phase 1. The server is also authenticated by certificate during this Phase 1. Additional authentication of the client is carried out by XAuth after Phase 1.

 NOTE

This is the only mode compatible with iPhones.

Pre-shared key (PSK)

If you have chosen this authentication method, you will need to enter your key in a table, by providing its ID and its value, to be confirmed.

To do so, click on Add.

The ID may be in an IP address (X.Y.Z.W), FQDN (monserver.domain.com), or e-mail address format (toto.dupont@domain.com). It will then occupy the “Identity” column in the table and the pre-shared key will occupy a column of the same name with its value displayed in hexadecimal.

  NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

Click on Next.

Check the summary of your mobile configuration and click on Finish.

Next, enter the local resource, or “local network”, to which the mobile user will have access.
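The pre-shared key steps of the site-to-site peer wizard (ASCII key, hexadecimal view, the NOTE on key strength) and of the mobile peer wizard (Identity column in IP address, FQDN or e-mail format, key displayed in hexadecimal) can be exercised with the following Python script. It is an added example and not Stormshield code: the strength rule it enforces (at least 20 ASCII characters drawn from at least three character classes) and the 32-byte length of generated keys are assumptions standing in for the user password rules that the NOTE refers to, and the FQDN and e-mail patterns are simplified assumptions.

```python
"""Pre-shared key (PSK) handling for the IPSec peer wizards: the ASCII and
hexadecimal views of a key, an ASCII key strength check, and the identity
formats accepted for a mobile PSK entry (IP address, FQDN or e-mail address).

Added example, not the firewall's own code. The strength rule and the generated
key length below are assumptions, not settings taken from the documentation.
"""
import ipaddress
import re
import secrets
import string
from typing import Dict, List, Optional

MIN_ASCII_LEN = 20      # assumed minimum length for an ASCII key
MIN_CLASSES = 3         # assumed: lower, upper, digit, punctuation -> at least three
GENERATED_BYTES = 32    # assumed: 256 random bits for a generated hexadecimal key


def ascii_to_hex(psk: str) -> str:
    """Hexadecimal view of an ASCII key. Every character must fit in 7 bits
    (the 8th bit of the byte is 0); anything else is not an ASCII key."""
    data = psk.encode("utf-8")
    if any(b >= 0x80 for b in data):
        raise ValueError("key contains non-ASCII characters")
    return data.hex()


def hex_to_ascii(hexkey: str) -> Optional[str]:
    """ASCII view of a hexadecimal key, or None when the bytes are not all
    printable ASCII (a randomly generated key normally has no ASCII form)."""
    data = bytes.fromhex(hexkey)
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None


def check_ascii_psk(psk: str) -> List[str]:
    """Return the list of policy violations; an empty list means the key passes."""
    problems = []
    if len(psk) < MIN_ASCII_LEN:
        problems.append("shorter than %d characters" % MIN_ASCII_LEN)
    classes = sum(
        1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
        if any(c in cls for c in psk))
    if classes < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    try:
        ascii_to_hex(psk)
    except ValueError:
        problems.append("contains non-ASCII characters")
    return problems


def generate_hex_psk() -> str:
    """A fresh random key in hexadecimal form, for peers that accept one."""
    return secrets.token_hex(GENERATED_BYTES)


# Identity formats listed for the mobile PSK table. Requiring a final label of
# letters only is an assumption of this check.
_FQDN = r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
_FQDN_RE = re.compile(r"^%s$" % _FQDN, re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[a-z0-9._%%+-]+@%s$" % _FQDN, re.IGNORECASE)


def identity_type(identity: str) -> str:
    """'ip', 'fqdn' or 'email'; raises ValueError for anything else."""
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        pass
    if _EMAIL_RE.match(identity):
        return "email"
    if _FQDN_RE.match(identity):
        return "fqdn"
    raise ValueError("unsupported identity format: %r" % identity)


def psk_entry(identity: str, psk: str) -> Dict[str, str]:
    """One row of the mobile PSK table: the Identity column and the key as the
    table displays it, in hexadecimal. Rejects keys that fail the policy."""
    problems = check_ascii_psk(psk)
    if problems:
        raise ValueError("weak pre-shared key: " + ", ".join(problems))
    return {"identity": identity, "type": identity_type(identity),
            "psk_hex": ascii_to_hex(psk)}


if __name__ == "__main__":
    print(psk_entry("toto.dupont@domain.com", "Corr3ct-Horse!Battery_St4ple"))
    print(check_ascii_psk("motdepasse"))
    print(generate_hex_psk())
```

The hexadecimal view is what both wizards display for the stored key, so a practitioner comparing the two ends of a tunnel can compare the hex strings directly; a key that the firewall shows in hexadecimal only (no printable ASCII form) is normally one that was generated randomly rather than typed.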

 

Other operations can also be performed:

Search

Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.

Delete

Select the IPSec VPN tunnel to be removed from the table and click on this button.

Move up

Places the selected line before the line just above it.

Move down

Places the selected line after the line just below it.

The table

Line

This column indicates the number of the line, in order of appearance on the screen.

State

This column shows the On/Off status of the tunnel. When you create tunnels, they are active by default. Double-click to disable them.

To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on the icon provided to view the details of the IPSec policy:

  • Tunnel endpoints: local object / remote object
  • Traffic endpoints: local object / destination object
  • Authentication: Mode / Type / Certificate / Pre-shared key
  • Encryption profiles (phase 1 & 2): algorithms, Diffie-Hellman group, lifetime

This information can be selected, and can therefore be copied.

Local network

Select the host, host group, address range, network or network group that will be accessible via the IPSec VPN tunnel, from the drop-down list of objects.

Peer

Configuration of the peer, which can be viewed in the tab of the same name in the IPSec VPN module.

Remote network

Select from the drop-down list of objects, the host, host group, address range, network or network group accessible through the IPSec tunnel with the peer.

 NOTE

When creating a new mobile IPSec VPN policy via the wizard, you will be asked to enter details about the local network, and not the remote network, since the IP address is unknown. The object “Any” will therefore be selected by default.

Encryption profile

This option allows selecting the protection model associated with your VPN policy, from the choice of 3 preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.

Config mode

This column makes it possible to activate “Config mode”, which is disabled by default. This allows distributing the traffic endpoint IP address to the peer.

 NOTES

  1. If you choose to activate this mode, you will need to select an object other than “Any” as the remote network.
  2. With config mode, only one policy can be applied per profile.

The Edit button allows entering the parameters of the IPSec Config mode:

DNS Server

This field determines the host (DNS server) that will be used by mobile clients, for DNS resolutions. You can select it or create it in the object database. This field is empty by default.

List of domains used in Config mode

The client will use the DNS server selected earlier only for the domains specified in this table. For other domains, the client will continue to use its own DNS server(s). The domains listed are therefore generally internal domain names.

Example: In the case of the domain "company.com", if an iPhone attempts to connect to "www.company.com" or "intranet.company.com", it will use the DNS server specified above. However, if it attempts to contact "www.google.fr", it will continue to use its usual DNS servers.
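The split-DNS behaviour described above can be modelled with the following Python script, added here as an example and not taken from Stormshield or from any VPN client. It assumes that domains match on label boundaries (“company.com” covers “intranet.company.com” but not “notcompany.com”), that names are compared case-insensitively with a trailing dot ignored, and that an empty DNS server field (the default) disables split DNS entirely; the server addresses used are constructed.

```python
"""Split-DNS decision of a Config-mode client: the DNS server pushed by the
gateway is used only for the domains listed in Config mode; every other name
keeps going to the client's usual resolver.

Added example, not the firewall's or any client's code. Label-boundary matching
and the handling of an empty DNS server field are assumptions.
"""
from typing import Dict, Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.strip().rstrip(".").lower()


def in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label boundary)."""
    host, domain = _normalize(host), _normalize(domain)
    return bool(domain) and (host == domain or host.endswith("." + domain))


def resolver_for(host: str, config_domains: Iterable[str],
                 vpn_dns: Optional[str], local_dns: str) -> str:
    """Which server the client should query for `host`.

    An empty DNS server field (the default) means no split DNS at all: the
    client keeps its own resolver for everything, whatever the domain list."""
    if vpn_dns and any(in_domain(host, d) for d in config_domains):
        return vpn_dns
    return local_dns


def plan(hosts: Iterable[str], config_domains: Iterable[str],
         vpn_dns: Optional[str], local_dns: str) -> Dict[str, str]:
    """Resolver chosen for each host name, as a dict."""
    domains = list(config_domains)
    return {h: resolver_for(h, domains, vpn_dns, local_dns) for h in hosts}


# Constructed values: the internal DNS server pushed in Config mode and the
# resolver the client had before the tunnel came up.
VPN_DNS = "10.0.0.53"
LOCAL_DNS = "192.168.1.1"
CONFIG_DOMAINS = ["company.com"]

if __name__ == "__main__":
    for host, server in plan(
            ["www.company.com", "intranet.company.com", "COMPANY.COM.",
             "notcompany.com", "www.google.fr"],
            CONFIG_DOMAINS, VPN_DNS, LOCAL_DNS).items():
        print("%-24s -> %s" % (host, server))
```

The label-boundary test is the part worth checking on a real client: a plain suffix comparison would send queries for an unrelated domain such as "notcompany.com" to the internal server.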

 

Comments

Description given of the VPN policy.

 REMARK

You can only use and create a single mobile (roadwarrior) configuration per IPSec profile. Peers can be applied to all profiles. As a result, only one authentication type can be used at a time for the mobile configuration.

Checking the policy in real time

The window for editing IPSec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.

Example: [gateway policy at line 2] - Different IKE versions cannot be used in the same IPSec policy.