“Peers” tab

This tab consists of two sections:

  • Left: the list of IPSec VPN and mobile IPSec VPN peers.
  • Right: Information about the selected peer.

List of peers

Search in peers

This field allows performing searches on the name of the object and its various properties, by occurrence, letter or word.

Filter

3 choices are possible:

  • “All peers”: shows every peer in the list, including gateways and mobile users.
  • “Gateways”: shows only gateway peers.
  • “Mobile peers”: shows only mobile peers.

Add

Peers can be added to this area. To do so, select the type of peer to create from the drop-down list: a “New remote site”, a “New IKEv2 remote site“, a “New anonymous (mobile) peer” or a “New anonymous IKEv2 (mobile) peer”.

 

You can also “Copy from the selection” – the copied peer will be duplicated.

 

To do this, click on the peer to be copied and enter its new name in the window that appears.

Delete

Select the peer to be deleted from the list and click on Delete.

Rename

Select the peer from the list and click on Rename.
Name

Name given to the peer during the creation phase.

Peer information

“Gateway” peer

Comments

Description given of the peer.

Remote address

Object selected to represent the remote IP address during the creation of the peer via the wizard.

Backup configuration

This field indicates whether you have defined a backup configuration during the creation of the peer. “None” will appear by default if you have not created any.

 

However, you can define one by selecting one of your other gateway peers from the drop-down list; that peer takes over when this one becomes unreachable (see Backup mode below).

IKE profile

This option allows selecting the protection model associated with Phase 1 of your VPN policy, from the choice of 3 preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.

IKE version

This option allows selecting the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses.

 

Identification

Authentication method

This field will show the authentication method selected during the creation of your peer via the wizard.

 

You may modify your choice by selecting another method from the drop-down list.

NOTE

For a “gateway” peer, you have the choice of Certificate or Pre-shared key (PSK).

Certificate

If you have chosen the certificate authentication method, this field will display your certificate.

 

If you had opted for the pre-shared key method, this field will be grayed out.

Local ID (Optional)

This field identifies your end of the IPSec VPN tunnel, the endpoint that shares the “secret” (the PSK) with the “Peer ID”, the other endpoint. You are represented by the “Local ID”.

This identifier must be in the form of an IP address, a domain name (FQDN: Fully Qualified Domain Name) or an e-mail address (user@fqdn).

Peer ID (Optional)

This field identifies the other end of the IPSec VPN tunnel, the endpoint that shares the “secret” (the PSK) with the “Local ID”. The “Peer ID” represents your peer.

 

The format is the same as the previous field.

Pre-shared key (ASCII)

In this field your PSK appears in the format you had selected earlier when creating the peer via the wizard: ASCII or hexadecimal characters (the format can be selected in the checkboxes below the field if you wish to change formats).

Confirm

Confirmation of your pre-shared key (PSK).

Advanced properties

Negotiation mode

In IPSec, 2 negotiation modes are possible: main mode and aggressive mode. They have particular influence over Phase 1 of the IKE protocol (authentication phase).

 

This mode is automatically determined according to the configuration parameters; aggressive mode is used only in the case of an anonymous configuration by pre-shared keys. This mode can nonetheless be modified by CLI.

 

Main mode: In this mode, Phase 1 takes place in 6 exchanges. The identities are only sent in the last two messages, encrypted with keys derived from the Diffie-Hellman exchange, so with pre-shared key authentication the remote host can only be identified by its IP address (the key has to be selected before the identity can be read).

In PKI mode, the identifier is the certificate. Main mode protects the identities of both peers.

Aggressive mode: In this mode, Phase 1 takes place in 3 exchanges between the Firewall and the remote host. Peer identities can either be an IP address, an FQDN or an e-mail address but not a certificate. Authentication is carried out with pre-shared keys. The identities and the authentication hashes are sent in the clear, so aggressive mode does not protect the peers’ identities.

WARNING

The use of the aggressive mode + pre-shared keys (especially for VPN tunnels to mobile workstations) is less safe than the other modes of the IPSec protocol: the authentication hash derived from the PSK travels unencrypted, so anyone who captures the exchange can test candidate keys against it offline and recover a weak key. Stormshield Network recommends using the main mode and especially main mode + certificates for tunnels to mobile workstations. The Firewall’s internal PKI is capable of providing the certificates needed for such use.

NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

Backup mode

The backup mode is the switch mode for the IPSec failover – if a server becomes unreachable, another will take over transparently.

 

When the tunnel switches to the backup peer, two choices are possible:

“temporary” mode: once the main peer becomes contactable again, the tunnel will switch back to it.

“permanent” mode: the tunnel stays on the backup peer as long as it is operational, even if the main peer is contactable again.

NOTE

This field can only be edited in expert mode (CLI). Please refer to the article in the technical support’s Knowledge Base for further information (How can I modify the backup mode for a specific IPSec peer?).

Local address

Object selected as the local IP address used for IPSec negotiations with this peer.

This field is set to “Any” by default, corresponding to the automatic choice of interface based on the routing table.

Do not initiate the tunnel (Responder only)

If this option is selected, the IPSec service waits for this peer to start the negotiation.

It will never initiate the tunnel itself. This option is used when the peer is a mobile host, whose address is not known in advance.

DPD

This field allows configuring the DPD (Dead Peer Detection) VPN feature. This would allow checking whether a peer is still operational.

When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer, which must acknowledge them (R U there ACK) to confirm that it is still available.

 

These exchanges are secured via ISAKMP (Internet Security Association and Key Management Protocol) SAs.

If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed.

WARNING

This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured.

 

Four choices are available for configuring DPD:

 

Inactive: DPD requests from the peer are ignored.

 

Passive: DPD requests sent by the peer get a response from the firewall. However, the firewall does not send any.

 

Low: the frequency of DPD packets being sent is low and the number of failures tolerated is higher (delay 600, retry 10, maxfail 5).

 

High: the frequency of DPD packets being sent is high and the number of failures relatively low (delay 30, retry 5, maxfail 3).

 

The value delay defines the period after a response is received before the next request is sent.

The value retry defines the time to wait for a response before sending the request again.

The value maxfail is the number of requests sent without receiving responses before the peer is considered absent.

Taken together, a peer that stops answering is therefore declared absent delay + maxfail × retry seconds after its last response: 45 seconds with the High profile, 650 seconds with the Low profile.

 

NOTE

For each field that contains “Gateway” and the object creation icon, you can add an object to the existing database by specifying its name, DNS resolution and IP address, then clicking on Apply.

When the negotiation mode (main or aggressive) has been imposed, it will be preserved when the configuration of an IPSec peer is modified.

“Mobile” peer (nomad)

Comments

Description given of the remote peer.

Remote gateway

This field is grayed out for mobile peers.

Backup configuration

This field is grayed out for mobile peers.

IKE profile

This option allows selecting the protection model associated with your VPN policy, from the choice of 3 preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.

IKE version

This option allows selecting the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses.

 

Identification

Authentication method

This field will show the authentication method selected during the creation of your peer via the wizard.

You may modify your choice by selecting another method from the drop-down list.

NOTE

For “mobile” peers, you have a choice between Certificate, Pre-shared key (PSK), Hybrid, Certificate and XAuth (iPhone).

 

Certificate

If you have chosen the Certificate, Hybrid or Certificate and XAuth authentication method, this field will display your certificate or will suggest that you select it from the drop-down list.

 

If you had opted for the pre-shared key method, this field will be grayed out.

Local ID (Optional)

This field identifies your end of the IPSec VPN tunnel, the endpoint that shares the “secret” (the PSK) with the “Peer ID”, the other endpoint. You are represented by the “Local ID”.

This identifier must be in the form of an IP address, a domain name (FQDN: Fully Qualified Domain Name) or an e-mail address (user@fqdn).

NOTE

This field can only be accessed if you have selected the Pre-shared key authentication method.
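Both the gateway section earlier on this page and the mobile section above state the three accepted identifier formats. The following check is an added example, not Stormshield code: it tells which IKE identification type a string corresponds to (ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_USER_FQDN, the type names of RFC 2407 / RFC 7296) and rejects anything else before it is entered in a Local ID or Peer ID field. The function names and the extra rejection rules (single-label names, all-numeric labels) are assumptions of this example, not rules stated in the Stormshield documentation.

```python
"""Check a Local ID / Peer ID before entering it in the Peers tab.

Added example, not Stormshield code. The Peers tab accepts an IP address, an
FQDN or an e-mail address (user@fqdn); this helper says which IKE
identification type such a string corresponds to (names from RFC 2407 /
RFC 7296) and rejects anything else. The function names and the extra
rejection rules (single-label names, all-numeric labels) are assumptions of
this example, not rules stated in the Stormshield documentation.
"""
import ipaddress
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_fqdn(name: str) -> bool:
    """True for a syntactically valid fully qualified domain name."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:                      # "firewall" alone is a hostname, not an FQDN
        return False
    if all(label.isdigit() for label in labels):
        return False                         # e.g. "10.0.0.300": a malformed IP, not a name
    return all(_LABEL.match(label) for label in labels)


def classify_ike_id(identifier: str) -> str:
    """Return ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN or ID_USER_FQDN; raise ValueError otherwise.

    The IP address test runs first so that "192.0.2.1" is not taken for an
    FQDN made of numeric labels.
    """
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    try:
        addr = ipaddress.ip_address(ident)
        return "ID_IPV4_ADDR" if addr.version == 4 else "ID_IPV6_ADDR"
    except ValueError:
        pass
    if "@" in ident:
        user, _sep, domain = ident.partition("@")
        if user and "@" not in domain and _is_fqdn(domain):
            return "ID_USER_FQDN"
        raise ValueError(f"malformed e-mail identifier: {identifier!r}")
    if _is_fqdn(ident):
        return "ID_FQDN"
    raise ValueError(f"not an IP address, FQDN or user@fqdn: {identifier!r}")


def is_valid_ike_id(identifier: str) -> bool:
    """Boolean form of classify_ike_id, convenient for form validation."""
    try:
        classify_ike_id(identifier)
    except ValueError:
        return False
    return True


def check_peer_pair(local_id: str, peer_id: str) -> dict:
    """Classify both ends of a tunnel and flag identical identities, which
    would leave the two endpoints indistinguishable when the PSK is looked up."""
    return {
        "local": classify_ike_id(local_id),
        "peer": classify_ike_id(peer_id),
        "distinct": local_id.strip().lower() != peer_id.strip().lower(),
    }
```

check_peer_pair("fw-a.example.com", "fw-b.example.com") returns ID_FQDN for both ends with distinct set to True; passing the same name for both ends keeps the types but reports distinct as False.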

Click here to edit the PSK list

By clicking on this link, you will switch to the “Identification” tab in the IPSec VPN module.

You can add your Approved certificate authorities as well as your Mobile tunnels: pre-shared keys.

Advanced properties

Negotiation mode

In IPSec, 2 negotiation modes are possible: main mode and aggressive mode. They have particular influence over Phase 1 of the IKE protocol (authentication phase).

 

Main mode: In this mode, Phase 1 takes place in 6 exchanges. The identities are only sent in the last two messages, encrypted with keys derived from the Diffie-Hellman exchange, so with pre-shared key authentication the remote host can only be identified by its IP address.

In PKI mode, the identifier is the certificate. Main mode protects the identities of both peers.

Aggressive mode: In this mode, Phase 1 takes place in 3 exchanges between the Firewall and the remote host. The remote host can be identified by an IP address, FQDN or e-mail address but not by a certificate; authentication is carried out with pre-shared keys. The identities and the authentication hashes are sent in the clear, so aggressive mode does not protect the peers’ identities.

NOTE

Stormshield Network automatically configures main mode for the certificate, hybrid and XAuth authentication methods.

A mobile client that wishes to use a pre-shared key has to use aggressive mode.

WARNING

The use of the aggressive mode + pre-shared keys (especially for VPN tunnels to mobile workstations) is less safe than the other modes of the IPSec protocol: the authentication hash derived from the PSK is sent in the clear, so a captured exchange lets an attacker test candidate keys offline. Stormshield Network therefore recommends the use of main mode for mobile peers, either with authentication by certificate or by using hybrid mode.

In an authentication by certificate, the firewall’s internal PKI is fully capable of providing the certificates needed for such use.

NOTE

To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
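The two warnings on this page (for gateway peers above and for mobile peers here) say that aggressive mode with a pre-shared key is less safe and that the PSK must be as strong as a user password. The following script is an added example, not Stormshield code, showing why both statements hold. It implements the RFC 2409 pre-shared-key formulas, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC-SHA1. In aggressive mode HASH_R is sent unencrypted in the responder's message, so whoever captured the exchange (or simply sent the first message to the gateway) has every input except the PSK and can test candidates offline; in main mode the same hash only appears encrypted in the last two messages. All field values (cookies, nonces, DH values, SA body, the identity vpn.example.com and the weak PSK) are constructed for the example, not captured traffic.

```python
"""Why aggressive mode + pre-shared key is weaker: an offline dictionary check.

Added example, not Stormshield code. The formulas are those of RFC 2409 for
pre-shared-key authentication, with prf = HMAC-SHA1:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
In aggressive mode HASH_R is sent unencrypted in the responder's message, so
whoever captured (or simply triggered) the exchange has every input except
the PSK and can test candidates offline. In main mode the same hash is sent
encrypted in message 6, which is why the page recommends main mode.
Every field value below is constructed for the example, not captured traffic.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

ID_FQDN = 2                      # RFC 2407 identification type (ID_IPV4_ADDR is 1)


def id_body(id_type: int, data: bytes) -> bytes:
    """Identification payload body (type, protocol id, port, data) without the generic header."""
    return struct.pack("!BBH", id_type, 0, 0) + data


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: keyed by the PSK over both nonces."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, ex: dict) -> bytes:
    """HASH_R as the responder computes it, and as an attacker recomputes it per candidate."""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    msg = ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"] + ex["sai"] + ex["idir"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def make_exchange(psk: bytes, rng=os.urandom) -> dict:
    """Constructed aggressive-mode fields as seen on the wire; only HASH_R depends on the PSK."""
    ex = {
        "cky_i": rng(8), "cky_r": rng(8),          # ISAKMP cookies
        "ni": rng(20), "nr": rng(20),              # nonces
        "gxi": rng(128), "gxr": rng(128),          # DH public values (random placeholders)
        "sai": bytes.fromhex("00000001000000010000002c"),   # SA payload body placeholder
        "idir": id_body(ID_FQDN, b"vpn.example.com"),       # responder identity, in the clear
    }
    ex["hash_r"] = hash_r(psk, ex)
    return ex


def crack_psk(ex: dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: the candidate that reproduces the captured HASH_R."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex), ex["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    captured = make_exchange(b"Summer2019")                # a weak PSK, for the demonstration
    print(crack_psk(captured, [b"password", b"Summer2019", b"changeme"]))
```

The attack costs one HMAC-SHA1 pair per candidate and needs no further traffic, so only the length and randomness of the PSK stand between a captured aggressive-mode exchange and the key; that is the reason behind the password rules the NOTE above refers to.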

Backup mode

The backup mode is the switch mode for the IPSec failover – if a server becomes unreachable, another will take over transparently.

 

Nonetheless, the field is grayed out here as the backup configuration cannot be applied to a mobile configuration.

NOTE

This field can only be edited in expert mode (CLI). Please refer to the article in the technical support’s Knowledge Base for further information (How can I modify the backup mode for a specific IPSec peer?).

Local address

Object selected as the local IP address used for IPSec negotiations with this peer.

This field is set to “Any” by default.

Do not initiate the tunnel (Responder only)

This option is grayed out and validated, as a tunnel to a mobile client with an unknown IP address cannot be set up. In this configuration, the firewall is therefore in “responder only” mode.

 

DPD

This field allows configuring the DPD (Dead Peer Detection) VPN feature. This would allow checking whether a peer is still operational.

When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer, which must acknowledge them (R U there ACK) to confirm that it is still available.

 

These exchanges are secured via ISAKMP (Internet Security Association and Key Management Protocol) SAs.

If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed.

 

WARNING

This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured.

 

Four choices are available for configuring DPD:

 

Inactive: DPD requests from the peer are ignored.

 

Passive: DPD requests sent by the peer get a response from the firewall. However, the firewall does not send any.

 

Low: the frequency of DPD packets being sent is low and the number of failures tolerated is higher (delay 600, retry 10, maxfail 5).

 

High: the frequency of DPD packets being sent is high and the number of failures relatively low (delay 30, retry 5, maxfail 3).

 

The value delay defines the period after a response is received before the next request is sent.

The value retry defines the time to wait for a response before sending the request again.

The value maxfail is the number of requests sent without receiving responses before the peer is considered absent.
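The DPD fields (described identically for gateway peers earlier on this page and for mobile peers just above) and the two backup modes of the Backup mode field together determine the failover behaviour a practitioner actually observes. The simulation below is an added example, not Stormshield code: it takes the delay/retry/maxfail values quoted on this page for the Low and High profiles, derives the time after which a silent peer is declared absent (delay + maxfail × retry, i.e. 45 s for High and 650 s for Low), and replays a constructed reachability timeline to show when a tunnel switches to the backup peer and whether, in “temporary” versus “permanent” mode, it returns to the main peer. Two simplifications are this example's own assumptions: a reachable peer answers every probe, and the main peer is re-probed while the tunnel runs on the backup (the page does not say how the return is detected).

```python
"""Dead Peer Detection timing and backup-peer failover, simulated.

Added example, not Stormshield code. It models the semantics this page gives
for the DPD fields (delay, retry, maxfail) and for the "temporary" and
"permanent" backup modes. The profile values are the ones quoted on the page;
the simulation, its function names and the reachability timeline are this
example's own. Simplifications (assumptions): a reachable peer answers every
probe, and the main peer is re-probed while the tunnel runs on the backup.
"""
from typing import Callable, List, Tuple

DPD_PROFILES = {
    "Low":  {"delay": 600, "retry": 10, "maxfail": 5},
    "High": {"delay": 30,  "retry": 5,  "maxfail": 3},
}

Reach = Callable[[int], bool]          # reachability of a peer at time t (seconds)


def dpd_probe_schedule(profile: str, last_ack: int) -> List[int]:
    """Times at which 'R U there' requests go out after an ACK at last_ack,
    assuming none of them is answered: one after `delay`, then one every
    `retry` seconds, `maxfail` requests in total."""
    p = DPD_PROFILES[profile]
    return [last_ack + p["delay"] + i * p["retry"] for i in range(p["maxfail"])]


def dpd_detection_time(profile: str) -> int:
    """Seconds of silence after the last ACK before the peer is declared absent:
    the last request of the schedule plus its own `retry` timeout."""
    p = DPD_PROFILES[profile]
    return p["delay"] + p["maxfail"] * p["retry"]


def simulate_failover(mode: str, main_up: Reach, backup_up: Reach,
                      horizon: int, profile: str = "High") -> List[Tuple[int, str]]:
    """Replay reachability second by second; return (time, active peer) transitions."""
    if mode not in ("temporary", "permanent"):
        raise ValueError("backup mode must be 'temporary' or 'permanent'")
    detect = dpd_detection_time(profile)
    up = {"main": main_up, "backup": backup_up}
    active, last_ack = "main", 0
    transitions = [(0, active)]
    for now in range(1, horizon + 1):
        if up[active](now):
            last_ack = now                                   # probe answered ("R U there ACK")
        elif now - last_ack >= detect:                       # maxfail requests unanswered: SAs destroyed
            other = "backup" if active == "main" else "main"
            if up[other](now):
                active, last_ack = other, now
                transitions.append((now, active))
        # "temporary" mode: switch back as soon as the main peer answers again.
        # "permanent" mode: stay on the backup while it is operational.
        if mode == "temporary" and active == "backup" and main_up(now):
            active, last_ack = "main", now
            transitions.append((now, active))
    return transitions


if __name__ == "__main__":
    main_reachable = lambda t: not (100 <= t < 300)          # constructed: main gateway down from t=100 to t=300
    backup_reachable = lambda t: True
    for mode in ("temporary", "permanent"):
        print(mode, simulate_failover(mode, main_reachable, backup_reachable, 400))
```

With the constructed timeline (main gateway down between t=100 and t=300, backup always up) and the High profile, the last answered probe is at t=99 and the switch to the backup happens at t=144; “temporary” mode returns to the main peer at t=300, “permanent” mode stays on the backup. With the Low profile the same outage would take 650 seconds to detect, which is the trade-off between the two profiles.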