Gateway peer information

Select a peer from the list to display information about it.

Comments Description given of the local peer.
Remote address Object selected to represent the remote IP address during the creation of the peer via the wizard.
Backup configuration This field indicates whether you have defined a backup configuration during the creation of the peer. “None” will appear by default if you have not created any.
However, you can define one by selecting it in the drop-down list containing your other remote peer.

IMPORTANT
The use of backup peers (referred to as the “Backup configuration”) is obsolete and will be phased out in a future version of SNS. A warning message now appears from SNS version 3.11.x onwards to encourage administrators to modify their configurations.
IKE profile This option offers three preconfigured profiles as the protection model associated with Phase 1 of your VPN policy: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.
IKE version This option allows selecting the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses.

Identification

Authentication method This field will show the authentication method selected during the creation of your peer via the wizard.
You may modify your choice by selecting another method from the drop-down list.

NOTE
For a “gateway” peer, you have the choice of Certificate or Pre-shared key (PSK).
Certificate

If you have chosen the certificate authentication method, this field will display your certificate. You can select a certificate with a TPM-protected private key, unless IKEv1 is used (tunnels can no longer be set up in IKEv1 if the private key in the certificate used is protected by the TPM). For more information on the TPM, see the section Trusted Platform Module.

If you had opted for the pre-shared key method, this field will be grayed out.
Local ID (Optional)

This field represents an IPsec VPN tunnel endpoint, and shares the “secret” or the PSK with the “Peer ID”, the other endpoint. You are represented by the “Local ID”.

This identifier must be in the form of an IP address, a domain name (FQDN: Full Qualified Domain Name) or an e-mail address (user@fqdn).
Peer ID (Optional) This field represents an IPsec VPN tunnel endpoint, and shares the “secret” or the PSK with the “Local ID”, the other endpoint. The “Peer ID” represents your peer.
The format is the same as the previous field.
Pre-shared key (ASCII) In this field your PSK appears in the format you had selected earlier when you created the peer via the wizard: ASCII or hexadecimal characters (the format can be selected in the checkboxes below the field if you wish to change formats).
Confirm Confirmation of your pre-shared key (PSK).

Advanced properties

Negotiation mode In IPsec, two negotiation modes are possible: main mode and aggressive mode. They have particular influence over Phase 1 of the IKE protocol (authentication phase).
This mode is automatically determined according to the configuration parameters; aggressive mode is used only in the case of an anonymous configuration by pre-shared keys. This mode can nonetheless be modified by CLI.
  • Main mode: In this mode, Phase 1 takes place in 6 exchanges. The remote host can only be identified by its IP address with pre-shared key authentication.
    In PKI mode, the identifier is the certificate. Main mode guarantees anonymity.
  • Aggressive mode: In this mode, Phase 1 takes place in 3 exchanges between the Firewall and the remote host. Peer identities can either be an IP address, an FQDN or an e-mail address but not a certificate. Peers authenticate with pre-shared keys. Aggressive mode does not guarantee anonymity.

IMPORTANT
The use of the aggressive mode + pre-shared keys (especially for VPN tunnels to mobile workstations) may be less safe than other modes in the IPsec protocol. Stormshield recommends using the main mode and especially main mode + certificates for tunnels to mobile workstations. The Firewall’s internal PKI is capable of providing the certificates needed for such use.

NOTE
To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
Backup mode The backup mode is the switch mode for the IPsec failover –
if a server becomes unreachable, another will take over transparently.
When the tunnel switches to the backup peer, two choices are possible:
  • temporary” mode: once the main peer becomes contactable again, the tunnel will switch back to it.
  • permanent” mode: the tunnel stays on the backup peer as long as it is operational, even if the main peer is contactable again.

NOTE
This field can only be edited in expert mode (CLI). Refer to the article in the technical support’s Knowledge Base for further information (How can I modify the backup mode for a specific IPsec peer?).
Local address Object selected as the local IP address used for IPsec negotiations with this peer.
This field is set to “Any” by default, corresponding to the automatic choice of interface, based on the outing table.
Do not initiate the tunnel (Responder only) If this option is selected, the IPsec server will be put on standby.
It won't initiate tunnel negotiation. This option is used in the case where the peer is a mobile host.
DPD This field makes it possible to configure the DPD (Dead Peer Detection) feature on VPNs, which checks whether a peer is still operational.
When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer , which will need to acknowledge the requests in order to confirm its availability (R U there ACK).

 

These exchanges are secured via ISAKMP (Internet Security Association and Key Management Protocol) SAs (Security Associations). When it is detected that a peer is no longer responding, the negotiated SAs will be destroyed.

IMPORTANT
This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured.


Four choices are available for configuring DPD:
  • Inactive: DPD requests from the peer are ignored.
  • Passive: DPD requests sent by the peer get a response from the firewall. However, the firewall does not send any.
  • Low: the frequency of DPD packets being sent is low and the number of failures tolerated is higher (delay 600, retry 10, maxfail 5).
  • High: the frequency of DPD packets being sent is high and the number of failures relatively low (delay 30, retry 5, maxfail 3).

The value delay defines the period after a response is received before the next request is sent.
The value retry defines the time to wait for a response before sending the request again.
The value maxfail is the number of requests sent without receiving responses before the peer is considered absent.
DSCP In this field, you can specify the value of the DSCP field assigned to IKE network packets sent to this peer.
Select one of the proposed values or specify a customized DSCP field (integer between 0 and 63 inclusive).

NOTE
For every field that contains “Gateway” and the icon , you can add an object to the existing database by specifying its name, DNS resolution, IP address and then clicking on Apply.

When the negotiation mode (main or aggressive) has been imposed, it will be preserved when the configuration of an IPsec peer is modified.