Mobile peer information

Beginning in SNS v3.10.0, several mobile policies can be supported within the same anonymous encryption policy, with peers distinguished by their IDs.

Select a peer from the list to display information about it.

Comments Description given of the remote peer.
Remote gateway This field is grayed out for mobile peers.
Backup configuration This field is grayed out for mobile peers.
IKE profile This option selects the protection model associated with your VPN policy from three preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the Encryption profiles tab.
IKE version This option selects the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses.

Identification

Authentication method This field will show the authentication method selected during the creation of your peer via the wizard.
You may modify your choice by selecting another method from the drop-down list.

NOTE
For “mobile” peers, you can choose between Certificate, Pre-shared key (PSK), Hybrid, and Certificate and XAuth (iPhone).

Certificate

If you have chosen the Certificate, Hybrid or Certificate and XAuth authentication method, this field will display your certificate or will suggest that you select it from the drop-down list.

You can select a certificate with a TPM-protected private key unless IKEv1 is used (IKEv1 tunnels can no longer be set up when the private key of the certificate is protected by the TPM). For more information on the TPM, see the section Trusted Platform Module.

If you chose the pre-shared key method, this field is grayed out.

Local ID (Optional) This field identifies your end of the IPsec VPN tunnel; the “secret” (PSK) is shared between this identifier and the “Peer ID”, which identifies the other endpoint. The identifier must be an IP address, a domain name (FQDN: Fully Qualified Domain Name) or an e-mail address (user@fqdn).

NOTE
This field can only be accessed if you have selected the Pre-shared key authentication method.

Peer ID (Optional) This field identifies the remote end of the IPsec VPN tunnel, i.e. your peer, and shares the “secret” (PSK) with the “Local ID”.
The format is the same as for the previous field.

Note that if you specify a Peer ID, you must also enter the PSK associated with this peer for the configuration to be valid.
Pre-shared key (hexadecimal)

Enter your pre-shared key (PSK) in hexadecimal, or in ASCII if you select Enter the key in ASCII characters. This field appears only when pre-shared keys are chosen as the authentication method.

Confirm

Confirm your pre-shared key (PSK).

Click here to edit the PSK list

By clicking on this link, you will switch to the Identification tab in the IPsec VPN module.

There you can add your Approved certification authorities as well as your Mobile tunnels: pre-shared keys.
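The checks below put the Identification rules stated above into code: a Local ID or Peer ID must be an IP address, an FQDN or user@fqdn, a Peer ID is only valid with a PSK attached to it, and a PSK can be given as hexadecimal digits or as ASCII characters. This is an added example, not Stormshield code; the FQDN grammar (RFC 1123 hostname labels), the treatment of the PSK as an octet string and the 16-byte minimum length are assumptions of the example, not rules from the manual.

```python
"""Checks for the Identification fields described above: Local ID / Peer ID
formats and the pre-shared key in hexadecimal or ASCII form.

Added example, not Stormshield code. Accepted ID formats (IP address, FQDN,
user@fqdn) and the rule that a Peer ID needs its own PSK come from the text.
Assumptions of this example: FQDN labels follow the RFC 1123 hostname grammar,
the PSK is an octet string (typed as hex digits or as ASCII characters), and
the minimum PSK length of 16 bytes is an arbitrary local policy.
"""
import ipaddress
import re
import secrets
from typing import Optional

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"        # one hostname label
_TLD = r"[A-Za-z0-9-]*[A-Za-z][A-Za-z0-9-]*"        # last label must contain a letter
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_TLD}\.?$")
_EMAIL_RE = re.compile(rf"^[^@\s]+@(?:{_LABEL}\.)*{_TLD}$")


def classify_id(value: str) -> str:
    """Return 'ip', 'fqdn' or 'email' for a Local ID / Peer ID; raise ValueError otherwise."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _EMAIL_RE.match(value):
        return "email"
    if _FQDN_RE.match(value):
        return "fqdn"
    raise ValueError(f"ID {value!r} is not an IP address, an FQDN or user@fqdn")


def psk_ascii_to_hex(ascii_key: str) -> str:
    """Hexadecimal form of a key typed in ASCII (same key bytes, other notation)."""
    if not ascii_key.isascii():
        raise ValueError("ASCII key contains non-ASCII characters")
    return ascii_key.encode("ascii").hex()


def validate_hex_psk(hex_key: str, min_bytes: int = 16) -> bytes:
    """Check a PSK given in hexadecimal: hex digits only, even length, long enough."""
    if len(hex_key) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hex_key):
        raise ValueError("PSK must be an even number of hexadecimal digits")
    key = bytes.fromhex(hex_key)
    if len(key) < min_bytes:
        raise ValueError(f"PSK too short: {len(key)} bytes, policy requires {min_bytes}")
    return key


def generate_hex_psk(n_bytes: int = 32) -> str:
    """Fresh random PSK in hexadecimal from the OS CSPRNG."""
    return secrets.token_hex(n_bytes)


def mobile_psk_entry(peer_id: str, hex_key: Optional[str]) -> dict:
    """One 'Mobile tunnels: pre-shared keys' entry: a Peer ID with its own PSK.

    As the text states, a configured Peer ID is only valid with a PSK attached.
    """
    id_type = classify_id(peer_id)
    if not hex_key:
        raise ValueError(f"Peer ID {peer_id!r} configured without an associated PSK")
    key = validate_hex_psk(hex_key)
    return {"peer_id": peer_id, "id_type": id_type, "psk_bytes": len(key)}


if __name__ == "__main__":
    # Constructed peer IDs, one per accepted format
    for pid in ("203.0.113.7", "laptop01.example.com", "alice@example.com"):
        print(pid, "->", classify_id(pid))
    print(mobile_psk_entry("alice@example.com", generate_hex_psk()))
    print("ASCII 'secret' in hex:", psk_ascii_to_hex("secret"))
```

A random hexadecimal key from `generate_hex_psk` sidesteps the password-strength rules that apply to ASCII keys (see the notes under Negotiation mode); the ASCII form is only worth using when the key must be typed by hand on the mobile client.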

Advanced properties

Negotiation mode In IKEv1, Phase 1 of the IKE protocol (the authentication phase) can be negotiated in one of two modes: main mode or aggressive mode.
  • Main mode: Phase 1 takes place in 6 messages. With pre-shared key authentication, the remote host can only be identified by its IP address, because the identities are exchanged encrypted, after the key has already had to be selected.
    In PKI mode, the identifier is the certificate. Main mode protects the identities of the peers (anonymity).
  • Aggressive mode: Phase 1 takes place in 3 messages between the firewall and the remote host. The remote host can be identified by an IP address, an FQDN or an e-mail address, but not by a certificate (on SNS, certificate-based methods are negotiated in main mode; see the notes below). The identities are exchanged in clear text, so aggressive mode does not guarantee anonymity.
NOTES
  • Stormshield Network automatically configures the use of certificate, hybrid or XAuth authentication methods in main mode. If the client wishes to use the PSK, aggressive mode must be used.
  • To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

IMPORTANT
Aggressive mode with pre-shared keys (especially for VPN tunnels to mobile workstations) is less safe than the other modes of the IPsec protocol: the identities and the PSK-based authentication hash travel unencrypted, which exposes the PSK to offline dictionary attacks. Stormshield Network therefore recommends main mode for mobile peers, either with authentication by certificate or with hybrid mode.
In an authentication by certificate, the firewall’s internal PKI is fully capable of providing the certificates needed for such use.

Backup mode The backup mode defines how IPsec failover switches to a backup gateway: if a gateway becomes unreachable, another takes over transparently.
The field is nonetheless grayed out here, as a backup configuration cannot be applied to a mobile peer.

NOTE
This field can only be edited in expert mode (CLI). Refer to the article in the technical support’s Knowledge Base for further information (How can I modify the backup mode for a specific IPsec peer?).

Local address Object selected as the local IP address used for IPsec negotiations with this peer. This field is set to “Any” by default.
Do not initiate the tunnel (Responder only) This option is grayed out and checked: since the IP address of a mobile client is unknown, the firewall cannot initiate a tunnel to it and is therefore in “responder only” mode.
DPD This field configures the DPD (Dead Peer Detection) feature, which checks whether a peer is still operational.
When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer, which must acknowledge them (R U there ACK) to confirm that it is still up.

These exchanges are protected by the ISAKMP (Internet Security Association and Key Management Protocol) SAs (Security Associations).
If a peer is detected as no longer responding, the negotiated SAs are destroyed.

IMPORTANT
This feature stabilizes the VPN service on Stormshield Network Firewalls, provided that DPD has been correctly configured.


Four choices are available for configuring DPD:
  • Inactive: the firewall sends no DPD requests and ignores those sent by the peer.
  • Passive: the firewall answers DPD requests sent by the peer but does not send any itself.
  • Low: DPD requests are sent infrequently and more failures are tolerated (delay 600, retry 10, maxfail 5).
  • High: DPD requests are sent frequently and fewer failures are tolerated (delay 30, retry 5, maxfail 3).

The delay value is the time (in seconds) after a response is received before the next request is sent.
The retry value is the time (in seconds) to wait for a response before sending the request again.
The maxfail value is the number of requests sent without receiving a response before the peer is considered absent.
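To make the delay / retry / maxfail semantics concrete, the following simulation runs the DPD schedule described above for the Low and High settings against a peer whose reachability is a constructed function of time, and reports how long an outage goes unnoticed. This is an added example, not Stormshield code; it assumes the three values are seconds and that a request counts as failed exactly `retry` seconds after it was sent.

```python
"""Model of the IKE Dead Peer Detection (DPD) schedule described in the text.

Added example, not Stormshield code: it reproduces the delay / retry /
maxfail semantics given above for one side (the firewall) probing a peer
whose reachability is a constructed function of time. All times are taken
to be seconds.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class DpdProfile:
    name: str
    delay: int    # seconds after an ACK before the next "R U there"
    retry: int    # seconds to wait for an ACK before re-sending
    maxfail: int  # unanswered requests tolerated before the peer is declared dead


# The two active settings from the text. Inactive and Passive never send requests.
LOW = DpdProfile("Low", delay=600, retry=10, maxfail=5)
HIGH = DpdProfile("High", delay=30, retry=5, maxfail=3)


def worst_case_detection(profile: DpdProfile) -> int:
    """Seconds from the last ACK to "peer dead" if the peer vanishes right after it."""
    return profile.delay + profile.retry * profile.maxfail


def simulate(profile: DpdProfile, peer_answers: Callable[[int], bool],
             horizon: int, sa_up: int = 0) -> Tuple[Optional[int], List[Tuple[int, str]]]:
    """Run the DPD schedule from time `sa_up` until `horizon` seconds.

    peer_answers(t) says whether a request sent at time t gets an ACK within
    `retry` seconds (constructed reachability; a real peer answers over the
    ISAKMP SA). Returns (time the peer was declared dead or None, event log).
    """
    events: List[Tuple[int, str]] = []
    failures = 0
    t = sa_up + profile.delay          # first probe `delay` s after the SA came up
    while t <= horizon:
        events.append((t, "R U there"))
        if peer_answers(t):
            events.append((t, "R U there ACK"))
            failures = 0               # any answer clears the failure count
            t += profile.delay         # answered: quiet period before the next probe
            continue
        t += profile.retry             # no ACK within `retry`: count a failure
        failures += 1
        events.append((t, f"no ACK ({failures}/{profile.maxfail})"))
        if failures >= profile.maxfail:
            events.append((t, "peer considered dead: negotiated SAs destroyed"))
            return t, events
    return None, events


if __name__ == "__main__":
    # Constructed scenario: the peer stops answering at t = 100 s.
    outage = lambda t: t < 100
    for p in (HIGH, LOW):
        dead_at, log = simulate(p, outage, horizon=2000)
        print(f"{p.name}: worst case {worst_case_detection(p)} s after the last ACK, "
              f"outage at 100 s detected at {dead_at} s")
        for ev in log:
            print("   ", *ev)
```

With High, a peer that disappears right after an ACK is declared dead 45 s later (30 + 3 x 5); with Low it takes 650 s (600 + 5 x 10), during which traffic to the stale SA is silently lost. A single lost request never tears a tunnel down, since one ACK resets the failure count.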

DSCP In this field, you can specify the value of the DSCP field assigned to the IKE packets sent to this peer.
Select one of the proposed values or enter a custom DSCP value (an integer between 0 and 63 inclusive).