Key exchange and authentication

IKE protocol

The level of protection provided by an IPsec VPN tunnel depends on the robustness of the cryptographic suite implemented and the reliability of the key exchange mechanism. Keys can be exchanged via the IKEv2 protocol on SNS firewalls in version 2.0.0 and higher. The use of recent protocols complies with the Security recommendations relating to IPsec (in French).

R39 | SNS-SMC | Use version 2 of the IKE protocol
If all the IPsec VPN tunnel peers are compatible, IKE in version 2 is recommended.

Authentication

To prevent the peer’s identity from being spoofed, regardless of the type of tunnel configured (site to site or client to site), the remote peer must authenticate when the tunnel is created. In this step, which goes through IKE, the peer can authenticate using a pre-shared key or certificate. When pre-shared keys are used, peers cannot be differentiated and adapted privileges cannot be applied individually to them. Moreover, if a key must be renewed (e.g., when remote appliances have been compromised, or a user loses privileges), the key must be renewed on all configured SNS firewalls. Only when a PKI is used can each peer be identified, and privileges and revocations can be more easily managed.

R40 | SNS-SMC | Use mutual certificate-based authentication
The mutual authentication of IPsec VPN tunnel peers via certificate is recommended, by entering the accepted certification authorities in Configuration > VPN > IPsec VPN > Identification on SNS firewalls and in the Configuration > VPN topologies menu on the SMC server.

R40 ⁃ | SNS-SMC | Use a robust pre-shared key
If pre-shared key authentication is selected for an IPsec VPN, it should be chosen in compliance with the recommendations in Appendix B3 of the RGS (in French) and the Recommendations relating to multifactor authentication and passwords (in French).