Key exchange and authentication
IKE protocol
The level of protection provided by an IPsec VPN tunnel depends on the robustness of the cryptographic suite implemented and the reliability of the key exchange mechanism. Keys can be exchanged via the IKEv2 protocol on SNS firewalls in version 2.0.0 and higher. The use of recent protocols complies with the Security recommendations relating to IPsec (in French).
R39 | SNS-SMC | Use version 2 of the IKE protocol
If all the IPsec VPN tunnel peers are compatible, IKE in version 2 is recommended.
Authentication
To prevent the peer’s identity from being spoofed, regardless of the type of tunnel configured (site to site or client to site), the remote peer must authenticate when the tunnel is created. In this step, which goes through IKE, the peer can authenticate using a pre-shared key or certificate. When pre-shared keys are used, peers cannot be differentiated and adapted privileges cannot be applied individually to them. Moreover, if a key must be renewed (e.g., when remote appliances have been compromised, or a user loses privileges), the key must be renewed on all configured SNS firewalls. Only when a PKI is used can each peer be identified, and privileges and revocations can be more easily managed.
R40 | SNS-SMC | Use mutual certificate-based authentication
The mutual authentication of IPsec VPN tunnel peers via certificate is recommended, by entering the accepted certification authorities in Configuration > VPN > IPsec VPN > Identification on SNS firewalls and in the Configuration > VPN topologies menu on the SMC server.
R40 ⁃ | SNS-SMC | Use a robust pre-shared key
If pre-shared key authentication is selected for an IPsec VPN, it should be chosen in compliance with the recommendations in Appendix B3 of the RGS (in French) and the Recommendations relating to multifactor authentication and passwords (in French).
If pre-shared key authentication is selected, the following requirements must be met:
The entropy of the secret must be at least 128 bits (22 random characters including uppercase and lowercase characters and numbers). Refer to Appendix B1 of the RGS for further detail,
The secret must comply with the rules regarding passwords set out Relating to multifactor authentication and passwords (in French),
A different secret must be used for each site-to-site VPN tunnel,
The secret must renewed regularly, and its cryptoperiod (maximum amount of time for which the breach of traffic integrity and confidentiality is accepted if the secret is compromised) must be set according to the organization’s security policy.