Enabling DR mode on an SNS firewall that does not have an existing IPsec configuration

To enable DR mode on a firewall that runs an SNS version compliant with the ANSSI's IPsec DR recommendations, and that is in factory configuration or does not have an existing IPsec policy:

  1. First, read the section Assessing the impact of enabling DR mode.

  2. Ensure the compliance of the SNS firewall's configuration with DR mode.
  3. If you are using Stormshield IPsec VPN clients, ensure that you use SN VPN Client Exclusive in version 7.4.018 or higher, then check their configuration. For more information, refer to the section Ensuring the compliance of a mobile IPsec client's configuration with DR mode.

  4. In Configuration > General configuration tab > Cryptographic settings section, select Enable "Diffusion Restreinte (DR)" 2021 version compliance mode to enable DR mode.
  5. Restart the SNS firewall to apply the choice of enabling DR mode.

If the newly configured IPsec policy on the firewall uses parameters that are not compatible with DR mode, enabling DR mode will disable this IPsec policy and show the warning message: “'Diffusion Restreinte' mode disabled the non-compliant VPN configuration”.