Ensuring the compliance of an IPsec policy with DR mode

Checking/changing the IKE version used by peers

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Select a peer (remote gateway or mobile peer) used in the IPsec policy that must be made DR mode-compatible.
  3. In the General section, ensure that the IKE version field is set to IKEv2.
    If this is not the case, change the peer's IPsec configuration so that IKEv2 is selected for this field.

Repeat this procedure for each peer concerned (gateways and mobile peers).

Checking/changing the authentication method used by peers

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Select a peer (remote gateway or mobile peer) used in the IPsec policy that must be made DR mode-compatible.
  3. In the Identification section, ensure that the Authentication method field is set to Certificate.
    If this is not the case, change the peer's IPsec configuration so that Certificate is selected for this field.
  4. In the Identification section, ensure that the Peer ID is entered.
    This field must use one of the following formats:
    • Distinguished Name (DN). This is the subject of the peer certificate (e.g., C=FR,ST=Nord,L=Lille,O=Stormshield,OU=Doc,CN=DR-Firewall),
    • Subject Alternative Name (SAN). This is one of the aliases that may be defined when the peer certificate is created (e.g., DR-Firewall.stormshield.eu).

    NOTE
    The length of a certificate's subject may cause compatibility issues with third-party devices (encryption mechanisms, VPN gateways, etc. that are not SNS firewalls). In this case, you are strongly advised to define a SAN when creating the peer certificate, and to use this SAN as the Peer ID.

Repeat this procedure for each peer concerned (gateways and mobile peers).

Adding the CA that signs certificates to the list of trusted certification authorities

On every peer concerned (gateways only):

  1. Go to Configuration > VPN > IPsec VPN > Identification tab.
  2. In the Approved certification authorities grid, ensure that the certification authority that will be used to sign DR mode certificates is present (CA-DR in this example).
  3. If this is not the case, click on Add and select the certification authority in question.

Checking/changing the authentication and encryption algorithms

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Select a peer (remote gateway or mobile peer) used in the IPsec policy that must be made DR mode-compatible.
  3. In the General section, ensure that the IKE profile field is set to a DR mode-compatible profile (the DR profile provided by default, or a custom profile - CUSTOM-DR-COMPLIANT in this example).
    If this is not the case, change the peer's IPsec configuration and select a DR mode-compatible profile (the DR profile provided by default, or a custom profile - CUSTOM-DR-COMPLIANT in this example) for this field.

Repeat this procedure for each peer concerned (gateways and mobile peers).

Setting DR encryption profiles as default profiles

This procedure makes it possible to set DR profiles as the profiles suggested by default for all future peers that must be created on the firewall.

On all peers concerned (gateways only):

  1. Go to Configuration > VPN > IPsec VPN > Encryption profiles tab.
  2. In the menu on the left, under the IKE section, select the DR profile.
    The characteristics of the profile will be shown:
    • Two Diffie-Hellman profiles are offered: DH28 Brainpool Elliptic Curve Group (256-bits), selected by default, and DH19 NIST Elliptic Curve Group (256-bits).
    • The AES_GCM_16 algorithm is selected as the default proposal, and AES_CTR as the second proposal.

    The Encryption strength of the chosen algorithm must not be modified.

  3. Click on the Actions menu.
  4. Select Define the default profile.
    The IKE DR profile is now used by default for new IPsec tunnels added to the firewall's configuration.
  5. In the menu on the left, under the IPsec section, select the DR profile.
    The characteristics of the profile will be shown:
    • The HMAC_SHA256 algorithm is selected as the authentication proposal.
    • The AES_GCM_16 algorithm is selected as the default encryption proposal, and AES_CTR as the second proposal.

    The Encryption strength of the chosen algorithm must not be modified.

  6. Click on the Actions menu.
  7. Select Define the default profile.
    The IPsec DR profile is now used by default for IPsec tunnels defined in the firewall's configuration.
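The peer checks (IKE version, authentication method, Peer ID format, trusted signing CA, DR-compatible IKE profile) and the DR profile characteristics (DH28/DH19, AES_GCM_16 then AES_CTR, HMAC_SHA256) listed in the procedures above can be turned into an audit that flags every non-compliant peer at once. The script below is an added example, not Stormshield's code or configuration format: the Peer/profile data model, the field names, the LEGACY-EXAMPLE profile, the "Pre-shared key" value and the sample peers are all constructed for the illustration, and the DN/SAN syntax checks are deliberately simplified.

```python
"""Audit IPsec peers and encryption profiles against the DR-mode checks
described in the procedure (constructed example; the data model and
sample values are not Stormshield's configuration format)."""
from dataclasses import dataclass
import re

# Acceptance criteria taken from the procedure's own statements.
REQUIRED_IKE_VERSION = "IKEv2"
REQUIRED_AUTH_METHOD = "Certificate"
DR_DH_GROUPS = {"DH28", "DH19"}                   # Brainpool / NIST 256-bit curves
DR_ENCRYPTION_ORDER = ("AES_GCM_16", "AES_CTR")   # default proposal, then second
DR_ESP_AUTH = "HMAC_SHA256"

# Simplified syntax checks for the two accepted Peer ID formats:
# a comma-separated Distinguished Name, or a DNS-name style SAN.
DN_RE = re.compile(r"^[A-Z]+=[^,]+(?:,[A-Z]+=[^,]+)*$")
SAN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


@dataclass
class IkeProfile:
    name: str
    dh_groups: tuple   # DH groups offered, e.g. ("DH28", "DH19")
    encryption: tuple  # ordered encryption proposals


@dataclass
class IpsecProfile:
    name: str
    authentication: str
    encryption: tuple


@dataclass
class Peer:
    name: str
    kind: str            # "gateway" or "mobile"
    ike_version: str
    auth_method: str
    peer_id: str
    ike_profile: IkeProfile
    ipsec_profile: IpsecProfile
    signing_ca: str      # CA that signed the peer certificate


def peer_id_format(peer_id):
    """Return 'DN', 'SAN' or None (missing or unrecognised Peer ID)."""
    if DN_RE.match(peer_id):
        return "DN"
    if SAN_RE.match(peer_id):
        return "SAN"
    return None


def check_ike_profile(p):
    """Findings for an IKE profile that deviates from the DR profile characteristics."""
    findings = []
    if not p.dh_groups or not set(p.dh_groups) <= DR_DH_GROUPS:
        findings.append(f"IKE profile {p.name}: DH groups {p.dh_groups} are not DR groups")
    if tuple(p.encryption) != DR_ENCRYPTION_ORDER:
        findings.append(f"IKE profile {p.name}: proposals {p.encryption} != {DR_ENCRYPTION_ORDER}")
    return findings


def check_ipsec_profile(p):
    """Findings for an IPsec profile that deviates from the DR profile characteristics."""
    findings = []
    if p.authentication != DR_ESP_AUTH:
        findings.append(f"IPsec profile {p.name}: authentication {p.authentication} != {DR_ESP_AUTH}")
    if tuple(p.encryption) != DR_ENCRYPTION_ORDER:
        findings.append(f"IPsec profile {p.name}: proposals {p.encryption} != {DR_ENCRYPTION_ORDER}")
    return findings


def audit_peer(peer, trusted_cas):
    """Return the DR non-compliance findings for one peer (empty list = compliant)."""
    findings = []
    if peer.ike_version != REQUIRED_IKE_VERSION:
        findings.append(f"{peer.name}: IKE version {peer.ike_version}, must be {REQUIRED_IKE_VERSION}")
    if peer.auth_method != REQUIRED_AUTH_METHOD:
        findings.append(f"{peer.name}: authentication {peer.auth_method}, must be {REQUIRED_AUTH_METHOD}")
    if peer_id_format(peer.peer_id) is None:
        findings.append(f"{peer.name}: Peer ID missing or not in DN/SAN format")
    # The trusted-CA check applies to gateways only, as in the procedure.
    if peer.kind == "gateway" and peer.signing_ca not in trusted_cas:
        findings.append(f"{peer.name}: signing CA {peer.signing_ca} is not an approved CA")
    findings += check_ike_profile(peer.ike_profile)
    findings += check_ipsec_profile(peer.ipsec_profile)
    return findings


def audit_all(peers, trusted_cas):
    return {p.name: audit_peer(p, trusted_cas) for p in peers}


# Constructed sample data: the default DR profiles as described in the procedure,
# a hypothetical non-DR profile, and one compliant plus one non-compliant peer.
DR_IKE = IkeProfile("DR", ("DH28", "DH19"), ("AES_GCM_16", "AES_CTR"))
DR_IPSEC = IpsecProfile("DR", "HMAC_SHA256", ("AES_GCM_16", "AES_CTR"))
LEGACY_IKE = IkeProfile("LEGACY-EXAMPLE", ("DH14",), ("AES_CBC",))
LEGACY_IPSEC = IpsecProfile("LEGACY-EXAMPLE", "HMAC_SHA1", ("AES_CBC",))
TRUSTED_CAS = {"CA-DR"}
SAMPLE_PEERS = [
    Peer("DR-Firewall", "gateway", "IKEv2", "Certificate",
         "C=FR,ST=Nord,L=Lille,O=Stormshield,OU=Doc,CN=DR-Firewall", DR_IKE, DR_IPSEC, "CA-DR"),
    Peer("Mobile-Users", "mobile", "IKEv1", "Pre-shared key", "", LEGACY_IKE, LEGACY_IPSEC, "CA-DR"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PEERS, TRUSTED_CAS).items():
        print(name, "compliant" if not findings else "NOT compliant")
        for f in findings:
            print("  -", f)
```

Running the script lists DR-Firewall as compliant and Mobile-Users with one finding per failed check. Because a custom profile only passes when its DH groups are drawn from DH28/DH19 and its proposals match the DR order, the audit also catches a profile whose Encryption strength was modified, which the procedure says must not happen.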