IPsec policy
Verifying the IKE version used by peers
In Configuration > VPN > IPsec VPN > Peers tab, for each peer listed on the left (Remote gateways and Mobile peers):
- Select each peer used in the active IPsec policy.
- In the General section, ensure that the IKE version field is set to IKEv2.
If it is not, the peer’s IPsec configuration must be changed by selecting IKEv2 for this field.
Verifying the authentication method used by peers
In Configuration > VPN > IPsec VPN > Peers tab, for each peer listed on the left (Remote gateways and Mobile peers):
- Select each peer used in the active IPsec policy.
- In the Identification section, ensure that the Authentication method field is set to Certificate.
If it is not, the peer’s IPsec configuration must be changed by selecting Certificate for this field.
- In the Identification section, ensure that the Peer ID is entered.
This field identifies your peer: the ID entered must be in the form of an IP address, a domain name (FQDN or Fully Qualified Domain Name), an e-mail address (user@fqdn) or the subject of the peer’s certificate, if it is known (C=country, ST=state, O=organization, OU=organizational unit, CN=common name [the CN can be an e-mail address]).
Selecting authentication and encryption algorithms
DR mode requires key exchanges to use Diffie-Hellman groups 19 and 28 (elliptic curve groups). Two preconfigured encryption profiles, one for IKE and one for IPsec, can be selected for easier configuration.
In Configuration > VPN > IPsec VPN > Encryption profiles tab:
- In the menu on the left, under IKE, select the DR profile.
The properties of the profile appear.
Two Diffie-Hellman profiles are offered: DH28 Brainpool Elliptic Curve Group (256 bits), selected by default, and DH19 NIST Elliptic Curve Group (256 bits).
AES_GCM_16 is selected as the default proposal, and AES_CTR as the second. The Encryption strength of each algorithm can be increased.
- Click on the Actions menu.
- Select Define the default profile.
The IKE DR profile is now used by default for all new IPsec tunnels added in the firewall’s configuration.
- In the menu on the left, under IPsec, select the DR profile.
The properties of the profile appear.
HMAC_SHA256 is selected as the authentication proposal.
AES_GCM_16 is selected as the default encryption proposal, and AES_CTR as the second. The Encryption strength of each algorithm can be increased.
- Click on the Actions menu.
- Select Define the default profile.
The IPsec DR profile is now used by default for all IPsec tunnels created in the firewall’s configuration.
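As an added example (not part of the original documentation and not a Stormshield tool), the following Python script audits a simplified representation of peers and encryption profiles against the DR-mode settings the procedure above asks you to verify: IKEv2, certificate authentication, a Peer ID in one of the accepted forms, Diffie-Hellman groups 19 or 28, AES_GCM_16 or AES_CTR as encryption proposals, and HMAC_SHA256 as the IPsec authentication proposal. The record layout, field names and sample values are constructed assumptions for illustration and do not reflect the firewall's configuration export or CLI format; the Peer ID classifier covers all four forms the procedure lists, not only the one used in the sample.

```python
"""Audit IPsec peers and encryption profiles against the DR-mode settings
described in the procedure above. The record layout (field names, sample
values) is CONSTRUCTED for this example; it is not the firewall's own format."""
import ipaddress
import re
from typing import Optional

# Requirements taken from the procedure
REQUIRED_IKE_VERSION = "IKEv2"
REQUIRED_AUTH_METHOD = "Certificate"
ALLOWED_DH_GROUPS = {19, 28}          # DH19 NIST P-256, DH28 Brainpool P-256
ALLOWED_ENCRYPTION = {"AES_GCM_16", "AES_CTR"}
REQUIRED_IPSEC_AUTH = "HMAC_SHA256"

# Accepted Peer ID forms: IP address, FQDN, e-mail (user@fqdn) or certificate subject.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Only the subject attribute types named in the procedure are accepted; escaped
# commas inside attribute values are not handled (assumption to keep this short).
DN_ATTR_RE = re.compile(r"^(C|ST|O|OU|CN)=[^,=]+$", re.I)


def classify_peer_id(peer_id: str) -> Optional[str]:
    """Return 'ip', 'fqdn', 'email' or 'dn' for an acceptable Peer ID, else None."""
    value = (peer_id or "").strip()
    if not value:
        return None
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "=" in value:                  # certificate subject, e.g. C=FR, O=Example, CN=gw
        parts = [p.strip() for p in value.split(",")]
        return "dn" if all(DN_ATTR_RE.match(p) for p in parts) else None
    if "@" in value:                  # user@fqdn
        local, _, domain = value.rpartition("@")
        return "email" if local and FQDN_RE.match(domain) else None
    return "fqdn" if FQDN_RE.match(value) else None


def audit_peer(peer: dict) -> list[str]:
    """Checks from 'Verifying the IKE version' and 'Verifying the authentication method'."""
    findings = []
    if peer.get("ike_version") != REQUIRED_IKE_VERSION:
        findings.append(f"IKE version is {peer.get('ike_version')!r}, expected {REQUIRED_IKE_VERSION}")
    if peer.get("auth_method") != REQUIRED_AUTH_METHOD:
        findings.append(f"authentication method is {peer.get('auth_method')!r}, expected {REQUIRED_AUTH_METHOD}")
    if classify_peer_id(peer.get("peer_id", "")) is None:
        findings.append("Peer ID is missing or not an IP address, FQDN, e-mail address or certificate subject")
    return findings


def _check_encryption(profile: dict) -> list[str]:
    proposals = profile.get("encryption", [])
    if not proposals:
        return ["no encryption proposal configured"]
    bad = [p for p in proposals if p not in ALLOWED_ENCRYPTION]
    return [f"encryption proposals {bad} not allowed (DR mode: AES_GCM_16 or AES_CTR)"] if bad else []


def audit_ike_profile(profile: dict) -> list[str]:
    """IKE profile: DH group 19 or 28 plus the allowed encryption proposals."""
    findings = _check_encryption(profile)
    groups = set(profile.get("dh_groups", []))
    if not groups:
        findings.append("no Diffie-Hellman group configured")
    elif bad := sorted(groups - ALLOWED_DH_GROUPS):
        findings.append(f"DH groups {bad} not allowed (DR mode: 19 or 28)")
    return findings


def audit_ipsec_profile(profile: dict) -> list[str]:
    """IPsec profile: HMAC_SHA256 authentication plus the allowed encryption proposals."""
    findings = _check_encryption(profile)
    if profile.get("authentication") != REQUIRED_IPSEC_AUTH:
        findings.append(f"authentication proposal is {profile.get('authentication')!r}, expected {REQUIRED_IPSEC_AUTH}")
    return findings


def audit(config: dict) -> dict[str, list[str]]:
    """Return {object: findings} for every non-compliant object; only peers in the active policy are in scope."""
    report = {}
    for peer in config["peers"]:
        if peer.get("used_in_active_policy", True) and (findings := audit_peer(peer)):
            report[f"peer:{peer['name']}"] = findings
    for prof in config["ike_profiles"]:
        if findings := audit_ike_profile(prof):
            report[f"ike_profile:{prof['name']}"] = findings
    for prof in config["ipsec_profiles"]:
        if findings := audit_ipsec_profile(prof):
            report[f"ipsec_profile:{prof['name']}"] = findings
    return report


# Constructed sample: a compliant peer/profile pair, a legacy pair, and an out-of-scope peer.
SAMPLE_CONFIG = {
    "peers": [
        {"name": "hq-gateway", "ike_version": "IKEv2", "auth_method": "Certificate",
         "peer_id": "C=FR, O=Example, OU=IT, CN=hq-gw.example.net", "used_in_active_policy": True},
        {"name": "branch-legacy", "ike_version": "IKEv1", "auth_method": "Pre-shared key",
         "peer_id": "", "used_in_active_policy": True},
        {"name": "unused-peer", "ike_version": "IKEv1", "auth_method": "Pre-shared key",
         "peer_id": "", "used_in_active_policy": False},
    ],
    "ike_profiles": [
        {"name": "DR", "dh_groups": [28, 19], "encryption": ["AES_GCM_16", "AES_CTR"]},
        {"name": "LegacyProfile", "dh_groups": [14], "encryption": ["AES_GCM_16", "AES_CBC"]},
    ],
    "ipsec_profiles": [
        {"name": "DR", "authentication": "HMAC_SHA256", "encryption": ["AES_GCM_16", "AES_CTR"]},
        {"name": "LegacyProfile", "authentication": "HMAC_SHA1", "encryption": ["AES_CBC"]},
    ],
}

if __name__ == "__main__":
    for obj, findings in audit(SAMPLE_CONFIG).items():
        print(obj)
        for finding in findings:
            print("  -", finding)
```

Running the script prints one entry per non-compliant object (the legacy peer and both legacy profiles in the sample); the compliant DR profiles and the peer that is not used in the active policy produce no output. To use it against a real firewall, replace SAMPLE_CONFIG with records built from your own configuration export, keeping the same field names.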