Assessing the impact of implementing DR mode (SNS v4.2 and higher)

When the ANSSI Diffusion Restreinte (DR) mode is enabled in version 4.2 upwards, the following constraints must be met.

Impact on the network

ESP packets must be encapsulated in UDP/4500 and NAT Traversal mechanisms must be implemented as soon as negotiation begins.

If the firewall that will be configured in DR mode is separated from its peer by other security devices, UDP port 4500 must be allowed on these devices between the SNS firewall and its peer.

Interoperability

When DR mode is enabled on SNS 4.2 and higher versions:

  • Firewalls in DR mode in SNS version 4.2 (or higher) cannot set up IPsec tunnels with SNS firewalls in DR mode in a 4.1 or older version,
  • Firewalls in DR mode in SNS version 4.2 (or higher) cannot set up IPsec tunnels with SNS firewalls or third-party devices in IPsec standard mode.

Peer authentication

Peers are allowed to authenticate only with certificates, and the certificates used (from the end user certificate to the common trusted CA) must comply with the following specifications:

  • ECDSA or ECSDSA signature on an ECP 256 or BP 256 curve,
  • SHA256 as the hash algorithm.

The Peer ID field must also be filled in.

Certificates

The feature that verifies the revocation status of peer certificates must be enabled.

IKE protocol

Only version 2 of the IKE protocol is allowed.

IKE/IPsec encryption profiles

The Diffie-Hellman group used for key exchange must be either DH19 (NIST Elliptic Curve Group, 256-bit) or DH28 (Brainpool Elliptic Curve Group, 256-bit).

The IPsec encryption algorithm used must be:

  • AES_GCM_16 (AEAD: Authenticated Encryption with Associated Data; because it authenticates on its own, AES_GCM_16 is not associated with any separate authentication algorithm), or
  • AES_CTR, which must be associated with SHA256.

Negotiation and anti-replay through the use of ESNs must be supported for sending and receiving. The size of the anti-replay window cannot be zero.

The Pseudo-Random Function (PRF) algorithm must be SHA256.

IMPORTANT
If the newly configured IPsec policy on the firewall uses parameters that are not compatible with DR mode in SNS 4.2 (or higher), enabling DR mode will disable this IPsec policy and show the warning message:
“ANSSI ‘Diffusion Restreinte’ mode disabled the non-compliant VPN configuration”.
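To avoid having a policy disabled at the moment DR mode is switched on, the constraints above can be checked beforehand. The following is an added example and not Stormshield code: it models a policy with assumed field names and returns every DR-mode rule the policy breaks.

```python
# Added example, not Stormshield code: pre-flight check of an IKEv2/IPsec
# profile against the DR-mode constraints for SNS 4.2 and higher.
from dataclasses import dataclass
from typing import List, Optional

DR_DH_GROUPS = {19, 28}  # DH19 NIST P-256, DH28 Brainpool P-256

@dataclass
class IpsecProfile:
    """Constructed, simplified model of a policy; field names are assumptions."""
    ike_version: int
    dh_group: int
    esp_encryption: str            # "AES_GCM_16" or "AES_CTR"
    esp_integrity: Optional[str]   # None for AEAD ciphers
    prf: str
    esn: bool
    anti_replay_window: int
    auth_method: str               # "certificate" or "psk"
    peer_id: str
    revocation_check: bool
    cert_signature: str            # signature scheme used along the whole chain
    cert_curve: str
    cert_hash: str

def esp_cipher_ok(p: IpsecProfile) -> bool:
    # AES_GCM_16 is AEAD and must carry no separate authentication algorithm;
    # AES_CTR is not, so it must be paired with SHA256.
    if p.esp_encryption == "AES_GCM_16":
        return p.esp_integrity is None
    return p.esp_encryption == "AES_CTR" and p.esp_integrity == "SHA256"

def check_dr_compliance(p: IpsecProfile) -> List[str]:
    """Return the list of DR-mode violations; an empty list means compliant."""
    rules = [
        (p.ike_version == 2, "only IKEv2 is allowed"),
        (p.dh_group in DR_DH_GROUPS, "DH group must be DH19 or DH28"),
        (esp_cipher_ok(p), "ESP must be AES_GCM_16 alone or AES_CTR with SHA256"),
        (p.prf == "SHA256", "PRF must be SHA256"),
        (p.esn, "ESN must be enabled for sending and receiving"),
        (p.anti_replay_window > 0, "anti-replay window cannot be zero"),
        (p.auth_method == "certificate", "peers must authenticate with certificates"),
        (bool(p.peer_id), "Peer ID must be filled in"),
        (p.revocation_check, "certificate revocation checking must be enabled"),
        (p.cert_signature in {"ECDSA", "ECSDSA"} and p.cert_curve in {"ECP256", "BP256"}
         and p.cert_hash == "SHA256",
         "certificate chain must use ECDSA/ECSDSA on ECP256/BP256 with SHA256"),
    ]
    return [msg for ok, msg in rules if not ok]
```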

Hardware

On firewalls equipped with Intel processors (SNi20, SNi40, SN510, SN710, SN910, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100), the ANSSI Diffusion Restreinte (DR) mode allows the use of the coprocessor's cryptographic hardware instruction sets. On firewalls equipped with other types of processors (SN160, SN160W, SN210, SN210W and SN310), the ANSSI Diffusion Restreinte (DR) mode forces such instruction sets to be disabled, which slows down encryption performance.

IMPORTANT
If the ANSSI Diffusion Restreinte (DR) mode is enabled, the firewall must be restarted to apply the change.

Stormshield IPsec VPN client

Only SN VPN Client Exclusive is compatible with DR mode in SNS 4.2 and higher versions. If you are using SN VPN Client Standard, SN VPN Client Exclusive must be installed instead in order to enable DR mode (requires the purchase of a new license).