Optimizing ISAKMP traffic during IPsec tunnel negotiations and securing authentication

You are advised to modify several parameters on the firewall in order to optimize ISAKMP traffic during IPsec tunnel negotiation and secure PSK authentication against denial of service (DoS) attacks.

Requirements

For the purposes of illustration, the recommended optimizations and security measures assume that the IPsec policy used on the firewall for mobile users is IPsec_01, regardless of whether Config mode or standard mode is used (Configuration > VPN > IPsec VPN]:

Optimizing ISAKMP negotiation traffic by restricting IP datagrams

The maximum packet size allowed may vary widely depending on your ISP.

Stormshield recommends that you restrict IP datagrams in ISAKMP negotiations to 1280 bytes:

  1. Log in to the web administration interface of the firewall.
  2. Go to the Configuration > System > CLI module.
  3. Enable IKE fragmentation by typing:
    CONFIG IPSEC PEER UPDATE name=IPsec_Mobile_Profile_Name ike_frag=1
    where IPsec_Mobile_Profile_Name represents the name given to the IPsec peer profile (IKEv2_Mobile_Users in the example).
  4. Set the maximum size of ISAKMP datagrams to 1280 bytes using the command:
    CONFIG IPSEC UPDATE slot=xy FragmentSize=1280
    where xy represents the number of the mobile IPsec policy.
    In the example, this would be IPsec 01: the value of xy is therefore 01.
  5. Apply these changes by typing:
    CONFIG IPSEC ACTIVATE

Securing PSK authentication against brute force attacks

To prevent DoS attacks during an attempt to connect via an IPsec VPN tunnel:

  1. Go to the Configuration > System > CLI console module.
  2. Enter the command:
    CONFIG IPSEC UPDATE slot=xy global=0 CookieThreshold=10 BlockThreshold=5
    where xy represents the number of the mobile IPsec policy.
    In the example, this would be IPsec 01: the value of xy is therefore 01.
  3. Apply these changes by typing:
    CONFIG IPSEC ACTIVATE

Reloading the IPsec policy to apply changes made earlier

  1. Go to the Configuration > System > CLI console module.
  2. Reload the IPsec policy by typing:
    CONFIG IPSEC RELOAD

    Warning: this command will reset tunnels that have already been set up.

Optimizing tunnel traffic: restricting MSS

Since packets are encapsulated in the tunnel, ESP headers add several dozen bytes of data to the full size of each packet.

The size of segments (MSS: Maximum Segment Size) exchanged between the client and the firewall must therefore be automatically restricted.

With this option, packet fragmentation can be avoided or kept to a minimum. For packets exchanged between the client and the firewall, MSS imposes a packet size below the MTU (Maximum Transmission Unit) on the various network devices that intercept these packets.

Modifying a TCP-UDP inspection profile

In the Application protection > Protocols > TCP-UDP module:

  1. Select the TCP-UDP inspection profile in which you wish to apply this change (tcpudp_03 in the example).
    This inspection profile will then be selected in a global profile, which in turn will be applied to the filter rule that grants access to VPN mobile clients.
  2. Select the Impose MSS limit checkbox.
    Enter the value 1300 (bytes) (recommended by Stormshield).
  3. Confirm the change by clicking on Apply.
  4. Confirm by clicking on Save.

Integrating this TCP-UDP inspection profile into a global inspection profile

In the Application protection > Inspection profile module:

  1. Click on Go to profiles.
  2. From the drop-down list, select the profile that you wish to associate with the TCP-UDP profile that was modified earlier with the MSS option. The profile IPS_03 is selected in the example.
  3. In the row TCP-UDP, click on the application profile suggested and select the modified profile (tcpudp_03 in the example).
  4. Confirm the change by clicking on Apply.
  5. Confirm by clicking on Save.
    This is the IPS profile that must be selected for incoming traffic in the filter rule that allows traffic from mobile IPsec tunnels.