Optimizing ISAKMP traffic during the negotiation of IPsec tunnels and securing authentication
You are advised to modify several parameters on the firewall in order to optimize ISAKMP traffic during the negotiation of IPsec tunnels, and to secure the authentication process.
Requirements
For the purposes of illustration, the recommended optimizations and security measures assume that the IPsec policy used on the firewall for mobile users is IPsec_01 (Configuration > VPN > IPsec VPN), that the mobile IPsec peer profile is named mobile_IKEv2_EAP_CERT, and that the TCP-UDP inspection profile applied to mobile users is tcpudp_03.
Optimizing tunnel traffic by restricting IP datagrams
The maximum packet size allowed may vary widely depending on your ISP.
Stormshield recommends that you restrict IP datagrams in ISAKMP negotiations to 1280 bytes:
- Log in to the web administration interface of the firewall.
- Go to Configuration > System > CLI console.
- Enable IKE fragmentation by typing:
CONFIG IPSEC PEER UPDATE name=IPsec_Mobile_Profile_Name ike_frag=1
where IPsec_Mobile_Profile_Name represents the name given to the IPsec peer profile (mobile_IKEv2_EAP_CERT in the example).
- Set the maximum size of ISAKMP datagrams to 1280 bytes using the command:
CONFIG IPSEC UPDATE slot=xy FragmentSize=1280
where xy represents the number of the mobile IPsec policy.
In the example, this would be IPsec_01: the value of xy is therefore 01.
- Apply these changes by typing:
CONFIG IPSEC ACTIVATE
Reloading the IPsec policy to apply changes made earlier
- Go to Configuration > System > CLI console.
- Reload the IPsec policy by typing:
CONFIG IPSEC RELOAD
Warning: this command will reset tunnels that have already been set up.
Optimizing tunnel traffic: restricting MSS
Since packets are encapsulated in the tunnel, ESP headers add several dozen bytes of data to the full size of each packet.
The size of segments (MSS: Maximum Segment Size) exchanged between the client and the firewall must therefore be automatically restricted.
With this option, packet fragmentation can be avoided or kept to a minimum. For packets exchanged between the client and the firewall, the MSS limit keeps the size of each encapsulated packet below the MTU (Maximum Transmission Unit) of the various network devices through which these packets travel.
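The following worked example, added here and not taken from the Stormshield documentation, shows why a client MSS of 1300 bytes is comfortably below what a 1500-byte path MTU can carry once ESP encapsulation is added, while the usual default of 1460 bytes is not. It models IPv4 tunnel mode with NAT-T (UDP/4500) and two common ESP proposals; the header, IV, padding and ICV sizes are the standard ESP values, but the suite names, the EspSuite type and the helper functions are assumptions of this example, and the overhead the firewall actually adds depends on the proposal negotiated with the client.

```python
from dataclasses import dataclass

# Fixed header sizes in bytes (IPv4 inner and outer header, NAT-T UDP encapsulation).
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # NAT-T encapsulation on UDP port 4500
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    """Per-proposal ESP parameters (assumed type, not a Stormshield API)."""
    name: str
    iv_len: int       # explicit IV carried in each packet
    block: int        # (payload + trailer) is padded to a multiple of this
    icv_len: int      # integrity check value appended to the packet


# Two typical proposals; values follow the ESP specifications for these algorithms.
AES_CBC_HMAC_SHA256 = EspSuite("AES-CBC + HMAC-SHA256-128", iv_len=16, block=16, icv_len=16)
AES_GCM_16 = EspSuite("AES-GCM-16", iv_len=8, block=4, icv_len=16)


def esp_packet_size(mss, suite, nat_t=True):
    """Size on the wire of one full TCP segment after ESP tunnel-mode encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss                      # original IP packet
    payload = inner + ESP_TRAILER
    padded = -(-payload // suite.block) * suite.block     # round up to block alignment
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len
    return outer + padded + suite.icv_len


def fits(mss, mtu, suite, nat_t=True):
    """True when a segment of this MSS crosses the path without fragmentation."""
    return esp_packet_size(mss, suite, nat_t) <= mtu


def max_mss(mtu, suite, nat_t=True):
    """Largest MSS whose encapsulated packet still fits the outer MTU."""
    mss = mtu
    while esp_packet_size(mss, suite, nat_t) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    PATH_MTU = 1500
    for suite in (AES_CBC_HMAC_SHA256, AES_GCM_16):
        print(f"{suite.name}: largest MSS fitting {PATH_MTU} bytes = {max_mss(PATH_MTU, suite)}")
        for mss in (1460, 1300):
            size = esp_packet_size(mss, suite)
            verdict = "ok" if fits(mss, PATH_MTU, suite) else "FRAGMENTS"
            print(f"  MSS {mss} -> {size} bytes on the wire: {verdict}")
```

Running it shows that with AES-CBC/HMAC-SHA256 a 1460-byte segment becomes 1572 bytes on the wire and is fragmented, whereas 1300 bytes becomes 1412 bytes and leaves roughly 90 bytes of headroom for additional encapsulation (PPPoE, a second tunnel) that the firewall cannot see from the client side.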
Modifying a TCP-UDP inspection profile
In the Application protection > Protocols > IP protocols > TCP-UDP module:
- Select the TCP-UDP inspection profile in which you wish to apply this change (tcpudp_03 in the example). This inspection profile is automatically selected in the global profile that has the same index (03 in the example), and which is applied in the rule Allowing IPsec VPN access in filter policies.
- Select the Impose MSS limit checkbox.
Enter the value 1300 (bytes) (recommended by Stormshield).
- Confirm the change by clicking on Apply.
- Confirm by clicking on Save.