IPsec VPN

A standard protocol, IPsec (IP Security) enables the creation of VPN tunnels between two hosts, between a host and a network, between two networks and any type of object that supports the protocol.

The services that Stormshield Network’s IPsec offers provide access control, integrity in offline mode, authentication of data source, protection against replay, confidentiality in encryption and on traffic. You can for example, create a tunnel between two firewalls, or between the firewall and mobile clients on which VPN clients would be installed.

Recommendations

When you configure an IPsec VPN, you are advised to:

  • Configure a static route to the local loopback (black hole) to reach remote networks accessible via IPsec VPN tunnels,

  • Ensure that the IPsec policy is never enabled, even during transitional phases,

  • Ensure that filter rules are always more specific than NAT before IPsec rules,

  • Ensure that traffic (source and destination IP addresses) after translation (NAT) matches the IPsec policy,

  • Ensure that in the absence of NAT rules, filter rules are always more specific than the IPsec policy.

Optimization of encryption and decryption operations

The IPsec service has a mechanism to optimize the distribution of encryption and decryption operations. Its purpose is to significantly improve IPsec throughput, especially in configurations that contain a single IPsec tunnel.

It offers three configuration modes:

Automatic mode (auto)

This is the default mode, which allows the optimization mechanism to activate automatically and transparently when both of the following conditions are met:

  • The active IPsec policy has a single active VPN tunnel.

  • The firewall model supports Automatic mode.

These models support Automatic mode: SN510, SN710, SN2000, SN2100, SN3000, SN3100, SN6000, SN6100 and SNi40. On other models, the optimization mechanism can run only in Enabled mode.
Enabled mode (1) Makes it possible to run the optimization mechanism continuously without any particular conditions. It can be configured on all firewall models.

This mode is not recommended when an IPsec policy has many active VPN tunnels. Ensure that using this mode does not affect the general quality of your service.
Disabled mode (0) Makes it possible to disable the optimization mechanism continuously. 

This mode can be configured only with the following CLI/serverd command:

CONFIG IPSEC UPDATE slot=<n> CryptoLoadBalance=<0|1|auto>

These commands are explained in detail in the CLI SERVERD Commands Reference Guide.

IPsec VPN module screen

The IPsec VPN module consists of 4 tabs:

  • Encryption policy – Tunnels: create IPsec tunnels between two firewalls (Site to site – Gateway- Gateway) or between a Stormshield Network multi-function firewall and a mobile user (Anonymous – Mobile users).
    10 blank encryption policies can be configured, activated and edited. The anonymous policy also makes it possible to configure tunnels with another firewall, but which does not have a fixed IP address. It will therefore have the same problem as a “classic” mobile workstation: an unpredictable IP address
  • Peers: create new peers (remote site or anonymous mobile peer) by entering their IKE profiles, their negotiation method, as well as the specific parameters for each negotiation method.
  • Identification: list your approved certification authorities in the tunnels using PKI methods as well as the pre-shared keys (PSK) of your mobile tunnels.
  • Encryption profiles: define your IKE (phase 1) and IPsec (phase 2) encryption profiles, add new ones or set their maximum lifetime (in seconds). You can also define negotiation proposals for authentication and encryption algorithms.
NOTES
  • IPsec VPN policies now make it possible to edit their configurations in Global mode. To enable the option, select “Display global policies” in the Preferences module.
  • There is no specific privilege for "vpn_global".