IPsec (IP Security) is a standard protocol suite that creates VPN tunnels between two hosts, between a host and a network, between two networks, or between any other objects that support the protocol.
The IPsec services offered by Stormshield Network firewalls provide access control, connectionless integrity, data-origin authentication, protection against replay, confidentiality through encryption and limited traffic-flow confidentiality. You can, for example, create a tunnel between two firewalls, or between the firewall and mobile clients on which a VPN client is installed.
The IPsec service has a mechanism to optimize the distribution of encryption and decryption operations. Its purpose is to significantly improve IPsec throughput, especially in configurations that contain a single IPsec tunnel.
It offers three configuration modes:

| Mode | Description |
|---|---|
| Automatic (auto) | Default mode: the optimization mechanism activates automatically. The mechanism can only be activated manually by selecting Enabled mode. |
| Enabled (1) | Activates the optimization mechanism continuously. It can be configured on all firewall models. This mode is not recommended when an IPsec policy has many active VPN tunnels; check that using it does not degrade the general quality of your service. |
| Disabled (0) | Disables the optimization mechanism continuously. |

This setting can be configured only with the following CLI/serverd command, where <n> is the number of the encryption policy (slot) the setting applies to:
CONFIG IPSEC UPDATE slot=<n> CryptoLoadBalance=<0|1|auto>
This command is explained in detail in the CLI SERVERD Commands Reference Guide.
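The following helper is an added example, not Stormshield's own code or tooling. It prepares the serverd command above for one encryption policy, rejects slot numbers outside the 10 policies the module offers, and applies the caveat from the table by refusing to force Enabled mode on a policy that already carries many tunnels unless the caller overrides it. The MANY_TUNNELS threshold and the recommend_mode() heuristic are this example's assumptions; the command string still has to be sent to serverd by whatever transport you already use.

```python
"""Added example, not Stormshield's code: prepare and sanity-check the serverd
command that sets the IPsec CryptoLoadBalance mode for one encryption policy.

Assumptions (not from the page): the string is handed to serverd by a
transport of your own (SSH, the SNS API client); MANY_TUNNELS is this
example's own threshold for the page's "many active tunnels" warning.
"""

MAX_SLOT = 10          # the IPsec VPN module offers 10 encryption policies
MANY_TUNNELS = 5       # assumption: above this, Enabled mode needs an explicit override

# Values accepted by CryptoLoadBalance, plus readable aliases for callers.
_MODE_VALUES = {
    "auto": "auto", "1": "1", "0": "0",
    "enabled": "1", "disabled": "0",
}


def normalize_mode(mode) -> str:
    """Map a user-supplied mode (0, 1, auto or an alias) to the CLI value."""
    key = str(mode).strip().lower()
    if key not in _MODE_VALUES:
        raise ValueError(f"unknown CryptoLoadBalance mode {mode!r}: use 0, 1 or auto")
    return _MODE_VALUES[key]


def recommend_mode(active_tunnels: int) -> str:
    """Heuristic derived from the page: the optimisation pays off most with a
    single tunnel, and forcing it on is discouraged once a policy carries many."""
    if active_tunnels <= 1:
        return "1"
    return "auto"


def build_command(slot: int, mode, active_tunnels: int = 0, force: bool = False) -> str:
    """Return the exact serverd command, refusing configurations the page warns against."""
    if not 1 <= slot <= MAX_SLOT:
        raise ValueError(f"slot must be 1..{MAX_SLOT}, got {slot}")
    value = normalize_mode(mode)
    if value == "1" and active_tunnels > MANY_TUNNELS and not force:
        raise ValueError(
            f"slot {slot} has {active_tunnels} active tunnels; Enabled mode is not "
            "recommended there (pass force=True once service quality has been checked)")
    return f"CONFIG IPSEC UPDATE slot={slot} CryptoLoadBalance={value}"


if __name__ == "__main__":
    # Single site-to-site tunnel in slot 1: force the optimisation on.
    print(build_command(1, recommend_mode(1), active_tunnels=1))
    # Busy mobile-user policy in slot 2: leave it to automatic mode.
    print(build_command(2, recommend_mode(40), active_tunnels=40))
```

Run the script to see the two commands it would issue; in practice the count of active tunnels comes from the firewall's own monitoring rather than from a literal, and the override exists so that an operator who has measured the effect on service quality can still apply Enabled mode deliberately.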
- IPsec VPN policies can now be edited in Global mode. To enable this option, select “Display global policies” in the Preferences module.
- There is no specific privilege for "vpn_global".
The IPsec VPN module consists of 4 tabs:
- Encryption policy – Tunnels: create IPsec tunnels between two firewalls (Site to site – Gateway to Gateway) or between a Stormshield Network multi-function firewall and a mobile user (Anonymous – Mobile users).
10 blank encryption policies can be configured, activated and edited. The anonymous policy also makes it possible to configure tunnels with another firewall that does not have a fixed IP address. Such a firewall therefore has the same problem as a “classic” mobile workstation: an unpredictable IP address.
- Peers: create new peers (remote site or anonymous mobile peer) by entering their IKE profiles, their negotiation method, as well as the specific parameters for each negotiation method.
- Identification: list the certification authorities approved for tunnels that use PKI-based authentication, as well as the pre-shared keys (PSK) of your mobile tunnels.
- Encryption profiles: define your IKE (phase 1) and IPsec (phase 2) encryption profiles, add new ones, or set their maximum lifetime (in seconds). You can also define the proposals negotiated for authentication and encryption algorithms.
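Because the Encryption profiles tab lets you keep or add arbitrary proposals and lifetimes, a practitioner will want to audit what a profile actually offers to peers. The following checker is an added example, not Stormshield's code or export format: the profile dictionaries are constructed for illustration, and the weak-algorithm sets and lifetime ceilings are this example's own assumptions based on current practice (sub-2048-bit DH groups, DES/3DES, MD5/SHA-1 integrity) rather than anything stated on the page.

```python
"""Added example, not Stormshield's code: audit IKE (phase 1) and IPsec
(phase 2) encryption profiles for weak proposals and over-long lifetimes.

The profile dictionaries are constructed for this example and are not the
firewall's export format; the weak-algorithm sets and lifetime ceilings are
this example's assumptions, based on current practice rather than on the page.
"""

WEAK_ENCRYPTION = {"des", "3des", "blowfish", "cast128", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}                 # deprecated for new deployments
WEAK_DH_GROUPS = {1, 2, 5}                       # modp768/1024/1536: below 2048 bits
MAX_LIFETIME = {"ike": 86400, "ipsec": 28800}    # seconds, assumed ceilings per phase


def audit_profile(profile: dict) -> list[str]:
    """Return human-readable findings; an empty list means the profile passed."""
    findings = []
    kind = profile["type"]                       # "ike" (phase 1) or "ipsec" (phase 2)
    for n, prop in enumerate(profile["proposals"], start=1):
        enc = prop["encryption"].lower()
        integ = prop.get("integrity", "").lower()
        if enc in WEAK_ENCRYPTION:
            findings.append(f"proposal {n}: weak encryption {enc}")
        # AEAD ciphers (GCM) carry their own integrity; anything else needs a strong MAC.
        if "gcm" not in enc:
            if not integ:
                findings.append(f"proposal {n}: no integrity algorithm")
            elif integ in WEAK_INTEGRITY:
                findings.append(f"proposal {n}: weak integrity {integ}")
        group = prop.get("dh_group")
        if group is None and kind == "ipsec":
            # A phase 2 proposal without a DH group negotiates no perfect forward secrecy.
            findings.append(f"proposal {n}: no DH group, so no perfect forward secrecy")
        elif group in WEAK_DH_GROUPS:
            findings.append(f"proposal {n}: weak DH group {group}")
    if profile["lifetime"] > MAX_LIFETIME[kind]:
        findings.append(
            f"lifetime {profile['lifetime']}s exceeds {MAX_LIFETIME[kind]}s for {kind}")
    return findings


# Constructed sample profiles (not exported from any real firewall).
LEGACY_IKE = {
    "type": "ike", "lifetime": 604800,
    "proposals": [
        {"encryption": "3des", "integrity": "sha1", "dh_group": 2},
        {"encryption": "aes128", "integrity": "sha256", "dh_group": 14},
    ],
}
MODERN_IPSEC = {
    "type": "ipsec", "lifetime": 3600,
    "proposals": [{"encryption": "aes256-gcm", "dh_group": 14}],
}
NO_PFS_IPSEC = {
    "type": "ipsec", "lifetime": 3600,
    "proposals": [{"encryption": "aes256", "integrity": "sha256"}],
}

if __name__ == "__main__":
    for name, prof in (("LEGACY_IKE", LEGACY_IKE), ("MODERN_IPSEC", MODERN_IPSEC),
                       ("NO_PFS_IPSEC", NO_PFS_IPSEC)):
        print(name, audit_profile(prof) or ["ok"])
```

Note that a weak proposal matters even when a stronger one sits beside it: the peer chooses among everything the profile offers, so a single legacy entry is enough for a downgraded negotiation to be accepted. Remove such entries from the profile rather than relying on the peer to prefer the strong ones.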