Identification tab
Approved certification authorities
In this table, list the certification authorities (CAs) that the IPsec VPN module will trust when checking the identity of peers authenticating with certificates.
Add | When you click on this button, a window will open showing the CAs and sub-CAs that you have created earlier. Select the authorities that will enable you to check the identities of your peers, by clicking on Select. The CA or sub-CA selected will be added to the table. |
Delete | Select the CA to be removed from the list and click on Delete. |
CA
Below this field, the added and approved certification authorities will be displayed.
Mobile tunnels: pre-shared keys (PSK)
If you have already created a mobile peer using the pre-shared key (PSK) authentication method, its key already appears in this table.
When creating it, you assigned the key an ID and a value (in hexadecimal or ASCII characters).
Search | By default, the table displays all the pre-shared keys of your mobile tunnels; you can filter it by occurrence, letter or word so that only the desired keys are shown. |
Add | When you click on this button, a key editor window will appear: you need to provide it with an ID, a value and confirm it. You can choose to edit characters in hexadecimal or ASCII. |
Delete | Select the key to be removed from the list and click on Delete. |
Identity
This column displays the IDs of your pre-shared keys, which may be represented by a domain name (FQDN), an e-mail address (USER_FQDN) or an IP address.
Key
This column displays the values of your pre-shared keys in hexadecimal characters.
- An unlimited number of pre-shared keys can be created.
- Deleting a pre-shared key that belongs to an IPsec VPN tunnel will cause this tunnel to malfunction.
- To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
Post-quantum pre-shared keys (PPK)
A sufficiently powerful quantum computer will very likely be able to recover secrets negotiated with the Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) methods, which undermines the security of the IKEv2 protocol.
Attackers can already carry out "store now, decrypt later" attacks: they intercept and store IPsec traffic today in order to decrypt it later, once a quantum computer is available.
Administrators who wish to protect themselves against such attacks can already use post-quantum pre-shared keys (PPK) to protect the negotiation of the data encryption keys.
To find out more on the use of post-quantum pre-shared keys for the IKEv2 protocol, please refer to RFC 8784.
In line with these recommendations, SNS versions 4.8 and higher offer the option of setting post-quantum pre-shared keys for peers using the IKEv2 protocol with certificate-based authentication.
NOTE
To be effective, these PPKs must have a sufficiently high entropy (minimum 256 bits according to RFC 8784).
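The two key-strength rules above (the user-password rules for ASCII pre-shared keys, and the 256-bit minimum for PPKs from RFC 8784) and the way a PPK protects the IKEv2 key derivation can be made concrete in code. The following is an added example, not Stormshield code and not part of this documentation: it generates a key with enough entropy for the key editor's hexadecimal mode, estimates the entropy ceiling of a key typed in hex or ASCII, and reproduces the RFC 8784 mixing of the PPK into SK_d, SK_pi and SK_pr using the IKEv2 prf+ construction of RFC 7296 section 2.13. HMAC-SHA256 as the negotiated PRF, 32-byte key lengths, the sample values and the conservative "6 bits per ASCII character" ceiling are assumptions of the example.

```python
"""Added example (not Stormshield code): PSK/PPK strength checks and the
RFC 8784 PPK mixing step of IKEv2.

Assumptions (not from the page): HMAC-SHA256 as the negotiated IKEv2 PRF,
32-byte SK_d/SK_pi/SK_pr, and 6 bits per character as the entropy ceiling
of a uniformly random printable ASCII key.
"""
import hashlib
import hmac
import secrets
import string

MIN_PPK_BITS = 256  # RFC 8784 asks for at least 256 bits of entropy in a PPK
_ASCII_ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")


def generate_key_hex(bits: int = MIN_PPK_BITS) -> str:
    """Fresh random key from the OS CSPRNG, hex-encoded for the key editor."""
    return secrets.token_hex(bits // 8)


def key_entropy_bits(value: str, encoding: str) -> int:
    """Upper bound on the entropy of a key as typed in the key editor.

    'hex':   4 bits per hex digit (ValueError on non-hex or odd length).
    'ascii': at most log2(95) ~ 6.57 bits per printable character; we use a
             conservative 6.  This is a ceiling for random characters; a
             dictionary word carries far less, whatever its length.
    """
    if encoding == "hex":
        bytes.fromhex(value)
        return len(value) * 4
    if encoding == "ascii":
        if not value or any(c not in _ASCII_ALLOWED for c in value):
            raise ValueError("empty key or non-printable ASCII character")
        return len(value) * 6
    raise ValueError("encoding must be 'hex' or 'ascii'")


def meets_minimum(value: str, encoding: str, min_bits: int = MIN_PPK_BITS) -> bool:
    return key_entropy_bits(value, encoding) >= min_bits


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def apply_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
    """RFC 8784 section 3: once USE_PPK has been negotiated, each of SK_d,
    SK_pi and SK_pr is replaced by prf+(PPK, old value) of the same length.

    Child SA keys (derived from SK_d) and the AUTH payloads (SK_pi/SK_pr)
    therefore depend on the PPK, which never crosses the wire.  An attacker
    who later recovers the DH secret, and with it the original SK_d, still
    cannot derive the child SA keys without the PPK.  Note that the IKE SA's
    own SK_e/SK_a keys are not re-derived by RFC 8784.
    """
    return (
        prf_plus(ppk, sk_d, len(sk_d)),
        prf_plus(ppk, sk_pi, len(sk_pi)),
        prf_plus(ppk, sk_pr, len(sk_pr)),
    )


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    ppk = bytes.fromhex(generate_key_hex())
    sk_d, sk_pi, sk_pr = (secrets.token_bytes(32) for _ in range(3))
    sk_d2, _, _ = apply_ppk(ppk, sk_d, sk_pi, sk_pr)
    # What a "store now, decrypt later" attacker holding SK_d but not the PPK gets:
    wrong, _, _ = apply_ppk(b"\x00" * 32, sk_d, sk_pi, sk_pr)
    print("PPK hex:", ppk.hex())
    print("SK_d' differs from attacker's guess:", sk_d2 != wrong)
    print("64-hex-digit PPK is strong enough:", meets_minimum(ppk.hex(), "hex"))
```

A PPK pasted in hexadecimal mode needs 64 hex digits to reach 256 bits; in ASCII mode the same bound needs roughly 43 truly random printable characters, and a memorable passphrase needs more still, which is why the page points to the user-password rules for ASCII keys.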
IMPORTANT
If you created or modified a mobile peer earlier and defined a new PPK for it at that time, that PPK is not automatically added to this grid.
Possible operations
Find key | You can search by occurrence, letter or word, so that only the desired keys are displayed. |
Add | When you click on this button, a key editor window will appear. You can enter/edit the key value in hexadecimal or ASCII. |
Delete | Select the key to be removed from the list and click on Delete. |
Edit selection | Select the key to edit and apply the desired changes. |
Export the list of PPKs | This button allows you to export the list of PPKs in CSV format, and download it to your workstation. |
NOTE
PPKs that are directly created on the peer will not appear in this grid.
Advanced configuration
Enable searching in several LDAP directories (pre-shared key or certificate modes) | When several LDAP directories have been defined, selecting this checkbox will allow the firewall to browse these directories sequentially to authenticate mobile peers. This method is available regardless of the authentication type chosen (pre-shared key or certificate). If this checkbox is not selected, the firewall will only query the directory defined by default. |
List of directories
The various directories listed will be queried according to their order in the table.
Add | Clicking on this button will add a line to the table in the form of a drop-down list that allows selecting one of the directories defined on the firewall. This button is grayed out when all of the firewall's directories are selected. |
Delete | Select the directory to be removed from the list and click on Delete. |
Move up | This button makes it possible to move the selected directory up the list to raise its priority when the firewall queries the list of directories. |
Move down | This button makes it possible to move the selected directory down the list to lower its priority when the firewall queries the list of directories. |