Gateway peer information

Select a peer from the list to display information about it.

Comments Description of the local peer.
Remote gateway Object selected to represent the remote IP address during the creation of the peer via the wizard.
Local address External interface presented to set up the tunnel with the peer shown.
IKE profile This option offers three preconfigured profiles as the protection model associated with Phase 1 of your VPN policy: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the Encryption profiles tab.
IKE version This option allows selecting the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses.

Identification

Authentication method This field will show the authentication method selected during the creation of your peer via the wizard.
You may modify your choice by selecting another method from the drop-down list.

NOTE
For a “gateway” peer, you have the choice of Certificate or Pre-shared key (PSK).

Certificate

If you have chosen certificate-based authentication, this field shows the certificate that will be presented to the peer to set up the IPsec tunnel.

An icon indicates certificates whose private key is protected by the TPM. For more information on the TPM, see the section Trusted Platform Module.

If you had opted for the pre-shared key method, this field will not appear.

Local ID (Optional) This field represents one IPsec VPN tunnel endpoint, which shares the “secret” (the PSK) with the “Peer ID”, the other endpoint. You are represented by the “Local ID”.
This identifier must be in the form of an IP address, a domain name (FQDN: Fully Qualified Domain Name) or an e-mail address (user@fqdn).
Peer ID (Optional) This field represents an IPsec VPN tunnel endpoint, and shares the “secret” or the PSK with the “Local ID”, the other endpoint. The “Peer ID” represents your peer.
The format is the same as the previous field.
Pre-shared key (ASCII) In this field your PSK appears in the format you had selected earlier when creating the peer via the wizard: ASCII or hexadecimal characters (the format can be selected in the checkboxes below the field if you wish to change formats).
Edit This button makes it possible to directly edit the pre-shared key that was used to set up the IPsec tunnel with this peer.

Advanced properties

Do not initiate the tunnel (Responder only) If this option is selected, the IPsec server will be put on standby.
It won't initiate tunnel negotiation. This option is used in the case where the peer is a mobile host.
IKE fragmentation With this checkbox, IKE fragmentation can be enabled when IKE packets exceed the standard packet size configured on the firewall.
DPD This field makes it possible to configure the DPD (Dead Peer Detection) feature on VPNs, which checks whether a peer is still operational.
When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer, which must acknowledge them in order to confirm its availability (R U there ACK).

These exchanges are secured via ISAKMP (Internet Security Association and Key Management Protocol) SAs (Security Associations).

If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed.

IMPORTANT
This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured.

Four choices are available for configuring DPD:
  • Inactive: DPD requests from the peer are ignored.
  • Passive: DPD requests sent by the peer get a response from the firewall. However, the firewall does not send any.
  • Low: the frequency of DPD packets being sent is low and the number of failures tolerated is higher (delay 600, retry 10, maxfail 5).
  • High: the frequency of DPD packets being sent is high and the number of failures relatively low (delay 30, retry 5, maxfail 3).

The value delay defines the period after a response is received before the next request is sent.
The value retry defines the time to wait for a response before sending the request again.
The value maxfail is the number of requests sent without receiving responses before the peer is considered absent.
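As an added illustration of how delay, retry and maxfail interact (example code written for this page, not Stormshield's implementation), the following Python model assumes that the peer is declared absent once maxfail consecutive requests have gone unanswered, each waiting retry seconds, after an idle period of delay seconds; the peer behaviour and the 1-second round trip are constructed.

```python
"""Timing model of Dead Peer Detection for the Low and High profiles."""
from dataclasses import dataclass
from typing import Optional

# Profile values as listed on the page: delay and retry in seconds, maxfail a count.
DPD_PROFILES = {
    "low": dict(delay=600, retry=10, maxfail=5),
    "high": dict(delay=30, retry=5, maxfail=3),
}

def worst_case_detection_time(profile: str) -> int:
    """Seconds from the peer's last answer until it is declared absent:
    idle delay, then maxfail unanswered requests spaced by retry (assumption)."""
    p = DPD_PROFILES[profile]
    return p["delay"] + p["maxfail"] * p["retry"]

@dataclass
class DpdMonitor:
    """Toy initiator-side DPD state machine (hypothetical, not firewall code)."""
    delay: int
    retry: int
    maxfail: int
    unanswered: int = 0   # R U there requests sent without an ACK
    next_send: int = 0    # time of the next request, or of the verdict
    dead: bool = False

    def on_ack(self, now: int) -> None:
        """R U there ACK received: the peer is alive, restart the idle timer."""
        self.unanswered = 0
        self.next_send = now + self.delay

    def tick(self, now: int) -> Optional[str]:
        """Called every second; returns 'send', 'dead' or None."""
        if self.dead or now < self.next_send:
            return None
        if self.unanswered >= self.maxfail:
            self.dead = True  # negotiated SAs would be destroyed at this point
            return "dead"
        self.unanswered += 1
        self.next_send = now + self.retry
        return "send"

def time_declared_dead(profile: str, silent_from: int, horizon: int) -> Optional[int]:
    """Constructed peer: answers every request sent before silent_from (1 s later),
    then falls silent. Returns the second the peer is declared dead, or None."""
    mon = DpdMonitor(**DPD_PROFILES[profile])
    mon.on_ack(0)                       # tunnel just came up: peer alive at t=0
    pending_ack = None
    for now in range(1, horizon + 1):
        if pending_ack == now:
            mon.on_ack(now)
            pending_ack = None
        event = mon.tick(now)
        if event == "dead":
            return now
        if event == "send" and now < silent_from:
            pending_ack = now + 1       # constructed 1 s round trip
    return None
```

With the High profile a peer that stops answering at t=100 is declared dead at t=138 (its last ACK arrived at t=93), whereas the Low profile only reaches a verdict 650 s after the last answer.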
DSCP In this field, you can specify the value of the DSCP field assigned to IKE network packets sent to this peer.
Select one of the proposed values or specify a customized DSCP field (integer between 0 and 63 inclusive).
Encapsulate ESP traffic in UDP This field appears only when DR mode compatibility is enabled.
In this field, UDP encapsulation of ESP traffic can be enabled or disabled for each peer in order to comply with ANSSI recommendations.

NOTE
For every field that contains “Gateway” and the icon, you can add an object to the existing database by specifying its name, DNS resolution, IP address and then clicking on Apply.