Stormshield SN series Configuration Manual page 174

Advanced properties

Negotiation mode
In IPSec, two negotiation modes are possible: main mode and aggressive mode. They have a particular influence over Phase 1 of the IKE protocol (the authentication phase).

Main mode: In this mode, Phase 1 takes place in 6 exchanges. With pre-shared key authentication, the remote host can only be identified by its IP address. In PKI mode, the identifier is the certificate. Main mode guarantees anonymity (the peers' identities are only exchanged in encrypted messages).

Aggressive mode: In this mode, Phase 1 takes place in 3 exchanges between the firewall and the remote host. The remote host can be identified by an IP address, FQDN or e-mail address, but not by a pre-shared key certificate. Aggressive mode does not guarantee anonymity (the identity is sent in clear in the first message).

NOTE
Stormshield Network automatically configures the use of certificate, hybrid or XAuth authentication methods in main mode. If the client wishes to use a pre-shared key, aggressive mode has to be used.

Warning
The use of aggressive mode with pre-shared keys (especially for VPN tunnels to mobile workstations) may be less secure than the other modes of the IPSec protocol. Stormshield Network therefore recommends the use of main mode for mobile peers, either with authentication by certificate or by using hybrid mode. For authentication by certificate, the firewall's internal PKI is fully capable of providing the certificates needed for such use.

NOTE
To define an ASCII pre-shared key that is sufficiently secure, it is absolutely necessary to follow the same rules as for user passwords, set out in the chapter Welcome, under the section User awareness, sub-section User password management.

Backup mode
The backup mode is the switch mode for IPSec failover: if a server becomes unreachable, another will take over transparently. Nonetheless, the field is grayed out here, as the backup configuration cannot be applied to a mobile configuration.

NOTE
This field can only be edited in expert mode (CLI). Please refer to the article in the technical support's Knowledge Base (How can I modify the backup mode for a specific IPSec peer?), accessible from your private area, for further information.

Local gateway
Object selected as the local gateway. This field is set to "Any" by default.

Do not initiate the tunnel (Responder only)
This option is grayed out and validated, as a tunnel to a mobile client with an unknown IP address cannot be set up. In this configuration, the firewall is therefore in "responder only" mode.
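The difference in anonymity between the two negotiation modes described above comes down to where the identity payload sits in the IKEv1 exchange: in aggressive mode it travels in the first, unencrypted message, while in main mode it is only sent once the ISAKMP encryption flag is set. The following parser is an added example (not Stormshield code and not part of this manual); it walks the ISAKMP header and payload chain of UDP/500 datagrams so that a defender can flag aggressive-mode negotiations that expose a peer identity on the wire. The constants are the RFC 2407/2408 values; the three sample datagrams are constructed inline for the demonstration, not captured traffic.

```python
import struct

# ISAKMP exchange types (RFC 2408 section 3.1, IKEv2 values from RFC 7296)
EXCHANGE_TYPES = {
    2: "Identity Protection (IKEv1 main mode)",
    4: "Aggressive (IKEv1 aggressive mode)",
    5: "Informational",
    32: "Quick Mode (IKEv1 phase 2)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
}
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4

# IKEv1 payload types (RFC 2408 section 3.1)
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10

# Identification types carried in the ID payload (RFC 2407 section 4.6.2.1)
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR", 9: "DER_ASN1_DN"}

FLAG_ENCRYPTION = 0x01  # header flag: payloads after the header are ciphertext
HEADER_FMT = "!QQBBBBII"  # I-SPI, R-SPI, next payload, version, exch, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_isakmp(datagram: bytes) -> dict:
    """Parse the fixed ISAKMP header and, if unencrypted, walk the payload chain.

    Returns the exchange type, the list of payload types seen and any peer
    identity that was transmitted in clear.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    (_i_spi, _r_spi, next_payload, version, exch_type,
     flags, _msg_id, length) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if length != len(datagram):
        raise ValueError("ISAKMP length field does not match datagram size")
    result = {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, f"unknown ({exch_type})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "payloads": [],
        "cleartext_identity": None,
    }
    if result["encrypted"]:
        return result  # identities inside are protected; nothing readable to walk
    offset, ptype = HEADER_LEN, next_payload
    while ptype != 0:
        if offset + 4 > len(datagram):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", datagram[offset:offset + 4])
        if plen < 4 or offset + plen > len(datagram):
            raise ValueError("bad payload length")
        body = datagram[offset + 4:offset + plen]
        result["payloads"].append(ptype)
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, id_data = body[0], body[4:]  # skip protocol id and port
            if id_type == 1 and len(id_data) == 4:
                ident = ".".join(str(b) for b in id_data)
            elif id_type in (2, 3):
                ident = id_data.decode("ascii", errors="replace")
            else:
                ident = id_data.hex()
            result["cleartext_identity"] = (ID_TYPES.get(id_type, str(id_type)), ident)
        offset, ptype = offset + plen, nxt
    return result


def assess(datagram: bytes) -> str:
    """One-line verdict suitable for a detection pipeline."""
    info = parse_isakmp(datagram)
    if info["exchange_type"] == EXCH_AGGRESSIVE and info["cleartext_identity"]:
        kind, ident = info["cleartext_identity"]
        return f"ALERT aggressive mode: peer identity sent unencrypted ({kind} {ident})"
    if info["exchange_type"] == EXCH_MAIN:
        return "OK main mode: identities only exchanged in encrypted messages"
    return f"INFO {info['exchange_name']}"


def build_isakmp(exch_type: int, payloads: list, flags: int = 0) -> bytes:
    """Assemble a constructed ISAKMP datagram (test data only, not a real peer)."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, 0x1122334455667788, 0, first, 0x10,
                         exch_type, flags, 0, HEADER_LEN + len(body))
    return header + body


# Constructed samples: main mode message 1 carries only the SA payload ...
MAIN_MODE_MSG1 = build_isakmp(EXCH_MAIN, [(PAYLOAD_SA, b"\x00" * 8)])
# ... whereas aggressive mode message 1 already carries SA, KE, nonce and the ID
AGGRESSIVE_MSG1 = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_KE, b"\x01" * 16), (PAYLOAD_NONCE, b"\x02" * 16),
    (PAYLOAD_ID, struct.pack("!BBH", 3, 17, 500) + b"alice@example.com"),
])
# Main mode message 5: the ID payload is present but behind the encryption flag
MAIN_MODE_MSG5 = build_isakmp(EXCH_MAIN, [(PAYLOAD_ID, b"\xaa" * 20)], flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, pkt in (("main msg1", MAIN_MODE_MSG1), ("aggressive msg1", AGGRESSIVE_MSG1),
                      ("main msg5", MAIN_MODE_MSG5)):
        print(f"{name:16} {assess(pkt)}")
```

Run against real traffic by feeding the UDP payload of port 500 datagrams to `assess()`; any ALERT line means a peer is negotiating in the mode the Warning above discourages for mobile workstations, and the identity it printed is exactly what a passive observer on the path would learn.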
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
IPSEC VPN