Advanced IPsec Settings
The Advanced Settings tab under VPN > IPsec contains options to control, in general, how the IPsec daemon behaves and how traffic is handled with IPsec.
- IPsec Logging Controls
These options control which areas of the IPsec daemon generate log messages and their level of detail. For information on viewing the log, see IPsec Logs.
In most cases the optimal settings are the default: IKE SA, IKE Child SA, and Configuration Backend set to Diag, and all others set to Control.
- Configure Unique IDs as
Controls how the IPsec daemon treats new connections with an identifier which matches an existing connection. In most cases a new connection is intended to replace an older connection, but certain use cases such as mobile clients may require multiple connections from the same remote identifier.
- Yes (Replace)
The new connection is accepted by the IPsec daemon and it replaces the old connection, which is disconnected.
- No
The new connection is accepted and the old connection is replaced only if the peer sends an INITIAL_CONTACT notification.
- Never
The new connection is always allowed, and INITIAL_CONTACT notifications are ignored.
- Keep
The new connection is rejected and the old connection remains active.
- IPsec Filter Mode
Experimental. Controls how the firewall will filter IPsec traffic.
- Filter IPsec Tunnel and VTI on IPsec tab (enc0)
The default behavior. Rules on the IPsec tab filter all IPsec traffic, including both tunnel mode and VTI mode.
This is limited in that it does not allow for filtering on assigned VTI interfaces, and does not allow NAT or reply-to to function for VTI rules.
- Filter IPsec VTI on assigned interfaces, block all tunnel mode traffic
Enables firewall rules for assigned VTI interfaces, NAT on VTI interfaces, and reply-to for rules on assigned VTI interface tabs. However, when set to filter on assigned VTI interfaces, all tunnel mode traffic is blocked.
Do not set this option unless all IPsec tunnels are using VTI. This is incompatible with mobile IPsec as it is only capable of using tunnel mode.
- IP Compression
Propose support for IPComp compression.
Though the option is present in the GUI, the underlying operating system does not yet fully support IP compression.
- Strict Interface Binding
When set, the IPsec daemon configuration binds only to the interfaces required by the configuration, rather than binding to all interfaces.
This option is more secure but is known to break with interfaces which have dynamic IP addresses. Only enable this option in environments where it has been lab tested and proven to work as intended.
- Unencrypted Payloads in IKEv1 Main Mode
Some IPsec implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication. This is similar to Aggressive Mode, and has the same security implications: a passive attacker can sniff the negotiated identity and start brute forcing the PSK using the HASH payload. The best practice is to keep this option disabled unless the implications are fully understood and compatibility with such devices is required (for example, some SonicWall devices).
- Maximum IKEv1 Phase 2 Exchanges
IKEv1 phase 2 rekeying for one VPN gateway can be initiated in parallel. By default only 3 parallel rekeys are allowed. Undersized values can break VPN connections with many phase 2 definitions. If unsure, set this value to match the largest number of phase 2 entries on any phase 1.
- MSS Clamping
Enable maximum segment size clamping on TCP flows over IPsec tunnels. This helps overcome problems with path MTU discovery (PMTUD) on IPsec VPN links.
This is useful if large TCP packets have problems traversing the VPN, or if users observe slow or choppy connections across the VPN. Ideally it should be set to the same value on both sides of the VPN, but traffic will have MSS clamping applied in both directions regardless.
When set, the Maximum MSS option is available and its value is used by the firewall configuration.
- Maximum MSS
The maximum segment size set in TCP packets flowing across IPsec VPN tunnels. Defaults to 1400. Must be low enough to account for the overhead of IPsec and the MTU of the link, but not so low that unnecessarily small segments are sent, as that is inefficient.
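The right clamp value depends on the path MTU and on how much ESP adds per packet, which varies with the transform (IV length, ICV length, and block padding) and with NAT-T. The following is an added example, not code from the pfSense project: it models tunnel-mode ESP over IPv4 using the header, trailer and padding sizes from RFC 4303 (with RFC 4106 sizes for AES-GCM and RFC 4868 sizes for HMAC-SHA2) and derives the largest MSS that still fits the MTU. The suite labels in `SUITES` are names chosen for this example; the 20-byte TCP header follows the RFC 6691 convention that options count against the MSS.

```python
"""Derive a safe "Maximum MSS" for TCP over an ESP tunnel-mode IPsec VPN.

Added example, not part of the pfSense documentation. It models the fixed and
padding-dependent overhead of ESP in tunnel mode over IPv4 (RFC 4303) with the
IV, ICV and padding sizes of common transforms (RFC 4106 for AES-GCM, RFC 4868
for HMAC-SHA2). The suite labels in SUITES are names chosen for this example.
"""

IPV4_HEADER = 20
TCP_HEADER = 20      # options count against the MSS (RFC 6691), so 20 is the right base
UDP_HEADER = 8       # UDP encapsulation added when NAT-T is in use (RFC 3948)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# suite label -> (IV bytes, ICV bytes, alignment of the encrypted portion)
SUITES = {
    "aes128gcm128": (8, 16, 4),     # combined mode: 8-byte IV, 16-byte ICV, 4-byte alignment
    "aes256-sha256": (16, 16, 16),  # AES-CBC 16-byte IV, HMAC-SHA2-256-128 ICV, 16-byte blocks
    "aes128-sha1": (16, 12, 16),    # AES-CBC 16-byte IV, HMAC-SHA1-96 ICV, 16-byte blocks
}


def esp_packet_size(tcp_payload: int, suite: str, nat_t: bool) -> int:
    """Size on the wire of one tunnel-mode ESP packet carrying a TCP segment."""
    iv, icv, align = SUITES[suite]
    inner = IPV4_HEADER + TCP_HEADER + tcp_payload      # the encapsulated packet
    # Padding brings (inner + padding + trailer) up to a multiple of the alignment.
    encrypted = -(-(inner + ESP_TRAILER) // align) * align
    outer = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv
    return outer + encrypted + icv


def max_mss(mtu: int, suite: str, nat_t: bool) -> int:
    """Largest TCP payload whose ESP packet still fits the path MTU."""
    # Walk down from the MTU; the first size that fits is the answer.
    for payload in range(mtu, 0, -1):
        if esp_packet_size(payload, suite, nat_t) <= mtu:
            return payload
    raise ValueError("MTU too small for any TCP payload")


def mss_fits(mss: int, mtu: int, suite: str, nat_t: bool) -> bool:
    """True if clamping to `mss` avoids fragmentation after encryption."""
    return esp_packet_size(mss, suite, nat_t) <= mtu


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:14} NAT-T={str(nat_t):5} max MSS on a 1500-byte MTU: "
                  f"{max_mss(1500, suite, nat_t)}")
    print("1400 fits aes128gcm128 without NAT-T:",
          mss_fits(1400, 1500, "aes128gcm128", False))
    print("1400 fits aes256-sha256 without NAT-T:",
          mss_fits(1400, 1500, "aes256-sha256", False))
```

On a 1500-byte path this model gives 1406 for AES-GCM without NAT-T and 1398 with NAT-T, but only 1398 for AES-CBC with HMAC-SHA2-256 and 1382 once NAT-T is added, because the 16-byte IV, 16-byte ICV and block padding all add up. That is why the 1400 default is comfortable for a GCM tunnel yet a few bytes over for a CBC tunnel, and why lowering the value further is common when NAT-T or a smaller WAN MTU is involved; run the script with the real MTU and transform before settling on a number.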
- Enable Cisco Extensions
Enables the Unity plugin which provides support for Cisco Extensions such as Split-DNS for IKEv1 XAuth mobile clients. This allows clients which support these extensions to obtain values automatically when connecting to a mobile IPsec VPN.
- Strict CRL Checking
When set, the IPsec daemon requires availability of a fresh CRL for peer authentication based on certificate signatures to succeed. Primarily useful when the CRL is obtained dynamically (e.g. OCSP).
If there is no CRL available for a CA, validation will fail.
- Make Before Break
Controls whether IKEv2 reauthentication uses Make-before-Break or Break-before-Make when an IKE Security Association (SA) expires. Must be supported by both peers.
Only relevant for IKEv2 tunnels using reauthentication; it does not affect IKEv1 tunnels or IKEv2 tunnels set to rekey.
- Break-before-Make (Unchecked, Default)
Deletes IKE and Child SAs before reauthenticating and making a new set of SAs. This behavior is standard and well-supported, but disruptive as there is a small gap between the old and new SA set in which IPsec connectivity is unavailable.
- Make-before-Break (Checked)
Reauthenticates and makes a new SA set before deleting the old SA set. This eliminates the connectivity disruption, but requires that both endpoints support overlapping IKE and Child SA entries.
- Asynchronous Cryptography
Allows cryptographic framework jobs to be dispatched in a multi-threaded manner to increase performance. Jobs are handled in the order they are received so that packets will be reinjected in the correct order.
This option can increase performance, but may be unstable on certain hardware. When enabling this option, test connectivity during a maintenance window to ensure proper behavior. See Bug #8964 for details.
- Custom Ports
Rare situations may require the firewall to listen for inbound IPsec packets on alternate port numbers for IKE and NAT-T. These settings can accommodate such cases, but affect every tunnel on the firewall.
Leave empty for the default behavior, which is to use UDP port 500 for IKE and
- Auto-exclude LAN Address
Set up an automatic IPsec bypass for traffic to and from the LAN subnet, so it does not get captured by policy-based IPsec.
- Additional IPsec Bypass
Configures additional manual IPsec bypass behavior. When set, the GUI exposes the IPsec Bypass Rules control.
- IPsec Bypass Rules
Custom rules which allow traffic matching combinations of Source Address and Destination Address pairs to be excluded from IPsec policies.
- Source Address
The source address or network to exclude, and its mask.
- Destination Address
The corresponding destination address or network to exclude, and its mask.
These values are considered together. A packet must match both the source and destination to bypass IPsec policies.
These rules are useful to exclude traffic between multiple local networks, especially when a policy-based IPsec tunnel is set to use 0.0.0.0/0 as the remote network.
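To see why both halves of a bypass pair have to match, and why a 0.0.0.0/0 remote network makes the bypass list necessary, the following added example (not code from the pfSense project) evaluates a constructed topology: two local subnets, one policy-based Phase 2 per subnet with 0.0.0.0/0 as the remote network, and a short bypass list. The subnets, addresses and the `source -> destination` rule format are sample values chosen for this example; the evaluation order (bypass pairs first, then tunnel policies) follows the description above.

```python
"""Check which flows a policy-based IPsec tunnel captures after bypass rules.

Added example, not part of the pfSense documentation. A bypass pair must match
both the source and the destination; any flow not bypassed that matches a
Phase 2 policy is sent through the tunnel. The networks, addresses and the
'source -> destination' rule format are constructed for this example.
"""
import ipaddress


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string, accepting host bits (e.g. 10.0.1.5/24)."""
    return ipaddress.ip_network(cidr, strict=False)


def parse_bypass_rules(lines):
    """Parse constructed 'source -> destination' lines into (src, dst) network pairs."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = (part.strip() for part in line.split("->"))
        rules.append((net(src), net(dst)))
    return rules


def bypasses_ipsec(src: str, dst: str, rules) -> bool:
    """A packet bypasses IPsec only if one rule matches both its source and destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in rule_src and d in rule_dst for rule_src, rule_dst in rules)


def captured_by_ipsec(src: str, dst: str, policies, rules) -> bool:
    """True if the flow is sent into a policy-based tunnel, False if it stays local."""
    if bypasses_ipsec(src, dst, rules):
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in policies)


# Constructed sample: a LAN and a second local subnet, each with a Phase 2
# whose remote network is 0.0.0.0/0 (a "send everything through the tunnel" policy).
LAN = net("10.0.1.0/24")
DMZ = net("10.0.2.0/24")
POLICIES = [(LAN, net("0.0.0.0/0")), (DMZ, net("0.0.0.0/0"))]

# Constructed bypass list: keep local-to-local traffic out of the tunnel.
BYPASS_RULES = parse_bypass_rules("""
# source -> destination
10.0.1.0/24 -> 10.0.1.0/24
10.0.1.0/24 -> 10.0.2.0/24
10.0.2.0/24 -> 10.0.1.0/24
""".splitlines())

if __name__ == "__main__":
    flows = [("10.0.1.5", "203.0.113.10"),   # LAN host to the Internet: tunnel
             ("10.0.1.5", "10.0.2.7"),        # LAN host to DMZ host: bypassed
             ("10.0.2.7", "10.0.1.5")]        # DMZ host back to LAN: bypassed
    for src, dst in flows:
        where = "tunnel" if captured_by_ipsec(src, dst, POLICIES, BYPASS_RULES) else "local"
        print(f"{src} -> {dst}: {where}")
```

With the bypass list removed, the LAN-to-DMZ flow matches the 0.0.0.0/0 policy and would be pushed into the tunnel; with a rule that names only the source subnet and a destination the packet does not fall in, it is still captured, which is the "must match both" behavior the text describes.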