Advanced IPsec Settings

The Advanced Settings tab under VPN > IPsec contains options which control IPsec daemon behavior and how traffic is handled with IPsec.

IPsec Logging Controls:

These options control which areas of the IPsec daemon generate log messages and their level of detail. For information on viewing the log, see IPsec Logs.

In most cases the optimal settings are the default: IKE SA, IKE Child SA, and Configuration Backend set to Diag, and all others set to Control.

Configure Unique IDs as:

Controls how the IPsec daemon treats new connections with an identifier which matches an existing connection. In most cases a new connection is intended to replace an older connection, but certain use cases such as mobile clients may require multiple connections from the same remote identifier.

Yes (Replace):

The new connection is accepted by the IPsec daemon and it replaces the old connection, which is disconnected.

No:

The new connection is accepted and the old connection is replaced only if the peer sends an INITIAL_CONTACT notification.

Never:

The new connection is always allowed, and INITIAL_CONTACT notifications are ignored.

Keep:

The new connection is rejected and the old connection remains active.

IPsec Filter Mode:

Experimental. Controls how the firewall filters IPsec traffic.

Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0):

The default behavior. Rules on the IPsec tab filter all IPsec traffic, including tunnel mode, transport mode, and VTI mode.

This is limited in that it does not allow for filtering on assigned VTI or transport mode interfaces, and does not allow for NAT or reply-to to function for VTI rules. It can also cause problems with connection state tracking for transport mode traffic.

Warning

This mode requires special changes to the rules to work around incompatibilities between the default firewall state policy and the way VTI traffic is handled by the OS. See IPsec VTI Filtering for details.

Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic:

Enables firewall rules for assigned VTI and transport mode interfaces, NAT on VTI interfaces, and reply-to for rules on assigned VTI interface tabs. This also allows transport mode to properly filter traffic in both directions, such as with GRE tunnels protected by transport mode IPsec.

However, when set to filter on assigned VTI interfaces, all tunnel mode traffic is blocked.

Warning

Do not set this option unless all IPsec tunnels are using VTI or Transport Mode.

This option is incompatible with mobile IPsec as mobile IPsec is only capable of using tunnel mode.

IP Compression:

Propose support for IPComp compression.

Warning

Though the option is present in the GUI, the underlying operating system does not yet fully support IP compression.

Enable PKCS#11 Support:

When set, enables support for PKCS#11 tokens in IPsec. This includes activating the pcscd daemon and enabling GUI controls in IPsec phase 1 for activating PKCS#11 authentication.

Strict Interface Binding:

When set, the IPsec daemon configuration binds only to the interfaces required by the configuration, rather than binding to all interfaces.

This option is more secure but is known to break with interfaces which have dynamic IP addresses. Only enable this option in environments where it has been lab tested and proven to work as intended.

Unencrypted Payloads in IKEv1 Main Mode:

Some IPsec implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication. This is similar to Aggressive Mode and has the same security implications: a passive attacker can sniff the negotiated Identity and start brute forcing the PSK using the HASH payload. The best practice is to keep this option disabled unless the implications are fully understood and compatibility with such devices is required (for example, some SonicWall devices).

Maximum IKEv1 Phase 2 Exchanges:

IKEv1 phase 2 rekeying for one VPN gateway can be initiated in parallel. By default only 3 parallel rekeys are allowed. Undersized values can break VPN connections with many phase 2 definitions. If unsure, set this value to match the largest number of phase 2 entries on any phase 1.

Enable Cisco Extensions:

Enables the Unity plugin which provides support for Cisco Extensions such as Split-Include, Split-Exclude, and Split-DNS for IKEv1 XAuth mobile clients. This allows clients which support these extensions to obtain values automatically when connecting to a mobile IPsec VPN.

Strict CRL Checking:

When set, the IPsec daemon requires availability of a fresh CRL for peer authentication based on certificate signatures to succeed. Primarily useful when the CRL is obtained dynamically (e.g. OCSP).

Warning

If there is no CRL available for a CA, validation will fail.

Make Before Break:

Controls whether IKEv2 Reauthentication uses Make-before-Break or Break-before-Make when an IKE Security Association (SA) expires. Must be supported by both peers.

This option is only relevant for IKEv2 tunnels using reauthentication; it does not affect IKEv1 tunnels or IKEv2 tunnels set to rekey.

Break-before-Make (Unchecked, Default):

Deletes IKE and Child SAs before reauthenticating and making a new set of SAs. This behavior is standard and well-supported, but disruptive as there is a small gap between the old and new SA set in which IPsec connectivity is unavailable.

Make-before-Break (Checked):

Reauthenticates and makes a new SA set before deleting the old SA set. This eliminates the connectivity disruption, but requires that both endpoints support overlapping IKE and Child SA entries.

Asynchronous Cryptography:

Allows cryptographic framework jobs to be dispatched in a multi-threaded manner to increase performance. Jobs are handled in the order they are received so that packets will be reinjected in the correct order.

Warning

This option can increase performance, but may be unstable on certain hardware. When enabling this option, test connectivity during a maintenance window to ensure proper behavior. See Bug #8964 for details.

Custom Ports:

Rare situations may require the firewall to listen for inbound IPsec packets on alternate port numbers for IKE and NAT-T. These settings can accommodate such cases, but affect every tunnel on the firewall.

Leave empty for the default behavior, which is to use UDP port 500 for IKE and 4500 for NAT-T.

Auto-exclude LAN Address:

Set up an automatic IPsec bypass for traffic to and from the LAN subnet, so it does not get captured by policy-based IPsec.

Additional IPsec Bypass:

Configures additional manual IPsec bypass behavior. When set, the GUI exposes the IPsec Bypass Rules control.

IPsec Bypass Rules:

Custom rules which allow traffic matching combinations of Source Address and Destination Address pairs to be excluded from IPsec policies.

Source Address:

The source address or network to exclude, and its mask.

Destination Address:

The corresponding destination address or network to exclude, and its mask.

Note

These values are considered together. A packet must match both the source and destination to bypass IPsec policies.

These rules are useful to exclude traffic between multiple local networks, especially when a policy-based IPsec tunnel is set to use 0.0.0.0/0 as the remote network.
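The following is an added model of the bypass logic described above (constructed example, not pfSense code): a packet is captured by a policy-based phase 2 when it matches the local/remote network pair, unless a bypass rule matches both its source and destination. The tunnel name, networks and the treatment of Auto-exclude LAN as a LAN-to-LAN pair are assumptions for illustration.

```python
import ipaddress
from typing import List, Tuple


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


class IPsecBypass:
    """Bypass rules: a packet bypasses policy-based IPsec only when BOTH its
    source and destination fall inside one rule's (source, destination) pair."""

    def __init__(self, lan_subnet: str, auto_exclude_lan: bool,
                 extra_rules: List[Tuple[str, str]]):
        self.rules = []
        if auto_exclude_lan:
            # "Auto-exclude LAN Address" modelled here as a LAN<->LAN pair (assumption).
            self.rules.append((_net(lan_subnet), _net(lan_subnet)))
        self.rules += [(_net(s), _net(d)) for s, d in extra_rules]

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in rs and d in rd for rs, rd in self.rules)


def classify(policies: List[Tuple[str, str, str]], bypass: IPsecBypass,
             src: str, dst: str) -> str:
    """Return 'bypass', 'tunnel:<name>' or 'clear' for one packet.
    policies: (tunnel name, local network, remote network) as in a phase 2 entry."""
    if bypass.matches(src, dst):          # a bypass match wins over any policy
        return "bypass"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in policies:
        if s in _net(local) and d in _net(remote):
            return f"tunnel:{name}"
    return "clear"                        # no policy matched: routed normally


# Constructed scenario: one phase 2 with 0.0.0.0/0 as the remote network captures
# everything leaving the LAN, including traffic to a second local network.
POLICIES = [("site-a", "192.168.1.0/24", "0.0.0.0/0")]
BYPASS = IPsecBypass("192.168.1.0/24", auto_exclude_lan=True,
                     extra_rules=[("192.168.1.0/24", "192.168.2.0/24")])

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "203.0.113.5"),    # internet: captured
                     ("192.168.1.10", "192.168.2.5"),    # second LAN: bypassed
                     ("192.168.1.10", "192.168.3.5"),    # only source matches: captured
                     ("192.168.1.10", "192.168.1.20")]:  # LAN to LAN: auto-exclude
        print(f"{src} -> {dst}: {classify(POLICIES, BYPASS, src, dst)}")
```

The third case shows why the source and destination are considered together: a rule whose source matches but whose destination does not leaves the packet inside the 0.0.0.0/0 policy.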