Getting started
Products concerned: SNS v5 and later versions
In Diffusion Restreinte (DR) mode, which was introduced in SNS version 4.2, policies that comply with IPsec DR specifications set by the ANSSI are not allowed to coexist with policies that comply with the IPsec standard (RFC 7292 IKEv2bis).
Refer to the SNS user guide for more information on Diffusion Restreinte (DR) mode.
In SNS version 5, IPsec VPN tunnels that comply with DR mode requirements can be configured while retaining the possibility of setting up IPsec VPN tunnels that do not comply with these requirements. This feature is intended for complex architectures whose migration to DR compliance has to go through a transitional phase, during which IPsec DR and standard (non-DR) policies coexist.
To do so, a configuration option introduced in version 5 makes it possible to specify, on each IPsec peer, whether the tunnels negotiated with that peer must comply with DR mode requirements. The constraints imposed by this option are the same as those of DR mode, and the configuration of a DR-compliant IPsec VPN tunnel must follow the requirements described in the section Assessing the impact of enabling DR mode.
As soon as all peers have been made DR-compliant, full DR mode can be enabled on the version 5 SNS firewall and on its peers.
This option is referred to as "DR transition mode" in the rest of this technical note.
Date | Description
---|---
September 22, 2025 | New document