Barracuda NextGen Firewall X

Barracuda NG Firewall IPSec implementation and PFS

  • Type: Knowledgebase
  • Date changed: 8 years ago

Solution #00005104

 

Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

 
Symptoms:

Most IPSec gateways use PFS (Perfect Forward Secrecy) for tunnel establishment. The Barracuda NG Firewall also supports this feature. PFS is activated by default and is configured in the IPSec Tunnel configuration dialogue.

If a 3rd party IPSec gateway tries to establish a tunnel without using PFS, errors like the following will be generated on the Barracuda NG Firewall gateway and written to the "ike.log" (in the VPN service logfiles):

 

Notice dropped message from 194.39.131.169 port 500 due to notification type INVALID_PAYLOAD_TYPE
Notice message_parse_payloads: reserved field non-zero: 18
Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED
Notice message_parse_payloads: reserved field non-zero: 20
Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED

 
Solution:

PFS must be either activated or deactivated on both gateways; the settings must match. Activate PFS in the IPSec Tunnel configuration dialogue through the parameter DH-Group of Phase 2. To deactivate PFS, set the value of the parameter DH-Group in Phase 2 to "none".
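The following added example (not part of the original solution or of Barracuda's own tooling) triages ike.log lines of the form shown above: it groups drop notices by peer address, attributes the peer-less "reserved field non-zero" parse errors to the most recent drop, and flags peers whose drops are dominated by the two notification types this article associates with a Phase 2 PFS mismatch. The sample log is constructed from the lines above plus one unrelated notice; the 10.0.0.5 peer and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the article's ike.log lines plus one unrelated drop (10.0.0.5 is made up).
SAMPLE_IKE_LOG = """\
Notice dropped message from 194.39.131.169 port 500 due to notification type INVALID_PAYLOAD_TYPE
Notice message_parse_payloads: reserved field non-zero: 18
Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED
Notice message_parse_payloads: reserved field non-zero: 20
Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED
Notice dropped message from 10.0.0.5 port 500 due to notification type NO_PROPOSAL_CHOSEN
"""

DROP_RE = re.compile(
    r"dropped message from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)"
)
RESERVED_RE = re.compile(r"reserved field non-zero: (?P<value>\d+)")

# Notification types the article associates with a missing-PFS peer.
PFS_MISMATCH_NOTIFIES = {"INVALID_PAYLOAD_TYPE", "PAYLOAD_MALFORMED"}


def parse_ike_log(text):
    """Return per-peer stats: notification counts and reserved-field values seen."""
    peers = defaultdict(lambda: {"notifies": defaultdict(int), "reserved": []})
    last_peer = None
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            last_peer = m.group("peer")
            peers[last_peer]["notifies"][m.group("notify")] += 1
            continue
        m = RESERVED_RE.search(line)
        if m and last_peer is not None:
            # Parse errors carry no peer address; attribute them to the last dropped message.
            peers[last_peer]["reserved"].append(int(m.group("value")))
    return peers


def suspected_pfs_mismatch(peers, min_drops=2):
    """Peers with at least min_drops malformed-payload drops and a parse error (assumed heuristic)."""
    flagged = []
    for peer, st in peers.items():
        n = sum(c for t, c in st["notifies"].items() if t in PFS_MISMATCH_NOTIFIES)
        if n >= min_drops and st["reserved"]:
            flagged.append(peer)
    return sorted(flagged)
```

A flagged peer is a cue to compare the Phase 2 DH-Group setting on both gateways, as the solution describes; other notification types (such as a proposal mismatch) are left for separate handling.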

What is Perfect Forward Secrecy (PFS)?
Perfect Forward Secrecy (PFS) provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.
Main keys should only be used with great care, as they require further authentications. This can lead to additional administration effort for the domain controllers in the network. The main key does not have to be active on both gateways.

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKYLAA4