IPsec overview

IPsec is an extension to the IP protocol that provides secure traffic tunneling by authenticating and encrypting information sent over a network.

The IPsec protocol uses Internet Key Exchange (IKE) to establish session keys for encryption and decryption, and Encapsulating Security Payload (ESP) to provide data confidentiality and integrity.

Traffic to the Forcepoint ONE SSE Cloud SWG service can be fully encapsulated in tunnel mode, providing complete traffic encryption.

IPsec connectivity also supports sites that connect to the Internet with a dynamic IP address: such a site uses a fully qualified domain name (FQDN), rather than its changing address, as the device IKE ID.

By default, two Forcepoint data centers are provided for Cloud SWG. Forcepoint strongly recommends configuring your edge devices to fail over to the second data center for geographic redundancy. Tunnels should be configured with automatic failover. Each data center has a tunnel monitoring address that can be used to monitor the status of the connection.
Note: Connection redundancy is a requirement for the Forcepoint ONE SSE SLA. Redundancy is achieved by configuring connections to both of the data center addresses provided and configuring your edge device to fail over in the event of a network disruption.

This guide describes how to configure a Cisco ASA/FTD running version 9.8 or later using the Forcepoint ONE SSE Cloud IPsec tunnel configurations.
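As an added example (not taken from this guide or from Forcepoint's own configuration), the ASA CLI fragment below sketches the pieces this overview names: an IKEv2 policy, an ESP proposal, the device FQDN as IKE ID, a route-based (VTI) tunnel to each data center, and a tracked default route that fails over when the data center 1 tunnel monitoring address stops answering. Every peer, monitoring and tunnel-interface address, the pre-shared keys and the object names are placeholders; the real values come from the Cloud SWG tunnel configuration.

```text
! --- IKEv2 (phase 1): algorithms the ASA offers for the IKE SA ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
! Send the device FQDN (from hostname + domain-name) as the IKE ID, so a dynamic WAN address does not change the identity the service sees
crypto isakmp identity hostname
! --- ESP (phase 2): confidentiality and integrity for the tunneled traffic ---
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile SWG-PROFILE
 set ikev2 ipsec-proposal ESP-AES256-SHA256
! --- One tunnel-group per data center (placeholder peer addresses and PSKs) ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK-DC1
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK-DC1
 isakmp keepalive threshold 10 retry 3
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK-DC2
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK-DC2
 isakmp keepalive threshold 10 retry 3
! --- Route-based tunnels (VTI): one interface per data center, full encapsulation ---
interface Tunnel1
 nameif SWG-DC1
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SWG-PROFILE
interface Tunnel2
 nameif SWG-DC2
 ip address 169.254.20.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SWG-PROFILE
! --- Failover: probe the DC1 tunnel monitoring address (placeholder) through Tunnel1; the primary default route is withdrawn when the probe fails ---
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.10 interface SWG-DC1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route SWG-DC1 0.0.0.0 0.0.0.0 169.254.10.2 1 track 1
route SWG-DC2 0.0.0.0 0.0.0.0 169.254.20.2 10
```

After applying it, `show crypto ikev2 sa`, `show crypto ipsec sa` and `show track 1` confirm that both tunnels are up and which default route is currently active.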