Configure IKEv2 proposal
Configure the IKEv2 proposal for the Forcepoint ONE SSE service.
Steps
-
Configure an IKEv2 proposal with a supported encryption algorithm, integrity algorithm, and DH group:
crypto ikev2 proposal <proposal_name> encryption <supported_IPsec_cipher> integrity <supported_integrity_algorithm> group <supported_dh_group>
-
Configure the IKEv2 policy:
crypto ikev2 policy <policy name>
-
Associate the proposal that you configured:
proposal <proposal_name>
-
Configure a keyring and, for each tunnel, define the peer (cloud FQDN or IP address) and its pre-shared key:
-
Enter an IKEv2 key ring name for the primary IPsec tunnel:
crypto ikev2 keyring <key ring name>
-
Enter a peer name for the primary IPsec tunnel:
peer <Peer 1 Name>
-
Enter the cloud FQDN for the primary IPsec tunnel:
hostname <primary_Cloud_FQDN>
If you want to use the IP address of the primary IPsec tunnel instead of the cloud FQDN, use the corresponding line instead:
address <primary_destination_address>
-
Enter the PSK for the peer:
pre-shared-key <pre-shared_key>
-
Enter a peer name for the secondary IPsec tunnel:
peer <Peer 2 Name>
-
Enter the cloud FQDN for the secondary IPsec tunnel:
hostname <secondary_Cloud_FQDN>
If you want to use the IP address of the secondary IPsec tunnel instead of the cloud FQDN, use the corresponding line instead:
address <secondary_destination_address>
-
Enter the PSK for the peer:
pre-shared-key <pre-shared_key>
-
Configure an IKEv2 profile and associate the following:
- The keyring that you created.
- The IKE ID sent by the service (of type FQDN)
- The IKE ID sent by the edge device (of type FQDN or of type IP address).
- Local and remote authentications using pre-share
-
Enter an IKEv2 profile name:
crypto ikev2 profile <IKEv2 Profile Name>
-
Define the match statement for the IKE ID of the primary tunnel (both match statements belong to the same profile):
match identity remote fqdn <primary_cloud_ike_id>
-
Define the match statement for the IKE ID of the secondary tunnel:
match identity remote fqdn <secondary_cloud_ike_id>
-
If you want to use a local IKE ID of type FQDN, enter the local IKEv2 identity:
identity local fqdn <local_fqdn_id>
If you want to use a local IKE ID of type IP address, you can replace the corresponding line as follows:
identity local address <public_egress_IP>
-
Define the local authentication method:
authentication local pre-share
-
Define the remote authentication method:
authentication remote pre-share
-
Enter the IKEv2 key ring name you configured:
keyring local <Key Ring Name>
-
Configure a transform set and define the encryption algorithm:
crypto ipsec transform-set <Transform Set Name> <supported_IPsec_cipher>
-
Configure an access-list to allow port 80 and 443 traffic from specific subnets or traffic types to the tunnel. Note that IOS numbered access-lists take a wildcard (inverse) mask, for example 0.0.0.255 for a /24, not a subnet mask:
access-list <access_list_number> permit tcp <internal_subnet> <wildcard_mask> any eq www
access-list <access_list_number> permit tcp <internal_subnet> <wildcard_mask> any eq 443
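The steps above assembled into one complete configuration, as an added example that is not part of the original page or of the Forcepoint ONE SSE documentation. Every value in it is assumed: the object names (FP-ONE-*), the peer FQDNs and local identity under example.com, the 10.0.0.0/24 internal subnet and the access-list number are placeholders; the PSK is left as a placeholder on purpose and must be replaced with the key configured in the service. The algorithms shown (AES-256-CBC, SHA-256, DH group 14) are one common combination and must be replaced with ones the service actually supports.

```cisco
! Added example configuration (not from the original page). All names,
! FQDNs, addresses and the subnet are assumed placeholders.
crypto ikev2 proposal FP-ONE-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy FP-ONE-POLICY
 proposal FP-ONE-PROPOSAL
!
! One peer entry per tunnel; "hostname" needs working DNS on the router,
! "address <ip>" can be used instead when the peer is given as an IP.
crypto ikev2 keyring FP-ONE-KEYRING
 peer PRIMARY
  hostname primary-pop.example.com
  pre-shared-key <pre-shared_key>
 peer SECONDARY
  hostname secondary-pop.example.com
  pre-shared-key <pre-shared_key>
!
! Both remote IKE IDs are matched in the same profile; the local ID is
! sent as an FQDN here (use "identity local address <public_egress_IP>"
! if the service is configured with the IP address as the edge IKE ID).
crypto ikev2 profile FP-ONE-PROFILE
 match identity remote fqdn primary-pop.example.com
 match identity remote fqdn secondary-pop.example.com
 identity local fqdn branch01.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local FP-ONE-KEYRING
!
crypto ipsec transform-set FP-ONE-TS esp-aes 256 esp-sha256-hmac
!
! Wildcard (inverse) mask: 0.0.0.255 selects the 10.0.0.0/24 subnet.
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 443
```

Two checks worth doing once the configuration is applied: `show crypto ikev2 sa` should list an IKE SA for each peer in READY state, and `show crypto ipsec sa` should show encaps/decaps counters increasing for the transform set once web traffic matching the access-list is sent. If an AES-GCM cipher is chosen for the proposal, the `integrity` line must be omitted (GCM is authenticated encryption) and a `prf` algorithm specified instead. The pre-shared keys end up in the running configuration; enabling type 6 encryption (`key config-key password-encrypt` followed by `password encryption aes`) keeps them out of clear-text `show running-config` output and configuration backups.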