Configure IKE proposal

Configure the IKE proposal for the Private Access service.

Steps

  1. Configure an IKEv2 proposal with a supported encryption algorithm, integrity, and DH group:
    crypto ikev2 proposal <proposal_name>
    encryption <supported_ipsec_cipher>
    integrity <supported_integrity_algorithm>
    group <supported_dh_group>
    exit
    Example:
    crypto ikev2 proposal PA_proposal
    encryption aes-cbc-256
    integrity sha256
    group 19
    exit
  2. Configure the IKEv2 policy and associate the proposal that you configured:
    crypto ikev2 policy forcepoint
    proposal <proposal_name>
    exit
  3. Configure two keyrings and define the peer IP address and pre-shared key for each tunnel:
    crypto ikev2 keyring PA_keyring1
    peer gateway1
    address <tunnel1_destination_address>
    pre-shared-key <pre-shared_key>
    exit
    exit
    
    crypto ikev2 keyring PA_keyring2
    peer gateway2
    address <tunnel2_destination_address>
    pre-shared-key <pre-shared_key>
    exit
    exit
  4. Configure a separate IKEv2 profile for each tunnel and associate the following:
    • The keyring that you created.
    • The IKE ID sent by the service (of type FQDN).
    • The IKE ID sent by the edge device (of type FQDN or of type IP address).
    crypto ikev2 profile PA_profile1
    match identity remote fqdn <forcepoint_ike_id>
    identity local fqdn <local_fqdn_id>
    authentication local pre-share
    authentication remote pre-share
    keyring local PA_keyring1
    dpd 10 2 periodic
    exit
    
    crypto ikev2 profile PA_profile2
    match identity remote fqdn <forcepoint_ike_id>
    identity local fqdn <local_fqdn_id>
    authentication local pre-share
    authentication remote pre-share
    keyring local PA_keyring2
    dpd 10 2 periodic
    exit

    The example instructions provided above use a local IKE ID of type FQDN. If you want to use a local IKE ID of type IP address, you can replace the corresponding line as follows:

    identity local address <public_ip>
  5. Configure a transform set and define the ESP encryption and integrity algorithms:
    crypto ipsec transform-set PA_set <supported_ipsec_cipher> <supported_ipsec_integrity>
    exit
    Example:
    crypto ipsec transform-set PA_set esp-aes esp-sha256-hmac
    exit
  6. Configure two access lists to match return traffic for private applications to the cloud gateway source IP addresses.

    Private Access gateways apply network address translation (NAT) to remote traffic before forwarding it to the hosting site. The first tunnel uses 116.50.59.232 as the source NAT IP address, and the second tunnel uses 116.50.59.234 as the source NAT IP address.

    In the following example access lists, the private applications are on the 192.168.122.0/24 private IP network on the hosting site. Each access list captures the traffic that is sent back from this private application network to the corresponding gateway source IP address.

    Example:
    
    access-list 120 permit tcp 192.168.122.0 0.0.0.255 116.50.59.232 0.0.0.0
    access-list 125 permit tcp 192.168.122.0 0.0.0.255 116.50.59.234 0.0.0.0
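
    The following script is an added example and is not Forcepoint's or Cisco's own tooling. It assembles steps 1 to 6 above into one two-tunnel configuration from a small set of parameters, derives the access-list wildcard masks from CIDR notation (192.168.122.0/24 becomes 192.168.122.0 0.0.0.255), and refuses to render when the IKEv2 proposal uses an algorithm outside an allow-list, when the two tunnels share a destination, or when both or neither local IKE ID type is set. The allow-lists, the class and function names, the 203.0.113.x peer addresses and the .invalid FQDNs are assumptions made for the example; the NAT source addresses, access-list numbers and private network are the values used on this page.

```python
# Added example: renders the two-tunnel Private Access edge configuration
# described above. Not Forcepoint's or Cisco's code.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed allow-lists: the page shows only these values in its example and does
# not publish the full supported set, so extend them from the vendor's list.
ALLOWED_ENCRYPTION = {"aes-cbc-256"}
ALLOWED_INTEGRITY = {"sha256"}
ALLOWED_DH_GROUPS = {19}


@dataclass
class Tunnel:
    peer: str            # keyring peer name, e.g. gateway1
    destination: str     # <tunnelN_destination_address>
    psk: str             # <pre-shared_key>
    nat_source_ip: str   # source NAT IP the cloud gateway uses on this tunnel
    acl_number: int      # access list that matches return traffic to it


@dataclass
class PrivateAccessConfig:
    forcepoint_ike_id: str              # FQDN IKE ID sent by the service
    private_network: str                # hosting-site application network, CIDR
    tunnels: list[Tunnel]
    local_fqdn_id: str | None = None    # edge IKE ID of type FQDN ...
    local_ip_id: str | None = None      # ... or of type IP address (<public_ip>)
    encryption: str = "aes-cbc-256"
    integrity: str = "sha256"
    dh_group: int = 19


def wildcard(cidr: str) -> tuple[str, str]:
    """CIDR -> IOS 'network wildcard' pair: 192.168.122.0/24 -> 192.168.122.0 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def check(cfg: PrivateAccessConfig) -> list[str]:
    """Return the problems found; an empty list means the parameters are usable."""
    problems: list[str] = []
    if cfg.encryption not in ALLOWED_ENCRYPTION:
        problems.append(f"encryption {cfg.encryption!r} not in allow-list")
    if cfg.integrity not in ALLOWED_INTEGRITY:
        problems.append(f"integrity {cfg.integrity!r} not in allow-list")
    if cfg.dh_group not in ALLOWED_DH_GROUPS:
        problems.append(f"DH group {cfg.dh_group} not in allow-list")
    if len(cfg.tunnels) != 2:
        problems.append("exactly two tunnels are expected")
    if len({t.destination for t in cfg.tunnels}) != len(cfg.tunnels):
        problems.append("tunnel destination addresses must differ")
    if (cfg.local_fqdn_id is None) == (cfg.local_ip_id is None):
        problems.append("set exactly one of local_fqdn_id or local_ip_id")
    for t in cfg.tunnels:
        for label, value in (("destination", t.destination), ("nat_source_ip", t.nat_source_ip)):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{t.peer}: {label} {value!r} is not an IP address")
        if not t.psk:
            problems.append(f"{t.peer}: pre-shared key is empty")
    try:
        ipaddress.ip_network(cfg.private_network, strict=True)
    except ValueError as exc:
        problems.append(f"private_network: {exc}")
    return problems


def render(cfg: PrivateAccessConfig) -> str:
    """Emit the IOS commands for steps 1-6, or raise ValueError if check() finds problems."""
    problems = check(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    local_id = (f" identity local fqdn {cfg.local_fqdn_id}" if cfg.local_fqdn_id
                else f" identity local address {cfg.local_ip_id}")
    out = [  # steps 1 and 2: proposal and the policy that references it
        "crypto ikev2 proposal PA_proposal", f" encryption {cfg.encryption}",
        f" integrity {cfg.integrity}", f" group {cfg.dh_group}", " exit",
        "crypto ikev2 policy forcepoint", " proposal PA_proposal", " exit",
    ]
    for i, t in enumerate(cfg.tunnels, 1):  # step 3: one keyring per tunnel
        out += [f"crypto ikev2 keyring PA_keyring{i}", f" peer {t.peer}",
                f"  address {t.destination}", f"  pre-shared-key {t.psk}", "  exit", " exit"]
    for i, t in enumerate(cfg.tunnels, 1):  # step 4: one profile per tunnel
        out += [f"crypto ikev2 profile PA_profile{i}",
                f" match identity remote fqdn {cfg.forcepoint_ike_id}", local_id,
                " authentication local pre-share", " authentication remote pre-share",
                f" keyring local PA_keyring{i}", " dpd 10 2 periodic", " exit"]
    # step 5: transform set, fixed to the page's example values
    out += ["crypto ipsec transform-set PA_set esp-aes esp-sha256-hmac", " exit"]
    net, wc = wildcard(cfg.private_network)  # step 6: return-traffic access lists
    for t in cfg.tunnels:
        out.append(f"access-list {t.acl_number} permit tcp {net} {wc} {t.nat_source_ip} 0.0.0.0")
    return "\n".join(out) + "\n"


# Constructed sample: the 203.0.113.x peers and .invalid names are placeholders;
# the NAT source IPs, ACL numbers and private network are the page's own values.
EXAMPLE = PrivateAccessConfig(
    forcepoint_ike_id="pa-service.example.invalid",
    private_network="192.168.122.0/24",
    tunnels=[Tunnel("gateway1", "203.0.113.10", "REPLACE_ME_PSK_1", "116.50.59.232", 120),
             Tunnel("gateway2", "203.0.113.11", "REPLACE_ME_PSK_2", "116.50.59.234", 125)],
    local_fqdn_id="edge1.example.invalid",
)

if __name__ == "__main__":
    print(render(EXAMPLE))
```

    Run it once with the real peer addresses and keys substituted and paste the output into the edge device; run check() alone when you only want to confirm that a proposed parameter set stays within the allow-list before changing anything.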