IPsec tunnel configuration overview

To configure IPsec tunneling to the service, you must configure your edge device to connect to the Forcepoint gateways.

  1. Ensure the site and connection(s) have been configured in the Private Access management portal.
    Note: Forcepoint support will create two tunnel connections for each site. To add new sites or connections, contact your account manager or on-boarding specialist.
  2. On your device, create a connection profile for your tunnel, using the supported settings.

    The following generic steps are required for any supported device:

    1. Create an IKEv2 proposal.
    2. Create an IPsec proposal (the AES-GCM algorithm is recommended).
    3. For authentication, configure your device with the pre-shared key configured for the connection. (This key is provided by Forcepoint support, or specified by you as part of on-boarding.)
    4. Define an external VPN gateway, specifying the Forcepoint gateway address. If your device does not support using a hostname as the tunnel destination address, use the Forcepoint gateway IP address that is displayed in the management portal.
    5. For the IKE ID of the local edge device, use either an FQDN or the egress IP address.
      Note: If your site has a dynamic IP address, you must use an FQDN as the IKE ID. The IKE ID configured on the device must match the IKE ID that is configured in the management portal for your device.
    6. Repeat this process to configure a second tunnel for geographic redundancy.
  3. Depending on your device, add a policy, filters, or access lists to route traffic to the tunnel.
  4. When you have completed the rest of the Private Access configuration steps for private application access, test that you can access a private application at your hosting site. See the Getting Started section for more information.
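The following is an added example that maps the generic steps above onto one concrete edge device; it is not Forcepoint's own configuration and the page names no particular device. It assumes a strongSwan-based edge device using the swanctl.conf format (an assumption, chosen only because its syntax makes each step visible). Every address, hostname, subnet and key in it is a constructed placeholder; the real gateway addresses, pre-shared key and the IKE ID registered for the site come from the Private Access management portal and Forcepoint support.

```conf
# Added example (not from the page or from Forcepoint): strongSwan swanctl.conf
# for an edge device. All values are constructed placeholders.
connections {
    # Tunnel 1 to the first Forcepoint gateway.
    fp-tunnel-1 {
        version = 2                               # IKEv2 only (step 1)
        local_addrs  = 203.0.113.10               # egress IP of this edge device (placeholder)
        remote_addrs = GATEWAY_1_FROM_PORTAL      # Forcepoint gateway address (step 4; placeholder)
        proposals = aes256gcm16-prfsha384-ecp384  # IKEv2 proposal (step 1)
        dpd_delay = 30s                           # dead-peer detection, so a failed tunnel is re-established
        local {
            auth = psk                            # pre-shared key authentication (step 3)
            id = fqdn:edge.example.com            # local IKE ID as an FQDN (step 5); must match the portal
        }
        remote {
            auth = psk
        }
        children {
            private-apps-1 {
                local_ts  = 10.10.0.0/16          # hosting-site subnet allowed into the tunnel (step 3 of the outer list; placeholder)
                remote_ts = 198.51.100.0/24       # service-side range reached through the tunnel (placeholder)
                esp_proposals = aes256gcm16-ecp384  # AES-GCM IPsec proposal with PFS (step 2)
                start_action = start              # bring the tunnel up when the config is loaded
                dpd_action = restart
            }
        }
    }
    # Tunnel 2 to the second gateway, for geographic redundancy (step 6).
    fp-tunnel-2 {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = GATEWAY_2_FROM_PORTAL      # second Forcepoint gateway address (placeholder)
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s
        local {
            auth = psk
            id = fqdn:edge.example.com            # same IKE ID as tunnel 1
        }
        remote {
            auth = psk
        }
        children {
            private-apps-2 {
                local_ts  = 10.10.0.0/16
                remote_ts = 198.51.100.0/24
                esp_proposals = aes256gcm16-ecp384
                start_action = start
                dpd_action = restart
            }
        }
    }
}

secrets {
    # The PSK is provided by Forcepoint support or set by you during on-boarding (step 3).
    ike-forcepoint {
        id-1 = fqdn:edge.example.com
        secret = "REPLACE_WITH_PSK_FROM_ONBOARDING"   # placeholder; never commit the real key
    }
}
```

Load the file with `swanctl --load-all` and confirm both tunnels with `swanctl --list-sas`; if the IKE_SA for a tunnel never establishes, the first things to compare against the portal are the local IKE ID (it is sent as an FQDN here, which is the form required for sites with a dynamic IP address) and the proposals, which must be ones the Forcepoint gateway accepts. Keeping the two connections identical except for `remote_addrs` is what lets the second gateway take over when the first is unreachable.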