IPsec tunnel configuration

IPsec tunnels are used to connect private application hosting sites to provide remote access to internal applications.

IPsec is an extension to the IP protocol that provides secure traffic tunneling by authenticating and encrypting information sent over a network. Traffic to your private application hosting sites is fully encapsulated in tunnel mode, providing traffic encryption between the service and your sites.

The IPsec protocol uses Internet Key Exchange (IKE) to establish session keys for encryption and decryption, and Encapsulating Security Payload (ESP) to provide data confidentiality and integrity.

IPsec connectivity supports hosting sites with a dynamic IP address, using a fully qualified domain name (FQDN) as the device IKE ID.

Tunnel capacity for IPsec tunnels

Forcepoint IPsec supports up to 1Gbps throughput per tunnel. If you need to scale beyond 1Gbps for your site, please contact Forcepoint Support.

Tunnel redundancy

For connection redundancy, we recommend using 2 tunnel connections from your site. Both tunnels should be configured in an active-active, always-on configuration, so that traffic continues to flow over the remaining tunnel if one goes down.

Note: Connection redundancy is a requirement for the Forcepoint Cloud Services SLA.

By default, 2 connections are provided for your site.

Your edge device must be configured to allow traffic to/from Private Access at these addresses:

  • Tunnel 1: 116.50.59.232
  • Tunnel 2: 116.50.59.234
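As an added illustration (not Forcepoint's own configuration and not taken from this page), the following Cisco IOS IKEv2 configuration shows how the two always-on tunnels described above could be expressed on a Cisco ISR, one of the verified device families. The two peer addresses are the Private Access tunnel addresses listed above; everything else (IKEv2 and ESP algorithm choices, pre-shared-key authentication with a placeholder key, the local FQDN site1.example.com used as the IKE ID for a dynamic-address site, the outside interface name GigabitEthernet0/0, and the object names) is an assumption chosen for the example and must be replaced with the values agreed with Forcepoint for your site.

```cisco
! Constructed example: two route-based (VTI) IKEv2/IPsec tunnels to Private Access.
! Peer addresses come from the page; algorithms, names and the FQDN are assumptions.

! IKEv2 proposal and policy (assumed algorithms; align with what Forcepoint supports)
crypto ikev2 proposal PA-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy PA-POLICY
 proposal PA-PROPOSAL
!
! One pre-shared key per peer; <PSK-PLACEHOLDER> is a placeholder, not a real key
crypto ikev2 keyring PA-KEYRING
 peer PA-TUNNEL1
  address 116.50.59.232
  pre-shared-key <PSK-PLACEHOLDER>
 peer PA-TUNNEL2
  address 116.50.59.234
  pre-shared-key <PSK-PLACEHOLDER>
!
! The local identity is sent as an FQDN, so the site may sit behind a dynamic address
crypto ikev2 profile PA-PROFILE
 match identity remote address 116.50.59.232 255.255.255.255
 match identity remote address 116.50.59.234 255.255.255.255
 identity local fqdn site1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local PA-KEYRING
!
! ESP in tunnel mode gives confidentiality and integrity for the encapsulated traffic
crypto ipsec transform-set PA-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PA-IPSEC
 set transform-set PA-TS
 set ikev2-profile PA-PROFILE
!
! Only IKE (UDP 500), IKE NAT-T (UDP 4500) and ESP from the two peers need to reach
! the outside interface; everything else from the Internet stays blocked
ip access-list extended OUTSIDE-IN
 permit udp host 116.50.59.232 any eq isakmp
 permit udp host 116.50.59.232 any eq non500-isakmp
 permit esp host 116.50.59.232 any
 permit udp host 116.50.59.234 any eq isakmp
 permit udp host 116.50.59.234 any eq non500-isakmp
 permit esp host 116.50.59.234 any
 deny ip any any
!
interface GigabitEthernet0/0
 description Outside (assumed interface name)
 ip access-group OUTSIDE-IN in
!
! Tunnel 1 and Tunnel 2 are both configured and both stay up (active-active)
interface Tunnel1
 description Private Access tunnel 1
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 116.50.59.232
 tunnel protection ipsec profile PA-IPSEC
!
interface Tunnel2
 description Private Access tunnel 2
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 116.50.59.234
 tunnel protection ipsec profile PA-IPSEC
```

After applying the configuration, `show crypto ikev2 sa` and `show crypto ipsec sa` should list a security association for each of the two peers; seeing only one of them means the site is running without the redundancy the SLA requires. Routing of application traffic across the two tunnel interfaces is not shown, since it depends on which internal prefixes your hosting site exposes.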

Verified devices

The following devices have been tested and verified for use with Private Access:

  • Forcepoint NGFW SMC 6.5 or later
  • Cisco ISR version 15.5 (3) or later
  • Juniper SRX version 12.1 R9 or later