Tunnel configuration

The basic steps to configure IPsec Advanced tunneling to the cloud service are as follows.
  1. Define the device in the cloud portal via the Web > Device Management page. See the Forcepoint Web Security Cloud Help - Managing Network Devices for instructions on adding devices.
    Note: By default, you can create 200 tunnel connections for your account. To add more connections, contact your sales account manager to discuss your requirements.
  2. On your device, create a connection profile for your tunnel, using the supported settings documented in Recommended settings and best practices.

    The following generic steps are required for any supported device:

    1. Create an IKE proposal (IKEv2 is recommended).
    2. Create an IPsec proposal (AES-GCM algorithm is recommended).
    3. For authentication, configure the pre-shared key configured in the cloud portal.
    4. For the IKE ID, use the egress IP address, or DNS hostname of the device, as selected in the cloud portal.
    5. Add a policy or filters to route port 80 and 443 traffic to the tunnel.
    6. Set up an IKE gateway, specifying the Forcepoint point of presence (data center or local PoP) IP address, as selected in the cloud portal. IP addresses for IPsec Advanced are listed in the article IP addresses for GRE and IPsec Advanced connectivity.
    7. Ensure you configure your device for geographic redundancy, using both the primary and secondary tunnel addresses. See Redundancy and failover.
  3. If required, configure NAT exemptions to ensure that network address translation is not applied to traffic from client networks that is to be routed through the tunnel.
  4. Browse to the proxy query URL to make sure that the appropriate policy is being applied to your tunnel. (Also see Test your policies.)
    The query URL is:
    http://query.webdefence.global.blackspider.com/?with=all