Recommended settings and best practices
The following tunnel negotiation and encryption settings are supported for IPsec Advanced. Recommended settings are shown in bold.
| Setting | Supported (recommended settings in bold) |
|---|---|
| IKE version |
IKEv2 IKEv1 |
| IKE cipher |
AES-128 AES-256 |
| IKE message digest |
SHA2 SHA1 |
| DH groups |
14 19 2 5 |
| IPsec type | ESP |
| IPsec cipher |
AES-GCM-128 AES-GCM-256 AES-128 AES-256 Null |
| IPsec message digest |
SHA2 SHA1 |
| Authentication method | PSK only |
| IKE lifetime | 24 hours |
| IPsec lifetime | 8 hours |
|
Perfect Forward Secrecy (PFS) |
No |
Forcepoint recommends the following best practices when configuring your IPsec solution:
- For devices with dynamic IP addresses, you must use IKEv2, using the DNS hostname as the IKE ID.
- Traffic routing: Forcepoint IPsec Advanced supports web traffic only (HTTP and HTTPS). Other traffic, such as SMTP and FTP, must be routed outside of the tunnel, directly to the relevant destination.
- If your IPsec edge device is behind another device in your network that is performing network address translation (NAT), NAT-traversal (NAT-T) must be enabled on your IPsec edge device.