Recommended settings and best practices

The following tunnel negotiation and encryption settings are supported for IPsec Advanced. Recommended settings are shown in bold.

Setting                         Supported (recommended settings in bold)
IKE version                     IKEv2, IKEv1
IKE cipher                      AES-128, AES-256
IKE message digest              SHA2, SHA1
DH groups                       14, 19, 2, 5
IPsec type                      ESP
IPsec cipher                    AES-GCM-128, AES-GCM-256, AES-128, AES-256, Null
IPsec message digest            SHA2, SHA1
Authentication method           PSK only
IKE lifetime                    24 hours
IPsec lifetime                  8 hours
Perfect Forward Secrecy (PFS)   No

Forcepoint recommends the following best practices when configuring your IPsec solution:
  • For devices with dynamic IP addresses, you must use IKEv2, with the DNS hostname as the IKE ID.
  • Traffic routing: Forcepoint IPsec Advanced supports web traffic only (HTTP and HTTPS). Other traffic, such as SMTP and FTP, must be routed outside of the tunnel, directly to the relevant destination.
  • If your IPsec edge device is behind another device in your network that is performing network address translation (NAT), NAT-traversal (NAT-T) must be enabled on your IPsec edge device.
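As an added example (not Forcepoint's own tooling), the following Python script encodes the supported-settings table and the dynamic-IP rule above, and checks a proposed IKE/ESP configuration against them before it is pushed to an edge device. It assumes strongSwan-style proposal strings such as "aes256-sha256-modp2048" (the token-to-table mapping is an assumption; other vendors name algorithms differently). Besides flagging values outside the supported list, it also reports choices the table permits but that are cryptographically weak (IKEv1, SHA1, DH groups 2 and 5, Null encryption); that weakness judgement is general knowledge, not a recommendation taken from the page. It treats a DH group in an ESP proposal as a PFS request, which the table lists as not supported.

```python
"""Check IKE/ESP proposals against the IPsec Advanced settings table (added example)."""

# Values transcribed from the table above.
SUPPORTED = {
    "ike_version": {"IKEv1", "IKEv2"},
    "ike_cipher": {"AES-128", "AES-256"},
    "ike_digest": {"SHA1", "SHA2"},
    "dh_group": {2, 5, 14, 19},
    "esp_cipher": {"AES-GCM-128", "AES-GCM-256", "AES-128", "AES-256", "Null"},
    "esp_digest": {"SHA1", "SHA2"},
}
IKE_LIFETIME_HOURS, ESP_LIFETIME_HOURS = 24, 8   # from the table
PFS_SUPPORTED = False                           # from the table

# Supported by the product but weak; flagged so a reviewer sees them (general knowledge).
WEAK = {"IKEv1", "SHA1", "Null", 2, 5}

# strongSwan keyword -> table name (assumed mapping; adjust for other vendors).
TOKEN_MAP = {
    "aes128": "AES-128", "aes256": "AES-256",
    "aes128gcm16": "AES-GCM-128", "aes256gcm16": "AES-GCM-256",
    "null": "Null",
    "sha1": "SHA1", "sha256": "SHA2", "sha384": "SHA2", "sha512": "SHA2",
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "ecp256": 19,
    "modp3072": 15, "ecp384": 20,   # real groups that the table does not list
}


def classify(token):
    """Map one proposal token to (category, table value); category is None if unknown."""
    value = TOKEN_MAP.get(token)
    if value is None:
        return None, token
    if isinstance(value, int):
        return "dh", value
    if value.startswith("SHA"):
        return "digest", value
    return "cipher", value


def check_proposal(kind, proposal):
    """Check one 'ike' or 'esp' proposal string; return a list of findings (empty = clean)."""
    findings, present = [], {}
    for token in proposal.lower().split("-"):
        category, value = classify(token)
        if category is None:
            findings.append(f"{kind}: unrecognised token '{value}'")
            continue
        present[category] = value
        if category == "dh":
            if kind == "esp" and not PFS_SUPPORTED:
                findings.append(f"esp: DH group {value} requests PFS, which the table lists as not supported")
            elif kind == "ike" and value not in SUPPORTED["dh_group"]:
                findings.append(f"ike: DH group {value} is not in the supported list")
            elif kind == "ike" and value in WEAK:
                findings.append(f"ike: DH group {value} is weak (below 2048-bit MODP)")
            continue
        if value not in SUPPORTED[f"{kind}_{category}"]:
            findings.append(f"{kind}: {category} {value} is not in the supported list")
        elif value in WEAK:
            findings.append(f"{kind}: {category} {value} is supported but weak")
    # Completeness: a cipher is always required; a separate integrity algorithm is
    # required unless the cipher is AEAD (AES-GCM); IKE additionally needs a DH group.
    if "cipher" not in present:
        findings.append(f"{kind}: no cipher specified")
    if "digest" not in present and not str(present.get("cipher", "")).startswith("AES-GCM"):
        findings.append(f"{kind}: no integrity algorithm specified")
    if kind == "ike" and "dh" not in present:
        findings.append("ike: no DH group specified")
    return findings


def check_ike_version(version, dynamic_ip=False):
    """Apply the IKE version row and the dynamic-IP best practice from the page."""
    if version not in SUPPORTED["ike_version"]:
        return [f"unsupported IKE version: {version}"]
    findings = []
    if dynamic_ip and version != "IKEv2":
        findings.append("dynamic-IP peers must use IKEv2 with the DNS hostname as the IKE ID")
    if version in WEAK:
        findings.append("IKEv1 is supported but weak; prefer IKEv2")
    return findings


def check_lifetimes(ike_hours, esp_hours):
    """Compare configured SA lifetimes with the values in the table."""
    findings = []
    if ike_hours != IKE_LIFETIME_HOURS:
        findings.append(f"IKE lifetime {ike_hours}h differs from the table's {IKE_LIFETIME_HOURS}h")
    if esp_hours != ESP_LIFETIME_HOURS:
        findings.append(f"IPsec lifetime {esp_hours}h differs from the table's {ESP_LIFETIME_HOURS}h")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration: a dynamic-IP branch device on IKEv1 with legacy algorithms.
    report = (check_ike_version("IKEv1", dynamic_ip=True)
              + check_proposal("ike", "aes128-sha1-modp1024")
              + check_proposal("esp", "aes128-sha1-modp1024")
              + check_lifetimes(24, 8))
    for line in report:
        print("FINDING:", line)
```

Run it on the proposal strings from your own device configuration; an empty findings list means the proposal is within the supported table and avoids the weak choices, while a "requests PFS" finding on an ESP proposal is the most common mismatch because many vendors enable PFS by default.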