Recommended settings and best practices
The following tunnel negotiation and encryption settings are supported for IPsec Advanced. Recommended settings are shown in bold.
| Setting | Supported (recommended settings in bold) |
|---|---|
| IKE version | IKEv2, IKEv1 |
| IKE cipher | AES-128, AES-256 |
| IKE message digest | SHA2, SHA1 |
| DH groups | 14, 19, 2, 5 |
| IPsec type | ESP |
| IPsec cipher | AES-GCM-128, AES-GCM-256, AES-128, AES-256, Null |
| IPsec message digest | SHA2, SHA1 |
| Authentication method | PSK only |
| IKE lifetime | 24 hours |
| IPsec lifetime | 8 hours |
| Perfect Forward Secrecy (PFS) | No |
Forcepoint recommends the following best practices when configuring your IPsec solution:
- For devices with dynamic IP addresses, you must use IKEv2 and present the device's DNS hostname (FQDN) as the IKE ID, since a changing IP address cannot serve as a stable identity for the tunnel.
- Traffic routing: Forcepoint IPsec Advanced supports web traffic only (HTTP and HTTPS). Other traffic, such as SMTP and FTP, must be routed outside of the tunnel, directly to the relevant destination.
- If your IPsec edge device is behind another device in your network that is performing network address translation (NAT), NAT-traversal (NAT-T) must be enabled on your IPsec edge device.
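The table and the three best practices above can be checked mechanically before a tunnel is brought up. The following linter is an added example, not Forcepoint's code or tooling: it encodes the supported values, flags the supported-but-weaker choices (IKEv1, SHA1, DH groups 2 and 5, the Null ESP cipher) as warnings, and reports the dynamic-IP, traffic-routing and NAT-T rules as errors. The `TunnelConfig` fields, the two sample configurations and the hostname `edge1.example.com` are constructed for the example and are not part of the original page.

```python
"""Lint a proposed IPsec Advanced tunnel configuration against the
supported settings and best practices listed on this page (added example)."""

import ipaddress
from dataclasses import dataclass, field

# Supported values, copied from the settings table above.
SUPPORTED = {
    "ike_version": {"IKEv2", "IKEv1"},
    "ike_cipher": {"AES-128", "AES-256"},
    "ike_digest": {"SHA2", "SHA1"},
    "dh_group": {14, 19, 2, 5},
    "ipsec_type": {"ESP"},
    "ipsec_cipher": {"AES-GCM-128", "AES-GCM-256", "AES-128", "AES-256", "Null"},
    "ipsec_digest": {"SHA2", "SHA1"},
    "auth_method": {"PSK"},
}
# Supported, but weaker than the alternatives in the same row: warn, don't reject.
WEAK = {
    "ike_version": {"IKEv1"},
    "ike_digest": {"SHA1"},
    "dh_group": {2, 5},
    "ipsec_cipher": {"Null"},   # ESP-Null gives integrity only, no confidentiality
    "ipsec_digest": {"SHA1"},
}
IKE_LIFETIME_H = 24
IPSEC_LIFETIME_H = 8
WEB_PORTS = {80, 443}          # only HTTP/HTTPS may be routed through the tunnel


@dataclass
class TunnelConfig:
    """Hypothetical, vendor-neutral view of an edge device's tunnel settings."""
    ike_version: str
    ike_cipher: str
    ike_digest: str
    dh_group: int
    ipsec_type: str
    ipsec_cipher: str
    ipsec_digest: str
    auth_method: str
    ike_lifetime_h: int
    ipsec_lifetime_h: int
    pfs: bool
    ike_id: str              # identity the edge device presents in IKE
    dynamic_ip: bool         # edge device's WAN address is dynamic
    behind_nat: bool         # another device NATs the edge device's traffic
    nat_t: bool              # NAT-traversal enabled on the edge device
    tunneled_ports: set = field(default_factory=set)  # TCP ports sent into the tunnel


def is_dns_hostname(ident: str) -> bool:
    """True for a dotted DNS name; False for a bare IP address or a single label."""
    try:
        ipaddress.ip_address(ident)
        return False
    except ValueError:
        pass
    labels = ident.rstrip(".").split(".")
    return len(labels) >= 2 and all(lbl and lbl.replace("-", "").isalnum() for lbl in labels)


def lint(cfg: TunnelConfig) -> list:
    """Return a list of 'ERROR ...' / 'WARN ...' findings; empty means compliant."""
    findings = []
    for name, allowed in SUPPORTED.items():
        value = getattr(cfg, name)
        if value not in allowed:
            findings.append(f"ERROR {name}={value!r} is not supported; allowed: {sorted(map(str, allowed))}")
        elif value in WEAK.get(name, set()):
            findings.append(f"WARN {name}={value!r} is supported but weaker than the alternatives")
    if cfg.ike_lifetime_h != IKE_LIFETIME_H:
        findings.append(f"ERROR ike_lifetime_h={cfg.ike_lifetime_h}; the service uses {IKE_LIFETIME_H}")
    if cfg.ipsec_lifetime_h != IPSEC_LIFETIME_H:
        findings.append(f"ERROR ipsec_lifetime_h={cfg.ipsec_lifetime_h}; the service uses {IPSEC_LIFETIME_H}")
    if cfg.pfs:
        findings.append("ERROR PFS is enabled but is not supported; disable it on the edge device")
    # Best practice 1: dynamic IP -> IKEv2 with the DNS hostname as IKE ID.
    if cfg.dynamic_ip and cfg.ike_version != "IKEv2":
        findings.append("ERROR dynamic IP address requires IKEv2")
    if cfg.dynamic_ip and not is_dns_hostname(cfg.ike_id):
        findings.append(f"ERROR ike_id={cfg.ike_id!r} must be the device's DNS hostname when the IP is dynamic")
    # Best practice 2: only web traffic may go through the tunnel.
    non_web = sorted(cfg.tunneled_ports - WEB_PORTS)
    if non_web:
        findings.append(f"ERROR ports {non_web} are not web traffic; route them outside the tunnel")
    # Best practice 3: NAT in front of the edge device requires NAT-T.
    if cfg.behind_nat and not cfg.nat_t:
        findings.append("ERROR edge device is behind NAT but NAT-T is disabled")
    return findings


# Constructed sample: every supported-but-weak choice plus all three best-practice violations.
WEAK_EXAMPLE = TunnelConfig(
    ike_version="IKEv1", ike_cipher="AES-128", ike_digest="SHA1", dh_group=2,
    ipsec_type="ESP", ipsec_cipher="Null", ipsec_digest="SHA1", auth_method="PSK",
    ike_lifetime_h=24, ipsec_lifetime_h=8, pfs=True, ike_id="203.0.113.10",
    dynamic_ip=True, behind_nat=True, nat_t=False, tunneled_ports={80, 443, 25})

# Constructed sample: the strongest supported settings, compliant with all three practices.
RECOMMENDED_EXAMPLE = TunnelConfig(
    ike_version="IKEv2", ike_cipher="AES-256", ike_digest="SHA2", dh_group=14,
    ipsec_type="ESP", ipsec_cipher="AES-GCM-256", ipsec_digest="SHA2", auth_method="PSK",
    ike_lifetime_h=24, ipsec_lifetime_h=8, pfs=False, ike_id="edge1.example.com",
    dynamic_ip=True, behind_nat=True, nat_t=True, tunneled_ports={80, 443})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_EXAMPLE), ("recommended", RECOMMENDED_EXAMPLE)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for finding in lint(cfg):
            print("  " + finding)
```

The weak sample yields five warnings and five errors; the recommended sample yields none. When choosing an AES-GCM ESP cipher, note that GCM is an AEAD mode and provides its own integrity, so the separate IPsec message digest row applies to the AES-CBC ciphers; the linter does not enforce that interaction because the page's table lists the two rows independently.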