Skyhigh Security

IPsec Tunnel Settings for Network Device or SD-WAN

You need these Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) values when configuring the primary and secondary IPsec tunnels on your networking device or in your SD-WAN service.

You enter the IP address of the best and second best available points of presence (PoPs) when you configure the primary and secondary IPsec tunnels, respectively.

NOTE: The configured Web Policy is applied to the traffic forwarded from the IPsec tunnel. You can choose the location name (configured under Infrastructure | WSGS Setup | Configure Locations) as the top filtering criterion in your Web Policy.

IKE settings

IKE setting: Supported values (recommended values are shown in bold)
IKE version: 1 or 2
Remote Gateway: IP address of the best or second best available PoP. For information about routing traffic, see Routing Traffic to PoPs.
Lifetime: 28800 seconds (8 hours)
Authentication:
  • Method — Mutual pre-shared key (PSK)
  • Identifier — The client ID that you configured for IPsec in Skyhigh CASB
  • Peer identifier — The same IP address as the remote gateway
  • Pre-shared key — The key that you configured for IPsec in Skyhigh CASB
Encryption:
  • Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits
  • Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512
  • Diffie-Hellman (DH) Group — Select a group:
    • 2 (1024-bit key)
    • 5 (1536-bit key)
    • 14 (2048-bit key)
    • 16 (4096-bit key)

IPsec settings

IPsec setting: Supported values (recommended values are shown in bold)
Local network: Your local subnet
Remote network: 0.0.0.0/0 (Ports 80 and 443)
Perfect Forward Secrecy (PFS): Enabled
Lifetime: <28800 seconds (8 hours)
Security association (SA):
  • Protocol — ESP
  • Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits
  • Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512
  • Diffie-Hellman (DH) Group — Select a group:
    • 2 (1024-bit key)
    • 5 (1536-bit key)
    • 14 (2048-bit key)
    • 16 (4096-bit key)
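
The following is an added example, not part of Skyhigh's documentation: a Python check that lints a planned tunnel definition against the supported values listed above before the settings are applied to a device. The strongSwan-style proposal keywords (such as aes256-sha256-modp2048) and the function names are assumptions; the warning on DH groups 2 and 5 follows RFC 8247, not the recommended values this page marks in bold.

```python
# Supported values from the IKE and IPsec settings on this page, keyed by
# strongSwan-style proposal keywords (assumed notation; adapt to your device).
ENCRYPTION = {"aes128", "aes192", "aes256"}
HASHING = {"sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp4096": 16}
DISCOURAGED_DH = {2, 5}   # supported here, but SHOULD NOT in RFC 8247
IKE_LIFETIME = 28800      # seconds; the IPsec lifetime must be lower


def parse_proposal(proposal):
    """Split e.g. 'aes256-sha256-modp2048' into parts; keep unknown tokens."""
    parts = {"enc": None, "hash": None, "dh": None, "unknown": []}
    for token in proposal.lower().split("-"):
        if token in ENCRYPTION:
            parts["enc"] = token
        elif token in HASHING:
            parts["hash"] = token
        elif token in DH_GROUPS:
            parts["dh"] = token
        else:
            parts["unknown"].append(token)
    return parts


def lint_tunnel(ike_proposal, esp_proposal, ike_lifetime, ipsec_lifetime):
    """Return (errors, warnings) for one tunnel definition."""
    errors, warnings = [], []
    for phase, proposal in (("IKE", ike_proposal), ("IPsec", esp_proposal)):
        parts = parse_proposal(proposal)
        for token in parts["unknown"]:
            errors.append(f"{phase}: '{token}' is not a supported value")
        for field in ("enc", "hash", "dh"):
            if parts[field] is None:  # an ESP proposal without DH means PFS is off
                errors.append(f"{phase}: missing {field}")
        if parts["dh"] and DH_GROUPS[parts["dh"]] in DISCOURAGED_DH:
            warnings.append(f"{phase}: DH group {DH_GROUPS[parts['dh']]} is weak")
        if parts["hash"] == "sha1":
            warnings.append(f"{phase}: SHA-1 in use, prefer SHA-256 or stronger")
    if ike_lifetime != IKE_LIFETIME:
        errors.append(f"IKE lifetime should be {IKE_LIFETIME} seconds")
    if not 0 < ipsec_lifetime < IKE_LIFETIME:
        errors.append(f"IPsec lifetime must be below {IKE_LIFETIME} seconds")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: a legacy device profile with PFS left off.
    print(lint_tunnel("aes128-sha1-modp1024", "aes256-sha256", 28800, 28800))
```

Errors are settings the tables above do not list; warnings are listed values that are accepted but cryptographically dated.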