IPsec Tunnel Settings for Network Device or SD-WAN

Last updated
Save as PDF

You need these Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) values when configuring the primary and secondary IPsec tunnels on your networking device or in your SD-WAN service.

You enter the IP address of the best and second best available points of presence (PoPs) when you configure the primary and secondary IPsec tunnels, respectively.

NOTE: The configured Web Policy is applied on the traffic forwarded from the IPsec tunnel. You can choose location name (configured under Infrastructure | WSGS Setup | Configure Locations) as the top filtering criteria in your Web Policy.

IKE settings

IKE setting	Supported values (recommended values are shown in bold)
IKE version	1 or 2
Remote Gateway	IP address of the best or second best available PoP
Lifetime	28800 seconds (8 hours)
Authentication	Method — Mutual pre-shared key (PSK) Identifier — The client ID that you configured for IPsec in Skyhigh CASB Peer identifier — The same IP address as the remote gateway Pre-shared key — The key that you configured for IPsec in Skyhigh CASB
Encryption	Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512 Diffie-Hellman (DH) Group — Select a group: 2 (1024-bit key) 5 (1536-bit key) 14 (2048-bit key) 16 (4096-bit key)

IPsec settings

IPsec setting	Supported values (recommended values are shown in bold)
Local network	Your local subnet
Remote network	0.0.0.0/0 (Ports 80 and 443)
Perfect Forward Secrecy (PFS)	Enabled
Lifetime	<28800 seconds (8 hours)
Security association (SA)	Protocol — ESP Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512 Diffie-Hellman (DH) Group — Select a group: 2 (1024-bit key) 5 (1536-bit key) 14 (2048-bit key) 16 (4096-bit key)