Skyhigh Security

Configuring an IPsec Tunnel on Your Network Device or in Your SD-WAN Service

Configure the following Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) settings to build primary and secondary IPsec tunnels on your networking device or in your SD-WAN service.

The settings you need include the IP addresses of the best and second-best available Points of Presence (PoPs), which become the remote gateways of the primary and secondary tunnels respectively.

The web policy that you have configured is applied to web traffic that arrives through an IPsec tunnel. You can use the location name as a filtering criterion in your web policy.
 

IKE Settings

IKE setting Supported values (recommended values are shown in bold)
IKE version 1 or 2
Remote Gateway IP address of the best or second best available PoP. For information about routing traffic, see Routing Traffic to PoPs.
Lifetime 86400 seconds (24 hours)
Authentication
  • Method — Mutual pre-shared key (PSK)
  • Identifier — The client ID that you configured for IPsec in Skyhigh CASB
  • Peer identifier — The same IP address as the remote gateway
  • Pre-shared key — The key that you configured for IPsec in Skyhigh CASB
Encryption
  • Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits
  • Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512
  • Diffie-Hellman (DH) Group — Select a group:
    • 2 (1024-bit key)
    • 5 (1536-bit key)
    • 14 (2048-bit key)
    • 16 (4096-bit key)

 

IPsec Settings

IPsec setting Supported values (recommended values are shown in bold)
Local network Your local subnet
Remote network 0.0.0.0/0 (Ports 80 and 443)
Perfect Forward Secrecy (PFS) Enabled
Lifetime 28800 seconds (8 hours)
Security association (SA)
  • Protocol — ESP
  • Encryption algorithm — AES-128 bits, AES-192 bits, or AES-256 bits
  • Hashing algorithm — SHA-1, SHA-256, SHA-384, or SHA-512
  • Diffie-Hellman (DH) Group — Select a group:
    • 2 (1024-bit key)
    • 5 (1536-bit key)
    • 14 (2048-bit key)
    • 16 (4096-bit key)
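The two tables above are easy to transcribe incorrectly into a device configuration (a lifetime in minutes instead of seconds, a DH group the far end does not offer, PFS left off). The following added example, which is not Skyhigh's or strongSwan's own code, checks a proposed configuration against the supported values listed on this page, warns about values that are listed as supported but are weak by current standards (1024- and 1536-bit MODP groups, SHA-1, IKEv1), and renders a strongSwan swanctl.conf fragment for the primary and secondary tunnels. The PoP addresses (203.0.113.x, documentation range), local subnet, client ID and pre-shared key are placeholders; use the values from your Skyhigh CASB tenant.

```python
"""Check IKE/IPsec settings against the supported values on this page and
render a strongSwan swanctl.conf fragment for the primary and secondary
tunnels. Added example; not Skyhigh's or strongSwan's own code. PoP
addresses, subnet, client ID and PSK are placeholders."""

from dataclasses import dataclass, replace

# Supported values taken from the IKE and IPsec tables on this page.
IKE_VERSIONS = {1, 2}
ENC_ALGS = {"aes128", "aes192", "aes256"}
INTEGRITY_ALGS = {"sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 16: "modp4096"}
IKE_LIFETIME_MAX = 86400    # 24 hours
IPSEC_LIFETIME_MAX = 28800  # 8 hours

# Listed as supported on the page but weak by current standards (editorial
# assumption): flag them so the operator chooses 14/16 and SHA-256 or better.
WEAK_DH = {2, 5}
WEAK_INTEGRITY = {"sha1"}


@dataclass
class TunnelSettings:
    pops: tuple          # (best PoP, second-best PoP) addresses from Skyhigh
    local_subnet: str
    client_id: str       # identifier configured for IPsec in Skyhigh CASB
    psk: str             # pre-shared key configured in Skyhigh CASB
    ike_version: int = 2
    encryption: str = "aes256"
    integrity: str = "sha256"
    dh_group: int = 14
    pfs: bool = True
    ike_lifetime: int = IKE_LIFETIME_MAX    # seconds
    ipsec_lifetime: int = IPSEC_LIFETIME_MAX  # seconds


def example_settings(**overrides):
    """Placeholder settings (documentation addresses, invented identifiers)."""
    base = TunnelSettings(pops=("203.0.113.10", "203.0.113.20"),
                          local_subnet="10.0.0.0/24",
                          client_id="branch1@example.com",
                          psk="replace-with-the-key-from-skyhigh-casb")
    return replace(base, **overrides)


def validate(s):
    """Return (errors, warnings). Errors are values the page does not list as
    supported; warnings are supported values a practitioner should avoid."""
    errors, warnings = [], []
    if s.ike_version not in IKE_VERSIONS:
        errors.append(f"IKE version {s.ike_version} not supported")
    if s.encryption not in ENC_ALGS:
        errors.append(f"encryption {s.encryption} not supported")
    if s.integrity not in INTEGRITY_ALGS:
        errors.append(f"hash {s.integrity} not supported")
    if s.dh_group not in DH_GROUPS:
        errors.append(f"DH group {s.dh_group} not supported")
    if not s.pfs:
        errors.append("PFS must be enabled")
    if not 0 < s.ike_lifetime <= IKE_LIFETIME_MAX:
        errors.append(f"IKE lifetime {s.ike_lifetime}s outside 1..{IKE_LIFETIME_MAX}s")
    if not 0 < s.ipsec_lifetime <= IPSEC_LIFETIME_MAX:
        errors.append(f"IPsec lifetime {s.ipsec_lifetime}s outside 1..{IPSEC_LIFETIME_MAX}s")
    if len(s.pops) != 2:
        errors.append("expected a best and a second-best PoP address")
    if s.ike_version == 1:
        warnings.append("IKEv1 is supported but IKEv2 is preferred")
    if s.dh_group in WEAK_DH:
        warnings.append(f"DH group {s.dh_group} ({DH_GROUPS[s.dh_group]}) is weak; use 14 or 16")
    if s.integrity in WEAK_INTEGRITY:
        warnings.append("SHA-1 is weak; use SHA-256 or stronger")
    return errors, warnings


def proposal(s):
    """strongSwan proposal string; the DH group in the ESP proposal is what
    turns PFS on for the child SA."""
    return f"{s.encryption}-{s.integrity}-{DH_GROUPS[s.dh_group]}"


def render_swanctl(s):
    """Render swanctl.conf connections and secrets for both tunnels.
    Raises ValueError if validate() reports any error."""
    errors, _ = validate(s)
    if errors:
        raise ValueError("; ".join(errors))
    prop = proposal(s)
    out = ["connections {"]
    for name, pop in zip(("primary", "secondary"), s.pops):
        out += [f"    skyhigh-{name} {{",
                f"        version = {s.ike_version}",
                f"        remote_addrs = {pop}",
                f"        proposals = {prop}",
                f"        rekey_time = {s.ike_lifetime}s",
                "        local {", "            auth = psk",
                f"            id = {s.client_id}", "        }",
                "        remote {", "            auth = psk",
                f"            id = {pop}",  # peer identifier = gateway address
                "        }", "        children {", "            web {",
                f"                local_ts = {s.local_subnet}",
                # Remote network 0.0.0.0/0 restricted to ports 80 and 443.
                "                remote_ts = 0.0.0.0/0[tcp/80],0.0.0.0/0[tcp/443]",
                f"                esp_proposals = {prop}",
                f"                rekey_time = {s.ipsec_lifetime}s",
                "                start_action = start",
                "            }", "        }", "    }"]
    out.append("}")
    out.append("secrets {")
    for name, pop in zip(("primary", "secondary"), s.pops):
        out += [f"    ike-skyhigh-{name} {{", f"        id-1 = {pop}",
                f'        secret = "{s.psk}"', "    }"]
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cfg = example_settings()
    for w in validate(cfg)[1]:
        print("warning:", w)
    print(render_swanctl(cfg))
```

The renderer refuses to emit a configuration that contains an unsupported value, so a typo such as a lifetime of 86400 seconds on the IPsec SA is caught before it reaches the device; the warnings are advisory because the page lists groups 2 and 5 and SHA-1 as supported, but there is no reason to negotiate them if both ends support group 14 or 16 with SHA-256. The `remote_ts` line with `[tcp/80]` and `[tcp/443]` selectors matches the "0.0.0.0/0 (Ports 80 and 443)" remote network in the IPsec table; other vendors express the same restriction with an access list or a policy-based selector.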