Supported IPsec settings
For IPsec connectivity to the service, your edge device must be configured to use Forcepoint-supported IKE tunnel negotiation and IPsec encryption settings.
Setting | Supported (recommended in bold) |
---|---|
IKE version | IKE v2 (RFC 7296, October 2014) |
IKE cipher | AES-128, AES-256 |
IKE message digest | SHA2, length 256 |
DH groups | 14, 19, 20 |
IPsec type | ESP |
IPsec ciphers | AES-GCM-128, AES-GCM-256, AES-128, AES-256 |
IPsec message digest | Pre-shared key |
Authentication method | SHA2, length 256 |
IKE lifetime | 24 hours |
IPsec lifetime | 8 hours |
IKE ID support | FQDN (hostname), Public IP address |
Perfect forward secrecy (PFS) | Not supported |
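
To check an edge-device profile against the table before bringing a tunnel up, the following added example (not Forcepoint code) audits IKE and ESP proposal strings for the IKE version, IKE cipher, IKE digest, DH group, ESP cipher and PFS rows. The strongSwan-style keyword spellings, the `conn` dictionary layout and the sample profiles are assumptions made for illustration; ESP integrity keywords are not checked.

```python
# Added example (not Forcepoint code). Proposal keywords follow strongSwan
# naming, which is an assumption; the allowed values come from the table.
IKE_CIPHERS = {"aes128", "aes256"}
IKE_DIGESTS = {"sha256"}
DH_GROUPS = {"modp2048": 14, "ecp256": 19, "ecp384": 20}
ESP_CIPHERS = {"aes128gcm16", "aes256gcm16", "aes128", "aes256"}
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")
DIGEST_PREFIXES = ("sha", "md5")
IGNORED_PREFIXES = ("prf", "esn", "noesn")  # keywords the table does not cover


def split_proposal(proposal):
    """Split 'aes256-sha256-modp2048' into (ciphers, digests, dh_groups)."""
    ciphers, digests, groups = [], [], []
    for token in proposal.lower().split("-"):
        if token.startswith(DH_PREFIXES):
            groups.append(token)
        elif token.startswith(DIGEST_PREFIXES):
            digests.append(token)
        elif not token.startswith(IGNORED_PREFIXES):
            ciphers.append(token)
    return ciphers, digests, groups


def audit(conn):
    """Return a list of findings for one connection profile (hypothetical layout)."""
    findings = []
    if conn["ike_version"] != 2:
        findings.append("IKE version must be 2")
    ciphers, digests, groups = split_proposal(conn["ike_proposal"])
    findings += [f"IKE cipher {c} not supported" for c in ciphers if c not in IKE_CIPHERS]
    findings += [f"IKE digest {d} not supported" for d in digests if d not in IKE_DIGESTS]
    findings += [f"DH group {g} not supported" for g in groups if g not in DH_GROUPS]
    if not groups:
        findings.append("IKE proposal names no DH group")
    ciphers, _digests, groups = split_proposal(conn["esp_proposal"])
    findings += [f"ESP cipher {c} not supported" for c in ciphers if c not in ESP_CIPHERS]
    # A DH group in an ESP proposal requests PFS, which the table lists as not supported.
    findings += [f"ESP proposal requests PFS via {g}" for g in groups]
    return findings


# Constructed sample profiles, not taken from any real device.
GOOD = {"ike_version": 2, "ike_proposal": "aes256-sha256-ecp384",
        "esp_proposal": "aes256gcm16"}
BAD = {"ike_version": 1, "ike_proposal": "aes256-sha1-modp1024",
       "esp_proposal": "3des-sha1-modp2048"}

if __name__ == "__main__":
    for name, conn in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(conn) or "matches the supported settings")
```
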
Note: For guidance on configuring your edge device to connect to the service via IPsec tunneling, including details of verified devices, best practice guidance, and configuration examples, refer to the following guides:
- IPsec Connectivity Guide for Forcepoint Dynamic Edge Protection
- How to connect Forcepoint NGFW to Dynamic Edge Protection over a VPN