Recommended settings and best practices
Forcepoint IPsec Advanced Guide | Forcepoint Web Security Cloud
The following tunnel negotiation and encryption settings are supported for IPsec Advanced. Recommended settings are shown in bold.

Setting                         Supported (recommended settings in bold)
IKE version                     IKEv2, IKEv1
IKE cipher                      AES-128, AES-256
IKE message digest              SHA2, SHA1
DH groups                       14, 19, 2, 5
IPsec type                      ESP
IPsec cipher                    AES-GCM-128, AES-GCM-256, AES-128, AES-256, Null
IPsec message digest            SHA2, SHA1
Authentication method           PSK only
IKE lifetime                    24 hours
IPsec lifetime                  8 hours
Perfect Forward Secrecy (PFS)   No
Forcepoint recommends the following best practices when configuring your IPsec solution:
Devices with dynamic IP addresses must use IKEv2, with the device's DNS hostname (FQDN) as the IKE ID, because a peer whose address changes cannot be identified by its IP address.
Traffic routing: Forcepoint IPsec Advanced supports web traffic only (HTTP and HTTPS). Other traffic, such as SMTP and FTP, must be routed outside of the tunnel, directly to the relevant destination.
If your IPsec edge device is behind another device in your network that performs network address translation (NAT), NAT traversal (NAT-T, which encapsulates ESP in UDP on port 4500) must be enabled on your IPsec edge device.
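The table and the best practices above, expressed as a strongSwan swanctl.conf fragment. This is an added example, not configuration from the Forcepoint guide or from Forcepoint; it assumes strongSwan is the edge device, and the connection name forcepoint-web, the identity edge1.example.com, the LAN range 10.0.0.0/24, the placeholder peer address pop.example.invalid and the PSK are all assumed values to be replaced with those issued in your Cloud portal.

```conf
connections {
    forcepoint-web {
        # IKEv2 only; required when this device has a dynamic IP address.
        version = 2
        # Placeholder (assumed): the Forcepoint point-of-presence address
        # or hostname from your Cloud portal.
        remote_addrs = pop.example.invalid
        # Force UDP encapsulation (NAT-T) when an upstream device performs
        # NAT; strongSwan would otherwise detect the NAT automatically.
        encap = yes
        # IKE proposal: AES-256, SHA2 (SHA-256), DH group 14 (modp2048).
        proposals = aes256-sha256-modp2048
        # IKE lifetime of 24 hours (rekey the IKE SA after this time).
        rekey_time = 24h
        local {
            auth = psk
            # FQDN IKE ID (the leading @ forces the FQDN identity type),
            # so the peer identifies this device by name, not by address.
            id = @edge1.example.com
        }
        remote {
            auth = psk
        }
        children {
            web {
                # Assumed LAN range behind the edge device.
                local_ts = 10.0.0.0/24
                # Only HTTP and HTTPS are sent down the tunnel; all other
                # traffic is routed directly to its destination.
                remote_ts = 0.0.0.0/0[tcp/80], 0.0.0.0/0[tcp/443]
                # ESP with AES-256-GCM and a 128-bit ICV. No DH group in the
                # ESP proposal, because PFS is not supported by the service.
                esp_proposals = aes256gcm128
                # IPsec lifetime of 8 hours (rekey the CHILD_SA after this time).
                rekey_time = 8h
                start_action = start
            }
        }
    }
}

secrets {
    ike-forcepoint {
        id = @edge1.example.com
        # Replace with the pre-shared key issued in the Cloud portal.
        secret = "replace-with-your-psk"
    }
}
```

Because remote_ts is limited to TCP ports 80 and 443, non-web traffic such as SMTP and FTP simply does not match the tunnel's traffic selector and follows the normal routing table, which implements the traffic-routing rule without a separate policy route.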
Maximum Segment Size
The encapsulation overhead of the IPsec Advanced tunnel means that TCP sessions sent over the tunnel must be limited to a lower Maximum Segment Size (MSS) than usual. Most TCP clients will propose an MSS value of 1460 bytes when connecting over an Ethernet network.
Forcepoint recommends setting an MSS value of no more than 1360 bytes in order to leave overhead for IPsec encapsulation. This can often be achieved by using the MSS clamping feature of a firewall or router, to ensure that any TCP traffic sent down the tunnel is limited to an MSS value of 1360.
Where the WAN connection to Forcepoint's points of presence is using the IPoE or PPPoE protocol, the MSS value may need to be lower still, to account for the encapsulation overhead of the WAN connection.
To display the current MSS setting for your tunnel interface, use the appropriate "show interface" command on your edge device.
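To see where the 1360-byte figure comes from, here is an added worked example (not code from the Forcepoint guide or from Forcepoint) that computes the on-the-wire size of a full-MSS TCP segment after ESP tunnel-mode encapsulation and derives the largest MSS that still fits the WAN link MTU, with and without NAT-T and PPPoE. The header, IV and ICV sizes are taken from RFC 4303, RFC 4106 and RFC 4868 for IPv4 tunnel mode; the 16-byte AES-GCM ICV and the tunnel interface name ipsec0 used in the generated iptables rule are assumptions.

```python
"""MSS budget for TCP carried in an IPv4 ESP tunnel (added worked example)."""

IPV4_HEADER = 20    # outer and inner IPv4 header, no options
TCP_HEADER = 20     # TCP header without options
UDP_HEADER = 8      # NAT-T UDP encapsulation (RFC 3948), present when NAT-T is on
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
PPPOE_OVERHEAD = 8  # PPPoE header (6) + PPP protocol field (2) on the WAN link

# ESP cipher -> (explicit IV length, payload alignment, built-in ICV length).
# Assumption: AES-GCM uses the 16-byte ICV (RFC 4106). AEAD ciphers carry
# their own ICV, so no separate integrity algorithm applies to them.
CIPHERS = {
    "aes-gcm-128": (8, 4, 16),
    "aes-gcm-256": (8, 4, 16),
    "aes-128": (16, 16, 0),   # AES-CBC: 16-byte IV, 16-byte block alignment
    "aes-256": (16, 16, 0),
    "null": (0, 4, 0),
}
# Integrity algorithm -> truncated ICV length (HMAC-SHA2-256-128, HMAC-SHA1-96).
INTEGRITY = {"sha2": 16, "sha1": 12}


def esp_packet_len(mss, cipher, integrity=None, nat_t=False):
    """Wire size of one full-MSS TCP segment after ESP tunnel-mode encapsulation."""
    iv_len, align, aead_icv = CIPHERS[cipher]
    icv = aead_icv if aead_icv else INTEGRITY[integrity]
    inner = IPV4_HEADER + TCP_HEADER + mss        # the original (inner) IP packet
    body = inner + ESP_TRAILER
    padded = -(-body // align) * align            # pad up to the cipher's alignment
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
            + iv_len + padded + icv)


def max_mss(mtu, cipher, integrity=None, nat_t=False, pppoe=False):
    """Largest MSS whose encapsulated segment still fits the WAN link MTU."""
    link_mtu = mtu - (PPPOE_OVERHEAD if pppoe else 0)
    mss = link_mtu - IPV4_HEADER - TCP_HEADER     # what a client proposes on its own
    while mss > 0 and esp_packet_len(mss, cipher, integrity, nat_t) > link_mtu:
        mss -= 1
    return mss


def mss_clamp_rule(mss, out_iface="ipsec0"):
    """iptables rule rewriting the MSS option on SYNs forwarded out of the tunnel
    interface (assumed name ipsec0). Other platforms expose the same thing as an
    MSS clamping or tcp-mss-adjust feature."""
    return (f"iptables -t mangle -A FORWARD -o {out_iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    cases = [
        ("aes-256", "sha2", False, False),
        ("aes-256", "sha2", True, False),
        ("aes-gcm-256", None, True, False),
        ("aes-256", "sha2", True, True),
    ]
    for cipher, integrity, nat_t, pppoe in cases:
        print(f"{cipher:12} {integrity or 'aead':5} nat_t={nat_t!s:5} pppoe={pppoe!s:5} "
              f"max MSS {max_mss(1500, cipher, integrity, nat_t, pppoe)}; "
              f"a 1460-byte MSS becomes "
              f"{esp_packet_len(1460, cipher, integrity, nat_t)} bytes of IP packet")
    print(mss_clamp_rule(1360))
```

With a 1500-byte Ethernet MTU, a default 1460-byte MSS produces a 1564-byte ESP packet that must be fragmented, while the largest MSS that fits is 1398 without NAT-T and 1382 with both NAT-T and PPPoE for AES-256/SHA2; 1360 therefore fits every supported cipher combination with margin, which is why the guide recommends it as the clamp value.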
Google QUIC protocol
As a best practice, Forcepoint recommends adding a firewall rule to block outbound UDP on port 443. This prevents Google Chrome browsers from reaching Google services directly over the UDP-based QUIC protocol, which the tunnel does not carry; with QUIC blocked, the browser falls back to HTTPS over TCP, which is sent through the tunnel. For further information, see the knowledge base article "Google QUIC protocol is not supported by the Forcepoint cloud service".
Copyright 2022 Forcepoint. All rights reserved.