The following IKE and IPsec parameters must be set on the SASE gateway to avoid frequent disconnects or connectivity issues from the SASE client.
IKE Parameters:
ike {
    version v2;
    groups [ mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];
    encryption-algorithms [ 3des aes128 aes256 ];
    hash-algorithms [ md5 sha1 sha256 sha384 sha512 ];
    lifetime 21600;
}
IPsec Parameters:
ipsec {
    force-nat-t disable;
    mode tunnel;
    encryption-algorithms [ 3des aes128 aes128-ctr aes128-gcm aes256 aes256-gcm ];
    hash-algorithms [ md5 xcbc sha1 sha256 sha384 sha512 ];
    pfs-groups [ mod-none mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];
    anti-replay enable;
    life {
        duration 12600;
    }
}
SASE IKE Parameters:
admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ike
dpd-timeout 30;
pfs-group mod2;
lifetime 28800;
ike-transform aes256-sha256;
ike-version v2;
SASE IPsec Parameters:
admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ipsec
pfs-group mod2;
lifetime 3600;
ipsec-transform esp-aes256-sha1;
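One way to check the gateway values against the lists above, as an added example that is not part of the original page or the vendor's tooling. It assumes the ike { } and ipsec { } blocks are the proposal lists the gateway's transform and group must fall within, that transforms are named `<encryption>-<hash>` with an optional `esp-` prefix, and that `modN` means DH group N; `parse_lists`, `audit` and `WEAK` are hypothetical names.

```python
import re

# Algorithm lists copied from the ike { } and ipsec { } blocks on this page.
PAGE_CONFIG = """
ike {
    groups [ mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];
    encryption-algorithms [ 3des aes128 aes256 ];
    hash-algorithms [ md5 sha1 sha256 sha384 sha512 ];
}
ipsec {
    encryption-algorithms [ 3des aes128 aes128-ctr aes128-gcm aes256 aes256-gcm ];
    hash-algorithms [ md5 xcbc sha1 sha256 sha384 sha512 ];
    pfs-groups [ mod-none mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];
}
"""

# Treated as weak here: 3DES, MD5 and DH groups 1/2/5, which RFC 8221 and
# RFC 8247 discourage, plus mod-none (no PFS). Assumes modN is DH group N.
WEAK = {"3des", "md5", "mod1", "mod2", "mod5", "mod-none"}

def parse_lists(text):
    """Return {section: {key: [values]}} for every 'key [ a b c ];' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"([\w-]+) \{", line):
            current = sections.setdefault(m.group(1), {})
        elif (m := re.fullmatch(r"([\w-]+) \[ (.*?) \];", line)) and current is not None:
            current[m.group(1)] = m.group(2).split()
    return sections

def audit(lists, transform, group, group_key):
    """Check one gateway transform and PFS/DH group against a section's lists."""
    enc, digest = re.sub(r"^esp-", "", transform).rsplit("-", 1)
    chosen = {"encryption-algorithms": enc, "hash-algorithms": digest, group_key: group}
    findings = []
    for key, value in chosen.items():
        if value not in lists.get(key, []):
            findings.append(f"{value}: not in {key}")
        if value in WEAK:
            findings.append(f"{value}: weak")
    return findings

CFG = parse_lists(PAGE_CONFIG)
# Gateway values as shown in the two "show ... secure-access servers" outputs.
IKE_FINDINGS = audit(CFG["ike"], "aes256-sha256", "mod2", "groups")
IPSEC_FINDINGS = audit(CFG["ipsec"], "esp-aes256-sha1", "mod2", "pfs-groups")

if __name__ == "__main__":
    print("ike:  ", IKE_FINDINGS)
    print("ipsec:", IPSEC_FINDINGS)
```

Both gateway transforms fall inside the listed sets; the only finding is the `mod2` group on each side, which a reviewer may want to raise to `mod14` or higher where both ends allow it.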