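The following IKE and IPsec parameters must be set on the SASE gateway to avoid frequent disconnects or connectivity issues from the SASE client. Note that the lists below include legacy options that are generally considered weak (3des, md5, sha1, the mod1/mod2/mod5 groups, and mod-none for PFS). The SASE-side settings shown further down use mod2 for both IKE and IPsec and esp-aes256-sha1 for IPsec, so confirm which transforms your clients actually propose before narrowing the lists, and prefer the stronger entries where both sides support them.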


IKE parameters:


ike {

    version               v2;

    groups                [ mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

    encryption-algorithms [ 3des aes128 aes256 ];

    hash-algorithms       [ md5 sha1 sha256 sha384 sha512 ];

    lifetime              21600;

}


IPsec Parameters:

ipsec {

    force-nat-t           disable;

    mode                  tunnel;

    encryption-algorithms [ 3des aes128 aes128-ctr aes128-gcm aes256 aes256-gcm ];

    hash-algorithms       [ md5 xcbc sha1 sha256 sha384 sha512 ];

    pfs-groups            [ mod-none mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

    anti-replay           enable;

    life {

        duration 12600;

    }

}


SASE IKE Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ike
dpd-timeout 30;
pfs-group mod2;
lifetime 28800;
ike-transform aes256-sha256;
ike-version v2;


SASE IPsec Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ipsec
pfs-group mod2;
lifetime 3600;
ipsec-transform esp-aes256-sha1;