IKE and IPsec parameters on SASE gateway

Following are IKE and IPsec parameters which must be set on SASE gateway to avoid any frequent disconnects or connectivity issues from SASE client

IKE parameters:

ike {

    version               v2;

    groups                [ mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

    encryption-algorithms [ 3des aes128 aes256 ];

    hash-algorithms       [ md5 sha1 sha256 sha384 sha512 ];

    lifetime              21600;

}

IPsec Parameters:

ipsec {

    force-nat-t           disable;

    mode                  tunnel;

    encryption-algorithms [ 3des aes128 aes128-ctr aes128-gcm aes256 aes256-gcm ];

    hash-algorithms       [ md5 xcbc sha1 sha256 sha384 sha512 ];

    pfs-groups            [ mod-none mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

    anti-replay           enable;

    life {

        duration 12600;

    }

}

SASE IKE Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ike
dpd-timeout 30;
pfs-group mod2;
lifetime 28800;
ike-transform aes256-sha256;
ike-version v2;

SASE IPsec Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ipsec
pfs-group mod2;
lifetime 3600;
ipsec-transform esp-aes256-sha1;