IKE and IPsec parameters on SASE gateway

Modified on: Fri, 17 Feb, 2023 at 11:12 PM

Following are IKE and IPsec parameters which must be set on SASE gateway to avoid any frequent disconnects or connectivity issues from SASE client

IKE parameters:

ike {

version v2;

groups [ mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

encryption-algorithms [ 3des aes128 aes256 ];

hash-algorithms [ md5 sha1 sha256 sha384 sha512 ];

lifetime 21600;

}

IPsec Parameters:

ipsec {

force-nat-t disable;

mode tunnel;

encryption-algorithms [ 3des aes128 aes128-ctr aes128-gcm aes256 aes256-gcm ];

hash-algorithms [ md5 xcbc sha1 sha256 sha384 sha512 ];

pfs-groups [ mod-none mod1 mod2 mod5 mod14 mod15 mod16 mod19 mod20 mod21 mod25 mod26 ];

anti-replay enable;

life {

duration 12600;

}

SASE IKE Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ike
dpd-timeout 30;
pfs-group mod2;
lifetime 28800;
ike-transform aes256-sha256;
ike-version v2;

SASE IPsec Parameters:

admin@HE-DC-Branch-1-cli(config)% show orgs org-services Corp-Inline-Customer-1 secure-access servers Fremont-DC ipsec
pfs-group mod2;
lifetime 3600;
ipsec-transform esp-aes256-sha1;

Did you find it helpful? Yes No

IKE and IPsec parameters on SASE gateway

Modified on: Fri, 17 Feb, 2023 at 11:12 PM

More articles in SASE