This article details the recommended settings for a DHCP IPSec tunnel (IKEv2).
Supported IPSec VPN Parameters

| Components | Phase 1 | Phase 2 |
| --- | --- | --- |
| Confidentiality | AES-256 | AES-256 |
| Integrity | SHA-512 | SHA-512 |
| Authentication | Pre-Shared Key (PSK) | X |
| Protocol | X | AH / ESP |
| Encapsulation Mode | X | Tunnel Mode |
| Key Exchange Method | Diffie-Hellman | |
| Diffie-Hellman Group | 14 (modp2048) | PFS enabled, 14 (modp2048) |
| Total Child SAs Supported | N/A | 8 |
| IKE Lifetime | 3 Hours | - |
| SA Lifetime | - | 1 Hour |
| SA Lifebytes | Unlimited | Unlimited |
| NAT-Traversal | If behind NAT | X |
| NAT Keepalive Interval | 30 Seconds | X |
| Dead Peer Detection (DPD) | Enabled | X |
| DPD Timeout Interval | 30 Seconds | X |
| DPD Maximum Retries | 5 | X |
| Maximum Transmission Unit (MTU) | 1400 Bytes | |
| Maximum Segment Size (MSS) | 1360 Bytes | |
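As an added example (not from the original article or its vendor), the table above expressed as a strongSwan `swanctl.conf` site-to-site tunnel. Addresses, subnets, connection names and the PSK placeholder are assumptions; the child-SA count, MTU and MSS are not swanctl settings and are left to the interface and firewall configuration.

```conf
# Assumed topology: local gateway 203.0.113.10 (10.0.1.0/24)
#                   remote gateway 198.51.100.20 (10.0.2.0/24)
connections {
    ikev2-tunnel {
        version = 2                             # IKEv2 only
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        # Phase 1: AES-256, SHA-512, DH group 14 (modp2048)
        proposals = aes256-sha512-modp2048
        rekey_time = 3h                         # IKE lifetime
        dpd_delay  = 30s                        # DPD / keepalive interval
        # NAT-T is negotiated automatically; set encap = yes only when
        # this gateway is known to sit behind NAT.
        encap = no
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        children {
            site-to-site {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                mode = tunnel                   # encapsulation mode
                # Phase 2: ESP with AES-256/SHA-512; the DH group here
                # enables PFS on every child-SA rekey.
                esp_proposals = aes256-sha512-modp2048
                rekey_time  = 1h                # SA lifetime
                rekey_bytes = 0                 # 0 = no byte-based rekey (unlimited)
                dpd_action   = restart          # re-establish on DPD failure
                start_action = start
            }
        }
    }
}

secrets {
    ike-site-to-site {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "REPLACE-WITH-A-STRONG-RANDOM-PSK"   # placeholder
    }
}
```

Switch to `auth = pubkey` with certificates where the peer supports it; a PSK should be long and random and rotated with the same discipline as any other shared credential.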