This article details the recommended settings for a DHCP IPsec tunnel using IKEv2. Phase 1 refers to the IKE SA and Phase 2 to the Child (IPsec) SA.
| Components | Phase 1 | Phase 2 |
| --- | --- | --- |
| Confidentiality | AES-256 | AES-256 |
| Integrity | SHA-512 | SHA-512 |
| Authentication | Pre-Shared Key (PSK) | N/A |
| Protocol | N/A | AH / ESP |
| Encapsulation Mode | N/A | Tunnel Mode |
| Key Exchange Method | Diffie-Hellman | Diffie-Hellman |
| Diffie-Hellman Group | 2 (modp1024) | 2 (modp1024) |
| Total Child SAs Supported | N/A | 8 |
| IKE Lifetime | 3 Hours | - |
| SA Lifetime | - | 1 Hour |
| SA Lifebytes | Unlimited | Unlimited |
| NAT-Traversal | Enabled | N/A |
| NAT Keepalive Interval | 30 Seconds | N/A |
| Dead Peer Detection (DPD) | Enabled | N/A |
| DPD Timeout Interval | 30 Seconds | N/A |
| DPD Maximum Retries | 5 | N/A |
| Perfect Forward Secrecy (PFS) | N/A | Disabled |
| Maximum Transmission Unit (MTU) | N/A | 1400 Bytes |
| Maximum Segment Size (MSS) | N/A | 1360 Bytes |
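As an added example (not part of this article), the table above expressed as strongSwan `strongswan.conf` and `swanctl.conf` fragments; the connection name, addresses, identities, subnets and file paths are assumed, and the MTU/MSS values are not swanctl settings and are applied on the tunnel interface and via TCP MSS clamping instead.

```conf
# --- strongswan.conf excerpt (assumed path: /etc/strongswan.conf) ---
charon {
    keep_alive = 30s        # NAT keepalive interval (table: 30 seconds; default is 20s)
    retransmit_tries = 5    # IKEv2 DPD uses INFORMATIONAL exchanges, so the ordinary
                            # retransmit count is what implements "DPD Maximum Retries: 5"
}

# --- swanctl.conf excerpt (assumed path: /etc/swanctl/swanctl.conf) ---
connections {
    dhcp-tunnel {                                # constructed connection name
        version = 2                              # IKEv2
        local_addrs  = 203.0.113.10              # constructed gateway addresses
        remote_addrs = 198.51.100.20
        proposals = aes256-sha512-modp1024       # Phase 1: AES-256 / SHA-512 / DH group 2
        # Caveat: 1024-bit MODP (group 2) is rated SHOULD NOT in RFC 8247; where the
        # peer allows it, negotiate a stronger group such as modp2048 (14) or ecp256 (19).
        rekey_time = 3h                          # IKE lifetime: 3 hours
        dpd_delay  = 30s                         # DPD timeout interval: 30 seconds
        # NAT-Traversal is always enabled in strongSwan; "encap = yes" would additionally
        # force UDP encapsulation even when no NAT is detected.
        local {
            auth = psk                           # Phase 1 authentication: PSK
            id = vpn-site-a                      # constructed identity
        }
        remote {
            auth = psk
            id = vpn-site-b
        }
        children {
            dhcp {
                mode = tunnel                    # encapsulation mode: tunnel
                local_ts  = 10.0.0.0/24          # constructed protected subnets
                remote_ts = 10.1.0.0/24
                esp_proposals = aes256-sha512    # Phase 2: AES-256 / SHA-512 over ESP;
                                                 # no DH group here, so PFS is disabled
                rekey_time  = 1h                 # SA lifetime: 1 hour
                rekey_bytes = 0                  # 0 = no volume-based rekey (lifebytes unlimited)
                dpd_action  = restart
                start_action = trap
            }
        }
    }
}
secrets {
    ike-dhcp-tunnel {
        id = vpn-site-b
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder, not a real key
    }
}
# MTU 1400 / MSS 1360 and the child SA limit of 8 are enforced outside these files
# (tunnel interface MTU, TCP MSS clamping, and the peer device's own limits).
```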