You can specify these settings to define how IPsec is implemented:
IKE exchange modes: Aggressive mode for preshared key and hybrid authentication, or Main mode for certificate authentication.
Encryption algorithms: 3DES, AES-128, or AES-256.
Authentication algorithms: HMAC-MD5 or HMAC-SHA1.
Diffie-Hellman Groups: Group 2 is required for preshared key and hybrid authentication, group 2 with 3DES and AES-128 for certificate authentication, and group 2 or 5 with AES-256.
Perfect Forward Secrecy (PFS): For IKE phase 2, if PFS is used, the Diffie-Hellman Group must be the same as was used for IKE phase 1.
Standard NAT traversal: Supported and can be enabled (IPsec over TCP isn’t supported).
Load balancing: Supported and can be enabled.
Rekeying of phase 1: Not currently supported. It’s recommended that rekeying times on the server be set to one hour.
ASA address mask: Make sure all device address pool masks are either not set, or set to 255.255.255.255. If you use the recommended address mask, some routes assumed by the VPN configuration might be ignored.
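The constraints above interact (the allowed Diffie-Hellman group depends on both the authentication method and the cipher, the PFS group must match phase 1, IPsec over TCP is unsupported, the pool mask must be host-sized), so it is easy to ship a server proposal the client will reject. The checker below, an added example rather than code from the original page or from Apple or Cisco, encodes those rules so a proposal can be linted before deployment. The field names (auth_method, dh_group, address_pool_mask and so on) are invented for this checker and are not Cisco ASA or Apple configuration keys; the sample proposals at the bottom are constructed.

```python
"""Lint an IKEv1/IPsec proposal against the device-compatibility rules listed above.

Added example; not part of the original page. Field names are hypothetical and do
not correspond to Cisco ASA or Apple configuration keys.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

ALLOWED_ENCRYPTION = {"3DES", "AES-128", "AES-256"}
ALLOWED_INTEGRITY = {"HMAC-MD5", "HMAC-SHA1"}
AUTH_METHODS = {"psk", "hybrid", "certificate"}
RECOMMENDED_P1_LIFETIME_SECONDS = 3600   # one hour, as the page recommends
REQUIRED_POOL_MASK = "255.255.255.255"   # host mask for the device address pool


@dataclass
class Proposal:
    auth_method: str                     # "psk", "hybrid" or "certificate"
    exchange_mode: str                   # "aggressive" or "main"
    encryption: str                      # "3DES", "AES-128" or "AES-256"
    integrity: str                       # "HMAC-MD5" or "HMAC-SHA1"
    dh_group: int                        # IKE phase 1 Diffie-Hellman group
    pfs_group: Optional[int] = None      # phase 2 PFS group; None when PFS is off
    phase1_lifetime_seconds: int = RECOMMENDED_P1_LIFETIME_SECONDS
    ipsec_over_tcp: bool = False
    address_pool_mask: Optional[str] = None  # None means "not set"


def allowed_dh_groups(auth_method: str, encryption: str) -> Set[int]:
    """DH groups the page allows for a given authentication method and cipher."""
    if auth_method in ("psk", "hybrid"):
        return {2}                       # preshared key / hybrid: group 2 only
    if encryption == "AES-256":
        return {2, 5}                    # certificate + AES-256: group 2 or 5
    return {2}                           # certificate + 3DES or AES-128: group 2


def lint_proposal(p: Proposal) -> List[str]:
    """Return a list of findings; an empty list means the proposal follows the rules."""
    findings: List[str] = []
    if p.auth_method not in AUTH_METHODS:
        return [f"unknown authentication method {p.auth_method!r}"]

    # Exchange mode is tied to the authentication method.
    expected_mode = "main" if p.auth_method == "certificate" else "aggressive"
    if p.exchange_mode != expected_mode:
        findings.append(f"exchange mode must be {expected_mode} for {p.auth_method}")

    if p.encryption not in ALLOWED_ENCRYPTION:
        findings.append(f"encryption {p.encryption!r} not supported")
    if p.integrity not in ALLOWED_INTEGRITY:
        findings.append(f"integrity {p.integrity!r} not supported")

    groups = allowed_dh_groups(p.auth_method, p.encryption)
    if p.dh_group not in groups:
        findings.append(f"DH group {p.dh_group} not allowed; use one of {sorted(groups)}")

    # PFS, when used, must reuse the phase 1 group.
    if p.pfs_group is not None and p.pfs_group != p.dh_group:
        findings.append(f"PFS group {p.pfs_group} must equal phase 1 group {p.dh_group}")

    # Phase 1 rekeying is not supported on the client, so keep the server at one hour.
    if p.phase1_lifetime_seconds != RECOMMENDED_P1_LIFETIME_SECONDS:
        findings.append("phase 1 lifetime should be set to one hour (3600 s)")

    if p.ipsec_over_tcp:
        findings.append("IPsec over TCP is not supported; use standard NAT traversal")

    if p.address_pool_mask not in (None, REQUIRED_POOL_MASK):
        findings.append(f"address pool mask must be unset or {REQUIRED_POOL_MASK}")
    return findings


# Constructed sample proposals.
GOOD = Proposal(auth_method="certificate", exchange_mode="main", encryption="AES-256",
                integrity="HMAC-SHA1", dh_group=5, pfs_group=5,
                address_pool_mask=REQUIRED_POOL_MASK)
BAD = Proposal(auth_method="psk", exchange_mode="main", encryption="AES-256",
               integrity="HMAC-SHA1", dh_group=5, pfs_group=2,
               phase1_lifetime_seconds=86400, ipsec_over_tcp=True,
               address_pool_mask="255.255.255.0")

if __name__ == "__main__":
    for name, prop in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_proposal(prop) or ["ok"])
```

Running the block prints no findings for GOOD and six for BAD (wrong exchange mode for a preshared key, DH group 5 where group 2 is required, PFS group differing from phase 1, a one-day lifetime, IPsec over TCP, and a /24 pool mask). The lifetime check is deliberately strict because the page states the one-hour value as a recommendation rather than a range.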