Cisco Umbrella uses the IPsec protocol for tunneling traffic. IPsec has multiple components, and one of the core components is Internet Key Exchange (IKE). IKE handles negotiation with peers, authentication, and certificate exchange, and it maintains the session by using the TCP Keepalive mechanism. Umbrella supports only IKEv2, which is faster and more secure than IKEv1.
VPN Tunnel Restrictions
Several countries restrict VPNs including IPsec tunnels, which may prevent Umbrella Secure Internet Gateway (SIG) connectivity. For more information, see Countries with VPN Tunnel Restrictions.
Umbrella supports the configuration of certain IPsec parameters for deploying a network tunnel. Even if a device can establish an IPsec tunnel to Umbrella, the tunnel is not guaranteed to be compatible. For example, if the tunnel enables Perfect Forward Secrecy (PFS), the tunnel comes up, but on reconnection it fails to rekey and loses service. Test thoroughly before putting any tunnel into production.
| Components | IKEv2 (Phase I) (no IKEv1 support) | ESP (Phase II) |
|---|---|---|
| Encryption | AES-128 (GCM), AES-256 (GCM) | AES-128 (GCM), AES-256 (GCM), NULL (CBC) - SHA1, NULL (GCM) - AES-128/256 GMAC |
| Hashing | SHA1, SHA256 | SHA1, SHA256 |
| Diffie-Hellman (DH) Group | 5*, 14, 19, 20 | N/A |
| Authentication | Pre-Shared Key (PSK) | N/A |
| Protocol | N/A | ESP in UDP (NAT-T) |
| Total Child SAs Supported | N/A | 1 |
| Lifetime | Based on client settings (IKE default is 4 hours) | Based on client settings (child_SA default is 1 hour) |
| Perfect Forward Secrecy (PFS) | N/A | Disabled |
| Dead Peer Detection (DPD) Timeouts | 10 seconds (with three retries) | |
Recommendations are in BOLD.
Note: Cisco Umbrella and Cisco routing platforms are optimized for Galois/Counter Mode (GCM) encryption. Thus, we recommend that you use GCM encryption for maximum throughput. Using cipher block chaining (CBC) may result in lower throughput. Performance is subject to hardware and configurations.
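As an added example (not from the Umbrella documentation), this Cisco IOS-XE IKEv2 configuration maps the matrix above onto a router: AES-256-GCM for both phases, SHA-256 PRF, DH group 19, PSK authentication, a 4-hour IKE lifetime and 1-hour child SA lifetime, periodic DPD, and no PFS on the IPsec profile. The peer address, PSK, tunnel identity (and its email form), and interface names are placeholders and assumptions, not values from the page.

```cisco
! IKEv2 (Phase I): GCM cipher, so a PRF is set and no separate integrity line
crypto ikev2 proposal UMBRELLA-IKE-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy UMBRELLA-IKE-POLICY
 proposal UMBRELLA-IKE-PROP
!
! PSK authentication; <UMBRELLA_DC_IP> and <PSK> are placeholders
crypto ikev2 keyring UMBRELLA-KEYRING
 peer umbrella
  address <UMBRELLA_DC_IP>
  pre-shared-key <PSK>
!
crypto ikev2 profile UMBRELLA-IKE-PROFILE
 match identity remote address <UMBRELLA_DC_IP> 255.255.255.255
 identity local email <TUNNEL_ID>
 authentication remote pre-share
 authentication local pre-share
 keyring local UMBRELLA-KEYRING
 ! IKE SA lifetime: 4 hours, matching the Umbrella default
 lifetime 14400
 ! IOS-XE DPD syntax: first value is the interval, second is the retry
 ! interval in seconds (not a retry count); periodic keeps liveness checks going
 dpd 10 2 periodic
!
! ESP (Phase II): GCM transform, tunnel mode
crypto ipsec transform-set UMBRELLA-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile UMBRELLA-IPSEC-PROFILE
 set transform-set UMBRELLA-TS
 set ikev2-profile UMBRELLA-IKE-PROFILE
 ! child SA lifetime: 1 hour, matching the Umbrella default
 set security-association lifetime seconds 3600
 ! deliberately no "set pfs" line: PFS stays disabled so rekeys succeed
!
! One tunnel interface, so only the single child SA Umbrella supports
interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination <UMBRELLA_DC_IP>
 tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE
```

After bring-up, confirm the negotiated parameters with `show crypto ikev2 sa detailed` and `show crypto ipsec sa`, and watch that the tunnel survives a rekey rather than only the initial connection.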