
Supported IPsec Parameters

Cisco Umbrella uses the IPsec protocol for tunneling traffic. IPsec has multiple components, and one of the key components is IKE, which negotiates with the peer, handles authentication and certificate exchange, and keeps the session alive with a keepalive mechanism. Umbrella only supports IKEv2, which is faster and more secure than IKEv1.

Note: There are several countries that restrict VPNs including IPsec tunnels, which may prevent SIG connectivity. For more information, see Countries with VPN Tunnel Restrictions.

Device Compatibility with Tunnels

Even if your device can establish a tunnel, it is not guaranteed to be compatible. For example, if Perfect Forward Secrecy (PFS) is enabled, the tunnel will come up, but on reconnection it will fail to rekey and service will be lost. Additionally, vendors differ in their IPsec implementations in ways these parameters may not cover. Thorough testing is recommended before putting any tunnel into production. The following device(s) have known issues:

  • AWS Site-to-Site VPN: Incompatible because PFS cannot be disabled

Supported IPsec Parameters

Components: IKEv2 (Phase I) (no IKEv1 support) and ESP (Phase II). Each parameter below is given for IKEv2 first and for ESP second.

Encryption
  IKEv2: AES-128 (GCM), AES-256 (GCM), AES-128 (CBC), AES-256 (CBC)
  ESP: AES-128 (GCM), AES-256 (GCM), AES-128 (CBC), AES-256 (CBC), NULL (CBC) - SHA1, NULL (GCM) - AES-128/256 GMAC

Hashing
  IKEv2: SHA1, SHA256
  ESP: SHA1, SHA256

DH Group
  IKEv2: 5*, 14, 19, 20
  ESP: N/A

Authentication
  IKEv2: Pre-Shared Key (PSK)
  ESP: N/A

Protocol
  IKEv2: N/A
  ESP: ESP in UDP (NAT-T)

Total Child SAs Supported
  IKEv2: N/A
  ESP: 1

Lifetime
  IKEv2: Based on client settings (IKE default is 4 hours)
  ESP: Based on client settings (child_SA default is 1 hour)

Perfect Forward Secrecy (PFS)
  IKEv2: N/A
  ESP: Disabled

DPD Timeouts
  IKEv2: 10 seconds (with three retries)
  ESP: N/A

IKE Fragmentation
  IKEv2: Enabled
  ESP: N/A

* Deprecated.
Recommendations are in BOLD.

Note: Cisco Umbrella and Cisco routing platforms are optimized for GCM encryption. Therefore, we recommend you use GCM encryption for maximum throughput. Other options, such as CBC, may result in lower throughput. Performance is also subject to hardware and configurations and should be tested.

Supported Devices

Platform: Software
  Cisco ISR-G2: 15.4M3
  Cisco ISR-4K/Cisco 1000v: 16.7.1, 16.8.1a
  Viptela vEdge: 18.4.5+, 19.2.3+
  Viptela cEdge: 17.2
  Cisco ASA: 9.8
  Cisco FTD: 6.4+ (6.7 when using VTI)
  Cisco Meraki MX: 15.3

Device Compatibility

Umbrella is intended to be compatible with many different types of network devices. If you have a device that isn’t listed here, feel free to try it, but we may not be able to provide thorough assistance.

IPsec tunnels for Secure Internet Access must have a Maximum Transmission Unit (MTU) no larger than 1400 bytes, with an MSS no larger than 1360 bytes. Fragmented packets in the underlay or overlay are dropped. A slightly larger MTU and MSS may work depending on your specific IPsec configuration.
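As an added example (not from the Umbrella documentation), the following Python check compares a proposed tunnel profile against the IKEv2/ESP parameters, the PFS caveat, and the MTU/MSS limits described above, so a profile can be validated before it is put into production. The TunnelProfile fields and the cipher-name spellings are assumptions of this example, not Umbrella or vendor identifiers.

```python
from __future__ import annotations
from dataclasses import dataclass

# Values documented for Umbrella SIG tunnels; anything else is treated as unsupported.
SUPPORTED_IKE_ENC = {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"}
SUPPORTED_ESP_ENC = SUPPORTED_IKE_ENC | {"NULL-CBC-SHA1", "NULL-GCM-GMAC"}
SUPPORTED_HASH = {"SHA1", "SHA256"}
SUPPORTED_DH = {5, 14, 19, 20}
DEPRECATED_DH = {5}
MAX_MTU, MAX_MSS = 1400, 1360


@dataclass
class TunnelProfile:
    """Proposed device-side tunnel settings (field names are this example's own)."""
    ike_version: int
    ike_encryption: str
    ike_hash: str
    dh_group: int
    esp_encryption: str
    esp_hash: str
    auth: str = "PSK"
    pfs: bool = False
    mtu: int = 1400
    mss: int = 1360


def check_profile(p: TunnelProfile) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors mean no tunnel or loss of service on rekey."""
    errors, warnings = [], []
    if p.ike_version != 2:
        errors.append("only IKEv2 is supported (no IKEv1)")
    if p.ike_encryption not in SUPPORTED_IKE_ENC:
        errors.append(f"IKE encryption {p.ike_encryption} is not supported")
    if p.esp_encryption not in SUPPORTED_ESP_ENC:
        errors.append(f"ESP encryption {p.esp_encryption} is not supported")
    if p.ike_hash not in SUPPORTED_HASH or p.esp_hash not in SUPPORTED_HASH:
        errors.append("hashing must be SHA1 or SHA256")
    if p.dh_group not in SUPPORTED_DH:
        errors.append(f"DH group {p.dh_group} is not supported (use 14, 19 or 20)")
    elif p.dh_group in DEPRECATED_DH:
        warnings.append(f"DH group {p.dh_group} is deprecated")
    if p.auth != "PSK":
        errors.append("only pre-shared key authentication is supported")
    if p.pfs:  # tunnel comes up, but rekey after reconnection fails
        errors.append("PFS must be disabled or the tunnel will fail to rekey")
    if p.mtu > MAX_MTU or p.mss > MAX_MSS:
        errors.append(f"MTU/MSS must be at most {MAX_MTU}/{MAX_MSS}; fragments are dropped")
    if "CBC" in p.ike_encryption or "CBC" in p.esp_encryption:
        warnings.append("CBC works but GCM is recommended for throughput")
    return errors, warnings
```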

For some examples on where we have offered suggestions to customers on unsupported devices, see the following:

