Cisco Umbrella uses the IPsec protocol for tunneling traffic. IPsec has multiple components, and one of the core components is Internet Key Exchange (IKE). IKE negotiates with peers, handles authentication and certificate exchange, and maintains the session by using the TCP keepalive mechanism. Umbrella only supports IKEv2, which is faster and more secure than IKEv1.
VPN Tunnel Restrictions
Several countries restrict VPNs including IPsec tunnels, which may prevent Umbrella Secure Internet Gateway (SIG) connectivity. For more information, see Countries with VPN Tunnel Restrictions.
Supported IPsec Parameters
Umbrella supports the configuration of certain IPsec parameters to deploy a network tunnel. Even if a device can establish an IPsec tunnel to Umbrella, we do not guarantee that the tunnel is compatible. For example, if the tunnel enables Perfect Forward Secrecy (PFS), you can establish a tunnel, but in the event of reconnection, the tunnel fails to rekey and loses service. Thorough testing is recommended before putting any tunnel into production.
| Parameter | IKE (Phase 1) | IPsec Child SA (Phase 2) |
| --- | --- | --- |
| Encryption | **AES-128 (GCM)**, **AES-256 (GCM)**, AES-128 (CBC), AES-256 (CBC) | **AES-128 (GCM)**, **AES-256 (GCM)**, AES-128 (CBC), AES-256 (CBC), NULL (CBC) - SHA1, NULL (GCM) - AES-128/256 GMAC |
| Hashing | SHA1, SHA256 | SHA1, SHA256 |
| Diffie-Hellman (DH) Group | 5*, 14, 19, 20 | N/A |
| Authentication | Pre-Shared Key (PSK) | N/A |
| Protocol | N/A | ESP in UDP (NAT-T) |
| Total Child SAs Supported | N/A | 1 |
| Lifetime | Based on client settings (IKE default is 4 hours) | Based on client settings (child_SA default is 1 hour) |
| Perfect Forward Secrecy (PFS) | N/A | Disabled |
| Dead Peer Detection (DPD) Timeouts | 10 seconds (with three retries) | N/A |
| IKE Fragmentation | Enabled | N/A |

* Deprecated.
Recommendations are in BOLD.
Note: Cisco Umbrella and Cisco routing platforms are optimized for Galois/Counter Mode (GCM) encryption. Thus, we recommend that you use GCM encryption for maximum throughput. Using cipher block chaining (CBC) may result in lower throughput. Performance is subject to hardware and configurations.
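A pre-deployment check that compares a proposed tunnel profile against the parameter table above, flagging settings that will break the tunnel (IKEv1, PFS enabled, more than one Child SA, unsupported algorithms) separately from settings that merely cost throughput or use deprecated values. This is an added illustration, not Cisco code; the profile dictionary keys and the "AES-256-GCM"-style algorithm names are assumptions made for this example and do not correspond to any vendor's configuration syntax.

```python
# Checks a proposed IKEv2/IPsec tunnel profile against the Umbrella parameter
# table. Added example, not Cisco code; the profile dict keys and the
# "AES-256-GCM"-style algorithm names are assumptions made for this example.
SUPPORTED = {
    "ike_version": {2},
    "ike_encryption": {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"},
    "ipsec_encryption": {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
                         "NULL-CBC-SHA1", "NULL-GCM-GMAC"},
    "hash": {"SHA1", "SHA256"},
    "dh_group": {5, 14, 19, 20},
    "authentication": {"PSK"},
}
DEPRECATED_DH = {5}  # marked deprecated in the table


def check_profile(profile):
    """Return (errors, warnings): errors block the tunnel, warnings are advisory."""
    errors, warnings = [], []
    if profile.get("ike_version") not in SUPPORTED["ike_version"]:
        errors.append("ike_version: Umbrella only supports IKEv2")
    for key in ("ike_encryption", "ipsec_encryption"):
        alg = profile.get(key, "")
        if alg not in SUPPORTED[key]:
            errors.append(f"{key}: {alg!r} is not a supported cipher")
            continue
        if alg.startswith("NULL"):
            warnings.append(f"{key}: NULL cipher gives integrity only, no confidentiality")
        elif "CBC" in alg:
            warnings.append(f"{key}: CBC mode; GCM is recommended for throughput")
    if profile.get("hash") not in SUPPORTED["hash"]:
        errors.append("hash: only SHA1 and SHA256 are supported")
    group = profile.get("dh_group")
    if group not in SUPPORTED["dh_group"]:
        errors.append(f"dh_group: {group!r} not in {sorted(SUPPORTED['dh_group'])}")
    elif group in DEPRECATED_DH:
        warnings.append(f"dh_group: group {group} is deprecated; use 14, 19 or 20")
    if profile.get("authentication") not in SUPPORTED["authentication"]:
        errors.append("authentication: only Pre-Shared Key (PSK) is supported")
    if profile.get("pfs", False):
        # The tunnel comes up with PFS on, but fails to rekey after a reconnect.
        errors.append("pfs: must be disabled; rekey fails on reconnection")
    if profile.get("child_sas", 1) != 1:
        errors.append("child_sas: exactly one Child SA is supported")
    if not profile.get("nat_t", True):
        errors.append("protocol: ESP must be encapsulated in UDP (NAT-T)")
    return errors, warnings


if __name__ == "__main__":
    sample = {"ike_version": 2, "ike_encryption": "AES-256-GCM",
              "ipsec_encryption": "AES-256-GCM", "hash": "SHA256", "dh_group": 19,
              "authentication": "PSK", "pfs": False, "child_sas": 1, "nat_t": True}
    print(check_profile(sample))  # ([], [])
```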