Supported IPsec Parameters

Cisco Umbrella uses the IPsec protocol for tunneling traffic. IPsec has multiple components, and one of the core components is Internet Key Exchange (IKE). IKE handles negotiation with peers, authentication, and certificate exchange, and also maintains the session by using the TCP Keepalive mechanism. Umbrella only supports IKEv2, which is faster and more secure than IKEv1.


VPN Tunnel Restrictions

Several countries restrict VPNs including IPsec tunnels, which may prevent Umbrella Secure Internet Gateway (SIG) connectivity. For more information, see Countries with VPN Tunnel Restrictions.

Supported IPsec Parameters

Umbrella supports the configuration of certain IPsec parameters to deploy a network tunnel. Even if a device can establish an IPsec tunnel to Umbrella, we do not guarantee that the tunnel is compatible. For example, if the tunnel enables Perfect Forward Secrecy (PFS), you can establish a tunnel, but in the event of reconnection, the tunnel fails to rekey and loses service. Thorough testing is recommended before putting any tunnel into production.

| Components | IKEv2 (Phase I) (no IKEv1 support) | ESP (Phase II) |
|---|---|---|
| Encryption | AES-128 (GCM), AES-256 (GCM) | AES-128 (GCM), AES-256 (GCM) |
| Hashing | N/A | SHA1, SHA256 |
| Diffie-Hellman (DH) Group | DH Group 19, DH Group 20 | DH Group 5, DH Group 14, DH Group 15, DH Group 19, DH Group 20 |
| Authentication | Pre-Shared Key (PSK) | N/A |
| Protocol | N/A | ESP in UDP (NAT-T) |
| Total Child SAs Supported | N/A | 1 |
| Lifetime | Based on Client Settings (IKE default is 4 hours) | Based on Client Settings (child_SA default is 1 hour) |
| Perfect Forward Secrecy (PFS) | N/A | Disabled |
| Dead Peer Detection (DPD) Timeouts | 10 seconds (with three retries) | |
| IKE Fragmentation | Enabled | N/A |

* Deprecated.
Recommendations are in BOLD.

Note: Cisco Umbrella and Cisco routing platforms are optimized for Galois/Counter Mode (GCM) encryption. Thus, we recommend that you use GCM encryption for maximum throughput. Using cipher block chaining (CBC) may result in lower throughput. Performance is subject to hardware and configurations.
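A pre-deployment check that compares a proposed tunnel configuration against the supported parameters in the table above, including the PFS rekey failure and the GCM-versus-CBC throughput note. This is an added example, not Cisco tooling; the configuration dictionary keys, algorithm names and the two sample proposals are constructed for illustration.

```python
from typing import Dict, List

# Supported values transcribed from the parameter table above (constructed lookup table).
SUPPORTED = {
    "ike_encryption": {"aes128gcm", "aes256gcm"},
    "ike_dh_groups": {19, 20},
    "ike_auth": {"psk"},
    "esp_encryption": {"aes128gcm", "aes256gcm"},
    "esp_integrity": {"sha1", "sha256"},
    "esp_dh_groups": {5, 14, 15, 19, 20},
}
MAX_CHILD_SAS = 1  # "Total Child SAs Supported" from the table


def check_tunnel(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means the proposal matches the table."""
    findings = []
    if cfg.get("ike_version") != 2:
        findings.append("IKE version: only IKEv2 is supported (no IKEv1)")
    if cfg.get("ike_auth") not in SUPPORTED["ike_auth"]:
        findings.append("IKE authentication: only pre-shared key (PSK) is supported")
    for key in ("ike_encryption", "esp_encryption", "esp_integrity"):
        for alg in cfg.get(key, []):
            if alg not in SUPPORTED[key]:
                hint = " (GCM recommended for throughput)" if "cbc" in alg else ""
                findings.append(f"{key}: {alg} is not in the supported list{hint}")
    for key in ("ike_dh_groups", "esp_dh_groups"):
        bad = sorted(set(cfg.get(key, [])) - SUPPORTED[key])
        if bad:
            findings.append(f"{key}: DH group(s) {bad} not supported")
    if cfg.get("pfs", False):
        # Tunnel comes up, but rekeying fails after a reconnection and service is lost.
        findings.append("PFS enabled: tunnel establishes but fails to rekey after reconnection")
    if cfg.get("child_sas", 1) > MAX_CHILD_SAS:
        findings.append(f"child SAs: {cfg['child_sas']} proposed, only {MAX_CHILD_SAS} supported")
    return findings


# Constructed sample proposals: one matching the table, one with typical mistakes.
GOOD = {"ike_version": 2, "ike_auth": "psk", "ike_encryption": ["aes256gcm"],
        "ike_dh_groups": [20], "esp_encryption": ["aes256gcm"], "esp_integrity": ["sha256"],
        "esp_dh_groups": [20], "pfs": False, "child_sas": 1}
BAD = {"ike_version": 1, "ike_auth": "psk", "ike_encryption": ["aes256cbc"],
       "ike_dh_groups": [14], "esp_encryption": ["aes256gcm"], "esp_integrity": ["md5"],
       "esp_dh_groups": [2], "pfs": True, "child_sas": 2}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_tunnel(cfg) or ["OK"])
```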
