
Supported IPsec Parameters

Cisco Umbrella uses the IPsec protocol for tunneling traffic. IPsec has multiple components, and one of the core components is Internet Key Exchange (IKE). IKE manages negotiation with peers, authentication and certificate exchange, and also maintains the session by using the TCP Keepalive mechanism. Umbrella only supports IKEv2, which is faster and more secure than IKEv1.

VPN Tunnel Restrictions

Several countries restrict VPNs including IPsec tunnels, which may prevent Umbrella Secure Internet Gateway (SIG) connectivity. For more information, see Countries with VPN Tunnel Restrictions.

Supported IPsec Parameters

Umbrella supports the configuration of certain IPsec parameters to deploy a network tunnel. Even if a device can establish an IPsec tunnel to Umbrella, we do not guarantee that the tunnel is compatible. For example, if the tunnel enables Perfect Forward Secrecy (PFS), you can establish a tunnel, but in the event of reconnection, the tunnel fails to rekey and loses service. Thorough testing is recommended before putting any tunnel into production.

Component                        IKEv2 (Phase I)                     ESP (Phase II)
                                 (no IKEv1 support)

Encryption                       AES-128 (GCM), AES-256 (GCM)        AES-128 (GCM), AES-256 (GCM)
                                 AES-128 (CBC), AES-256 (CBC)        AES-128 (CBC), AES-256 (CBC)
                                                                     NULL (CBC) - SHA1
                                                                     NULL (GCM) - AES-128/256 GMAC

Hashing                          SHA1, SHA256                        SHA1, SHA256

Diffie-Hellman (DH) Group        5*, 14, 19, 20                      N/A

Authentication                   Pre-Shared Key (PSK)                N/A

Protocol                         N/A                                 ESP in UDP (NAT-T)

Total Child SAs Supported        N/A                                 1

Lifetime                         Based on Client Settings            Based on Client Settings
                                 (IKE default is 4 hours)            (child_SA default is 1 hour)

Perfect Forward Secrecy (PFS)    N/A                                 Disabled

Dead Peer Detection (DPD)        10 seconds                          N/A
Timeouts                         (with three retries)

IKE Fragmentation                Enabled                             N/A

* Deprecated.
Recommendations are in BOLD.

Note: Cisco Umbrella and Cisco routing platforms are optimized for Galois/Counter Mode (GCM) encryption. Thus, we recommend that you use GCM encryption for maximum throughput. Using cipher block chaining (CBC) may result in lower throughput. Performance is subject to hardware and configurations.
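The following strongSwan swanctl.conf fragment is an added example that maps the parameter table and the GCM note above onto a concrete IKEv2 client configuration. It is not Cisco's or the strongSwan project's own reference configuration. The headend address, tunnel identity, pre-shared key and the full-tunnel traffic selectors (0.0.0.0/0) are placeholders and assumptions; the proposal names are strongSwan's (ecp256 is DH group 19, ecp384 is group 20, modp2048 is group 14, modp1536 is the deprecated group 5).

```conf
# Added example: strongSwan swanctl.conf for an Umbrella IPsec tunnel.
# Values in <ANGLE_BRACKETS> are placeholders taken from the Umbrella dashboard.
connections {
    umbrella-sig {
        version = 2                      # IKEv2 only; IKEv1 is not supported
        remote_addrs = <UMBRELLA_HEADEND_IP_PLACEHOLDER>
        # IKE (Phase I) proposal: AES-256-GCM (GCM is recommended over CBC for
        # throughput), SHA-256 as PRF/integrity, DH group 19 (ecp256).
        proposals = aes256gcm16-sha256-ecp256
        fragmentation = yes              # IKE fragmentation is enabled on the Umbrella side
        dpd_delay = 10s                  # DPD interval from the table
        rekey_time = 4h                  # IKE SA lifetime (Umbrella default)
        encap = yes                      # force ESP in UDP (NAT-T)
        local {
            auth = psk                   # PSK is the only supported authentication
            id = <TUNNEL_ID_PLACEHOLDER>
        }
        remote {
            auth = psk
        }
        children {
            # Exactly one child SA: Umbrella supports a single child SA per tunnel
            sig {
                local_ts = 0.0.0.0/0     # assumption: full-tunnel selectors
                remote_ts = 0.0.0.0/0
                # ESP (Phase II) proposal with NO DH group appended: adding one
                # (e.g. ...-ecp256) would enable PFS, which the page says breaks
                # rekeying after a reconnect.
                esp_proposals = aes256gcm16
                rekey_time = 1h          # child SA lifetime (Umbrella default)
                dpd_action = restart     # re-establish the tunnel when DPD fails
                start_action = start
            }
        }
    }
}

secrets {
    ike-umbrella {
        id = <TUNNEL_ID_PLACEHOLDER>
        secret = <PSK_PLACEHOLDER>
    }
}
```

Two points worth checking before putting this into production: the table's "three retries" for DPD is not a per-connection option in strongSwan's IKEv2 implementation, where the retry count comes from charon's retransmission settings in strongswan.conf rather than from this file; and PFS is controlled solely by whether a DH group appears in esp_proposals, so any template that appends a group there will produce the rekey failure described above.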

