DHCP - recommended settings for IPSec tunnel (IKEv2) – Cloudi-Fi Knowledge Base

This article details recommended settings for DHCP IPSec tunnel (IKEv2)

Supported IPSec VPN Parameters

Components	Phase 1	Phase 2
Confidentiality	AES-256 AES-128	AES-256 AES-128
Integrity	SHA-256 SHA-512	SHA-256 SHA-512
Authentication	Pre-Shared Key (PSK)	X
Protocol	X	AH ESP
Encapsulation Mode	X	Tunnel Mode
Key Exchange Method Diffie-Hellman (Group)	modp1024 (2) modp2048 (14) ECP256 (19) ECP521 (21)	Optional modp1024 (2) modp2048 (14) ECP256 (19) ECP521 (21)
PRF	prfsha256 prfsha512	X
Total Child SAs Supported	N/A	8
IKE Lifetime	24 hours 86400 seconds	-
SA Lifetime	-	12 hours 43200 seconds
SA Lifebytes	Unlimited	Unlimited
NAT-Traversal	If behind NAT	X
NAT Keepalive Interval	30 Seconds	X
Dead Peer Detection (DPD)	Enabled	X
DPD Timeout Interval	30 Seconds	X
DPD Maximum Retries	5	X
Maximum Transmission Unit (MTU)	1400 Bytes
Maximum Segment Size (MSS)	1360 Bytes