General recommendations for local sites
When you configure the local sites for your Multi-site IPsec VPN connectivity, consider the following recommendations:
- For each IKE Phase, set at least one of the values that are configured in the cloud site for the following parameters: Encryption algorithm, Hash algorithm, and Diffie-Hellman group numbers.
- Enable Perfect forward secrecy with at least one of the Diffie-Hellman group numbers that are configured in the cloud site for IKE Phase 2.
- Configure the same Lifetime values for IKE Phase 1 and IKE Phase 2 as in the cloud site.
- The Startup action setting defines which side initiates the connection. The default value Add means that the local site initiates the connection and the cloud site waits for the connection initiation. Change the value to Start if you want the cloud site to initiate the connection, or to Route if you want both sides to be able to initiate the connection (suitable for firewalls that support the route option).
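The recommendations above can be checked before a tunnel is brought up. The following Python sketch is an added example, not part of the product or its documentation. The dictionary layout, the field names (including the hypothetical `initiates` flag for the local device), and all sample values are constructed for illustration, and lifetimes are assumed to be in seconds.

```python
# Added example: field names and all sample values are constructed.
PARAMS = ("encryption", "hash", "dh_groups")
# Which side initiates for each Startup action value described above.
INITIATOR = {"Add": "local", "Start": "cloud", "Route": "both"}

def check_local_site(cloud, local):
    """Return findings; an empty list means the local site matches the cloud site."""
    findings = []
    for phase in ("phase1", "phase2"):
        c, l = cloud[phase], local[phase]
        for param in PARAMS:
            # PFS is what adds a DH exchange to Phase 2; without it no group is negotiated.
            if phase == "phase2" and param == "dh_groups" and not l.get("pfs"):
                findings.append("phase2: Perfect forward secrecy is not enabled")
                continue
            # Each parameter needs at least one value in common with the cloud site.
            if not set(c[param]) & set(l[param]):
                findings.append(f"{phase}: no common {param} value")
        if c["lifetime"] != l["lifetime"]:
            findings.append(f"{phase}: lifetime {l['lifetime']} != cloud {c['lifetime']}")
    action = cloud["startup_action"]
    if action not in INITIATOR:
        findings.append(f"unknown Startup action {action!r}")
    elif INITIATOR[action] == "local" and not local["initiates"]:
        findings.append("Startup action Add: cloud site waits, but local site does not initiate")
    return findings

CLOUD = {  # constructed cloud site settings (lifetimes in seconds, an assumption)
    "startup_action": "Add",
    "phase1": {"encryption": ["AES256"], "hash": ["SHA256"], "dh_groups": [14, 19], "lifetime": 28800},
    "phase2": {"encryption": ["AES256"], "hash": ["SHA256"], "dh_groups": [14], "lifetime": 3600},
}
LOCAL_OK = {  # constructed local site that follows every recommendation
    "initiates": True,
    "phase1": {"encryption": ["AES256", "AES128"], "hash": ["SHA256"], "dh_groups": [19], "lifetime": 28800},
    "phase2": {"encryption": ["AES256"], "hash": ["SHA256"], "dh_groups": [14], "pfs": True, "lifetime": 3600},
}
LOCAL_BAD = {  # constructed local site with four mismatches
    "initiates": False,
    "phase1": {"encryption": ["AES128"], "hash": ["SHA256"], "dh_groups": [19], "lifetime": 86400},
    "phase2": {"encryption": ["AES256"], "hash": ["SHA256"], "dh_groups": [14], "pfs": False, "lifetime": 3600},
}

if __name__ == "__main__":
    for name, site in (("LOCAL_OK", LOCAL_OK), ("LOCAL_BAD", LOCAL_BAD)):
        print(name, check_local_site(CLOUD, site) or "matches the cloud site")
```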
For more information and configuration examples for different solutions, see: