...
| Algorithm Type | Supported Algorithms |
|---|---|
| Encryption | AES128-GCM, AES256-GCM, AES-128, AES-256 |
| Integrity | SHA2-256, SHA2-384, SHA2-512 |
| Diffie-Hellman Groups | 14 (2048-bit MODP) |
| Lifetime | 48 hours |
On Palo Alto Networks, PFS must be set to “None” rather than 14 if Encryption is set to use the Grid Master Candidate.
Authentication Options: sha512, sha384, sha256
Encryption Options: aes-256-cbc, aes-192-cbc, aes-128-cbc
DH Group: Group14
Lifetime: 8 hours
...
| Algorithm Type | Supported Algorithms |
|---|---|
| Encryption | AES128-GCM, AES256-GCM, AES-128, AES-256 |
| Integrity | SHA2-256, SHA2-384, SHA2-512 |
| Diffie-Hellman Groups | 14 (2048-bit MODP) |
| Lifetime | 23 hours |
On Palo Alto Networks, PFS must be set to “None” rather than 14 if Encryption is set to use the Grid Master Candidate.
Authentication Options: sha512, sha384, sha256, sha1 (sha1 does not appear in the supported Integrity list above; select sha256 or stronger)
Encryption Options: aes-256-cbc, aes-192-cbc, aes-128-cbc
DH Group: None (no PFS)
Lifetime: 1 hour
...
Only IKEv2 is supported; IKEv1 is not.
NAT Traversal (NAT-T) must be enabled even if your firewall sits at the edge with a public IP address and does not itself need NAT. Without it the IKE SA is established, but no traffic passes through the tunnel, because the NIOS-XaaS cloud side sits behind NAT.
The “Peer ID” (the remote IKE identity) in Phase 1 is an FQDN of the form WAN.infoblox.com, where WAN is the public IP address from which you (the customer) initiate the VPN to the Infoblox cloud (e.g. 1.2.3.4.infoblox.com). Some firewall/router vendors (e.g. OPNsense) may not require the Peer ID to be configured; others (e.g. Palo Alto Networks, Cisco) do require it to be configured correctly.
The “Local ID” (your own IKE identity) in Phase 1 is an FQDN whose value is shown in the Infoblox Portal under the label “Identity”. It is a string of random characters (e.g. zx4fstsqyni5yxub).
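As an added example (constructed here, not taken from the Infoblox documentation or from any vendor's configuration guide), the supported parameters and the IKEv2, NAT-T and identity notes above mapped onto a strongSwan swanctl.conf on the customer side. The Identity value zx4fstsqyni5yxub and the Peer ID format are the page's own; the customer public IP 203.0.113.10, the Infoblox tunnel endpoint 198.51.100.20 (in practice read from the portal), pre-shared-key authentication, the PSK string and the traffic selectors are assumptions for illustration.

```conf
# strongSwan swanctl.conf, customer side. Constructed example, not Infoblox's
# own configuration. Assumed values: 203.0.113.10 (customer public IP),
# 198.51.100.20 (Infoblox tunnel endpoint, taken from the portal), PSK
# authentication, the PSK itself, and both traffic selectors.
connections {
    infoblox-nios-xaas {
        # Only IKEv2 is supported; pin the version so IKEv1 is never offered.
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20

        # Force UDP encapsulation (NAT-T) even though this side has a public IP:
        # the Infoblox cloud side is behind NAT, and without this the IKE SA
        # comes up but no ESP traffic passes.
        encap = yes

        # IKE SA: AES-256-GCM (AEAD, so no separate integrity algorithm; the PRF
        # is SHA2-384) with DH group 14 (2048-bit MODP). The second proposal is
        # the AES-CBC + SHA2-256 form, also in the supported list.
        proposals = aes256gcm16-prfsha384-modp2048,aes256-sha256-modp2048
        rekey_time = 48h

        local {
            auth = psk
            # Local ID: the "Identity" string from the Infoblox Portal, sent as an FQDN.
            id = fqdn:zx4fstsqyni5yxub
        }
        remote {
            auth = psk
            # Peer ID: <your public IP>.infoblox.com, also sent as an FQDN.
            id = fqdn:203.0.113.10.infoblox.com
        }

        children {
            infoblox-dns {
                # Assumed traffic selectors; use the subnets agreed with Infoblox.
                local_ts  = 10.0.0.0/8
                remote_ts = 192.0.2.0/24
                # IPsec SA: AES-256-GCM with PFS on DH group 14. Drop "-modp2048"
                # where the vendor requires PFS "None" (see the Palo Alto note above).
                esp_proposals = aes256gcm16-modp2048
                rekey_time = 23h
                start_action = start
            }
        }
    }
}

secrets {
    ike-infoblox {
        # Assumed placeholder; the real PSK comes from the Infoblox Portal.
        id-a = fqdn:zx4fstsqyni5yxub
        id-b = fqdn:203.0.113.10.infoblox.com
        secret = "replace-with-the-pre-shared-key-from-the-portal"
    }
}
```

Load it with `swanctl --load-all`, bring the tunnel up with `swanctl --initiate --child infoblox-dns`, and check `swanctl --list-sas`: the IKE_SA line should show the two FQDN identities exactly as configured, and the CHILD_SA line should read `ESP in UDP`, which confirms that NAT-T encapsulation is in effect. If the IKE SA establishes but the child never carries traffic, `encap = yes` is the first setting to re-check.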
...