43.11. Recommendations

Intra2net recommends the following configuration for IPSec:

  • Use only IKEv2 for newly established connections.

  • Authenticate connections using certificates. On the Intra2net system, use a single own certificate for all IPSec connections.

  • If a peer cannot authenticate via certificate and a pre-shared key must therefore be used, use an IKE ID of type ID_RFC822_ADDR / email rather than the IP address as the ID.

  • A pre-shared key should be generated by a random generator and be at least 32 full bytes long. If the key does not use full bytes but only ASCII-encoded characters, it should be correspondingly longer. Each connection should use its own unique pre-shared key.

  • It is recommended to use a Post-Quantum Pre-Shared Key (PPK). This also applies when authenticating via pre-shared key. In this case, the PPK and the pre-shared key for authentication should be different.

  • AES-256-GCM with an integrity check value (ICV) of 16 bytes is recommended as the encryption and signature algorithm (AEAD).

  • Curve-25519 is recommended as the Diffie-Hellman group for IKE_SA and data tunnels (CHILD_SAs). If this is not yet supported by the peer, ECP-521 is the next best alternative.
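
The pre-shared key and PPK recommendations above, worked through as an added example (not Intra2net code): it computes how long an ASCII-only key must be to carry the same 256 bits as 32 random bytes, and generates a separate, unique PSK and PPK for each connection. Reading "correspondingly longer" as "equal entropy" is an assumption, as are the alphabets, connection names and function names.

```python
import math
import secrets
import string

MIN_KEY_BITS = 32 * 8  # the page's minimum: 32 full random bytes = 256 bits

# Character sets an ASCII-only key field might accept (assumed examples).
ALPHABETS = {
    "hex": string.hexdigits[:16],
    "alnum": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}

def min_length(alphabet: str, bits: int = MIN_KEY_BITS) -> int:
    """Characters needed so a uniformly random string carries >= `bits` bits."""
    return math.ceil(bits / math.log2(len(set(alphabet))))

def generate_key(alphabet: str, bits: int = MIN_KEY_BITS) -> str:
    """Draw every character from the OS CSPRNG via the secrets module."""
    symbols = sorted(set(alphabet))
    return "".join(secrets.choice(symbols) for _ in range(min_length(alphabet, bits)))

def generate_connection_secrets(names, alphabet=ALPHABETS["alnum"]):
    """One PSK and one different PPK per connection; no value is reused."""
    seen, result = set(), {}
    for name in names:
        pair = {}
        for kind in ("psk", "ppk"):
            key = generate_key(alphabet)
            while key in seen:  # a collision is practically impossible; enforce anyway
                key = generate_key(alphabet)
            seen.add(key)
            pair[kind] = key
        result[name] = pair
    return result

def check_key(key: str, alphabet: str) -> bool:
    """Length/charset check only; it cannot tell whether the key was random."""
    return set(key) <= set(alphabet) and len(key) >= min_length(alphabet)

if __name__ == "__main__":
    for label, alpha in ALPHABETS.items():
        print(f"{label:10s} {len(alpha):3d} symbols -> at least {min_length(alpha)} characters")
    for conn, pair in generate_connection_secrets(["branch-a", "branch-b"]).items():
        print(conn, {kind: f"{len(key)} chars" for kind, key in pair.items()})
```

A 32-character alphanumeric key therefore falls short of the 32-byte recommendation: it carries only about 190 bits.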