We recommend connecting to your VNS3 Controllers with tunnels using AES256 encryption and SHA authentication for both IKE and ESP.


IPsec Configuration: Extra Parameters
VNS3's IPsec subsystem is good at autodiscovering IKE and ESP choices with a wide range of gateways, but we recommend being as specific as possible when entering tunnel parameters. Match the cipher, hash and Diffie-Hellman group to your gateway's settings by specifying them in the "Extra Params" text field.


We support combinations of the following algorithms:

  • ciphers 3DES, AES128, or AES256
  • hashes SHA1, MD5, SHA2-256, or SHA2-512
  • DH groups 2, 5, 14, 15, 16, 17, 18


Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box:
phase1=aes128-sha1
phase1=aes256-sha2_256
phase1=3des-md5-dh2
phase1=aes256-sha2_512-dh5
phase2=aes256-sha1
phase2=3des-sha1



PFS Group
An extra params entry for the PFS group is only required when the Phase 2 PFS group must differ from the DH group specified in phase1. If that is the case, use for example:
pfsgroup=dh2
pfsgroup=dh14


IKE and ESP Lifetime
phase1-lifetime=3600s
phase2-lifetime=28800s

NOTE: These are the default lifetime settings on VNS3.


Dead Peer Detection
DPD is disabled by default. To enable it so that VNS3 attempts to reconnect during periods of no response from the peer, use the following:
dpdaction=restart
dpddelay=30s
dpdtimeout=90s


The other dpdaction values are “hold”, meaning just wait, and “clear”, meaning drop the security association:
dpdaction=hold
dpdaction=clear


Other, less frequently used options available are:

connection=bidirectional
This is the default. The other option is “receive”, meaning the Controller does not initiate the connection and only accepts it from the peer.

connection-rekey=yes
The other option is “no”, meaning no Phase 1 or Phase 2 re-key operations are done.


compat:some-text
This option allows underlying parameters of the IPsec, BGP, routing, firewall, or SSL VPN subsystems to be passed straight into the environment with no parsing or validation.

NOTE: This option should only be used at the instruction of Cohesive. It is needed in only a small fraction of interoperability situations.
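As an added example (not Cohesive's code and not part of the original page), the following Python script parses the Extra Params entries described above and checks them against the supported cipher, hash and DH group list, the accepted values for the DPD, connection and rekey options, and the AES256 + SHA recommendation at the top of the page. Which choices it reports as "weaker", and the constructed sample entry at the bottom, are assumptions of the example.

```python
"""Check VNS3 IPsec "Extra Params" entries against the options on this page.

Added example, not Cohesive's code. It understands the key=value lines
described above (phase1/phase2, pfsgroup, lifetimes, DPD, connection,
connection-rekey, compat:) and reports anything weaker than the
recommended AES256 + SHA configuration for IKE and ESP.
"""
import re

# Supported building blocks, as listed on this page.
CIPHERS = {"3des", "aes128", "aes256"}
HASHES = {"sha1", "md5", "sha2_256", "sha2_512"}
DH_GROUPS = {2, 5, 14, 15, 16, 17, 18}
DPD_ACTIONS = {"restart", "hold", "clear"}
CONNECTION_MODES = {"bidirectional", "receive"}

# Assumption for the warnings: anything other than AES256 with a SHA2 hash
# is reported as weaker than the page's recommendation.
WEAK_CIPHERS = {"3des", "aes128"}
WEAK_HASHES = {"md5", "sha1"}

PHASE_RE = re.compile(
    r"^(%s)-(%s)(?:-dh(\d+))?$"
    % ("|".join(sorted(CIPHERS)), "|".join(sorted(HASHES)))
)
DURATION_RE = re.compile(r"^\d+s$")       # e.g. 3600s
PFS_RE = re.compile(r"^dh(\d+)$")         # e.g. dh14


def parse_phase(value):
    """Split 'aes256-sha2_256-dh14' into (cipher, hash, dh_group or None)."""
    m = PHASE_RE.match(value)
    if not m:
        raise ValueError("unparseable phase spec: %r" % value)
    cipher, hsh, dh = m.group(1), m.group(2), m.group(3)
    if dh is not None:
        dh = int(dh)
        if dh not in DH_GROUPS:
            raise ValueError("unsupported DH group dh%d in %r" % (dh, value))
    return cipher, hsh, dh


def parse_extra_params(text):
    """Turn the text-field contents into a dict; blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("compat:"):          # pass-through option, no '='
            params["compat"] = line[len("compat:"):]
            continue
        if "=" not in line:
            raise ValueError("expected key=value, got %r" % line)
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_extra_params(text):
    """Validate the entries and return a list of warnings (empty = well-formed
    values that match the recommended AES256 + SHA2 configuration)."""
    params = parse_extra_params(text)
    warnings = []
    for phase in ("phase1", "phase2"):
        if phase in params:
            cipher, hsh, _dh = parse_phase(params[phase])
            if cipher in WEAK_CIPHERS:
                warnings.append("%s: %s is weaker than the recommended aes256" % (phase, cipher))
            if hsh in WEAK_HASHES:
                warnings.append("%s: %s is weaker than the recommended sha2_256/sha2_512" % (phase, hsh))
    if "pfsgroup" in params:
        m = PFS_RE.match(params["pfsgroup"])
        if not m or int(m.group(1)) not in DH_GROUPS:
            raise ValueError("invalid pfsgroup: %r" % params["pfsgroup"])
    for key in ("phase1-lifetime", "phase2-lifetime", "dpddelay", "dpdtimeout"):
        if key in params and not DURATION_RE.match(params[key]):
            raise ValueError("%s must be seconds like '3600s', got %r" % (key, params[key]))
    if "dpdaction" in params and params["dpdaction"] not in DPD_ACTIONS:
        raise ValueError("dpdaction must be one of %s" % sorted(DPD_ACTIONS))
    if "connection" in params and params["connection"] not in CONNECTION_MODES:
        raise ValueError("connection must be bidirectional or receive")
    if "connection-rekey" in params and params["connection-rekey"] not in ("yes", "no"):
        raise ValueError("connection-rekey must be yes or no")
    if "compat" in params:
        warnings.append("compat: passed to the subsystem unparsed; use only at Cohesive's instruction")
    return warnings


def is_valid(text):
    """True when every entry is well-formed (strength warnings aside)."""
    try:
        check_extra_params(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entry mixing recommended and legacy choices.
    SAMPLE = ("phase1=3des-md5-dh2\n\nphase2=aes256-sha1\npfsgroup=dh14\n"
              "dpdaction=restart\ndpddelay=30s\ndpdtimeout=90s\n")
    for w in check_extra_params(SAMPLE):
        print("WARNING:", w)
```

Running the script on the constructed sample prints three warnings (3DES and MD5 in Phase 1, SHA1 in Phase 2); a malformed value such as a lifetime without the trailing `s` or a DH group outside the supported set raises a `ValueError` rather than being silently accepted, which is the behaviour you want before the text is pasted into the Controller.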




Here is an example IPsec tunnel setup with extra parameters:



Watch the video guide on YouTube