What parameters does IKEv2 Mode use in regards to DH Group, Encryption, and Authentication?

What parameters does IKEv2 Mode use in regards to DH Group, Encryption, and Authentication? Are there defaults? When I choose IKEv2 Mode when setting up a site-to-site VPN, the settings are greyed out. I've been working to learn more about the security settings and protocols involved with site-to-site VPNs. My understanding is that IKEv2 is a preferred exchange to use over main mode and aggressive mode. Can someone help me understand what is happening when I choose IKEv2 mode in regards to the DH Group, Encryption, and Authentication?
Best Answers
BWC Cybersecurity Overlord ✭✭✭
I assume that the configured Primary Gateway Address for that VPN Policy is 0.0.0.0? In that case the "defaults" for dynamic endpoints are configured at Network → IPSec VPN → Advanced. Click on the Configure button next to "IKEv2 Dynamic Client Proposal".
—Michael@BWC
afishyfella Newbie ✭
Michael@BWC
Could I prevail upon you to ask what would be the behavior of the existing site-to-site VPN connections that are not IKEv2 when I change the defaults?
I interpret this message as saying that this will only affect the policies that are configured as dynamic IKEv2. I have a number of site-to-site connections that are not dynamic. I am working on updating and I wouldn't want them to go down until I am ready to get to them.
BWC Cybersecurity Overlord ✭✭✭
You have to make sure that ALL IKEv2 Policies with a dynamic Peer IP (0.0.0.0) are configured identically on Phase 1.
All other IKEv2 connections with static IP addresses are not affected, your hunch was right.
—Michael@BWC
Answers
Michael@BWC,
Thank you for your well-illustrated response. It has been very helpful.
Michael@BWC
Thank you very much. :-)