IKEv2 Settings

•

Send IKEv2 Cookie Notify - Sends cookies to IKEv2 peers as an authentication tool. This option is not selected by default.

•

Send IKEv2 Invalid SPI Notify – Sends an invalid SPI to IKEv2 peers when the active IKE SA exists. This option is selected by default.

•

IKEv2 Dynamic Client Proposal - SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal dialog.

Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings:

•

DH Group: Group 1, Group 2, Group 5, or Group 14

•

Encryption: DES, 3DES, AES-128, AES-192, AES-256

•

Authentication: MD5, SHA1, SHA256, SHA384, SHA512

However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPsec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis.

NOTE: The VPN policy on the remote gateway must also be configured with the same settings.