Configuring IKEv2 Settings

IKEv2 Settings affect IKE notifications and allow you to configure dynamic client support.

•	Send IKEv2 Cookie Notify - Sends cookies to IKEv2 peers as an authentication tool.

•	Send IKEv2 Invalid SPI Notify – Sends an invalid Security Parameter Index (SPI) notification to IKEv2 peers when an active IKE security association (SA) exists. This option is selected by default.

•	IKEv2 Dynamic Client Proposal - SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings.

Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal dialog.

SonicOS supports these IKE Proposal settings:

•	DH Group: Group 1, Group 2 (default), Group 5, Group 14, and the following five Diffie Hellman groups that are included in Suite B cryptography:

•	256-bit Random ECP Group

•	384-bit Random ECP Group

•	521-bit Random ECP Group

•	192-bit Random ECP Group

•	224-bit Random ECP Group

•	Encryption: DES, 3DES (default), AES-128, AES-192, AES-256

•	Authentication: MD5, SHA1 (default), SHA256, SHA384, or SHA512

If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, however, you cannot configure these IKE Proposal settings on an individual policy basis.

NOTE: The VPN policy on the remote gateway must also be configured with the same settings.