Configure Remote Access VPN IPsec/IKEv2 Parameters

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

From the list of available VPN policies, select the policy for which you want to modify the settings.

Step 3

Click Advanced > IPsec > IPsec/IKEv2 Parameters.

Step 4

Select the following for IKEv2 Session Settings:

  • Identity Sent to Peers—Choose the identity that the peers will use to identify themselves during IKE negotiations:

    • Auto—Determines the IKE negotiation by connection type: IP address for preshared key, or Cert DN for certificate authentication (not supported).

    • IP address—Uses the IP addresses of the hosts exchanging ISAKMP identity information.

    • Hostname—Uses the fully qualified domain name (FQDN) of the hosts exchanging ISAKMP identity information. This name comprises the hostname and the domain name.

  • Enable Notification on Tunnel Disconnect—Check to send an IKE notification to the peer when an inbound packet received on an SA does not match that SA's traffic selectors. Sending this notification is disabled by default.

  • Do not allow device reboot until all sessions are terminated—Check to enable waiting for all active sessions to voluntarily terminate before the system reboots. This is disabled by default.

Step 5

Select the following for IKEv2 Security Association (SA) Settings:

  • Cookie Challenge—Whether to answer SA initiation packets (IKE_SA_INIT requests) with a cookie challenge instead of immediately allocating SA state. A responder that challenges keeps no state until the initiator echoes the cookie back, which helps thwart denial of service (DoS) attacks that flood the device with spoofed initiation packets. The default is to use cookie challenges when 50% of the available SAs are in negotiation. Select one of these options:

    • Custom—Specify Threshold to Challenge Incoming Cookies, the percentage of the total allowed SAs that may be in negotiation before cookie challenges are sent for every further SA negotiation. The range is zero to 100%. The default is 50%.

    • Always— Select to send cookie challenges to peer devices always.

    • Never— Select to never send cookie challenges to peer devices.

  • Number of SAs Allowed in Negotiation—Limits the maximum number of SAs that can be in negotiation at any time, as a percentage of the total allowed SAs. If used with Cookie Challenge, configure the cookie challenge threshold lower than this limit so that challenges begin before the negotiation limit is reached; otherwise a flood can fill the negotiation limit before any initiator is ever challenged. The default is 100%.

  • Maximum number of SAs Allowed—Limits the number of allowed IKEv2 connections.
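How the three SA settings above interact, as an added worked example (illustrative code written for this page, not Cisco code, and not how FTD implements the feature internally): a toy IKEv2 responder applies the cookie-challenge policy, the in-negotiation limit and the total SA limit to a flood of spoofed IKE_SA_INIT requests, then checks whether a well-behaved peer can still connect. The cookie follows the stateless shape RFC 7296 section 2.6 recommends; messages are reduced to dictionaries, the flood addresses are constructed, and the `IkeV2Responder`, `flood` and `legitimate_peer` names are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Union


@dataclass
class IkeV2Responder:
    """Toy responder modelling the three IKEv2 SA settings from Step 5 (example code)."""
    max_sa: int                                  # Maximum number of SAs Allowed
    max_in_negotiation_pct: int = 100            # Number of SAs Allowed in Negotiation, % of max_sa
    cookie_challenge: Union[str, int] = 50       # "always", "never", or a custom threshold percentage
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    version: int = 0                             # identifies the secret; bump it when rotating
    half_open: Dict[bytes, str] = field(default_factory=dict)   # SPIi -> initiator address
    established: Set[bytes] = field(default_factory=set)

    def _cookie(self, src: str, spi_i: bytes) -> bytes:
        # Stateless cookie in the RFC 7296 2.6 shape: VersionID | Hash(IPi | SPIi | secret)
        # (the initiator nonce is omitted here to keep the toy short).
        mac = hmac.new(self.secret, src.encode() + spi_i, hashlib.sha256).digest()[:16]
        return bytes([self.version]) + mac

    def _challenge_needed(self) -> bool:
        if self.cookie_challenge == "always":
            return True
        if self.cookie_challenge == "never":
            return False
        # Custom: challenge once this percentage of max_sa is already in negotiation.
        return len(self.half_open) * 100 >= int(self.cookie_challenge) * self.max_sa

    def ike_sa_init(self, src: str, spi_i: bytes, cookie: Optional[bytes] = None) -> dict:
        """Handle one IKE_SA_INIT request and return the responder's reply."""
        if cookie is not None:
            if not hmac.compare_digest(cookie, self._cookie(src, spi_i)):
                # Forged or stale cookie: challenge again, still without allocating state.
                return {"type": "COOKIE", "cookie": self._cookie(src, spi_i)}
        elif self._challenge_needed():
            # No state is kept until the initiator proves it can receive packets at src.
            return {"type": "COOKIE", "cookie": self._cookie(src, spi_i)}
        negotiation_limit = self.max_sa * self.max_in_negotiation_pct // 100
        if (len(self.half_open) >= negotiation_limit
                or len(self.half_open) + len(self.established) >= self.max_sa):
            return {"type": "DROP"}   # in-negotiation or total SA limit reached
        self.half_open[spi_i] = src
        return {"type": "IKE_SA_INIT", "spi_r": os.urandom(8)}

    def ike_auth_done(self, spi_i: bytes) -> None:
        """IKE_AUTH completed: the half-open SA becomes an established one."""
        self.established.add(spi_i)
        self.half_open.pop(spi_i, None)


def flood(responder: IkeV2Responder, count: int) -> Dict[str, int]:
    """Constructed attack: spoofed initiators that never answer a cookie challenge."""
    outcome = {"IKE_SA_INIT": 0, "COOKIE": 0, "DROP": 0}
    for i in range(count):
        reply = responder.ike_sa_init("203.0.113.%d" % (i % 250), i.to_bytes(8, "big"))
        outcome[reply["type"]] += 1
    return outcome


def legitimate_peer(responder: IkeV2Responder, src: str, spi_i: bytes) -> str:
    """A real initiator retries with the cookie it was handed, as RFC 7296 requires."""
    reply = responder.ike_sa_init(src, spi_i)
    if reply["type"] == "COOKIE":
        reply = responder.ike_sa_init(src, spi_i, cookie=reply["cookie"])
    return reply["type"]


if __name__ == "__main__":
    # Threshold 50% below the 60% negotiation limit: the flood is capped at 50 half-open
    # SAs and a real peer still gets through. With cookie_challenge="never" the flood
    # fills the negotiation limit and the real peer is dropped.
    for policy in (50, "never"):
        r = IkeV2Responder(max_sa=100, max_in_negotiation_pct=60, cookie_challenge=policy)
        print(policy, flood(r, 80), legitimate_peer(r, "198.51.100.7", b"\xff" * 8))
```

The run at the bottom shows the cross-check the page asks for: with the threshold below the negotiation limit, spoofed initiators are challenged before they can exhaust the half-open SA budget, so a legitimate peer that echoes its cookie still receives an IKE_SA_INIT response; with challenges disabled, the same flood fills the limit and the legitimate peer is dropped.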

Step 6

Select the following for IPsec Settings:

  • Enable Fragmentation Before Encryption—This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede the operation of NAT devices that do support IP fragmentation.

  • Path Maximum Transmission Unit Aging—Check to enable PMTU (Path Maximum Transmission Unit) aging, which periodically resets the PMTU value learned for an SA (Security Association) to its original value.

  • Value Reset Interval—Enter the number of minutes after which the PMTU value of an SA is reset to its original value. The valid range is 10 to 30 minutes; the default is unlimited, meaning the learned value is never reset.

Step 7

Select the following for NAT Settings:

  • Keepalive Messages Traversal—Select whether to enable NAT keepalive message traversal. NAT traversal keepalives are used when a device (middle device) located between a VPN-connected hub and spoke performs NAT on the IPsec flow; the spoke sends periodic keepalives to the middle device to indicate that the session is active, so that the device does not expire its NAT translation while the tunnel is idle. If you select this option, also configure the interval between keepalives.

  • Interval—Sets the NAT keepalive interval, from 10 to 3600 seconds. The default is 20 seconds.
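What those keepalives look like on the wire, as an added example written for this page (not Cisco code): RFC 3948 multiplexes three things onto UDP port 4500, NAT keepalives (a single 0xFF octet), IKE messages (prefixed by a four-byte all-zero non-ESP marker) and UDP-encapsulated ESP (whose first field is the non-zero SPI). The classifier below demultiplexes constructed datagrams and parses the IKEv2 header in the IKE case, which is what a detection engineer needs to tell a 1-byte keepalive apart from real tunnel traffic on a capture. `keepalive_due` applies the interval from this step as an idle timer; treating it that way is this example's simplifying assumption, and the sample datagrams are constructed, not captured.

```python
import struct
from typing import Dict, List

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried over UDP/4500 (RFC 3948 2.2)
NAT_KEEPALIVE = b"\xff"                # the entire payload of a NAT keepalive (RFC 3948 2.3)
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex one UDP/4500 datagram payload the way RFC 3948 section 2 specifies."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        hdr = payload[4:32]                    # fixed 28-byte IKEv2 header (RFC 7296 3.1)
        if len(hdr) < 28:
            return {"kind": "ike", "error": "truncated IKE header"}
        spi_i, spi_r, _next, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", hdr)
        return {
            "kind": "ike",
            "spi_i": spi_i.hex(),
            "spi_r": spi_r.hex(),              # all zero in an initiator's first IKE_SA_INIT
            "version": "%d.%d" % (ver >> 4, ver & 0xF),
            "exchange": IKEV2_EXCHANGES.get(exch, exch),
            "initiator": bool(flags & 0x08),   # I bit
            "response": bool(flags & 0x20),    # R bit
            "msg_id": msg_id,
            "length": length,
        }
    if len(payload) >= 8:                      # UDP-encapsulated ESP: SPI, sequence number, ...
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": "0x%08x" % spi, "seq": seq}
    return {"kind": "unknown", "len": len(payload)}


def keepalive_due(idle_seconds: float, interval: int = 20) -> bool:
    """True when the spoke should emit a keepalive: the NAT-T session has been idle for at
    least `interval` seconds. 10 to 3600 is the range this step allows and 20 the default;
    treating the interval as an idle timer is this example's assumption."""
    if not 10 <= interval <= 3600:
        raise ValueError("NAT keepalive interval must be 10-3600 seconds")
    return idle_seconds >= interval


def summarize(datagrams: List[bytes]) -> Dict[str, int]:
    """Count datagram kinds, e.g. over everything seen on UDP/4500 in a capture."""
    counts: Dict[str, int] = {}
    for d in datagrams:
        kind = classify_udp4500(d)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagrams (not captured traffic): a keepalive, an IKE_SA_INIT request
# header (next payload 33 = SA, version 2.0, I bit set, message ID 0), an ESP packet with
# SPI 0x1234abcd and sequence number 7, and a second keepalive.
SAMPLE = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28),
    struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16,
    NAT_KEEPALIVE,
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(classify_udp4500(d))
    print(summarize(SAMPLE), keepalive_due(20), keepalive_due(5))
```

Two keepalives in the sample and one ESP packet is the shape an idle tunnel behind NAT produces: the keepalives carry no SPI and no sequence number, so they cannot be replayed into the ESP SA, and their only job is to refresh the middle device's UDP translation.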

Step 8

Click Save.