Configure IKEv2 Shared Settings

IKEv2 shared settings apply to all manual BOVPN tunnels and BOVPN virtual interfaces that use IKEv2 and have at least one remote gateway that has a dynamic IP address. Mobile VPN with IKEv2 also uses the IKEv2 shared settings, and uses the highest priority of the Phase 1 transform settings in its configuration.

These authentication options are supported:

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

These encryption options are supported:

  • DES
  • 3DES
  • AES (128-bit)
  • AES (192-bit)
  • AES (256-bit)
  • AES-GCM (128-bit) — Fireware v12.2 or higher
  • AES-GCM (192-bit) — Fireware v12.2 or higher
  • AES-GCM (256-bit) — Fireware v12.2 or higher

Diffie-Hellman Groups 1, 2, 5, 14, 15, 19, 20, and 21 are supported.

Fireware v12.10 and higher supports Diffie-Hellman Group 21.

For IKEv2, NAT traversal is always enabled, but you can change the NAT keep-alive interval in the Phase 1 Options.

For information about how to configure a branch office VPN to use IKEv2, go to Configure IPSec VPN Phase 1 Settings.

  1. Select VPN > IKEv2 Shared Settings.
    The IKEv2 Shared Settings page appears.

Screen shot of the IKEv2 Shared Settings page

  1. To change the NAT Traversal Keep-alive interval, in the Keep-alive Interval text box, type or select the number of seconds that pass before the next NAT keep-alive message is sent.
  2. In the Phase 1 Transform Settings section you can add, edit or remove Phase 1 transforms. For more information about Phase 1 Transform settings, go to Add a Phase 1 Transform.
  3. Click Save.
  1. Select VPN > IKEv2 Shared Settings.
    The IKEv2 Shared Settings dialog box appears.

Screen shot of the IKEv2 Shared Settings dialog box

  1. To change the NAT Traversal Keep-alive interval, in the Keep-alive Interval text box, type or select the number of seconds that pass before the next NAT keep-alive message is sent.
  2. In the Phase 1 Transform Settings section you can add, edit or remove Phase 1 transforms. For more information about Phase 1 Transform settings, go to Add a Phase 1 Transform.
  3. Click OK.

You can also edit the IKEv2 shared settings when you edit a BOVPN gateway or BOVPN virtual interface that uses them. These settings appear in the BOVPN configuration only if the gateway uses IKEv2 and has at least one remote gateway endpoint with a dynamic IP address. These settings appear in the Shared Settings tab within the Phase 1 Settings tab for the BOVPN gateway or virtual interface.

To edit the shared settings from within a gateway or BOVPN virtual interface:

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
    If the Gateway has a remote gateway endpoint that has a dynamic IP address, the IKEv2 shared settings are in the Shared Settings tab.
  3. Select the Shared Settings tab.

Screen shot of the IKEv2 settings, Shared Settings tab

  1. Configure the IKEv2 shared settings as described in the previous procedure.

Related Topics

Configure IPSec VPN Phase 1 Settings

About Manual IPSec Branch Office VPNs