IKEv2 supports Hash and URL certificate exchange, a method in which the peer at the remote end of the tunnel fetches the certificate from a server where you have exported it. Hash and URL certificate exchange is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from that server based on the URL it receives. The hash is used to check whether the content of the fetched certificate is valid. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.
Because the IKE message carries a hash and a URL instead of the full certificate, the message is smaller, so Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and the hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use the Hash and URL certificate exchange for the exchange to be successful. If the peer can’t use Hash and URL, X.509 certificates are exchanged similarly to how they’re exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it isn’t already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER).
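The following added example (not code from the original page or from PAN-OS) shows what the exchange described above carries on the wire and why the DER requirement matters: per RFC 7296, the Certificate Data of a Hash and URL CERT payload is the 20-octet SHA-1 hash of the DER-encoded certificate followed by the URL, and the fetching peer accepts the downloaded file only if it hashes to that value. The sample DER blob and the URL are constructed placeholders, not a real certificate or server.

```python
import hashlib

# IKEv2 Cert Encoding value for "Hash and URL of X.509 certificate" (RFC 7296, section 3.6).
CERT_ENCODING_HASH_AND_URL = 12

def looks_like_der(data: bytes) -> bool:
    """Sanity check that an exported file is DER, not PEM: a DER certificate is a single
    outer SEQUENCE (tag 0x30) whose encoded length covers exactly the rest of the file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        body_len, hdr = first, 2
    else:                                 # long-form length: 0x8N then N length octets
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(data)

def build_hash_and_url_cert_data(der_cert: bytes, url: str) -> bytes:
    """Certificate Data sent in IKE: SHA-1 of the DER certificate, then the fetch URL.
    A PEM export would be rejected here because the peer hashes the served DER bytes."""
    if not looks_like_der(der_cert):
        raise ValueError("certificate must be DER encoded; the hash covers the DER bytes")
    return hashlib.sha1(der_cert).digest() + url.encode("ascii")

def build_cert_payload_body(der_cert: bytes, url: str) -> bytes:
    """CERT payload body: one Cert Encoding octet followed by the Certificate Data."""
    return bytes([CERT_ENCODING_HASH_AND_URL]) + build_hash_and_url_cert_data(der_cert, url)

def parse_hash_and_url_cert_data(cert_data: bytes) -> tuple:
    """Receiver side: split Certificate Data into (expected_hash, url)."""
    if len(cert_data) < 20:
        raise ValueError("Certificate Data too short to hold a SHA-1 hash")
    return cert_data[:20], cert_data[20:].decode("ascii")

def fetched_certificate_matches(fetched: bytes, expected_hash: bytes) -> bool:
    """Receiver side, after the HTTP fetch: accept the file only if it hashes to the
    value received in IKE, so a swapped or corrupted file on the server is rejected."""
    return hashlib.sha1(fetched).digest() == expected_hash

# Constructed sample input: a minimal DER SEQUENCE standing in for a certificate (not a valid X.509 cert),
# the same bytes wrapped as PEM, and a placeholder URL.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAUCAwECAw==\n-----END CERTIFICATE-----\n"
SAMPLE_URL = "http://certs.example.invalid/gateway.der"

if __name__ == "__main__":
    expected_hash, url = parse_hash_and_url_cert_data(build_hash_and_url_cert_data(SAMPLE_DER, SAMPLE_URL))
    print(url, fetched_certificate_matches(SAMPLE_DER, expected_hash), fetched_certificate_matches(SAMPLE_PEM, expected_hash))
```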
Perform this task to export your certificate to that server. You must have already created a certificate using .