IKEv2 supports Hash and URL certificate exchange, which is used during the IKEv2 negotiation of an
SA. You store the certificate on an HTTP server that is specified by a URL. Instead of sending the
certificate itself, the IKE peer sends a hash of the certificate (per RFC 7296, a SHA-1 hash of the
DER-encoded certificate) together with the URL, and the receiving peer fetches the certificate from
that URL. The hash is used to check that the fetched content is the certificate the sender intended:
the HTTP fetch itself is not authenticated, so a certificate whose hash does not match must be
rejected. Thus, the two peers obtain each other's certificates from the HTTP server rather than
receiving them directly from each other.
Because a hash and a URL are much smaller than a full X.509 certificate, Hash and URL reduces the
size of the IKE authentication messages and so reduces the likelihood of packet fragmentation
during IKE negotiation. The peer receives the certificate it expects and the hash confirms it, so
the initial IKE SA authentication validates the peer just as it would with an inline certificate.
Reducing fragmentation also helps protect against DoS attacks, since fragmented IKE messages force
the receiver to hold reassembly state and are easier for an attacker to disrupt.
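The following is an added example, not code from the original page or from any vendor's IKE implementation. It builds the IKEv2 CERT payload for the "Hash and URL of X.509 certificate" encoding (RFC 7296 section 3.6: a 20-octet SHA-1 digest of the DER certificate followed by the URL), parses it on the receiving side, simulates the HTTP fetch with an in-memory table so it runs offline, and rejects a fetched certificate whose digest does not match. The DER certificate bytes, the URL, and the `fetch` callable are constructed stand-ins, not real artifacts; the size comparison shows why the Hash and URL form is less likely to fragment.

```python
"""IKEv2 Hash and URL CERT payload: build, parse, fetch, verify (RFC 7296 section 3.6)."""
import hashlib
import struct

# Cert Encoding values from RFC 7296 section 3.6.
CERT_ENCODING_X509 = 4            # X.509 Certificate - Signature (certificate sent inline)
CERT_ENCODING_HASH_AND_URL = 12   # Hash and URL of X.509 certificate

# Constructed stand-in for a DER-encoded certificate (a padded SEQUENCE); not a real cert.
FAKE_DER_CERT = b"\x30\x82\x04\x00" + bytes(range(256)) * 4

# Constructed URL for the example; the host does not exist.
EXAMPLE_URL = "http://certs.example.net/gw1.der"

# Simulated HTTP server: URL -> bytes it returns (assumption: stands in for HTTP GET).
CERT_SERVER = {EXAMPLE_URL: FAKE_DER_CERT}


def cert_payload(encoding: int, data: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (Next Payload, C|RESERVED, Payload Length) + Cert Encoding + data."""
    length = 4 + 1 + len(data)
    return struct.pack("!BBHB", next_payload, 0, length, encoding) + data


def hash_and_url_payload(der_cert: bytes, url: str) -> bytes:
    """Build a CERT payload carrying SHA-1(DER cert) followed by the URL (no NUL terminator)."""
    digest = hashlib.sha1(der_cert).digest()
    return cert_payload(CERT_ENCODING_HASH_AND_URL, digest + url.encode("ascii"))


def parse_cert_payload(payload: bytes):
    """Return (cert_encoding, certificate_data) after checking the declared length."""
    _next, _flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("CERT payload length field does not match payload size")
    return encoding, payload[5:]


def resolve_certificate(payload: bytes, fetch) -> bytes:
    """Return the DER certificate a CERT payload refers to.

    `fetch(url) -> bytes` is a hypothetical callable standing in for the HTTP GET.
    For Hash and URL the fetched bytes are accepted only if their SHA-1 digest matches
    the one the peer sent, because plain HTTP gives no other assurance about them.
    """
    encoding, data = parse_cert_payload(payload)
    if encoding == CERT_ENCODING_X509:
        return data
    if encoding == CERT_ENCODING_HASH_AND_URL:
        expected, url = data[:20], data[20:].decode("ascii")
        fetched = fetch(url)
        if hashlib.sha1(fetched).digest() != expected:
            raise ValueError("fetched certificate does not match the Hash and URL digest")
        return fetched
    raise ValueError(f"unsupported Cert Encoding {encoding}")


def payload_sizes(der_cert: bytes, url: str):
    """(inline X.509 payload size, Hash and URL payload size) for the same certificate."""
    inline = cert_payload(CERT_ENCODING_X509, der_cert)
    by_reference = hash_and_url_payload(der_cert, url)
    return len(inline), len(by_reference)


def verify_example() -> bool:
    """Correct fetch is accepted; a server returning a tampered certificate is rejected."""
    payload = hash_and_url_payload(FAKE_DER_CERT, EXAMPLE_URL)
    accepted = resolve_certificate(payload, CERT_SERVER.__getitem__) == FAKE_DER_CERT
    tampered = {EXAMPLE_URL: FAKE_DER_CERT[:-1] + b"\x00"}
    try:
        resolve_certificate(payload, tampered.__getitem__)
        rejected = False
    except ValueError:
        rejected = True
    return accepted and rejected


if __name__ == "__main__":
    print("inline vs hash-and-url payload bytes:", payload_sizes(FAKE_DER_CERT, EXAMPLE_URL))
    print("verification behaves as expected:", verify_example())
```

The size tuple makes the fragmentation argument concrete: the inline form carries the whole certificate (here over a kilobyte, and real certificates with a chain are larger), while the Hash and URL form is a fixed 25 bytes plus the URL. The rejection path is the part a practitioner should care about: a Hash and URL implementation that fetches but does not compare the digest turns the unauthenticated HTTP server into a trust anchor.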
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting
HTTP Certificate Exchange
and entering the
. The peer must also use the Hash and URL
certificate exchange for the exchange to succeed. If the peer does not support Hash and
URL, the full X.509 certificates are sent inline in the IKE messages, similar to how they are exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the
certificate server if it is not already there. When you export the certificate, the file
format should be