IKE Gateway Advanced Options Tab

  • Network > Network Profiles > IKE Gateways > Advanced Options
Configure advanced IKE gateway settings such as passive mode, NAT Traversal, and IKEv1 settings such as dead peer detection.
IKE Gateway Advanced Options
Description
Enable Passive Mode
Click to have the firewall only respond to IKE connections and never initiate them.
Enable NAT Traversal
Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices.
Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points.
IKEv1 Tab
Exchange Mode
Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device.
IKE Crypto Profile
Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ.
For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Enable Fragmentation
Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes.
Dead Peer Detection
Click to enable and enter an interval (2 - 100 seconds) and delay before retrying (2 - 100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable.
IKEv2 Tab
IKE Crypto Profile
Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ.
For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Strict Cookie Validation
Click to enable Strict Cookie Validation on the IKE gateway.
  • When you enable Strict Cookie Validation, IKEv2 cookie validation is always enforced; the initiator must send an IKE_SA_INIT containing a cookie.
  • When you disable Strict Cookie Validation (default), the system will check the number of half-open SAs against the global Cookie Activation Threshold, which is a VPN Sessions setting. If the number of half-open SAs exceeds the Cookie Activation Threshold, the initiator must send an IKE_SA_INIT containing a cookie.
Liveness Check
The IKEv2 Liveness Check is always on; all IKEv2 packets serve the purpose of a liveness check. Click this box to have the system send empty informational packets after the peer has been idle for a specified number of seconds. Range: 2-100. Default: 5.
If necessary, the side that is trying to send IKEv2 packets attempts the liveness check up to 10 times (all IKEv2 packets count toward the retransmission setting). If it gets no response, the sender closes and deletes the IKE_SA and CHILD_SA. The sender starts over by sending out another IKE_SA_INIT.
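The Strict Cookie Validation decision described above, modeled as an added Python example (not PAN-OS code). The cookie follows the construction suggested in RFC 7296 section 2.6; the function names, secret handling, and threshold value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumptions for illustration only: names and values are constructed,
# not PAN-OS internals or defaults.
SECRET_VERSION = b"\x01"
SECRET = os.urandom(32)          # responder-local secret, rotated periodically


def make_cookie(ni: bytes, ip_i: str, spi_i: bytes) -> bytes:
    """RFC 7296 sec. 2.6 suggestion: version | Hash(Ni | IPi | SPIi | secret)."""
    digest = hashlib.sha256(ni + ip_i.encode() + spi_i + SECRET).digest()
    return SECRET_VERSION + digest


def handle_ike_sa_init(ni, ip_i, spi_i, cookie, *, strict, half_open, threshold):
    """Decide how a responder treats an incoming IKE_SA_INIT request.

    Returns ("proceed", None) or ("send-cookie", cookie_to_return).
    """
    # Strict mode always enforces; otherwise only once half-open SAs
    # exceed the Cookie Activation Threshold.
    if not (strict or half_open > threshold):
        return ("proceed", None)
    expected = make_cookie(ni, ip_i, spi_i)
    if cookie is not None and hmac.compare_digest(cookie, expected):
        return ("proceed", None)
    # No per-peer state is kept: the initiator must resend IKE_SA_INIT
    # carrying this cookie, which proves it receives traffic at ip_i.
    return ("send-cookie", expected)


def demo():
    ni, spi = os.urandom(32), os.urandom(8)
    args = dict(strict=False, half_open=600, threshold=500)  # constructed
    action, cookie = handle_ike_sa_init(ni, "198.51.100.7", spi, None, **args)
    retry, _ = handle_ike_sa_init(ni, "198.51.100.7", spi, cookie, **args)
    spoofed, _ = handle_ike_sa_init(ni, "203.0.113.9", spi, cookie, **args)
    return action, retry, spoofed


if __name__ == "__main__":
    print(demo())
```

Because the cookie is recomputed from the request fields and a local secret, the responder allocates no SA state until the initiator has shown it can receive packets at its claimed source address.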
