
IKEv2 with dynamic peer

IKEv2 IKE IPsec isakmp dynamic VPN

1 reply to this topic

#1 Daniel Hüppe

  • Members
  • 1 posts

Posted 14 March 2018 - 05:29 AM

Hello,

Is it possible to set up IKEv2 in response only mode with a dynamic remote peer IP address?

In the "IPsec IKEv2 Tunnel" you can configure 0.0.0.0/0 as the remote peer when you set "Initiates Tunnel" to no. But then I always get a "no proposal chosen" failure from the NG Firewall when the remote peer tries to connect.

Other vendors can manage this, and I think the problem is that the NG Firewall cannot match the Initiator Request to any existing tunnel configuration because it does not know the peer ID at this moment. But in IKEv2 it should respond with one of the requested and supported proposals, so that the SA_AUTH is possible and the remote client can send its ID, so the NG Firewall can match the connection to a configured tunnel configuration.

Has anyone got such a scenario working yet?
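
A minimal model of the two-step responder lookup discussed in the post above, added here as an illustration and not taken from the original thread or from any vendor's implementation. In IKEv2 (RFC 7296) the proposal is selected in IKE_SA_INIT, where only the source address is known, and the peer identity (IDi) arrives later in IKE_AUTH. The `Tunnel` structure, tunnel names, addresses, identities and proposals are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

NO_PROPOSAL_CHOSEN = 14      # IKEv2 notify type (RFC 7296)
AUTHENTICATION_FAILED = 24   # IKEv2 notify type (RFC 7296)

@dataclass(frozen=True)
class Tunnel:                # hypothetical responder-side tunnel entry
    name: str
    remote_gw: str           # "0.0.0.0/0" = any (dynamic) peer address
    peer_id: str             # expected IDi, only visible in IKE_AUTH
    proposals: frozenset     # {(encr, prf, integ, dh_group), ...}

def candidates(tunnels, src_ip):
    """Tunnels whose remote gateway setting covers the packet's source IP."""
    ip = ipaddress.ip_address(src_ip)
    return [t for t in tunnels if ip in ipaddress.ip_network(t.remote_gw)]

def on_ike_sa_init(tunnels, src_ip, offered):
    """IKE_SA_INIT: no identity yet, so pick the first offered proposal that
    any address-matching tunnel accepts. Returns (proposal, notify)."""
    cands = candidates(tunnels, src_ip)
    for prop in offered:                     # initiator's preference order
        if any(prop in t.proposals for t in cands):
            return prop, None
    return None, NO_PROPOSAL_CHOSEN

def on_ike_auth(tunnels, src_ip, chosen, idi):
    """IKE_AUTH: IDi is now known; narrow to the tunnel that matches the
    address, the already negotiated proposal and the peer identity."""
    for t in candidates(tunnels, src_ip):
        if chosen in t.proposals and t.peer_id == idi:
            return t.name, None
    return None, AUTHENTICATION_FAILED

# Constructed sample configuration and peer offers.
AES_GCM = ("AES-GCM-256", "PRF-HMAC-SHA2-256", None, 19)
AES_CBC = ("AES-CBC-256", "PRF-HMAC-SHA2-256", "HMAC-SHA2-256-128", 14)
TUNNELS = [
    Tunnel("hq-fixed", "198.51.100.7/32", "hq.example", frozenset({AES_CBC})),
    Tunnel("branch-dyn", "0.0.0.0/0", "branch.example", frozenset({AES_GCM})),
]

if __name__ == "__main__":
    for offer in ([AES_CBC], [AES_CBC, AES_GCM]):
        prop, err = on_ike_sa_init(TUNNELS, "203.0.113.50", offer)
        print("IKE_SA_INIT:", prop or f"notify {err}")
        if prop:
            print("IKE_AUTH:", on_ike_auth(TUNNELS, "203.0.113.50", prop, "branch.example"))
```

In this model a dynamic peer that offers only a proposal absent from the wildcard tunnel is rejected with NO_PROPOSAL_CHOSEN before any identity is exchanged, so the proposal sets on both ends are the first thing to compare when that notify appears.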

#2 Michael Zoller

  • Barracuda Team Members
  • 205 posts

Posted 14 March 2018 - 06:36 AM

Using 0.0.0.0/0 as the Local or Remote Gateway when dynamic IP addresses are used is supported for IKEv2 Site-to-site VPN tunnels. Please open a case with our technical support to troubleshoot the issues you are having.

https://login.barrac...support/newcase