IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still under maintenance, to keep your infrastructure protected.
Read carefully before proceeding
This document is intended for administrators who wish to add mobile IKEv2 policies to their existing IKEv2 site-to-site IPsec tunnel configurations.
The ANSSI, France’s Network and Information Security Agency, recommends the use of IKEv2-based solutions for optimal security.
If your existing IPsec configuration already contains IKEv1 site-to-site IPsec tunnels and you wish to add a mobile IKEv2 policy to it, note that several restrictions apply when IKEv1 and IKEv2 peers are used in the same IPsec policy:
- "Aggressive" negotiation mode is not allowed for IKEv1 peers using pre-shared key authentication. An error message appears when you attempt to enable the IPsec policy, and the policy stays disabled.
- The hybrid authentication method does not function for IKEv1 mobile peers.
- Backup peers are ignored. A warning message appears when the IPsec policy is enabled, but the policy is enabled anyway.
- The "non_auth" authentication algorithm is not supported for IKEv1 peers. If an IKEv1 peer uses it, the IPsec policy cannot be enabled.
- In configurations that use NAT-T (NAT Traversal, which carries IPsec through a network that performs dynamic address translation), the translated IP address must be set as the ID of every peer that uses pre-shared key authentication and whose local ID has been forced to an IP address.
If any of these restrictions affects your configuration, refer to the tutorial IKEv1 mobile IPsec VPN - Pre-shared key authentication.
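The following script is an added pre-flight check, not Stormshield code and not the SNS configuration format: it encodes the restrictions listed above over a constructed, hypothetical representation of the peers (the Peer fields, the sample peers, and the split of findings into blocking errors and non-blocking warnings are assumptions drawn from the list above, and the NAT-T ID mismatch is reported as an error because the list states it as a requirement). Run it against your own peer list before enabling a mixed IKEv1/IKEv2 policy.

```python
"""Pre-flight lint for a mixed IKEv1/IKEv2 IPsec policy.

Added example, not Stormshield's own code. The Peer dataclass is a
hypothetical representation used only for this check; it is not the
SNS configuration format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str
    ike_version: int                  # 1 or 2
    auth: str                         # "psk", "certificate" or "hybrid"
    mobile: bool = False              # mobile (road-warrior) peer
    aggressive: bool = False          # IKEv1 "aggressive" negotiation mode
    auth_alg: str = "sha256"          # authentication algorithm, e.g. "non_auth"
    backup_peer: Optional[str] = None
    nat_t: bool = False               # peer is reached through NAT-T
    translated_ip: Optional[str] = None  # address seen after translation
    local_id_forced_ip: bool = False  # local ID forced to an IP address
    peer_id: Optional[str] = None     # ID configured for this peer


def lint_policy(peers: List[Peer]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Errors are restrictions the page says prevent the policy from being
    enabled; warnings are restrictions that leave it enabled but degraded.
    The checks only apply when IKEv1 and IKEv2 peers share one policy.
    """
    errors: List[str] = []
    warnings: List[str] = []
    if {p.ike_version for p in peers} != {1, 2}:
        return errors, warnings  # single-version policy: no restriction

    for p in peers:
        if p.ike_version == 1:
            if p.auth == "psk" and p.aggressive:
                errors.append(f"{p.name}: aggressive mode not allowed for IKEv1 PSK peer")
            if p.mobile and p.auth == "hybrid":
                warnings.append(f"{p.name}: hybrid authentication does not work for IKEv1 mobile peers")
            if p.auth_alg == "non_auth":
                errors.append(f"{p.name}: non_auth is not supported for IKEv1 peers")
        if p.backup_peer:
            warnings.append(f"{p.name}: backup peer {p.backup_peer} will be ignored")
        # NAT-T: the translated address must be the peer ID when PSK is used
        # and the local ID has been forced to an IP address.
        if p.nat_t and p.auth == "psk" and p.local_id_forced_ip and p.peer_id != p.translated_ip:
            errors.append(f"{p.name}: peer ID {p.peer_id!r} must be the translated address {p.translated_ip!r}")
    return errors, warnings


def example_policy() -> List[Peer]:
    """Constructed sample: three IKEv1 site-to-site peers plus one IKEv2 mobile policy."""
    return [
        Peer("site-A", 1, "psk", aggressive=True),
        Peer("site-B", 1, "certificate", backup_peer="site-B-backup"),
        Peer("site-C", 1, "psk", nat_t=True, translated_ip="203.0.113.10",
             local_id_forced_ip=True, peer_id="192.0.2.5"),
        Peer("road-warriors", 2, "certificate", mobile=True),
    ]


if __name__ == "__main__":
    errs, warns = lint_policy(example_policy())
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

With the sample policy the script reports two errors (site-A's aggressive mode and site-C's NAT-T peer ID) and one warning (site-B's backup peer); the same peers with the IKEv2 policy removed produce no findings, which is the point of the list above.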