Read carefully before proceeding

This document is intended for administrators who wish to add mobile IKEv2 policies to their existing IKEv2 site-to-site IPsec tunnel configurations.

The ANSSI, France’s Network and Information Security Agency, recommends the use of IKEv2-based solutions for optimal security.

If your existing IPsec configuration already contains IKEv1 site-to-site IPsec tunnels and you wish to add a mobile IKEv2 policy to it, do note that there are several restrictions when IKEv1 and IKEv2 peers are used in the same IPsec policy:

  • "Aggressive" negotiation mode is not allowed for IKEv1 peers using pre-shared key authentication. An error message appears when there is an attempt to enable the IPsec policy.
  • The hybrid authentication method does not function for IKEv1 mobile peers.
  • Backup peers are ignored. A warning message appears when the IPsec policy is enabled.
  • The "non_auth" authentication algorithm is not supported for IKEv1 peers. In such cases, the IPsec policy cannot be enabled.
  • In configurations that implement NAT-T (NAT-Traversal - transporting the IPsec protocol through a network that performs dynamic address translation), the translated IP address must be defined as the ID of a peer that uses pre-shared key authentication and for which a local ID in the form of an IP address had been forced.

In this case, we recommend that you refer to the tutorial IKEv1 mobile IPsec VPN - Pre-shared key authentication.