Read carefully before proceeding

This document is intended for administrators who wish to add mobile IKEv2 policies to their existing IKEv2 site-to-site IPsec tunnel configurations.

The ANSSI, France’s Network and Information Security Agency, recommends the use of IKEv2-based solutions for optimal security.

If your existing IPsec configuration already contains IKEv1 site-to-site IPsec tunnels and you wish to add a mobile IKEv2 policy to it, do note that there are several restrictions when IKEv1 and IKEv2 peers are used in the same IPsec policy:

  • "Aggressive" negotiation mode is not allowed for IKEv1 peers using pre-shared key authentication. An error message appears when there is an attempt to enable the IPsec policy (is no longer supported from SNS version 4.2).
  • The hybrid authentication method does not function for IKEv1 mobile peers (is no longer supported from SNS version 4.2).
  • Backup peers are ignored. A warning message appears when the IPsec policy is enabled (is no longer supported from SNS version 4.2).
  • In configurations that implement NAT-T (NAT-Traversal - transporting the IPsec protocol through a network that performs dynamic address translation), the peer local ID must be defined with the translated public IP adress that it presents to the remote peer during the negotiations. This identity must match the one associated to the pre-shared key configured for the remote peer.

In this case, we recommend that you refer to the tutorial IKEv1 mobile IPsec VPN - Pre-shared key authentication.


Date Description
April 11, 2024

Section Optimizing tunnel traffic and securing PSK authentication replaced by section Optimizing ISAKMP traffic during IPsec tunnel negotiations and securing authentication

April 2020 New document