Digi IX40 User Manual page 373

Virtual Private Networks (VPN)
15. Configure IKE settings:
a. Set the IKE version:
(config vpn ipsec tunnel ipsec_example)> ike version value
(config vpn ipsec tunnel ipsec_example)>
where value is either ikev1 or ikev2. This setting must match the peer's IKE version.
b. Determine whether the device should initiate the key exchange, rather than waiting for an
incoming request. By default, the device will initiate the key exchange. This must be
disabled if remote hostname is set to any. To disable:
(config vpn ipsec tunnel ipsec_example)> ike initiate false
(config vpn ipsec tunnel ipsec_example)>
c. Set the IKE phase 1 mode:
(config vpn ipsec tunnel ipsec_example)> ike mode value
(config vpn ipsec tunnel ipsec_example)>
where value is either aggressive or main.
d. Set the IKE fragmentation:
(config vpn ipsec tunnel ipsec_example)> ike fragmentation value
(config vpn ipsec tunnel ipsec_example)>
where value is one of:
- if_supported: Send oversized IKE messages in fragments, if the peer supports
  receiving them.
- always: Always send IKEv1 messages in fragments. For IKEv2, this option is
  equivalent to if_supported.
- never: Do not send oversized IKE messages in fragments.
- accept: Do not send oversized IKE messages in fragments, but announce support
  for fragmentation to the peer.
The default is always.
e. Padding of IKE packets is enabled by default and should normally not be disabled except
for compatibility purposes. To disable:
(config vpn ipsec tunnel ipsec_example)> ike pad false
(config vpn ipsec tunnel ipsec_example)>
f. Set the amount of time after a successful negotiation before the IKE security
association expires and must be re-authenticated:
(config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value
(config vpn ipsec tunnel ipsec_example)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set phase1_lifetime to ten minutes, enter either 10m or 600s:
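The constraints stated in step 15 can be checked against a planned set of values before the commands are entered. The following Python sketch is an added example, not part of the Digi manual or its CLI; the dictionary layout and the remote_hostname and peer_version inputs are assumptions made for illustration.

```python
import re

# Values the manual lists for each IKE setting of a tunnel.
ALLOWED = {
    "version": {"ikev1", "ikev2"},
    "mode": {"aggressive", "main"},
    "fragmentation": {"if_supported", "always", "never", "accept"},
}
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def lifetime_seconds(value):
    """Convert a number{w|d|h|m|s} lifetime such as 10m to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", value)
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} format: {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_ike(ike, remote_hostname, peer_version):
    """Return a list of findings for one tunnel's planned IKE settings.

    ike holds the values that would be typed after "ike <setting>";
    remote_hostname and peer_version are hypothetical inputs describing
    the rest of the tunnel and the remote end.
    """
    findings = []
    for key, allowed in ALLOWED.items():
        if ike.get(key) not in allowed:
            findings.append(f"{key}: {ike.get(key)!r} is not one of {sorted(allowed)}")
    if ike.get("version") != peer_version:
        findings.append(f"version: peer uses {peer_version}, both ends must match")
    # Defaults from the manual: initiate and pad are on unless set to false.
    if remote_hostname == "any" and ike.get("initiate", True):
        findings.append("initiate: must be false when remote hostname is any")
    if not ike.get("pad", True):
        findings.append("pad: disabled, keep only if the peer requires it")
    if "phase1_lifetime" in ike:
        try:
            lifetime_seconds(ike["phase1_lifetime"])
        except ValueError as err:
            findings.append(f"phase1_lifetime: {err}")
    return findings


# Constructed sample: a tunnel accepting any remote host, with four mistakes.
SAMPLE = {"version": "ikev1", "mode": "main", "fragmentation": "always",
          "pad": False, "phase1_lifetime": "10min"}
```

Calling check_ike(SAMPLE, "any", "ikev2") reports the version mismatch, the missing ike initiate false, the disabled padding, and the malformed lifetime.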