IKEv2 Configuration Payload Tidbit

In this tidbit I want to cover what IKEv2 configuration payloads are & why they are needed. So it is sometimes desirable for the hub in hub & spoke topologies to provide configuration data to the spokes. Note that the use of the configuration payload feature is completely optional.


To start, these configuration payloads are a part of messages 3 & 4 during IKE_AUTH. If using the config payload, note that this feature this occurs prior to creating any child SAs.


Now let's cover config payload types so we have an understanding of how communication works:

  • CFG_REQUEST: Sent by the initiator, when the initiator is the FlexVPN client.

  • CFG_REPLY: Sent by the responder, when the responder receives the CFG_REQUEST.

  • CFG_SET: Sent by the initiator when you enable the config-exchange set send command in the IKEv2 profile. Sent by the responder when the CFG_REQUEST is not received, the configuration data is available, and the config-exchange set send command is enabled in the IKEv2 profile.

  • CFG_ACK: Sent by the initiator when you enable the config-exchange set accept command in the IKEv2 profile. Sent by the responder when you enable the config-exchange set accept command in the IKEv2 profile.

Here is a brief overview:

To see the IKEv2 Configuration feature in action see other IKEv2 related posts.

Cheers!

0 comments

Recent Posts

See All

Email Security - S/MIME Tidbit

So it has definitely been a minute since I produced a tidbit. Lately I have been investing personal time into email security. The topics that I have covered thus far are in no particular order, but

November 21 Update Tidbit

Sharing some quick personal news as well as an update with where my head is currently at. I recently invested most of my time with VPNs the last couple of months. So I finally decided to take a stab

Personal Tidbit - Oct 2021

Sharing some exciting news. I recently participated in a Cisco Championship Content competition, & actually claimed first place! Pretty excited to receive the news since I frequently spend time on Ci