IKEv2 Configuration Payload Tidbit

In this tidbit I want to cover what IKEv2 configuration payloads are & why they are needed. So it is sometimes desirable for the hub in hub & spoke topologies to provide configuration data to the spokes. Note that the use of the configuration payload feature is completely optional.


To start, these configuration payloads are a part of messages 3 & 4 during IKE_AUTH. If using the config payload, note that this feature this occurs prior to creating any child SAs.


Now let's cover config payload types so we have an understanding of how communication works:

  • CFG_REQUEST: Sent by the initiator, when the initiator is the FlexVPN client.

  • CFG_REPLY: Sent by the responder, when the responder receives the CFG_REQUEST.

  • CFG_SET: Sent by the initiator when you enable the config-exchange set send command in the IKEv2 profile. Sent by the responder when the CFG_REQUEST is not received, the configuration data is available, and the config-exchange set send command is enabled in the IKEv2 profile.

  • CFG_ACK: Sent by the initiator when you enable the config-exchange set accept command in the IKEv2 profile. Sent by the responder when you enable the config-exchange set accept command in the IKEv2 profile.

Here is a brief overview:

To see the IKEv2 Configuration feature in action see other IKEv2 related posts.

Cheers!

0 comments

Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

In this tidbit I will cover some ESA nice-to-know CLI commands & their purposes: > status = view counters/gauges; counters are a total of various events in the system; gauges show current utilization