IKEv2 Responder Only Mode

fadisakkal
Level 1

Hello,

I built a handful of VPNs for a company using this guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

In the IPsec profile section (2nd point) it mentions that one side needs to be in responder-only mode.

In my case I want either side to be able to initiate the tunnel. Is there any reason for this specific command, or can I simply drop it?

Thanks in advance :)

 

1 Reply

ngkin2010
Level 7

Hello,

It's not a strict IKE requirement, so you may ignore it. However, defining which side is the IKE responder and which is the initiator has a small benefit: it reduces the chance of 'duplicated' IKE SAs being created.

Cisco has mentioned that IKE has no mechanism to check whether an IKE negotiation already exists, therefore bidirectional negotiation may create duplicate IKE SAs. That may consume unnecessary computing resources on both VPN devices.
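As an added illustration (not part of the original thread or of the Cisco guide it links), here are the two forms of the ASA VTI IPsec profile the thread is discussing. The names (PROPOSAL1, PROFILE1-RESPONDER, PROFILE1, Tunnel0, the nameif, the addresses) are placeholders chosen for this example; the only difference between the two profiles is the `responder-only` line.

```cisco
! Site A: profile as shown in the guide. This ASA will never initiate
! IKEv2 for this tunnel; it waits for the peer to start the negotiation.
crypto ipsec profile PROFILE1-RESPONDER
 set ikev2 ipsec-proposal PROPOSAL1
 set pfs group14
 responder-only

! Site B, or both sites if either side should be able to bring the
! tunnel up (the situation the question asks about): the same profile
! with the responder-only line simply omitted.
crypto ipsec profile PROFILE1
 set ikev2 ipsec-proposal PROPOSAL1
 set pfs group14

! Placeholder VTI that applies the profile (addresses are examples).
interface Tunnel0
 nameif VTI-SITEB
 ip address 192.168.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
```

With `responder-only` dropped on both ends, both ASAs may start IKEv2 at the same moment after an outage or rekey; the duplicate SAs the reply mentions show up as more than one IKEv2 SA to the same peer in `show crypto ikev2 sa` on each ASA. If that happens often enough to matter, put `responder-only` back on the side that is least likely to need to dial out first.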