IKEv2 Responder Only Mode

Hello,

I built a handful of VPNs for a company using this guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

In the IPsec profile section (2nd point) it mentions that one side needs to be in responder-only mode.

In my case I want either side to be able to initiate the tunnel. Is there any reason for this specific command, or can I simply drop it?

Thanks in advance :)

 

Re: IKEv2 Responder Only Mode

Hello,

It's not a strict IKE requirement, so you may ignore it. However, defining the IKE responder and initiator has a small benefit: it reduces the chance of 'duplicate' IKE SAs being created.

Cisco has mentioned that IKE has no mechanism to check whether an IKE negotiation already exists, so bidirectional negotiation may create duplicate IKE SAs. This may consume unnecessary computing resources on both VPN devices.
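The asymmetric setup the reply describes, as an added configuration example that is not part of the original post or of the Cisco guide. Peer addresses, tunnel addressing, and the proposal/profile/tunnel-group names are assumptions; only the "responder-only" line differs between the two IPsec profiles.

```cisco
! Added example (not from the original post or the Cisco guide).
! Assumed: HQ ASA outside 198.51.100.1, branch ASA outside 203.0.113.1,
! tunnel network 10.255.0.0/30, names VTI-PROP / VTI-PROFILE.

! ---------- HQ ASA: responder-only side ----------
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal VTI-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROP
 ! HQ never initiates IKE; it only answers the branch
 responder-only

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>

interface Tunnel1
 nameif vti-branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! ---------- Branch ASA: initiator side ----------
! (IKEv2 policy, proposal and tunnel-group for 198.51.100.1 mirror the HQ side)
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROP
 ! no "responder-only" here: this side brings the tunnel up

interface Tunnel1
 nameif vti-hq
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! ---------- Check on either side ----------
! With one fixed initiator, expect exactly one IKEv2 SA per peer.
show crypto ikev2 sa
```

With this split, only the branch ever sends IKE_SA_INIT, so the race the reply describes (both ends negotiating at once and each keeping its own SA) cannot start. If you drop "responder-only" on both sides so either end can initiate, keep an eye on "show crypto ikev2 sa" after a simultaneous reload or link flap; a second SA to the same peer is the symptom to look for.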