918 Views, 5 Helpful, 5 Replies

IKEv2 policy preference

ryancisco01
Level 1

Hi, we have a situation where the remote party's device has a bug and can't handle a large SA proposal. Even though our default proposal contains matching parameters, it also contains multiple other encryption/integrity/PFS methods. I was able to get the VPN up by creating a dedicated IKEv2 policy with just the exact settings needed; however, that stopped our other dozen VPNs from working, because they also selected this new dedicated policy, which doesn't match their requirements.

The fvrf is the same for all, and the local interface is the same. I can't see any way to bind this specific policy to this tunnel.

I have tried putting both the default proposal and this specific proposal under the same policy and tried alternating the order, but I can only either get all my existing IKEv2 tunnels up or this problematic tunnel up, never all at the same time.

Any suggestions would be appreciated. Again, it's not the proposal not matching, it's the number of parameters sent that stops it from working. When the remote side initiates to us it works perfectly; when the local side initiates we get errors on the reply: "Received an IKE msg id outside supported window" or "ikev2 Response is outside of window received".
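To make the situation in the post concrete, here is an added illustration (not the poster's configuration, and not a solution from the thread) of what a dedicated IKEv2 proposal and policy look like on Cisco IOS, beside a deliberately broad proposal of the kind the default policy sends. The proposal name, policy name, VRF name and local address are placeholders I have assumed.

```cisco
! Broad proposal: every transform listed here is offered to the peer in one
! SA payload. A peer that cannot parse a large proposal may reject or mangle it,
! which is the symptom described in the post.
crypto ikev2 proposal BROAD-PROP
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1
 group 19 14 5

! Narrow proposal: exactly one transform per category, so the SA payload
! carries the minimum the affected peer has to handle.
crypto ikev2 proposal NARROW-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14

! An IKEv2 policy is selected only by the FVRF and the local address of the
! negotiation; there is no match on the remote peer. Two policies that share
! the same "match fvrf" and "match address local" values therefore cover the
! same set of peers, which is the constraint the post runs into.
crypto ikev2 policy NARROW-POL
 match fvrf FRONT-VRF
 match address local 192.0.2.1
 proposal NARROW-PROP

crypto ikev2 policy BROAD-POL
 match fvrf FRONT-VRF
 match address local 192.0.2.1
 proposal BROAD-PROP
```

Two diagnostic commands worth running while testing this kind of change are `show crypto ikev2 proposal` and `show crypto ikev2 policy`, which display exactly which transforms each proposal offers and which policies are candidates for a given FVRF and local address; comparing that output with the peer's accepted SA (`show crypto ikev2 sa detailed`) shows whether the narrow or the broad proposal was actually negotiated.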