Hash and URL Certificate Exchange
IKEv2 supports Hash and URL Certificate Exchange, which is used during the IKEv2
negotiation of an SA. Instead of carrying its full X.509 certificate in the IKE_AUTH
message, a gateway stores the certificate on an HTTP server and sends the peer the
URL of that server together with a hash of the certificate (RFC 7296 defines this as
the SHA-1 hash of the DER-encoded certificate). The peer fetches the certificate from
the URL and compares the hash of what it received with the hash it was sent; if the
two differ, the fetched content is discarded. Thus the two peers retrieve each other's
certificates from an HTTP server rather than exchanging them directly. Note that the
HTTP server is only a distribution point, not the CA: the hash proves that the right
object was fetched, and the peer still validates the certificate against its trusted
CA and uses it to verify the IKE AUTH payload, exactly as it would for an inline
certificate.
Because a 20-byte hash plus a URL is far smaller than a certificate, Hash and URL
reduces the size of the IKE_AUTH message and therefore the likelihood that the
message is fragmented at the IP layer. Once the fetched certificate matches the hash
the peer expected, authentication in the IKE_AUTH exchange completes as it would with
an inline certificate. Avoiding fragmentation also reduces exposure to DoS:
fragmented IKE messages are more readily dropped by intermediate devices, and
reassembling them consumes state on the responder that an attacker can exhaust.
You can enable Hash and URL certificate exchange when configuring an IKE gateway by
selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must
also support Hash and URL certificate exchange for it to be used; in IKEv2 a peer
announces this support with the HTTP_CERT_LOOKUP_SUPPORTED notification, and a
gateway sends the Hash and URL form only after receiving it. If the peer cannot use
Hash and URL, the full X.509 certificate is carried in the IKE message, much as in
IKEv1. Because the fetch happens during IKE_AUTH, before the tunnel exists, the HTTP
server hosting the certificate must be reachable by the peer outside the VPN, and
its availability becomes a dependency for tunnel establishment.
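The exchange described above, as an added example that is not part of this page or
the vendor's own code: Python that builds and consumes the IKEv2 Certificate payload
data in Hash and URL form (RFC 7296 section 3.6) and shows the fallback to an inline
certificate when the peer has not announced HTTP_CERT_LOOKUP_SUPPORTED. The HTTP
fetch is replaced by an in-memory dictionary so the example runs offline; the
certificate bytes, the URL, the server dictionaries and the fetch functions are
constructed stand-ins. The Cert Encoding values 4 and 12 and the notify type 16392
are taken from RFC 7296.

```python
"""IKEv2 Hash and URL certificate exchange, sender and receiver side.
Added example; the HTTP fetch is simulated so it runs offline."""
import hashlib
import struct

# Certificate payload "Cert Encoding" values (RFC 7296 section 3.6)
CERT_X509_SIGNATURE = 4       # full DER certificate carried inline
CERT_HASH_AND_URL_X509 = 12   # 20-byte SHA-1 of the DER certificate, then the URL
SHA1_LEN = 20
# Notify type a peer sends to announce it can fetch certificates over HTTP
HTTP_CERT_LOOKUP_SUPPORTED = 16392  # RFC 7296 section 3.10.1

# Constructed stand-in for a DER-encoded certificate (304 bytes). It is not a
# parseable certificate; a real one is typically 1-2 KB, which is what pushes
# IKE_AUTH past the path MTU.
PEER_CERT_DER = b"\x30\x82\x01\x2c" + bytes(range(256)) + b"\x00" * 44
CERT_URL = "http://pki.example.net/gw.der"  # assumed URL

# Offline stand-ins for the HTTP server: one correct, one serving a modified file.
FAKE_HTTP_SERVER = {CERT_URL: PEER_CERT_DER}
TAMPERED_HTTP_SERVER = {CERT_URL: PEER_CERT_DER[:-1] + b"\x01"}


def offline_fetch(url):
    """Stand-in for an HTTP GET; raises KeyError like a 404/unreachable server."""
    return FAKE_HTTP_SERVER[url]


def tampered_fetch(url):
    return TAMPERED_HTTP_SERVER[url]


def encode_cert_payload_data(encoding, body):
    """Certificate payload data: 1-byte Cert Encoding followed by the body."""
    return struct.pack("!B", encoding) + body


def hash_and_url_body(cert_der, url):
    """Hash and URL form: SHA-1 of the DER certificate, then the URL."""
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")


def choose_cert_payload(cert_der, url, peer_notify_types):
    """Sender side: use Hash and URL only if the peer announced support;
    otherwise fall back to carrying the full certificate inline."""
    if HTTP_CERT_LOOKUP_SUPPORTED in peer_notify_types:
        return encode_cert_payload_data(CERT_HASH_AND_URL_X509,
                                        hash_and_url_body(cert_der, url))
    return encode_cert_payload_data(CERT_X509_SIGNATURE, cert_der)


def decode_hash_and_url(payload_data):
    """Split Certificate payload data into (expected_sha1, url)."""
    encoding = payload_data[0]
    if encoding != CERT_HASH_AND_URL_X509:
        raise ValueError("not a Hash and URL payload: encoding %d" % encoding)
    body = payload_data[1:]
    if len(body) <= SHA1_LEN:
        raise ValueError("truncated Hash and URL payload")
    return body[:SHA1_LEN], body[SHA1_LEN:].decode("ascii")


def resolve_hash_and_url(payload_data, fetch):
    """Receiver side: fetch the URL and accept the content only if its SHA-1
    equals the hash the peer sent inside the protected IKE_AUTH message.
    Returns the DER certificate, or None if the fetch fails or the hash does
    not match. The result still needs normal CA path validation before the
    AUTH payload is verified with it."""
    expected, url = decode_hash_and_url(payload_data)
    try:
        content = fetch(url)
    except KeyError:
        return None  # server unreachable or object missing
    if hashlib.sha1(content).digest() != expected:
        return None  # wrong or modified object: never use it
    return content


def payload_sizes(cert_der, url):
    """Bytes of Certificate payload data in inline vs Hash and URL form."""
    inline = encode_cert_payload_data(CERT_X509_SIGNATURE, cert_der)
    hurl = encode_cert_payload_data(CERT_HASH_AND_URL_X509,
                                    hash_and_url_body(cert_der, url))
    return len(inline), len(hurl)


if __name__ == "__main__":
    print("inline vs hash-and-url bytes:", payload_sizes(PEER_CERT_DER, CERT_URL))
    p = choose_cert_payload(PEER_CERT_DER, CERT_URL, {HTTP_CERT_LOOKUP_SUPPORTED})
    print("good server ok:", resolve_hash_and_url(p, offline_fetch) == PEER_CERT_DER)
    print("tampered server rejected:", resolve_hash_and_url(p, tampered_fetch) is None)
```

The size difference is the whole point of the mechanism: the inline form costs one
byte more than the certificate itself, while the Hash and URL form costs 21 bytes
plus the URL regardless of certificate size. The tampered-server case shows why the
hash is carried inside the protected IKE message rather than fetched: an attacker who
controls the HTTP path can serve a different file but cannot make it match.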