flachance
MVP Silver

migrating remote access client to IKEv2

So we want to move our client from using IKEv1 to v2.

On the gateways we've selected Prefer IKEv2, support IKEv1.

We've started pushing registry changes to set disable_ikev2 to 0. I can't seem to find a way to verify if people connect with IKEv1 or v2.  

vpn tu tlist doesn't show that info. I tried fw tab -t userc_key -f and it shows Schema: IKE(3). Does anyone know what IKE(3) means?

Or any other way to show which IKE version clients are using?

Thanks


Accepted Solutions
Lesley
MVP Gold

Can I have a vpn tu tlist output of a few clients? Just remove the external IP info, don't need that.

Also, anything in cpview? There should be a global counter for IKEv1 and IKEv2 tunnels to give you a global idea of what is mostly used.

-------
Please press "Accept as Solution" if my post solved it 🙂

PhoneBoy
Admin

I believe it will show in the log entry when the user connects.
That said, I've seen reports that suggest the registry change on clients will cause the clients to use IKEv2 only.

Lesley
MVP Gold

Indeed, try to filter with: action:Connect AND "Remote Access" or action:Login AND "Remote Access"

flachance
MVP Silver

I can filter with action:"Log In" AND blade:"Mobile Access". All I see in the details is:

Data Protocol IPSec

Data Encryption AES-256 + SHA256 + Group 14, Certificate

Nothing about IKEv1 or v2

flachance
MVP Silver

Didn't think to look at cpview. It does show the Concurrent IKEv1 SAs and IKEv2 SAs.

Unfortunately for me IKEv2 SAs shows 0. ☹️

So with the gateway set to Prefer IKEv2, support IKEv1 and the registry change on the client, it's still using IKEv1. Or it fails IKEv2 and reverts to v1.
dunkelmorten
Contributor

Yes, indeed to be found at cpview: software-blades > VPN > Overview

An additional indicator could be the FW log for action:"Key Install", which is showing information like:
VPN Feature: IKE

or in section "More":
Ike: Quick Mode completion (which is an indicator for IKEv1), as there ain't no Quick Mode on IKEv2.
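
An independent cross-check for the question in this thread, added here as an example and not part of any poster's reply or of Check Point tooling: the IKE version sits in the fixed 28-byte IKE header (major version in the high nibble of byte 17), and Quick Mode is exchange type 32, which exists only in IKEv1. It assumes you already have the UDP payloads from a capture on port 500 or 4500; the function names and sample bytes are constructed for illustration.

```python
import struct

# Exchange types: IKEv1 from RFC 2408/2409, IKEv2 from RFC 7296.
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on UDP 4500 (RFC 3948)
HEADER = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length


def classify_ike(udp_payload: bytes, udp_port: int = 500):
    """Return (version, exchange_name) for one IKE message, or None if not IKE."""
    if udp_port == 4500:
        if not udp_payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP data or NAT keepalive, not IKE
        udp_payload = udp_payload[4:]
    if len(udp_payload) < 28:  # fixed IKE/ISAKMP header is 28 bytes
        return None
    _, _, _, version, exchange, _, _, length = struct.unpack(HEADER, udp_payload[:28])
    major = version >> 4  # 0x10 = IKEv1, 0x20 = IKEv2
    if length < 28 or major not in (1, 2):
        return None
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return f"IKEv{major}", names.get(exchange, f"exchange {exchange}")


def summarize(messages):
    """Count IKE messages per version across (port, payload) pairs."""
    counts = {"IKEv1": 0, "IKEv2": 0}
    for port, payload in messages:
        result = classify_ike(payload, port)
        if result:
            counts[result[0]] += 1
    return counts


def make_header(version, exchange, msgid=0):
    # Constructed sample header: fake SPIs, no payloads, length = 28.
    return struct.pack(HEADER, b"A" * 8, b"B" * 8, 0, version, exchange, 0, msgid, 28)


SAMPLES = [  # constructed test messages, not captured traffic
    (500, make_header(0x10, 2)),                        # IKEv1 Main Mode
    (4500, NON_ESP_MARKER + make_header(0x10, 32, 7)),  # IKEv1 Quick Mode over NAT-T
    (500, make_header(0x20, 34)),                       # IKEv2 IKE_SA_INIT
    (4500, b"\x12\x34\x56\x78" + b"\x00" * 40),         # ESP-in-UDP, ignored
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, classify_ike(payload, port))
    print(summarize(SAMPLES))
```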
