oMM Configuration and Deployment Behaviour for SHA2 Support

Aug 04, 2016 - Author: Sierra Wireless
oMG 3.14.4+ and MG90 provide support for sha2_256 and sha2_512, and dh_group 14, 15, 16, and 17.

This article describes the oMM's behaviour when deploying VPNs/configurations to MG90 and oMG 3.14.4+ devices where the master (template) configuration version is newer than the target configuration(s) or vice versa, and the older configuration(s) don't support SHA2.

Scenario 1: Changing the master gateway in a fleet, where the new master gateway either has an older configuration software version that doesn't contain the aforementioned settings, or has a newer configuration software version and its VPN uses SHA2 algorithms.
If there is any gateway in the fleet with an older configuration software version that doesn't support these settings, the VPN(s) in the new master gateway will be used as the group template. The gateways in the fleet will see the VPN(s) in the group template, but these VPN(s) are not automatically enabled for inheritance.

Scenario 2: Adding/moving a gateway into a fleet, where the gateway has an older configuration software version that doesn't support the aforementioned settings, the fleet's configuration does support them, and the fleet VPN(s) use SHA2 algorithms. The user would like to inherit the fleet's VPN(s).
This operation is currently allowed and will result in the gateway automatically inheriting all VPN(s) from the group template, regardless of its configuration version. SHA2 will be applied to gateways with older software, even though the software does not support it.

Scenario 3: Use the Config->Copy functionality to copy a config from a device with a configuration that supports the aforementioned settings to a device with an older configuration that doesn't.
If "Skip version check" is enabled, this operation is allowed. SHA2 will be applied to gateways with older software.

If "Skip version check" is not enabled, this operation is not allowed.
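Because Scenarios 2 and 3 can push SHA2 settings to gateways that cannot run them, it helps to check an inventory before inheriting or copying. The following is an added example, not Sierra Wireless code: the inventory layout, the field names (`name`, `model`, `version`, `auth`), the sample data and the assumption that the configuration version can be compared as an oMG release number are all constructed for illustration.

```python
import re

# From the article: these settings need MG90 or oMG 3.14.4+.
SHA2_AUTH = {"sha2_256", "sha2_512"}
NEW_DH_GROUPS = {14, 15, 16, 17}
MIN_OMG = (3, 14, 4)

def supports_sha2(model, version):
    """True for MG90, or oMG at release 3.14.4 or later."""
    if model == "MG90":
        return True
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    nums += [0] * (3 - len(nums))          # "3.14" compares as 3.14.0
    return model == "oMG" and tuple(nums) >= MIN_OMG

def needs_sha2(vpn):
    """Does this VPN use an algorithm or DH group that older configs lack?"""
    return vpn["auth"] in SHA2_AUTH or vpn["dh_group"] in NEW_DH_GROUPS

def inherit_risks(template_vpns, gateways):
    """Scenario 2: gateway -> template VPNs it would inherit but cannot run."""
    needed = [v["name"] for v in template_vpns if needs_sha2(v)]
    return {g["name"]: needed for g in gateways
            if needed and not supports_sha2(g["model"], g["version"])}

def copy_outcome(source_vpns, target, skip_version_check):
    """Scenario 3: Config->Copy from a SHA2-capable config onto a target."""
    if supports_sha2(target["model"], target["version"]):
        return "no-sha2-issue"
    if not skip_version_check:
        return "blocked"                   # oMM refuses the copy
    risky = any(needs_sha2(v) for v in source_vpns)
    return "unsupported-settings-applied" if risky else "no-sha2-issue"

# Constructed sample data (names, versions and field layout are assumptions).
TEMPLATE = [
    {"name": "hq-tunnel", "auth": "sha2_256", "dh_group": 14},
    {"name": "legacy-tunnel", "auth": "sha1", "dh_group": 2},
]
FLEET = [
    {"name": "gw-bus-07", "model": "oMG", "version": "3.14.3"},
    {"name": "gw-bus-12", "model": "oMG", "version": "3.14.4"},
    {"name": "gw-bus-20", "model": "MG90", "version": "4.0"},
]

if __name__ == "__main__":
    print(inherit_risks(TEMPLATE, FLEET))
    print(copy_outcome(TEMPLATE, FLEET[0], skip_version_check=True))
```

Any gateway reported by `inherit_risks`, or any copy that returns `unsupported-settings-applied`, is a candidate for a software upgrade before the VPN change is deployed.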

