>
    Strata Copilot
    Define IPSec Crypto Profiles (Strata Cloud Manager)
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Configure IPSec VPN Tunnels (Site-to-Site)
    4. Define Cryptographic Profiles
    5. Define IPSec Crypto Profiles (Strata Cloud Manager)
    Download PDF
    Network Security

    Define IPSec Crypto Profiles (Strata Cloud Manager)

    Table of Contents

    Define IPSec Crypto Profiles (Strata Cloud Manager)

    Based on the IPSec device type you selected, Prisma Access provides a recommended set of IPSec protocol and key lifetime settings to secure data within the IPSec tunnel between your:
    • the private apps at your data center or headquarters location and Prisma Access in IKE Phase 2 for the Security Association (SA)—for a service connection
    • branch device and Prisma Access in IKE Phase 2 for the Security Association (SA)—for a remote network site
    You can use the recommended settings, or customize the settings as needed for your environment.
    • Customize the IPSec Crypto Profile to define how data is secured within the tunnel when Auto Key IKE automatically generates keys for the IKE SAs during IKE Phase 2.
      Prisma Access automatically configures a default IPSec crypto profile based on the Branch Device Type vendor. You can either use the default profile or create a custom profile.
      • IPSec Protocol—Secure the data that traverses the VPN tunnel. The Encapsulating Security Payload (ESP) protocol encrypts the data, authenticates the source, and verifies the data integrity. The Authentication Header (AH) protocol authenticates the source and verifies the data integrity.
        If you use ESP as the IPSec protocol, also specify the Encryption algorithm used in the IPSec SA negotiation.
        Prisma Access supports the following encryption algorithms: aes-256-gcm (256 bits), aes-256-cbc (256 bits), aes-192-cbc (192 bits), aes-128-gcm (128 bits), aes-128-cbc (128 bits), 3des (168 bits), and des (56 bits). You can also select null (no encryption).
    • Authentication—Specify the authentication algorithm used in the IPSec SA negotiation.
      Prisma Access supports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). If you set the IPSec Protocol to ESP, you can also select none (no authentication).
    • DH Group—Specify the Diffie-Hellman (DH) groups for IKE in the IPSec security association (SA) negotiation.
      Prisma Access supports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number. If you don’t want to renew the key that Prisma Access creates during IKE phase 1, select no-pfs (no perfect forward secrecy). If you select this option, Prisma Access reuses the current key for the IPSec SA negotiation.
    • Lifetime—Specify the unit and amount of time during which the negotiated key is valid (default is one hour).
    • Lifesize—Specify the unit and amount of data that the key can use for encryption.

    © 2026 Palo Alto Networks, Inc. All rights reserved.