Focus

IKE Phase 2

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

IKE Phase 1

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IKE Phase 2

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

The IPSEC uses the following protocols to enable secure communication:

Encapsulating Security Payload (ESP)—Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
Authentication Header (AH)—Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.

Algorithms Supported for IPSEC Authentication and Encryption
ESP	AH
Diffie Hellman (DH) exchange options supported
Group 1—768 bits Group 2—1024 bits (the default) Group 5—1536 bits Group 14—2048 bits. Group 19— 256-bit elliptic curve group Group 20—384-bit elliptic curve group no-pfs—By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.
Encryption algorithms supported
3des	Triple Data Encryption Standard (3DES) with a security strength of 112 bits
aes-128-cbc	Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
aes-192-cbc	AES using CBC with a security strength of 192 bits
aes-256-cbc	AES using CBC with a security strength of 256 bits
aes-128-ccm	AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
aes-128-gcm	AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
aes-256-gcm	AES using GCM with a security strength of 256 bits
des	Data Encryption Standard (DES) with a security strength of 56 bits
Authentication algorithms supported
md5	md5
sha 1	sha 1
sha 256	sha 256
sha 384	sha 384
sha512	sha 512

IKE Phase 1

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Next-Generation Firewall Docs

IKE Phase 2

Next-Generation Firewall Docs

IKE Phase 2

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner