Define IPSec Crypto Profiles

The IPSec Crypto profile is used in IKE Phase 2 to secure data within a tunnel, and requires matching parameters between VPN peers for successful negotiation.
Where Can I Use This?
  • Prisma Access
  • PAN-OS
What Do I Need?
  • No license required
The IPSec Crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to generate keys automatically for the IKE SAs.
Regardless of whether your VPN peer is from the same vendor or not, the VPN peers must have the same IPSec parameters configured in order to perform a successful IPSec negotiation.
IPSec negotiation will be successful when the following parameters match between the VPN peers:
  • IPSec Protocol (ESP or AH)
  • DH Group (or PFS) for key exchange
  • Encryption algorithms
  • Authentication algorithms
For example, if you've configured VPN peer 1 with ESP as the IPSec protocol, group20 as the DH group, sha384 for authentication, and aes-256-gcm for encryption, then VPN peer 2, with which you want to establish the IPSec tunnel, must also be configured with exactly the same values.
By default, perfect forward secrecy (PFS) is enabled on IPSec tunnels to generate a more randomized key. PFS does this by performing an additional key exchange during IPSec SA negotiation to generate a new shared secret and combining it into the new IPSec SA keys. When configuring PFS, ensure that both VPN peers have the same PFS configuration. Any failure in IPSec SA negotiation will result in failure to establish the IPSec tunnel.

PAN-OS 10.1 and Later & Prisma Access (Panorama Managed)

  1. Create a new IPSec profile.
    1. Select Network > Network Profiles > IPSec Crypto and select Add.
    2. Enter a Name for the new profile.
    3. Select the IPSec Protocol—ESP or AH—that you want to apply to secure the data as it traverses the tunnel.
       As a best practice, select ESP (Encapsulating Security Payload) over AH (Authentication Header) because ESP offers both confidentiality and authentication for the connection whereas AH offers only authentication.
    4. Click Add and select the Authentication and Encryption algorithms for ESP, and the Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
       If you aren't certain of what the IKE peers support, add multiple algorithms in the order of most-to-least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
       • Encryption—aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, des, 3des.
         PAN-OS 10.1.0 and earlier releases support the Data Encryption Standard (DES) encryption algorithm.
         As a best practice, choose the strongest authentication and encryption algorithms the peer can support. For the authentication algorithm, use SHA-256 or higher (SHA-384 or higher preferred for long-lived transactions). Don't use SHA-1, MD5, or none. For the encryption algorithm, use AES; 3DES is weak and vulnerable.
       • Authentication—sha512, sha384, sha256, sha1, md5.
  2. Select the DH Group to use for the IPSec SA negotiations in IKE phase 2.
     From DH Group, select the key strength you want to use: group1, group2, group5, group14, group15, group16, group19, group20, or group21. For the highest security, choose the group with the highest number.
     Beginning with PAN-OS 10.2.0 and later releases, the group15, group16, and group21 Diffie-Hellman (DH) groups are supported.
     If you don't want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy); the firewall reuses the current key for the IPSec security association (SA) negotiations.
  3. Specify the duration of the key—time and volume of traffic.
     Using a combination of time and traffic volume bounds both how long and how much data a single key protects.
     Select the Lifetime, the time period for which the key is valid, in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall renegotiates a new set of keys.
     Select the Lifesize, the volume of data after which the keys must be renegotiated.
  4. Commit your IPSec profile.
     Click OK and click Commit.
  5. Attach the IPSec Profile to an IPSec tunnel configuration.
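
The following is an added example, not code from Palo Alto Networks or from this documentation. It models the two points the page makes about a profile: the IKE Phase 2 proposal match between two peers (protocol and DH group must be identical, and the peers settle on the strongest authentication and encryption algorithm both lists contain), and an audit of a single profile against the page's best-practice guidance (no SHA-1/MD5/none, no DES/3DES/null, algorithm lists ordered most-to-least secure, lifetime within 3 minutes to 365 days). The profile class, field names and sample profiles are this example's own; the rule that flags DH groups below the 2048-bit group14 and no-pfs as weak is the example's own policy, not a statement from the page.

```python
"""Added example (not Palo Alto Networks code): simulate the IKE Phase 2
proposal match between two IPSec crypto profiles and audit a profile against
the best-practice guidance on this page. Field and function names are this
example's own, not a PAN-OS or Prisma Access API."""
from dataclasses import dataclass, field

# Strength orderings, strongest first, in the most-to-least-secure order the
# page recommends; "null"/"none" (Prisma Access options) appended as weakest.
ENCRYPTION_ORDER = ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                    "aes-128-ccm", "aes-128-cbc", "des", "3des", "null"]
AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5", "none"]

# Settings the page says not to use. Treating DH groups below the 2048-bit
# group14, and no-pfs, as weak is this example's own policy (assumption).
WEAK = {
    "encryption": {"des", "3des", "null"},
    "authentication": {"sha1", "md5", "none"},
    "dh_group": {"group1", "group2", "group5", "no-pfs"},
}
LIFETIME_MIN = 3 * 60            # 3 minutes, the lower bound given on the page
LIFETIME_MAX = 365 * 24 * 3600   # 365 days, the upper bound given on the page


@dataclass
class IPSecCryptoProfile:
    name: str
    protocol: str                                        # "esp" or "ah"
    authentication: list = field(default_factory=list)   # most preferred first
    encryption: list = field(default_factory=list)       # ESP only, most preferred first
    dh_group: str = "group20"
    lifetime_seconds: int = 3600


def _rank(alg, order):
    """Position in the strength ordering; names not in the list sort last."""
    return order.index(alg) if alg in order else len(order)


def strongest_common(offered_a, offered_b, order):
    """Strongest algorithm present in both proposal lists, or None if disjoint."""
    common = set(offered_a) & set(offered_b)
    return min(common, key=lambda alg: _rank(alg, order)) if common else None


def negotiate(peer1, peer2):
    """Return the IPSec SA parameters the peers agree on, or None on failure.
    As the page states: protocol and DH group must match exactly, and the peers
    settle on the strongest authentication (and, for ESP, encryption) algorithm
    that both lists contain."""
    if peer1.protocol != peer2.protocol or peer1.dh_group != peer2.dh_group:
        return None
    sa = {"protocol": peer1.protocol, "dh_group": peer1.dh_group}
    sa["authentication"] = strongest_common(
        peer1.authentication, peer2.authentication, AUTH_ORDER)
    if sa["authentication"] is None:
        return None
    if peer1.protocol == "esp":
        sa["encryption"] = strongest_common(
            peer1.encryption, peer2.encryption, ENCRYPTION_ORDER)
        if sa["encryption"] is None:
            return None
    return sa


def audit(profile):
    """List the ways a profile departs from the page's guidance (empty = clean)."""
    findings = []
    if profile.protocol == "ah":
        findings.append("AH provides authentication only; prefer ESP")
    for fld, order in (("authentication", AUTH_ORDER), ("encryption", ENCRYPTION_ORDER)):
        algs = getattr(profile, fld)
        findings += [f"weak {fld} algorithm: {a}" for a in algs if a in WEAK[fld]]
        ranks = [_rank(a, order) for a in algs]
        if ranks != sorted(ranks):
            findings.append(f"{fld} list is not ordered most-to-least secure: {algs}")
    if profile.dh_group in WEAK["dh_group"]:
        findings.append(f"weak DH group / PFS setting: {profile.dh_group}")
    if not LIFETIME_MIN <= profile.lifetime_seconds <= LIFETIME_MAX:
        findings.append(f"lifetime {profile.lifetime_seconds}s is outside 3 min to 365 days")
    return findings


# Constructed sample profiles for the demonstration, not taken from any firewall.
HQ = IPSecCryptoProfile("hq-esp", "esp",
                        authentication=["sha512", "sha384", "sha256"],
                        encryption=["aes-256-gcm", "aes-256-cbc", "aes-128-gcm"],
                        dh_group="group20")
BRANCH = IPSecCryptoProfile("branch-esp", "esp",
                            authentication=["sha384", "sha1"],
                            encryption=["aes-128-gcm", "aes-256-cbc", "3des"],
                            dh_group="group20")
LEGACY = IPSecCryptoProfile("legacy-esp", "esp",
                            authentication=["sha1"], encryption=["3des"],
                            dh_group="group2", lifetime_seconds=60)

if __name__ == "__main__":
    print("hq <-> branch:", negotiate(HQ, BRANCH))   # matches on sha384 / aes-256-cbc
    print("hq <-> legacy:", negotiate(HQ, LEGACY))   # None: DH group mismatch
    for p in (HQ, BRANCH, LEGACY):
        print(p.name, audit(p))
```

The negotiation helper is deliberately strict about the DH group: unlike the algorithm lists, the page gives the group as a single value per profile, so a mismatch fails the Phase 2 negotiation outright rather than falling back. Running the audit on both ends of a tunnel before committing catches the case where the peers would still negotiate successfully but only on a weak common algorithm (here, hq and branch agree on aes-256-cbc, but branch's profile also advertises 3des and sha1).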

Prisma Access (Cloud Management)

Based on the IPSec device type you selected, Prisma Access provides a recommended set of IPSec protocol and key lifetime settings to secure data within the IPSec tunnel between:
  • the private apps at your data center or headquarters location and Prisma Access, in IKE Phase 2 for the Security Association (SA)—for a service connection
  • a branch device and Prisma Access, in IKE Phase 2 for the Security Association (SA)—for a remote network site
You can use the recommended settings, or customize the settings as needed for your environment.
  • Customize the IPSec Crypto Profile to define how data is secured within the tunnel when Auto Key IKE automatically generates keys for the IKE SAs during IKE Phase 2. Prisma Access automatically configures a default IPSec crypto profile based on the Branch Device Type vendor. You can either use the default profile or create a custom profile.
    • IPSec Protocol—Secure the data that traverses the VPN tunnel. The Encapsulating Security Payload (ESP) protocol encrypts the data, authenticates the source, and verifies the data integrity. The Authentication Header (AH) protocol authenticates the source and verifies the data integrity.
      If you use ESP as the IPSec protocol, also specify the Encryption algorithm used in the IPSec SA negotiation. Prisma Access supports the following encryption algorithms: aes-256-gcm (256 bits), aes-256-cbc (256 bits), aes-192-cbc (192 bits), aes-128-gcm (128 bits), aes-128-cbc (128 bits), 3des (168 bits), and des (56 bits). You can also select null (no encryption).
    • Authentication—Specify the authentication algorithm used in the IPSec SA negotiation. Prisma Access supports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). If you set the IPSec Protocol to ESP, you can also select none (no authentication).
    • DH Group—Specify the Diffie-Hellman (DH) groups for IKE in the IPSec security association (SA) negotiation. Prisma Access supports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number. If you don't want to renew the key that Prisma Access creates during IKE phase 1, select no-pfs (no perfect forward secrecy). If you select this option, Prisma Access reuses the current key for the IPSec SA negotiation.
    • Lifetime—Specify the unit and amount of time during which the negotiated key is valid (default is one hour).
    • Lifesize—Specify the unit and amount of data that the key can use for encryption.
