GlobalProtect can restrict and/or set preferential order
for what encryption and authentication algorithm the GlobalProtect
agent can use for the IPSec tunnel. The algorithms and preferences
are defined in the GlobalProtect IPSec Crypto Profile that you configure
when you set up the tunnel settings of the GlobalProtect gateway.
When the GlobalProtect agent sets up an SSL session with the GlobalProtect
gateway, the cipher suite used for this SSL session is governed by
the SSL/TLS profile configured on the gateway and the type of algorithm
used by the gateway certificate. After the SSL session is established,
the GlobalProtect agent initiates a VPN tunnel setup by requesting
the configuration over SSL.
Using the same SSL session, the GlobalProtect gateway responds
with the encryption and authentication algorithms, keys, and SPIs
the agent should use to set up the IPSec tunnel.
AES-GCM is recommended where stronger security is
required. To provide data integrity and authenticity protection,
the aes-128-cbc cipher requires the SHA1 authentication algorithm.
Because the AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm)
natively provide ESP integrity protection, the SHA1 authentication
algorithm is ignored for these ciphers even though it is required
during configuration.
The GlobalProtect IPSec Crypto Profile that you configured on
the gateway determines the encryption and authentication algorithm
used to set up the IPSec tunnel. The GlobalProtect gateway responds
with the first matching encryption algorithm listed in the IPSec
Crypto Profile that matches the agent’s proposal.
The GlobalProtect agent then attempts to set up a tunnel based
on the response from the gateway.
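The selection rule described above (the gateway's profile order wins, and the SHA1 entry is ignored for the GCM ciphers) modelled in Python, as an added example rather than PAN-OS code; the profile structure, function names and the `cbc_precedes_gcm` check are assumptions made for illustration, and the sample profiles are constructed.

```python
"""Model of the GlobalProtect IPSec Crypto Profile negotiation (added example,
not PAN-OS code). Profile/function names are assumptions; the selection rule
follows the documentation: the gateway walks its own encryption list in order
and returns the first cipher the agent also proposed."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Ciphers named in the documentation.
GCM_CIPHERS = {"aes-128-gcm", "aes-256-gcm"}   # ESP integrity is native
CBC_CIPHERS = {"aes-128-cbc"}                  # needs a separate SHA1 auth


@dataclass(frozen=True)
class IpsecCryptoProfile:
    """Encryption list in preference order plus the configured auth list."""
    encryption: Sequence[str]
    authentication: Sequence[str]


@dataclass(frozen=True)
class TunnelParams:
    """What the gateway sends back over the SSL session (keys/SPIs omitted)."""
    encryption: str
    authentication: Optional[str]  # None: cipher supplies its own integrity


def select_tunnel_params(profile: IpsecCryptoProfile,
                         agent_proposal: Sequence[str]) -> Optional[TunnelParams]:
    """Return the first cipher in the gateway's order that the agent proposed."""
    proposed = set(agent_proposal)
    for cipher in profile.encryption:        # gateway order, not the agent's
        if cipher not in proposed:
            continue
        if cipher in GCM_CIPHERS:
            # SHA1 must be present in the profile but is ignored for GCM.
            return TunnelParams(cipher, None)
        if cipher in CBC_CIPHERS:
            if "sha1" not in profile.authentication:
                raise ValueError(f"{cipher} requires the sha1 authentication algorithm")
            return TunnelParams(cipher, "sha1")
        raise ValueError(f"unsupported cipher in profile: {cipher}")
    return None  # no common algorithm: tunnel setup cannot proceed


def cbc_precedes_gcm(profile: IpsecCryptoProfile) -> bool:
    """Configuration check: True if a CBC cipher is preferred over any GCM
    cipher, so a GCM-capable agent would still be given CBC+SHA1."""
    order = list(profile.encryption)
    cbc_idx = [order.index(c) for c in CBC_CIPHERS if c in order]
    gcm_idx = [order.index(c) for c in GCM_CIPHERS if c in order]
    return bool(cbc_idx and gcm_idx) and min(cbc_idx) < min(gcm_idx)
```

Listing the GCM ciphers first in the profile is what keeps `cbc_precedes_gcm` false and lets capable agents receive AES-GCM.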