Ciphers Used to Set Up IPSec Tunnels

GlobalProtect can restrict and/or set preferential order for what encryption and authentication algorithm the GlobalProtect agent can use for the IPSec tunnel. The algorithms and preferences are defined in the GlobalProtect IPSec Crypto Profile that you configure when you set up the tunnel settings of the GlobalProtect gateway.
[Figure: GlobalProtect IPSec Crypto Profile configuration]
The GlobalProtect agent first sets up an SSL session with the GlobalProtect gateway. The cipher suite used for this SSL session is governed by the SSL/TLS profile configured on the gateway and by the type of algorithm used by the gateway certificate. After the SSL session is established, the GlobalProtect agent initiates the VPN tunnel setup by requesting its configuration over SSL.
Using the same SSL session, the GlobalProtect gateway responds with the encryption and authentication algorithms, keys, and SPIs the agent should use to set up the IPSec tunnel.
AES-GCM is recommended where stronger security is required. The aes-128-cbc cipher provides confidentiality only, so it requires the SHA1 authentication algorithm for data integrity and authenticity protection. Because the AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the SHA1 authentication algorithm is ignored for these ciphers, even though the profile still requires you to configure it.
The GlobalProtect IPSec Crypto Profile that you configured on the gateway determines the encryption and authentication algorithms used to set up the IPSec tunnel. The gateway walks the encryption algorithms in the order listed in the IPSec Crypto Profile and responds with the first one that also appears in the agent's proposal, so the gateway's configured order takes precedence over the agent's.
The GlobalProtect agent then attempts to set up a tunnel based on the response from the gateway.
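The selection and response steps above, as an added worked example (not Palo Alto Networks code): a small Python model of the gateway side that picks the first profile cipher the agent also proposed, drops the authentication algorithm for the AEAD ciphers, and assembles the keys and SPIs it would hand back over the SSL session. The class and function names and the dictionary layout of the response are assumptions; the real GlobalProtect configuration message is not modelled.

```python
"""Toy model of the gateway-side cipher selection described above.

Added example, not Palo Alto Networks code. The names used here are
assumptions and the "response" is a plain dict, not the real message format.
"""
import os
from dataclasses import dataclass
from typing import Optional

# AEAD ciphers provide ESP integrity natively (RFC 4106), so the configured
# authentication algorithm is accepted by the profile but not used for them.
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm"}

# Keying material the gateway must hand the agent, in bytes. GCM keys carry a
# 4-byte salt in addition to the AES key (RFC 4106 section 8.1).
ENC_KEY_LEN = {"aes-128-cbc": 16, "aes-128-gcm": 16 + 4, "aes-256-gcm": 32 + 4}
AUTH_KEY_LEN = {"sha1": 20}


@dataclass(frozen=True)
class IpsecCryptoProfile:
    """Ordered preference lists, as configured on the gateway (constructed)."""
    encryption: tuple
    authentication: tuple

    def __post_init__(self):
        # Mirrors the documented behaviour: an authentication algorithm must be
        # configured even if every cipher listed is AEAD.
        if not self.authentication:
            raise ValueError("profile requires an authentication algorithm")
        unknown = [e for e in self.encryption if e not in ENC_KEY_LEN]
        if unknown:
            raise ValueError(f"unsupported encryption algorithm(s): {unknown}")


@dataclass(frozen=True)
class TunnelCiphers:
    encryption: str
    authentication: Optional[str]  # None: integrity comes from the AEAD cipher


def select_tunnel_ciphers(profile, agent_proposal):
    """Pick the first cipher in *profile order* that the agent also proposed.

    Returns None when there is no overlap, i.e. tunnel setup fails.
    """
    proposed = set(agent_proposal)
    for enc in profile.encryption:
        if enc in proposed:
            auth = None if enc in AEAD_CIPHERS else profile.authentication[0]
            return TunnelCiphers(enc, auth)
    return None


def new_spi():
    """Random 32-bit ESP SPI; values 0-255 are reserved (RFC 4303 section 2.1)."""
    while True:
        spi = int.from_bytes(os.urandom(4), "big")
        if spi > 255:
            return spi


def build_gateway_response(profile, agent_proposal):
    """Assemble the algorithms, keys and SPIs the gateway sends back over the
    already-established SSL session (simplified, constructed layout)."""
    chosen = select_tunnel_ciphers(profile, agent_proposal)
    if chosen is None:
        return {"status": "no-proposal-chosen"}
    response = {
        "status": "ok",
        "encryption": chosen.encryption,
        "authentication": chosen.authentication,
        # One key and SPI per direction: ESP uses separate inbound/outbound SAs.
        "enc_key_in": os.urandom(ENC_KEY_LEN[chosen.encryption]),
        "enc_key_out": os.urandom(ENC_KEY_LEN[chosen.encryption]),
        "spi_in": new_spi(),
        "spi_out": new_spi(),
    }
    if chosen.authentication is not None:
        response["auth_key_in"] = os.urandom(AUTH_KEY_LEN[chosen.authentication])
        response["auth_key_out"] = os.urandom(AUTH_KEY_LEN[chosen.authentication])
    return response


if __name__ == "__main__":
    profile = IpsecCryptoProfile(encryption=("aes-256-gcm", "aes-128-cbc"),
                                 authentication=("sha1",))
    # The agent lists CBC first, but the gateway's profile order wins.
    print(select_tunnel_ciphers(profile, ["aes-128-cbc", "aes-256-gcm"]))
```

Running the module shows the GCM cipher being chosen with no authentication algorithm, even though the profile was required to list SHA1; proposing only aes-128-cbc yields aes-128-cbc with sha1, and a proposal with no overlap produces a failed selection rather than a silently weaker tunnel.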
