Ciphers Used to Set Up IPsec Tunnels

GlobalProtect can restrict and/or set preferential order for what encryption and authentication algorithm the GlobalProtect app can use for the IPsec tunnel. The algorithms and preferences are defined in the
GlobalProtect IPSec Crypto
profile that you configure when you set up the tunnel for the GlobalProtect gateway (
Network
GlobalProtect
Gateways
<gateway-config>
GlobalProtect Gateway Configuration
Agent
Tunnel Settings
).
ipsec-crypto-profile.png
When the GlobalProtect app sets up an SSL session with a GlobalProtect gateway, the cipher suite used for this SSL session is governed by the SSL/TLS profile configured on the gateway and the type of algorithm used by the gateway certificate. After the SSL session is established, the GlobalProtect app initiates a VPN tunnel setup by requesting the configuration over SSL.
Using the same SSL session, the GlobalProtect gateway responds with the encryption and authentication algorithms, keys, and SPIs that the app should use to set up the IPsec tunnel.
AES-GCM is recommended for more secure requirements. To provide data integrity and authenticity protection, the aes-128-cbc cipher requires the SHA1 authentication algorithm. Because AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the SHA1 authentication algorithm is ignored for these ciphers even though it is required during configuration.
The
GlobalProtect IPSec Crypto
profile that you configure on the gateway determines the encryption and authentication algorithm used to set up the IPsec tunnel. The GlobalProtect gateway responds with the first matching encryption algorithm listed in the profile that matches the app’s proposal.
The GlobalProtect app then attempts to set up a tunnel based on the response from the gateway.

Related Documentation