IKE Phase 1

Network Security

IKE Phase 1

Table of Contents

IKE Phase 1

Where Can I Use This?
What Do I Need?
  • PAN-OS
No license required
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they don’t require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to five certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
  • Diffie-Hellman (DH) group for generating symmetrical keys for IKE.
    The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are:
    Group Number
    Number of Bits
    Group 1
    768 bits
    Group 2
    1,024 bits (default)
    Group 5
    1,536 bits
    Group 14
    2,048 bits
    Group 15
    PAN-OS 10.2.0 and later releases
    ) 3072-bit modular exponential group
    Group 16
    PAN-OS 10.2.0 and later releases
    ) 4096-bit modular exponential group
    Group 19
    256-bit elliptic curve group
    Group 20
    384-bit elliptic curve group
    Group 21
    PAN-OS 10.2.0 and later releases
    ) 512-bit random elliptic curve group
  • Authentication algorithms—sha1, sha 256, sha 384, sha 512, or md5.
  • Encryption algorithms—aes-256-gcm, aes-128-gcm, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
    • PAN-OS 10.0.3 and later releases support the aes-256-gcm and aes-128-gcm algorithms.
    • PAN-OS 10.1.0 and earlier releases support the des encryption algorithm.

Recommended For You