Focus

Network Security

Define IKE Crypto Profiles

Table of Contents

Define IKE Crypto Profiles

The IKE Crypto profile is used to set up encryption and authentication algorithms for the key exchange process in IKE Phase 1. It must be configured identically on all IKE gateways.

Where Can I Use This?	What Do I Need?
Prisma Access PAN-OS	No license required

The IKE Crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

All IKE gateways configured on the same interface or local IP address must use the same crypto profile when the IKE gateway’s

Peer IP Address Type

is configured as

Dynamic

and IKEv1 main mode or IKEv2 is applied. If the crypto profiles are the same on the gateways, although the initial connection might start off on a different gateway, the connection will shift to the proper gateway when pre-shared keys or certificates and peer IDs are exchanged.

Regardless of whether your VPN peer is from the same vendor or not, the VPN peers must have the same IKE parameters configured in order to perform a successful IKE negotiation.

The following parameters need to match for a successful IKE negotiation:

DH Group for key exchange

Encryption algorithms

Authentication algorithms

For example, if you've configured VPN peer 1 with

group20

for DH group,

sha384

for authentication, and

aes-256-gcm

for encryption. Then, VPN peer 2 with which you want to establish the IPSec tunnel also should have the same values configured.

PAN-OS 10.1 and Later & Prisma Access (Panorama Managed)

Prisma Access (Cloud Management)

Define Cryptographic Profiles

Define IPSec Crypto Profiles