Define IKE Crypto Profiles

The IKE Crypto profile is used to set up encryption and authentication algorithms for the key exchange process in IKE Phase 1. It must be configured identically on all IKE gateways.
Where Can I Use This?
  • Prisma Access
  • PAN-OS
What Do I Need?
  • No license required
The IKE Crypto profile sets the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, as well as the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto profile when the IKE gateway’s Peer IP Address Type is configured as Dynamic and IKEv1 main mode or IKEv2 is applied. If the crypto profiles are the same on the gateways, although the initial connection might start off on a different gateway, the connection will shift to the proper gateway when pre-shared keys or certificates and peer IDs are exchanged.
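The shared-profile rule above can be checked across a gateway inventory before a change is committed. The following Python is an added example, not Palo Alto Networks code: the record fields, gateway names and profile names are constructed for illustration, and it assumes two gateways share an endpoint when they have the same local IP address or, if none is set, the same interface.

```python
from collections import defaultdict

# Constructed sample inventory; field names are hypothetical, not a PAN-OS export schema.
GATEWAYS = [
    {"name": "gw-branch-a", "interface": "ethernet1/1", "local_ip": "203.0.113.10",
     "peer_type": "dynamic", "ike": "ikev2", "crypto_profile": "ike-suite-b"},
    {"name": "gw-branch-b", "interface": "ethernet1/1", "local_ip": "203.0.113.10",
     "peer_type": "dynamic", "ike": "ikev1-main", "crypto_profile": "ike-legacy"},
    {"name": "gw-partner", "interface": "ethernet1/1", "local_ip": "203.0.113.10",
     "peer_type": "static", "ike": "ikev2", "crypto_profile": "ike-partner"},
    {"name": "gw-remote-c", "interface": "ethernet1/2", "local_ip": None,
     "peer_type": "dynamic", "ike": "ikev2", "crypto_profile": "ike-suite-b"},
    {"name": "gw-remote-d", "interface": "ethernet1/2", "local_ip": None,
     "peer_type": "dynamic", "ike": "ikev2", "crypto_profile": "ike-suite-b"},
    {"name": "gw-aggr", "interface": "ethernet1/1", "local_ip": "203.0.113.10",
     "peer_type": "dynamic", "ike": "ikev1-aggressive", "crypto_profile": "ike-aggr"},
]

def in_scope(gw):
    """The rule applies to dynamic-peer gateways using IKEv1 main mode or IKEv2."""
    return gw["peer_type"] == "dynamic" and gw["ike"] in ("ikev1-main", "ikev2")

def find_profile_conflicts(gateways):
    """Return {endpoint: {profile: [gateway names]}} for endpoints with >1 profile."""
    by_endpoint = defaultdict(lambda: defaultdict(list))
    for gw in filter(in_scope, gateways):
        # Assumption: the shared endpoint is the local IP when set, else the interface.
        endpoint = gw["local_ip"] or gw["interface"]
        by_endpoint[endpoint][gw["crypto_profile"]].append(gw["name"])
    return {ep: {p: sorted(n) for p, n in profiles.items()}
            for ep, profiles in by_endpoint.items() if len(profiles) > 1}

if __name__ == "__main__":
    for endpoint, profiles in find_profile_conflicts(GATEWAYS).items():
        print(f"{endpoint}: dynamic-peer gateways use different IKE Crypto profiles")
        for profile, names in sorted(profiles.items()):
            print(f"  {profile}: {', '.join(names)}")
```

In the sample data only the 203.0.113.10 endpoint is reported: the static-peer and aggressive-mode gateways fall outside the rule, and the two gateways on ethernet1/2 already share a profile.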
Regardless of whether your VPN peer is from the same vendor or not, the VPN peers must have the same IKE parameters configured in order to perform a successful IKE negotiation.
The following parameters need to match for a successful IKE negotiation:
  • DH Group for key exchange
  • Encryption algorithms
  • Authentication algorithms
For example, if you've configured VPN peer 1 with group20 for DH group, sha384 for authentication, and aes-256-gcm for encryption, then VPN peer 2, with which you want to establish the IPSec tunnel, should also have the same values configured.
