Define IPSec Crypto Profiles

Network Security

Define IPSec Crypto Profiles

Table of Contents

Define IPSec Crypto Profiles

The IPSec Crypto profile is used in IKE Phase 2 to secure data within a tunnel, and requires matching parameters between VPN peers for successful negotiation.
Where Can I Use This?
What Do I Need?
  • Prisma Access
  • PAN-OS
No license required
The IPSec Crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to generate keys automatically for the IKE SAs.
Regardless of whether your VPN peer is from the same vendor or not, the VPN peers must have the same IPSec parameters configured in order to perform a successful IPSec negotiation.
IPSec negotiation will be successful when the following parameters match between the VPN peers:
  • IPSec Protocol (ESP or AH)
  • DH Group (or PFS) for key exchange
  • Encryption algorithms
  • Authentication algorithms
For example, if you've configured VPN peer 1 with
for IPSec protocol,
for DH group,
for authentication, and
for encryption. Then, VPN peer 2 with which you want to establish the IPSec tunnel also should be configured exactly with the same values.
By default, perfect forward secrecy (PFS) is enabled on IPSec tunnels to generate a more randomized key. PFS does this by performing an additional key exchange during IPSec SA negotiation to generate a new shared secret and combines it into the new IPSec SA keys. When configuring PFS, ensure that both the VPN peers have the same PFS configuration. Any failure in IPSec SA negotiation will result in failure to establish the IPSec tunnel.

Recommended For You