Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto profile when the IKE gateway’s
Peer IP Address Type
is configured as
and IKEv1 main mode or IKEv2 is applied.
  1. Create a new IKE profile.
    1. Select
      Network Profiles
      IKE Crypto
      and select
    2. Enter a name for the new profile.
  2. Specify the DH (Diffie–Hellman) Group for key exchange and the Authentication and Encryption algorithms.
    in the corresponding sections (DH Group, Authentication, and Encryption) and select from the menus.
    If you are not certain what the VPN peers support, add multiple groups or algorithms in the order of most-to-least secure; the peers negotiate the strongest supported group or algorithm to establish the tunnel.
    • DH Group—
      • group20
      • group19
      • group14
      • group5
      • group2
      • group1
    • Authentication—
      • sha512
      • sha384
      • sha256
      • sha1
      • md5
      • (PAN-OS 10.0.3 and later 10.0 releases)
      If you select an AES-GCM algorithm for encryption, you must select the Authentication setting
      or the commit will fail. The hash is automatically selected based on the DH Group selected. DH Group 19 and below uses
      ; DH Group 20 uses
    • Encryption—
      • (PAN-OS 10.0.3 and later 10.0 releases) (requires IKEv2; DH Group should be set to
      • (PAN-OS 10.0.3 and later 10.0 releases) (requires IKEv2 and DH Group set to
      • aes-256-cbc
      • aes-192-cbc
      • aes-128-cbc
      • 3des
      • des
    Choose the strongest authentication and encryption algorithms the peer can support. For the authentication algorithm, use SHA-256 or higher (SHA-384 or higher preferred for long-lived transactions). Do not use SHA-1 or MD5. For the encryption algorithm, use AES; DES and 3DES are weak and vulnerable. AES with Galois/Counter Mode (AES-GCM) provides the strongest security and has built-in authentication, so you must set Authentication to
    if you select
  3. Specify the duration for which the key is valid and the re-authentication interval.
    1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid (range is 3 minutes to 365 days; default is 8 hours). When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
    2. For the IKEv2 Authentication Multiple, specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The default value of 0 disables the re-authentication feature.
  4. Commit your IKE Crypto profile.
    and click
  5. Attach the IKE Crypto profile to the IKE Gateway configuration.
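The checks in steps 2 and 3 (most-to-least secure ordering, no SHA-1/MD5 or DES/3DES, AES-GCM only with IKEv2 and with no separate Authentication hash, lifetime and re-authentication ranges) can be codified as a review script. The following Python linter is an added example, not PAN-OS code; it assumes the AES-GCM options are named aes-256-gcm and aes-128-gcm (following the aes-256-cbc pattern) and models the Authentication setting required for AES-GCM as an empty list.

```python
from dataclasses import dataclass

# Option lists ordered strongest first. The GCM names are assumed (they follow
# the aes-256-cbc pattern); the page lists them only by release note.
DH_RANK = ["group20", "group19", "group14", "group5", "group2", "group1"]
AUTH_RANK = ["sha512", "sha384", "sha256", "sha1", "md5"]
ENC_RANK = ["aes-256-gcm", "aes-128-gcm", "aes-256-cbc", "aes-192-cbc",
            "aes-128-cbc", "3des", "des"]
WEAK_AUTH, WEAK_ENC = {"sha1", "md5"}, {"3des", "des"}
LIFETIME_MIN, LIFETIME_MAX = 3 * 60, 365 * 24 * 3600  # 3 minutes .. 365 days


@dataclass
class IkeCryptoProfile:
    name: str
    dh_groups: list
    authentication: list        # empty list models "no separate hash" (AES-GCM)
    encryption: list
    lifetime_seconds: int = 8 * 3600  # page default: 8 hours
    auth_multiple: int = 0            # IKEv2 Authentication Multiple, 0 = off
    ikev2: bool = True


def _ordered(chosen, rank):
    """True when the chosen options are listed most-to-least secure."""
    idx = [rank.index(x) for x in chosen]
    return idx == sorted(idx)


def lint(p):
    """Return findings for profile p; an empty list means it passes the checks."""
    f = []
    for label, chosen, rank in (("DH Group", p.dh_groups, DH_RANK),
                                ("Authentication", p.authentication, AUTH_RANK),
                                ("Encryption", p.encryption, ENC_RANK)):
        unknown = [x for x in chosen if x not in rank]
        if unknown:
            f.append(f"{label}: unknown option(s) {unknown}")
        elif not _ordered(chosen, rank):
            f.append(f"{label}: list options most-to-least secure")
    f += [f"Authentication: {a} is weak, use sha256 or higher" for a in p.authentication if a in WEAK_AUTH]
    f += [f"Encryption: {e} is weak, use AES" for e in p.encryption if e in WEAK_ENC]
    gcm = [e for e in p.encryption if e.endswith("-gcm")]
    if gcm and not p.ikev2:
        f.append("Encryption: AES-GCM requires IKEv2")
    if gcm and p.authentication:
        f.append("Authentication: must be cleared when AES-GCM is selected, or the commit fails")
    if not LIFETIME_MIN <= p.lifetime_seconds <= LIFETIME_MAX:
        f.append("Key Lifetime: must be between 3 minutes and 365 days")
    if not 0 <= p.auth_multiple <= 50:
        f.append("IKEv2 Authentication Multiple: must be 0-50")
    return f
```

Run `lint()` over each profile exported from the firewall before a change window; any non-empty result is a profile to revisit against the guidance above.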
