1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Help
    4. Network
    5. Network > Network Profiles
    6. Network > Network Profiles > IKE Crypto

    Network > Network Profiles > IKE Crypto

    Use the
    IKE Crypto Profiles
     page to specify protocols and algorithms for identification, authentication, and encryption (IKEv1 or IKEv2, Phase 1).
    To change the order in which an algorithm or group is listed, select the item and then click
    Move Up
     or
    Move Down
    . The order determines the first choice when settings are negotiated with a remote peer. The setting at the top of the list is attempted first, continuing down the list until an attempt is successful.
    IKE Crypto Profile Settings
    Description
    Name
    Enter a name for the profile.
    DH Group
    Specify the priority for Diffie-Hellman (DH) groups. Click
    Add
     and select groups:
    group1
    ,
    group2
    ,
    group5
    ,
    group14
    ,
    group19
    , or
    group20
    . For highest security, select an item and then click
    Move Up
     or
    Move Down
     to move the groups with higher numeric identifiers to the top of the list. For example, move
    group14
     above
    group2
    .
    Authentication
    Specify the priority for hash algorithms. Click
    Add
     and select algorithms. For highest security, select an item and then click
    Move Up
     or
    Move Down
     to change the order (top to bottom) to the following:
    • sha512
    • sha384
    • sha256
    • sha1
    • md5
    • (
      PAN-OS 10.0.3 and later 10.0 releases
      )
      none
    If you select an AES-GCM algorithm for encryption, you must select the Authentication setting
    none
    . The hash is automatically selected based on the DH Group selected. DH Group 19 and below uses
    sha256
    ; DH Group 20 uses
    sha384
    .
    Encryption
    Select the appropriate Encapsulating Security Payload (ESP) authentication options. Click
    Add
     and select algorithms. For highest security, select an item and then click
    Move Up
     or
    Move Down
     to change the order (top to bottom) to the following:
    • (
      PAN-OS 10.0.3 and later 10.0 releases
      )
      aes-256-gcm
       (requires IKEv2; DH Group should be set to
      group20
      )
    • (
      PAN-OS 10.0.3 and later 10.0 releases
      )
      aes-128-gcm
       (requires IKEv2 and DH Group set to
      group19
      )
    • aes-256-cbc
    • aes-192-cbc
    • aes-128-cbc
    • 3des
    • des
    The
    aes-256-gcm
     and
    aes-128-gcm
     algorithms have authentication built into them; therefore, in those cases you must select the
    Authentication
     setting to be
    none
    .
    Key Lifetime
    Select unit of time and enter the length of time that the negotiated IKE Phase 1 key will be effective (default is 8 hours).
    • IKEv2—Before the key lifetime expires, the SA must be re-keyed or else, upon expiration, the SA must begin a new Phase 1 key negotiation.
    • IKEv1—Will not actively do a Phase-1 re-key before expiration. Only when the IKEv1 IPSec SA expires will it trigger IKEv1 Phase 1 re-key.
    IKEv2 Authentication Multiple
    Specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The authentication count is the number of times that the gateway can perform IKEv2 IKE SA re-key before the gateway must start over with IKEv2 re-authentication. A value of 0 disables the re-authentication feature.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo