Focus

Next-Generation Firewall

Network > Network Profiles > IPSec Crypto

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

IKE Gateway Restart or Refresh

Network > Network Profiles > IKE Crypto

Network > Network Profiles > IPSec Crypto

Select NetworkNetwork ProfilesIPSec Crypto to configure IPSec Crypto profiles that specify protocols and algorithms for authentication and encryption in VPN tunnels based on IPSec SA negotiation (Phase 2).

For VPN tunnels between GlobalProtect gateways and clients, see Network > Network Profiles > GlobalProtect IPSec Crypto.

IPSec Crypto Profile Settings	Description
Name	Enter a Name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
IPSec Protocol	Select a protocol for securing data that traverses the VPN tunnel: ESP—Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity. AH—Authentication Header protocol authenticates the source and verifies data integrity. Use ESP protocol because it provides connection confidentiality (encryption) as well as authentication.
Encryption (`ESP protocol only`)	Click Add and select the desired encryption algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn’t support this option), aes-128-cbc, and 3des. You can also select null (no encryption). Use a form of AES encryption. (3DES is a weak, vulnerable algorithm.)
Authentication	Click Add and select the desired authentication algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5. If the IPSec Protocol is ESP, you can also select none (no authentication). Use sha256 or stronger authentication because md5 and sha1 are not secure. Use sha256 for short-lived sessions and sha384 or higher for traffic that requires the most secure authentication, such as financial transactions.
DH Group	Select the Diffie-Hellman (DH) group for Internet Key Exchange (IKE): group1, group2, group5, group14, group15, group16, group19, group20, or group21. For highest security, choose the group with the highest number. If you don’t want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy): the firewall reuses the current key for the IPSec security association (SA) negotiations.
Lifetime	Select units and enter the length of time (default is one hour) that the negotiated key will stay effective.
Lifesize	Select optional units and enter the amount of data that the key can use for encryption.

IKE Gateway Restart or Refresh

Network > Network Profiles > IKE Crypto

Next-Generation Firewall Docs

Network > Network Profiles > IPSec Crypto

Next-Generation Firewall Docs

Network > Network Profiles > IPSec Crypto

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner