Network > Network Profiles > IPSec Crypto
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Network > Network Profiles > IPSec Crypto
Select NetworkNetwork ProfilesIPSec Crypto to
configure IPSec Crypto profiles that specify protocols and algorithms
for authentication and encryption in VPN tunnels based on IPSec
SA negotiation (Phase 2).
For VPN tunnels between GlobalProtect gateways and clients,
see Network
> Network Profiles > GlobalProtect IPSec Crypto.
IPSec Crypto Profile
Settings | Description |
|---|---|
|
General Tab
| |
Name | Enter a Name to identify
the profile (up to 31 characters). The name is case-sensitive and
must be unique. Use only letters, numbers, spaces, hyphens, and
underscores. |
IPSec Protocol | Select a protocol for securing data that
traverses the VPN tunnel:
Use ESP protocol
because it provides connection confidentiality (encryption) as well
as authentication. |
Encryption (ESP protocol only) | Click Add and select
the desired encryption algorithms. For highest security, use Move Up and Move
Down to change the order (top to bottom) to the following: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the
VM-Series firewall doesn’t support this option), aes-128-cbc,
and 3des. You can also select null (no
encryption). Use a form of AES encryption.
(3DES is a weak, vulnerable algorithm.) |
Authentication | Click Add and select
the desired authentication algorithms. For highest security, use Move Up and Move
Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5.
If the IPSec Protocol is ESP,
you can also select none (no authentication). Use sha256 or stronger
authentication because md5 and sha1 are
not secure. Use sha256 for short-lived sessions
and sha384 or higher for traffic that requires
the most secure authentication, such as financial transactions. |
DH Group | Select the Diffie-Hellman (DH) group for
Internet Key Exchange (IKE): group1, group2, group5, group14, group15, group16, group19, group20,
or group21. For highest security, choose
the group with the highest number. If you don’t want to renew the
key that the firewall creates during IKE phase 1, select no-pfs (no
perfect forward secrecy): the firewall reuses the current key for
the IPSec security association (SA) negotiations. |
Lifetime | Select units and enter the length of time
(default is one hour) that the negotiated key will stay effective. |
|
Lifesize
|
Select optional units and enter the amount of data that the key can
use for encryption.
|
|
Advanced Options Tab
| |
|
Post-Quantum IPSec Additional Key Exchange
|
Optionally, enable Post-Quantum IPSec Additional Key
Exchange rounds. You can add up to seven additional
rounds (Round 1-7) with only one PQC permitted per round. At a
minimum, one PQC is required to add quantum resistance. Adding
additional PQCs further raises quantum resistance, but increases the
size of the IPSec re-key packets.
Configure both sides of the IPSec tunnel with the same PQC and
security strength level in each Additional Key Exchange Round. If
there is a mismatch, the re-key operation fails.
Use the Round 1 - Round
7 drop-downs to display the supported PQCs that can
be used for each Additional Key Exchange Round. Select the PQC to be
used for the round. The PQC selected must match the other VPN
device’s IPSec crypto setting for the same Additional Key Exchange
Round. IPSec does not auto negotiate the PQC for each additional
round as only one PQC can be configured.
Do not negotiate the same PQC in more than one round as it doesn’t
provide additional quantum resistance. RFC 9370 allows additional
key exchange rounds to be skipped. Leave skipped rounds blank or set
to None.
|