IKE Phase 2
After the tunnel is secured and authenticated in Phase 1, Phase 2 further secures the channel for the transfer of data between the networks. IKE Phase 2 uses the keys established in Phase 1 together with the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
- Encapsulating Security Payload (ESP)—Encrypts the entire IP packet, authenticates the source, and verifies the integrity of the data. While ESP normally both encrypts and authenticates the packet, you can choose to only encrypt or only authenticate (for example, by setting the encryption option to Null); using encryption without authentication is discouraged.
- Authentication Header (AH)—Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
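To show why the ESP encrypt-only option is discouraged, here is an added Go example (not PAN-OS code and not from this page) that models ESP with AES-CBC and authentication set to none beside ESP with AES-GCM; the key, IV, nonce and payload are constructed sample values. A single byte altered in transit is handed up by the CBC-only path with no error, while the GCM tag check rejects the packet.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample values only; no real SA key, IV or traffic is used.
var (
	key     = bytes.Repeat([]byte{0x42}, 32)             // AES-256 key
	iv      = bytes.Repeat([]byte{0x01}, aes.BlockSize)  // CBC IV
	nonce   = bytes.Repeat([]byte{0x02}, 12)             // 96-bit GCM nonce
	payload = []byte("ESP-SAMPLE-PAYLOAD-32-BYTES-LONG") // two full AES blocks, so no padding
)

func block() cipher.Block { b, _ := aes.NewCipher(key); return b }

// cbcEncryptOnly/cbcDecrypt model ESP with AES-CBC and authentication set to none:
// decryption cannot fail, so it never signals that the packet was altered in transit.
func cbcEncryptOnly(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block(), iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block(), iv).CryptBlocks(pt, ct)
	return pt
}

// gcm models ESP with AES-GCM: Seal appends an authentication tag that Open verifies.
func gcm() cipher.AEAD { aead, _ := cipher.NewGCM(block()); return aead }

// CBCAcceptsCorrupted is true when encrypt-only ESP hands up altered data with no error.
func CBCAcceptsCorrupted() bool {
	ct := cbcEncryptOnly(payload)
	ct[16] ^= 0x01 // one damaged byte in the second block
	return !bytes.Equal(cbcDecrypt(ct), payload)
}

// GCMRejectsCorrupted is true when the AEAD tag check refuses the altered packet.
func GCMRejectsCorrupted() bool {
	ct := gcm().Seal(nil, nonce, payload, nil)
	ct[16] ^= 0x01 // the same one-byte damage
	_, err := gcm().Open(nil, nonce, ct, nil)
	return err != nil
}
```

The same contrast holds for AES-CCM, the other AEAD mode in the list below: an AEAD cipher gives ESP integrity protection without a separate authentication algorithm, whereas CBC needs one configured.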
Diffie-Hellman (DH) exchange options supported
Encryption algorithms supported
- Triple Data Encryption Standard (3DES) with a security strength of 112 bits
- Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
- AES using CBC with a security strength of 192 bits
- AES using CBC with a security strength of 256 bits
- AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
- AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
- AES using GCM with a security strength of 256 bits
- Data Encryption Standard (DES) with a security strength of 56 bits
Authentication algorithms supported