Network > Network Profiles > IPSec Crypto

Select Network > Network Profiles > IPSec Crypto to configure IPSec Crypto profiles that specify the protocols and algorithms for authentication and encryption in VPN tunnels, as negotiated for the IPSec SA (IKE Phase 2).
For VPN tunnels between GlobalProtect gateways and clients, see Network > Network Profiles > GlobalProtect IPSec Crypto.
IPSec Crypto Profile Settings
Description
Name
Enter a Name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
IPSec Protocol
Select a protocol for securing data that traverses the VPN tunnel:
  • ESP
    —Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity.
  • AH
    —Authentication Header protocol authenticates the source and verifies data integrity but does not encrypt the payload.
Use ESP because it provides confidentiality (encryption) as well as authentication; with AH alone, the payload is readable by anyone on the path.
Encryption (ESP protocol only)
Click Add and select the desired encryption algorithms. For highest security, use Move Up and Move Down to order the list (top to bottom) as follows: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, and des. You can also select null (no encryption).
Use a form of AES encryption. DES (56-bit key) can be brute-forced, 3DES has a 64-bit block that makes it vulnerable to birthday attacks (Sweet32) on long-lived, high-volume SAs, and null sends the payload in cleartext. The GCM and CCM modes are authenticated-encryption (AEAD) modes that protect integrity on their own, so a separate Authentication algorithm adds nothing for them.
Authentication
Click Add and select the desired authentication algorithms. For highest security, use Move Up and Move Down to order the list (top to bottom) as follows: sha512, sha384, sha256, sha1, md5. If the IPSec Protocol is ESP, you can also select none (no authentication).
Use sha256 or stronger authentication because md5 and sha1 are deprecated and not considered secure. Use sha256 for short-lived sessions and sha384 or higher for traffic that requires the most secure authentication, such as financial transactions. Select none only when every encryption algorithm in the profile is an AEAD mode (aes-256-gcm, aes-128-gcm, or aes-128-ccm), which authenticates the packet itself; combined with a CBC cipher, none leaves the traffic unauthenticated and open to tampering.
DH Group
Select the Diffie-Hellman (DH) group used to derive fresh keys for the IPSec SA during the Phase 2 negotiation (perfect forward secrecy): group1, group2, group5, group14, group19, or group20. For highest security, choose the group with the highest number: group20 (384-bit elliptic curve) is the strongest, group19 (256-bit elliptic curve) and group14 (2048-bit MODP) are acceptable, and group1, group2, and group5 (768-, 1024-, and 1536-bit MODP) are too small for current use. If you don't want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy): the firewall reuses the current key for the IPSec security association (SA) negotiations, so a compromise of the phase 1 keying material also exposes every IPSec SA derived from it.
Lifetime
Select units and enter the length of time (default is one hour) that the negotiated key will stay effective; when it expires, the firewall renegotiates the IPSec SA.
Lifesize
Select optional units and enter the amount of data that the key can encrypt before the firewall renegotiates the IPSec SA. Whichever of Lifetime and Lifesize is reached first triggers the rekey.
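The recommendations in the table above, turned into a checker: it lints a candidate profile (name rule, protocol, algorithm choice and proposal order, the AEAD/none pairing, PFS group) and renders the result as PAN-OS CLI set commands. This is an added example, not code from the PAN-OS documentation or product; the IPSecCryptoProfile field layout, the approximate per-group DH strengths, and the exact set-command syntax are assumptions to verify against your PAN-OS release. The two sample profiles are constructed for the demonstration.

```python
"""Lint an IPSec Crypto profile against the guidance above and emit PAN-OS CLI.

Added example, not code from the PAN-OS documentation or product. The profile
fields, the approximate DH strengths and the exact 'set' syntax are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Proposal rankings, strongest first, in the order the page recommends.
ENC_RANK = ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
            "aes-128-ccm", "aes-128-cbc", "3des", "des", "null"]
AUTH_RANK = ["sha512", "sha384", "sha256", "sha1", "md5", "none"]
AEAD = {"aes-256-gcm", "aes-128-gcm", "aes-128-ccm"}  # integrity built in
WEAK_ENC = {"3des", "des", "null"}
WEAK_AUTH = {"sha1", "md5"}
# Approximate security strength in bits per DH group (assumed NIST SP 800-57 sizing).
DH_BITS = {"group1": 56, "group2": 80, "group5": 90,
           "group14": 112, "group19": 128, "group20": 192}
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")  # the rule stated under Name


@dataclass
class IPSecCryptoProfile:
    name: str
    protocol: str = "esp"                                   # "esp" or "ah"
    encryption: List[str] = field(default_factory=list)     # ESP only, proposal order
    authentication: List[str] = field(default_factory=list)
    dh_group: str = "group20"                               # or "no-pfs"
    lifetime: Tuple[str, int] = ("hours", 1)
    lifesize: Optional[Tuple[str, int]] = None              # e.g. ("gb", 100)


def _strongest_first(items, rank):
    pos = [rank.index(i) for i in items if i in rank]
    return pos == sorted(pos)


def lint(p: IPSecCryptoProfile) -> List[str]:
    """Return findings; an empty list means the profile follows the page's advice."""
    f = []
    enc, auth = set(p.encryption), set(p.authentication)
    if not NAME_RE.match(p.name):
        f.append("name: up to 31 chars; letters, digits, spaces, hyphens, underscores only")
    if p.protocol == "ah":
        f.append("protocol ah: no confidentiality; use esp")
    for c in [c for c in ENC_RANK if c in enc & WEAK_ENC]:
        f.append(f"encryption {c}: weak (DES 56-bit key, 3DES 64-bit block, null = cleartext)")
    if enc and enc <= AEAD and auth != {"none"}:
        f.append("all ciphers are AEAD: set authentication to none, a separate HMAC is redundant")
    if p.protocol == "esp" and "none" in auth and enc - AEAD:
        f.append("authentication none with a CBC cipher leaves packets unauthenticated")
    for h in [h for h in AUTH_RANK if h in auth & WEAK_AUTH]:
        f.append(f"authentication {h}: deprecated, use sha256 or stronger")
    if not _strongest_first(p.encryption, ENC_RANK):
        f.append("encryption proposal order is not strongest-first")
    if not _strongest_first(p.authentication, AUTH_RANK):
        f.append("authentication proposal order is not strongest-first")
    if p.dh_group == "no-pfs":
        f.append("no-pfs: phase 2 keys reuse phase 1 material; one compromise exposes all SAs")
    elif DH_BITS.get(p.dh_group, 0) < 112:
        f.append(f"dh-group {p.dh_group}: below 112-bit strength; use group14, group19 or group20")
    return f


def emit_cli(p: IPSecCryptoProfile) -> List[str]:
    """Render the profile as PAN-OS 'set' commands (the syntax is an assumption)."""
    name = f'"{p.name}"' if " " in p.name else p.name
    base = f"set network ike crypto-profiles ipsec-crypto-profiles {name}"
    cmds = []
    if p.protocol == "esp":
        cmds.append(f"{base} esp encryption [ {' '.join(p.encryption)} ]")
        cmds.append(f"{base} esp authentication [ {' '.join(p.authentication)} ]")
    else:
        cmds.append(f"{base} ah authentication [ {' '.join(p.authentication)} ]")
    cmds.append(f"{base} dh-group {p.dh_group}")
    cmds.append(f"{base} lifetime {p.lifetime[0]} {p.lifetime[1]}")
    if p.lifesize:
        cmds.append(f"{base} lifesize {p.lifesize[0]} {p.lifesize[1]}")
    return cmds


# Constructed sample profiles: a legacy one and one that follows the page's advice.
LEGACY = IPSecCryptoProfile("legacy-vpn", encryption=["3des", "aes-128-cbc"],
                            authentication=["md5", "sha1"], dh_group="group2")
RECOMMENDED = IPSecCryptoProfile("Suite-B-GCM-256", encryption=["aes-256-gcm"],
                                 authentication=["none"], dh_group="group20")

if __name__ == "__main__":
    for prof in (LEGACY, RECOMMENDED):
        print(f"== {prof.name}: {len(lint(prof))} finding(s)")
        for line in lint(prof):
            print("  -", line)
        print("\n".join(emit_cli(prof)))
```

The legacy profile trips six checks (3DES, md5 and sha1, both proposal lists ordered weakest-first, and group2); the recommended profile produces no findings. A profile that mixes aes-256-gcm with aes-256-cbc legitimately keeps an HMAC such as sha256 because the CBC proposal needs it, which is why the checker only demands none when every cipher is AEAD.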