PAN-OS 11.1 IPSec Cipher Suites

The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 11.1 Releases
IPSec—Encryption
  • NULL
  • 3DES
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-CCM
  • AES-128-GCM
  • AES-256-GCM
IPSec—Message Authentication
  • NONE
  • HMAC-MD5
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
  • No PFS—This option specifies that the firewall reuses the same key for IKE phase 1 and phase 2 instead of renewing the key for phase 2.
  • Group 1 (768-bit keys) with PFS enabled
  • Group 2 (1024-bit keys) with PFS enabled
  • Group 5 (1536-bit keys) with PFS enabled
  • Group 14 (2048-bit keys) with PFS enabled
  • Group 15 (3072-bit modular exponential group)
  • Group 16 (4096-bit modular exponential group)
  • Group 19 (256-bit elliptic curve group) with PFS enabled
  • Group 20 (384-bit elliptic curve group) with PFS enabled
  • Group 21 (512-bit random elliptic curve group)