IKE Phase 1

Network Security

Where Can I Use This?: PAN-OS
What Do I Need?: No license required
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they don't require the support of a PKI. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to five certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
  • Diffie-Hellman (DH) group for generating symmetric keys for IKE.
    The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are:

    Group Number   Number of Bits
    Group 1        (Not Recommended) 768 bits
    Group 2        (Not Recommended) 1,024 bits (default)
    Group 5        (Not Recommended) 1,536 bits
    Group 14       2,048 bits
    Group 15       (PAN-OS 10.2.0 and later releases) 3072-bit modular exponential group
    Group 16       (PAN-OS 10.2.0 and later releases) 4096-bit modular exponential group
    Group 19       256-bit elliptic curve group
    Group 20       384-bit elliptic curve group
    Group 21       (PAN-OS 10.2.0 and later releases) 521-bit random elliptic curve group
  • Authentication algorithms—sha1, sha256, sha384, sha512, or md5.
  • Encryption algorithms—aes-256-gcm, aes-128-gcm, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
    • PAN-OS 10.0.3 and later releases support the aes-256-gcm and aes-128-gcm algorithms.
    • PAN-OS 10.1.0 and earlier releases support the des encryption algorithm.
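The DH-group table, the algorithm lists and the certificate-chain limit above are the constraints an IKE Crypto profile has to satisfy before Phase 1 can succeed on a given PAN-OS release. The following audit script is an added example written for this page, not Palo Alto Networks code: it encodes those constraints and reports, for a candidate profile and a target release, which settings are unsupported on that release, which DH groups the page marks Not Recommended, and whether the certificate chain exceeds the five-certificate reassembly limit. The profile dictionary keys (`dh_group`, `authentication`, `encryption`, `cert_chain_length`) are assumed names for this example, not PAN-OS configuration syntax, and flagging `md5` and `des` as weak is the example's own hardening check, which the page does not state.

```python
"""Audit an IKE Crypto profile against the constraints listed on this page.

Added example for this page; not Palo Alto Networks code. The profile keys
used here are assumed names, not PAN-OS configuration syntax.
"""
from typing import Dict, List, Optional, Tuple

Release = Tuple[int, int, int]

# DH groups from the page's table: group -> (description, minimum release, recommended?)
# A minimum release of (0, 0, 0) means the page states no release restriction.
DH_GROUPS: Dict[int, Tuple[str, Release, bool]] = {
    1:  ("768-bit MODP",                  (0, 0, 0),  False),
    2:  ("1,024-bit MODP (default)",      (0, 0, 0),  False),
    5:  ("1,536-bit MODP",                (0, 0, 0),  False),
    14: ("2,048-bit MODP",                (0, 0, 0),  True),
    15: ("3072-bit MODP",                 (10, 2, 0), True),
    16: ("4096-bit MODP",                 (10, 2, 0), True),
    19: ("256-bit elliptic curve",        (0, 0, 0),  True),
    20: ("384-bit elliptic curve",        (0, 0, 0),  True),
    21: ("521-bit random elliptic curve", (10, 2, 0), True),
}

AUTH_ALGS = {"sha1", "sha256", "sha384", "sha512", "md5"}

# Encryption algorithms: name -> (minimum release, maximum release or None).
# des is listed only for "PAN-OS 10.1.0 and earlier", which is followed literally here.
ENC_ALGS: Dict[str, Tuple[Release, Optional[Release]]] = {
    "aes-256-gcm": ((10, 0, 3), None),
    "aes-128-gcm": ((10, 0, 3), None),
    "3des":        ((0, 0, 0), None),
    "aes-128-cbc": ((0, 0, 0), None),
    "aes-192-cbc": ((0, 0, 0), None),
    "aes-256-cbc": ((0, 0, 0), None),
    "des":         ((0, 0, 0), (10, 1, 0)),
}

# Hardening policy added by this example (not stated on the page): MD5 and
# single DES are cryptographically weak and should not appear in a new profile.
WEAK_AUTH = {"md5"}
WEAK_ENC = {"des"}

MAX_CERT_CHAIN = 5  # IKE fragmentation reassembles at most five certificates


def parse_release(text: str) -> Release:
    """Turn '10.2' or '10.1.3' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fmt(rel: Release) -> str:
    return ".".join(str(n) for n in rel)


def audit_profile(profile: Dict, release: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a profile on the given PAN-OS release."""
    ver = parse_release(release)
    findings: List[Tuple[str, str]] = []

    for g in profile.get("dh_group", []):
        if g not in DH_GROUPS:
            findings.append(("dh-unknown", f"DH group {g} is not listed for the firewall"))
            continue
        desc, min_rel, recommended = DH_GROUPS[g]
        if ver < min_rel:
            findings.append(("dh-unsupported-release",
                             f"group {g} ({desc}) requires PAN-OS {fmt(min_rel)} or later"))
        if not recommended:
            findings.append(("dh-not-recommended", f"group {g} ({desc}) is marked Not Recommended"))

    for a in profile.get("authentication", []):
        if a not in AUTH_ALGS:
            findings.append(("auth-unknown", f"authentication algorithm {a!r} is not listed"))
        elif a in WEAK_AUTH:
            findings.append(("auth-weak", f"authentication algorithm {a} is weak"))

    for e in profile.get("encryption", []):
        if e not in ENC_ALGS:
            findings.append(("enc-unknown", f"encryption algorithm {e!r} is not listed"))
            continue
        min_rel, max_rel = ENC_ALGS[e]
        if ver < min_rel:
            findings.append(("enc-unsupported-release",
                             f"{e} requires PAN-OS {fmt(min_rel)} or later"))
        if max_rel is not None and ver > max_rel:
            findings.append(("enc-unsupported-release",
                             f"{e} is only listed for PAN-OS {fmt(max_rel)} and earlier"))
        if e in WEAK_ENC:
            findings.append(("enc-weak", f"encryption algorithm {e} is weak"))

    chain = profile.get("cert_chain_length")
    if chain is not None and chain > MAX_CERT_CHAIN:
        findings.append(("cert-chain-too-long",
                         f"certificate chain of {chain} exceeds the limit of {MAX_CERT_CHAIN}"))
    return findings


if __name__ == "__main__":
    # Constructed sample profile: default DH group 2 plus legacy algorithms.
    legacy = {"dh_group": [2, 14], "authentication": ["md5", "sha256"],
              "encryption": ["des", "aes-256-cbc"], "cert_chain_length": 6}
    for code, detail in audit_profile(legacy, "10.2.0"):
        print(f"{code:26} {detail}")
```

Run against a profile that still uses the default group 2 together with md5 and des, the script reports the Not Recommended group, the weak algorithms, that des is not listed for releases after 10.1.0, and the over-long chain; a profile using group 14 or 19 with sha256 and aes-256-gcm on PAN-OS 10.2.0 produces no findings. Release comparison is by tuple, so a profile written for 10.2.0 features is flagged when checked against a 10.1 firewall.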