Network Security
IKE Phase 1
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No license required |
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the
IKE Crypto profile to authenticate each other and set up a secure control channel. IKE
Phase 1 supports the use of pre-shared keys or digital certificates (which rely on a public key
infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a
simple solution for securing smaller networks because they don't require the support of
a PKI. Digital certificates can be more convenient for larger networks or
implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway
peers and that the certificate chain contains no more than five certificates.
With IKE fragmentation enabled, the firewall can reassemble IKE messages carrying up to five
certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are
used in the IKE SA negotiation:
- Diffie-Hellman (DH) group for generating symmetrical keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are:

| Group Number | Number of Bits |
|---|---|
| Group 1 (Not Recommended) | 768 bits |
| Group 2 (Not Recommended) | 1,024 bits (default) |
| Group 5 (Not Recommended) | 1,536 bits |
| Group 14 | 2,048 bits |
| Group 15 (PAN-OS 10.2.0 and later releases) | 3072-bit modular exponential group |
| Group 16 (PAN-OS 10.2.0 and later releases) | 4096-bit modular exponential group |
| Group 19 | 256-bit elliptic curve group |
| Group 20 | 384-bit elliptic curve group |
| Group 21 (PAN-OS 10.2.0 and later releases) | 521-bit random elliptic curve group |

- Authentication algorithms—sha1, sha256, sha384, sha512, or md5.
- Encryption algorithms—aes-256-gcm, aes-128-gcm, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
  - PAN-OS 10.0.3 and later releases support the aes-256-gcm and aes-128-gcm algorithms.
  - PAN-OS 10.1.0 and earlier releases support the des encryption algorithm.
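As an added example (not Palo Alto Networks code), the following Python lints a planned IKE Crypto profile against the DH-group table, the release notes for the encryption algorithms, and the five-certificate chain limit described above; the profile dictionary shape and the PAN-OS version tuple are assumptions of this example, not a firewall API.

```python
# Added example, not Palo Alto Networks code: lint an IKE Crypto profile against
# the tables above; profile dict shape and version tuple are assumptions here.
DH_GROUPS = {  # group -> (bits, minimum PAN-OS release, recommended)
    1: (768, None, False), 2: (1024, None, False), 5: (1536, None, False),
    14: (2048, None, True), 15: (3072, (10, 2, 0), True),
    16: (4096, (10, 2, 0), True), 19: (256, None, True),
    20: (384, None, True), 21: (521, (10, 2, 0), True),
}
AUTH_ALGS = {"sha1", "sha256", "sha384", "sha512", "md5"}
ENC_ALGS = {  # algorithm -> (first supporting release, last supporting release)
    "aes-256-gcm": ((10, 0, 3), None), "aes-128-gcm": ((10, 0, 3), None),
    "3des": (None, None), "aes-128-cbc": (None, None),
    "aes-192-cbc": (None, None), "aes-256-cbc": (None, None),
    "des": (None, (10, 1, 0)),
}
MAX_CHAIN_LEN = 5  # certificates the firewall reassembles with IKE fragmentation

def _rel(v):
    return ".".join(map(str, v))

def lint_ike_crypto(profile, panos):
    """Return findings for `profile` ({"dh_group", "auth", "enc", "cert_chain_len"})
    on PAN-OS release tuple `panos`, e.g. (10, 2, 0). Empty list means clean."""
    findings = []
    g = profile["dh_group"]
    if g not in DH_GROUPS:
        findings.append(f"DH group {g}: not supported on the firewall")
    else:
        bits, min_rel, recommended = DH_GROUPS[g]
        if not recommended:
            findings.append(f"DH group {g} ({bits} bits): Not Recommended")
        if min_rel and panos < min_rel:
            findings.append(f"DH group {g}: needs PAN-OS {_rel(min_rel)} or later")
    if profile["auth"] not in AUTH_ALGS:
        findings.append(f"auth {profile['auth']}: not a supported algorithm")
    enc = profile["enc"]
    if enc not in ENC_ALGS:
        findings.append(f"enc {enc}: not a supported algorithm")
    else:
        first, last = ENC_ALGS[enc]
        if first and panos < first:
            findings.append(f"enc {enc}: needs PAN-OS {_rel(first)} or later")
        if last and panos > last:
            findings.append(f"enc {enc}: supported only up to PAN-OS {_rel(last)}")
    chain = profile.get("cert_chain_len")
    if chain is not None and chain > MAX_CHAIN_LEN:
        findings.append(f"certificate chain of {chain} exceeds {MAX_CHAIN_LEN}")
    return findings
```

Run it against a candidate profile before committing the configuration; a non-empty result lists the option and the release or table row it conflicts with.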