IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which rely on a public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they do not require a PKI. Digital certificates can be more convenient for larger networks or deployments that require stronger authentication.
When using certificates, make sure that the CA issuing the certificates is trusted by both gateway peers and that the certificate chain contains no more than 5 certificates. With IKE fragmentation enabled, the firewall can reassemble IKE messages carrying up to five certificates in the chain and successfully establish the VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
- Diffie-Hellman (DH) group for generating symmetric keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret known to both VPN tunnel peers, from which the IKE keys are derived. The DH groups supported on the firewall are:
| Group Number | Number of Bits |
|---|---|
| Group 1 | 768 bits (not recommended) |
| Group 2 | 1,024 bits (default; not recommended) |
| Group 5 | 1,536 bits (not recommended) |
| Group 14 | 2,048 bits |
| Group 15 | 3,072-bit modular exponential group (PAN-OS 10.2.0 and later releases) |
| Group 16 | 4,096-bit modular exponential group (PAN-OS 10.2.0 and later releases) |
| Group 19 | 256-bit elliptic curve group |
| Group 20 | 384-bit elliptic curve group |
| Group 21 | 521-bit random elliptic curve group (PAN-OS 10.2.0 and later releases) |
- Authentication algorithms: sha1, sha256, sha384, sha512, or md5.
- Encryption algorithms: aes-256-gcm, aes-128-gcm, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
  - PAN-OS 10.0.3 and later releases support the aes-256-gcm and aes-128-gcm algorithms.
  - PAN-OS 10.1.0 and earlier releases support the des encryption algorithm.
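As an added example (not Palo Alto Networks code), the following Python linter checks a proposed IKE Crypto profile against the DH groups, algorithms and release constraints listed above, plus the five-certificate chain limit; treating md5, sha1, des and 3des as weak is this example's own policy, not a statement on this page.

```python
# Added example, not PAN-OS code: lint an IKE Crypto profile against the
# DH group, algorithm and release constraints listed in this section.

# DH group -> (minimum PAN-OS release or None, recommended by the page?)
DH_GROUPS = {1: (None, False), 2: (None, False), 5: (None, False),
             14: (None, True), 15: ((10, 2, 0), True), 16: ((10, 2, 0), True),
             19: (None, True), 20: (None, True), 21: ((10, 2, 0), True)}
AUTH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
ENC_ALGS = {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
            "aes-128-gcm", "aes-256-gcm"}
# Flagging md5/sha1/des/3des as weak is this example's policy, not a page statement.
WEAK = {"md5", "sha1", "des", "3des"}
MAX_CHAIN_LEN = 5  # certificates the firewall reassembles with IKE fragmentation


def parse_version(text: str) -> tuple:
    """'10.2.0' -> (10, 2, 0); tuples compare release by release."""
    return tuple(int(part) for part in text.split("."))


def check_profile(panos: str, dh_groups: list, auth: list, enc: list,
                  chain_len: int = 0) -> list:
    """Return findings; an empty list means the profile passes every check."""
    ver, out = parse_version(panos), []
    for g in dh_groups:
        if g not in DH_GROUPS:
            out.append(f"ERROR dh group {g} is not in the supported list")
            continue
        min_ver, recommended = DH_GROUPS[g]
        if min_ver and ver < min_ver:
            out.append(f"ERROR dh group {g} needs PAN-OS {'.'.join(map(str, min_ver))} or later")
        elif not recommended:
            out.append(f"WARN dh group {g} is not recommended")
    for a in auth:
        if a not in AUTH_ALGS:
            out.append(f"ERROR auth {a} is not in the supported list")
        elif a in WEAK:
            out.append(f"WARN auth {a} is weak")
    for e in enc:
        if e not in ENC_ALGS:
            out.append(f"ERROR enc {e} is not in the supported list")
        elif e.endswith("-gcm") and ver < (10, 0, 3):
            out.append(f"ERROR enc {e} needs PAN-OS 10.0.3 or later")
        elif e == "des" and ver > (10, 1, 0):
            out.append("ERROR enc des is only supported up to PAN-OS 10.1.0")
        elif e in WEAK:
            out.append(f"WARN enc {e} is weak")
    if chain_len > MAX_CHAIN_LEN:  # 0 means the chain length was not supplied
        out.append(f"ERROR certificate chain of {chain_len} exceeds {MAX_CHAIN_LEN}")
    return out
```

Run it with the release the firewall actually reports; the release gates change which algorithm and group combinations are accepted.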