Specify the Diffie-Hellman (DH) Group for key exchange and the Authentication
and Encryption algorithms. Click Add in the corresponding sections (DH Group,
Authentication, and Encryption) and select from the menus.
If you aren't certain what the VPN peers support, add multiple groups or
algorithms ordered from strongest to weakest; the peers negotiate the
strongest group or algorithm that both support to establish the tunnel. Every
option you list is one the firewall will accept, so remove the weaker entries
once you know what the peer actually supports.
- DH Group—
  - group21 (PAN-OS 10.2.0 and later releases; IKEv2 only)
  - group20
  - group16 (PAN-OS 10.2.0 and later releases; IKEv2 only)
  - group15 (PAN-OS 10.2.0 and later releases; IKEv2 only)
  - group19
  - group14
  - group5
  - group2
  - group1
- Authentication—
  - sha512
  - sha384
  - sha256
  - sha1
  - md5
  - non-auth (PAN-OS 10.0.3 and later releases)
If you select an AES-GCM algorithm for encryption, you must set
Authentication to non-auth or the commit will fail. AES-GCM authenticates
its own ciphertext, and the hash is then selected automatically from the DH
Group: DH Group 19 and below uses sha256; DH Group 20 uses sha384.
- Encryption—
  - aes-256-gcm (PAN-OS 10.0.3 and later releases; requires IKEv2; DH Group should be set to group20)
  - aes-128-gcm (PAN-OS 10.0.3 and later releases; requires IKEv2 and DH Group set to group19)
  - aes-256-cbc
  - aes-192-cbc
  - aes-128-cbc
  - 3des
  - des (PAN-OS 10.1.0 and earlier releases)
Choose the strongest authentication and encryption algorithms that the
peer can support. For the authentication algorithm, use SHA-256 or
higher (SHA-384 or higher preferred for long-lived tunnels). Don't
use SHA-1 or MD5. For the encryption algorithm, use AES; DES is broken and
3DES, with its 64-bit block size, is weak and should not be used. AES in
Galois/Counter Mode (AES-GCM) is an authenticated (AEAD) cipher that
integrity-protects its own ciphertext, so it gives the strongest protection
and needs no separate hash; set Authentication to non-auth if you select
aes-256-gcm or aes-128-gcm, and pair them with the DH groups noted above
(group20 and group19 respectively).
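The following is an added example, not PAN-OS code and not an API the firewall exposes. It models an IKE crypto profile as the three ordered lists from the UI plus the IKE version and PAN-OS release, then reports the commit-time failures this section describes (AES-GCM without non-auth, IKEv2-only options on IKEv1, options absent in the running release) and the hardening guidance (no SHA-1/MD5, no DES/3DES, GCM paired with its DH group). It also shows the strongest-first negotiation described at the top of the section. The class and function names, the finding format, the simplified "first common entry" negotiation, and the treatment of group1/group2 as weak are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Option names and their listing order are taken from the section above;
# each list is read top to bottom as "strongest first".
DH_ORDER = ["group21", "group20", "group16", "group15", "group19",
            "group14", "group5", "group2", "group1"]
AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5", "non-auth"]
ENC_ORDER = ["aes-256-gcm", "aes-128-gcm", "aes-256-cbc", "aes-192-cbc",
             "aes-128-cbc", "3des", "des"]

# Release gates and IKEv2-only options, as stated in the section.
IKEV2_ONLY = {"group21", "group16", "group15", "aes-256-gcm", "aes-128-gcm"}
MIN_RELEASE: Dict[str, Version] = {
    "group21": (10, 2, 0), "group16": (10, 2, 0), "group15": (10, 2, 0),
    "non-auth": (10, 0, 3), "aes-256-gcm": (10, 0, 3), "aes-128-gcm": (10, 0, 3),
}
MAX_RELEASE: Dict[str, Version] = {"des": (10, 1, 0)}
# DH group the text pairs with each GCM cipher, with the severity its wording
# implies ("should be set" for aes-256-gcm, "requires" for aes-128-gcm).
GCM_DH = {"aes-256-gcm": ("group20", "WARN"), "aes-128-gcm": ("group19", "ERROR")}
# Options the guidance says not to use. group1/group2 (768/1024-bit MODP) are
# this example's addition; the section itself names only SHA-1, MD5, DES, 3DES.
WEAK = {"sha1", "md5", "des", "3des", "group1", "group2"}


@dataclass
class IkeCryptoProfile:
    name: str
    ike_version: int   # 1 or 2 (on PAN-OS the version is set on the IKE Gateway)
    panos: Version
    dh: List[str]
    auth: List[str]
    enc: List[str]


def parse_version(s: str) -> Version:
    """'10.2.4' -> (10, 2, 4); missing components default to 0."""
    parts = [int(x) for x in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def prf_for_group(group: str) -> Optional[str]:
    """Hash the section says is chosen automatically for a GCM profile."""
    n = int(group[len("group"):])
    if n == 20:
        return "sha384"
    if n <= 19:
        return "sha256"
    return None  # group21: the section does not say


def negotiate(initiator: List[str], responder: List[str]) -> Optional[str]:
    """First entry of the initiator's strongest-first list that the responder
    also offers (simplified model of responder proposal selection)."""
    offered = set(responder)
    return next((x for x in initiator if x in offered), None)


def lint(p: IkeCryptoProfile) -> List[str]:
    """Return 'ERROR: ...' (commit fails) and 'WARN: ...' (weak/unexpected) findings."""
    findings: List[str] = []
    for label, chosen, order in (("DH Group", p.dh, DH_ORDER),
                                 ("Authentication", p.auth, AUTH_ORDER),
                                 ("Encryption", p.enc, ENC_ORDER)):
        if not chosen:
            findings.append(f"ERROR: {label} list is empty")
            continue
        for opt in chosen:
            if opt not in order:
                findings.append(f"ERROR: {label} '{opt}' is not a PAN-OS option")
                continue
            if opt in MIN_RELEASE and p.panos < MIN_RELEASE[opt]:
                need = ".".join(map(str, MIN_RELEASE[opt]))
                findings.append(f"ERROR: {opt} needs PAN-OS {need} or later")
            if opt in MAX_RELEASE and p.panos > MAX_RELEASE[opt]:
                last = ".".join(map(str, MAX_RELEASE[opt]))
                findings.append(f"ERROR: {opt} is not available after PAN-OS {last}")
            if opt in IKEV2_ONLY and p.ike_version != 2:
                findings.append(f"ERROR: {opt} is IKEv2 only")
            if opt in WEAK:
                findings.append(f"WARN: {opt} is weak; remove it")
        known = [o for o in chosen if o in order]
        if known != sorted(known, key=order.index):
            findings.append(f"WARN: {label} list is not ordered strongest first")
    gcm = [e for e in p.enc if e in GCM_DH]
    if gcm and p.auth != ["non-auth"]:
        findings.append("ERROR: AES-GCM requires Authentication = non-auth; commit will fail")
    for e in gcm:
        group, sev = GCM_DH[e]
        if group not in p.dh:
            findings.append(f"{sev}: {e} expects DH Group {group} ({prf_for_group(group)} hash)")
    if "non-auth" in p.auth and any(e not in GCM_DH for e in p.enc):
        # This example's own check: a CBC cipher carries no integrity of its own.
        findings.append("WARN: non-auth listed with a non-GCM cipher leaves that cipher unauthenticated")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles: a legacy IKEv1 profile and a hardened IKEv2 one.
    legacy = IkeCryptoProfile("legacy", 1, parse_version("10.1.0"),
                              ["group2", "group14"], ["sha1", "sha256"], ["3des", "aes-256-cbc"])
    hardened = IkeCryptoProfile("ikev2-gcm", 2, parse_version("10.2.4"),
                                ["group20"], ["non-auth"], ["aes-256-gcm"])
    for prof in (legacy, hardened):
        print(prof.name, lint(prof) or ["OK"])
    print("negotiated DH group:", negotiate(["group20", "group14"], ["group14", "group5"]))
```

Run it as-is to see the legacy profile produce only warnings (weak options, lists not strongest-first) and the hardened profile pass clean; changing the hardened profile's Authentication to sha256 reproduces the commit failure the section describes.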