IKE Phase 1
In this phase, the firewalls use the parameters defined
in the IKE Gateway configuration and the IKE Crypto profile to authenticate
each other and set up a secure control channel. IKE Phase supports
the use of preshared keys or digital certificates (which use public
key infrastructure, PKI) for mutual authentication of the VPN peers.
Preshared keys are a simple solution for securing smaller networks
because they do not require the support of a PKI infrastructure.
Digital certificates can be more convenient for larger networks
or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate
is trusted by both gateway peers and that the maximum length of
certificates in the certificate chain is 5 or less. With IKE fragmentation
enabled, the firewall can reassemble IKE messages with up to 5 certificates
in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are
used in the IKE SA negotiation:
Diffie-Hellman (DH) group for generating symmetrical
keys for IKE.
The Diffie-Hellman algorithm uses the private
key of one party and the public key of the other to create a shared
secret, which is an encrypted key that both VPN tunnel peers share.
The DH groups supported on the firewall are: Group 1—768 bits, Group
2—1024 bits (default), Group 5—1536 bits, Group 14—2048 bits, Group
19—256-bit elliptic curve group, and Group 20—384-bit elliptic curve
group.
Authentication algorithms—sha1, sha 256, sha 384, sha 512,
or md5
Encryption algorithms—aes-256-gcm, aes-128-gcm (these
two GCM algorithms are available in PAN-OS 10.0.3 and later 10.0
releases), 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or
des
