IKE Phase 1
End-of-Life (EoL)

In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports preshared keys or digital certificates (which rely on a public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require a PKI. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the certificate chain contains 5 or fewer certificates. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
  • Diffie-Hellman (DH) group for generating symmetric keys for IKE.
    The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
  • Authentication algorithms: sha1, sha256, sha384, sha512, or md5
  • Encryption algorithms: aes-256-gcm, aes-128-gcm (these two GCM algorithms are available in PAN-OS 10.0.3 and later 10.0 releases), 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
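The options above can be audited offline. The following is an added example, not Palo Alto Networks code: it parses IKE Crypto profiles from an XML fragment and reports every weak value a profile offers, plus options left unset. The XML layout, the `groupN` tokens, the profile names and the weak-value baseline (DH groups under 2048 bits, MD5/SHA-1, DES/3DES) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumed baseline for this example; replace with your own policy.
WEAK = {
    "dh-group": {"group1", "group2", "group5"},
    "hash": {"md5", "sha1"},
    "encryption": {"des", "3des"},
}

# Constructed sample, laid out like a firewall XML config export (assumption).
SAMPLE = """
<ike-crypto-profiles>
  <entry name="legacy-branch">
    <dh-group><member>group2</member><member>group14</member></dh-group>
    <hash><member>sha1</member><member>sha256</member></hash>
    <encryption><member>3des</member><member>aes-256-cbc</member></encryption>
  </entry>
  <entry name="hardened">
    <dh-group><member>group20</member></dh-group>
    <hash><member>sha384</member></hash>
    <encryption><member>aes-256-gcm</member></encryption>
  </entry>
  <entry name="incomplete">
    <dh-group><member>group19</member></dh-group>
  </entry>
</ike-crypto-profiles>
"""

def audit_profiles(xml_text):
    """Return {profile name: [findings]} for every IKE Crypto profile entry."""
    report = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        findings = []
        for option, weak in WEAK.items():
            members = entry.findall(f"{option}/member")
            values = [m.text.strip().lower() for m in members if m.text]
            if not values:
                # Nothing configured: whatever the platform defaults to is in effect.
                findings.append(f"{option}: not set, default applies")
                continue
            bad = [v for v in values if v in weak]
            if bad:
                # The peer may select any offered value, so one weak member is enough.
                findings.append(f"{option}: weak value offered: {', '.join(bad)}")
        report[entry.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

A profile that lists a strong value next to a weak one is still reported, because the negotiated IKE SA can settle on any value both peers offer.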