GlobalProtect can restrict, and set the preference order for, the encryption
and authentication algorithms that the GlobalProtect app may use for the
IPsec tunnel. The algorithms and their preference order are defined in the
GlobalProtect IPSec Crypto profile that you configure when you set up the
tunnel for the GlobalProtect gateway (Network > GlobalProtect > Gateways >
<gateway-config> > GlobalProtect Gateway Configuration > Agent > Tunnel Settings).
When the GlobalProtect app sets up an SSL session with a GlobalProtect gateway,
the cipher suite used for this SSL session is governed by the SSL/TLS profile
configured on the gateway and by the key algorithm of the gateway certificate
(for example RSA or ECDSA). After the SSL session is established, the GlobalProtect
app initiates the VPN tunnel setup by requesting its configuration
over that SSL session.
Using the same SSL session, the GlobalProtect gateway responds
with the encryption and authentication algorithms, keys, and SPIs
that the app should use to set up the IPsec tunnel.
AES-GCM is recommended where stronger security is required.
The aes-128-cbc cipher provides confidentiality only, so it requires the
SHA1 authentication algorithm for data integrity and authenticity protection.
Because the AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) are
authenticated ciphers that natively provide ESP integrity protection, the SHA1
authentication algorithm is ignored for these ciphers even though the profile
still requires you to select it during configuration.
The GlobalProtect IPSec Crypto profile
that you configure on the gateway determines the encryption and
authentication algorithms used to set up the IPsec tunnel. The gateway walks
its profile in the configured preference order and responds with the first
encryption algorithm that also appears in the app's proposal; the gateway's
order, not the app's, decides the outcome.
The GlobalProtect app then attempts to set up the tunnel using the
parameters in the gateway's response.
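The selection described above, as an added example that is not part of this page or of PAN-OS: a small model of the gateway walking its IPSec Crypto profile in order, picking the first cipher the app also proposed, and dropping the SHA1 setting for the AEAD (GCM) ciphers. The profile names, cipher lists and app proposals are constructed for illustration; `audit_profile` is an added check that flags a profile where a CBC cipher is listed ahead of a GCM cipher, because the profile order is what an app capable of both will actually get.

```python
# Added example (not PAN-OS code): a model of how the gateway picks the IPsec
# tunnel parameters from its GlobalProtect IPSec Crypto profile. Profile
# contents, proposal lists and names below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Ciphers the profile can list. The GCM ciphers are AEAD: they authenticate the
# ESP payload themselves, so the profile's SHA1 setting does not apply to them.
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm"}
CBC_CIPHERS = {"aes-128-cbc"}


@dataclass
class IPSecCryptoProfile:
    """Gateway-side profile: ordered cipher list (most preferred first)."""
    name: str
    encryption: List[str]
    authentication: str = "sha1"  # the only selectable value; required even for GCM


@dataclass
class TunnelParams:
    """What the gateway hands back to the app over the existing SSL session."""
    encryption: str
    authentication: Optional[str]  # None when the cipher is AEAD


def select_tunnel_params(profile: IPSecCryptoProfile,
                         app_proposal: List[str]) -> Optional[TunnelParams]:
    """Walk the gateway's list in its configured order and return the first
    cipher the app also proposed. The app's own ordering is irrelevant.
    Returns None when nothing overlaps, i.e. no IPsec tunnel can be built."""
    proposed = set(app_proposal)
    for cipher in profile.encryption:
        if cipher in proposed:
            auth = None if cipher in AEAD_CIPHERS else profile.authentication
            return TunnelParams(cipher, auth)
    return None


def audit_profile(profile: IPSecCryptoProfile) -> List[str]:
    """Practitioner check: flag a CBC cipher listed ahead of any GCM cipher,
    since the gateway's order decides which one apps capable of both get."""
    findings = []
    seen_cbc = False
    for cipher in profile.encryption:
        if cipher in CBC_CIPHERS:
            seen_cbc = True
        elif cipher in AEAD_CIPHERS and seen_cbc:
            findings.append(f"{profile.name}: {cipher} listed after a CBC cipher")
            break
    if not any(c in AEAD_CIPHERS for c in profile.encryption):
        findings.append(f"{profile.name}: no AES-GCM cipher offered")
    return findings


def demo() -> dict:
    """Constructed profiles and proposals showing that the gateway's order wins."""
    strong = IPSecCryptoProfile("gp-gcm-first",
                                ["aes-256-gcm", "aes-128-gcm", "aes-128-cbc"])
    weak = IPSecCryptoProfile("gp-cbc-first", ["aes-128-cbc", "aes-256-gcm"])
    app_without_256 = ["aes-128-cbc", "aes-128-gcm"]   # constructed proposal
    app_prefers_gcm = ["aes-256-gcm", "aes-128-cbc"]   # app order is ignored
    return {
        "strong": select_tunnel_params(strong, app_without_256),
        "weak": select_tunnel_params(weak, app_prefers_gcm),
        "no_overlap": select_tunnel_params(strong, ["3des-cbc"]),
        "weak_audit": audit_profile(weak),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the GCM-first profile the gateway skips aes-256-gcm (not proposed by the app) and lands on aes-128-gcm with no separate authentication algorithm; with the CBC-first profile the same gateway hands an app that would happily do aes-256-gcm the aes-128-cbc/sha1 pair, which is exactly what the audit flags.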