IPSec encryption and authentication: aes-128-sha1, aes-128-cbc, aes-128-gcm, and aes-256-gcm | The session key sent from the GlobalProtect gateway. | Used to establish the IPSec tunnel between the GlobalProtect app and the GlobalProtect gateway. Use the strongest algorithm supported by your network (AES-GCM is recommended). To provide data integrity and authenticity protection, the aes-128-cbc cipher requires the sha1 authentication algorithm. Because AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the sha1 authentication algorithm is ignored for these ciphers even though it is required during configuration. |