Network Security
IKE Phase 2
Where Can I Use This? | What Do I Need? |
---|---|
| No license required |
After the tunnel is secured and authenticated in Phase 1, Phase 2 further secures the channel for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 together with the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
- Encapsulating Security Payload (ESP)—Encrypts the entire IP packet, authenticates its source, and verifies the integrity of the data. Although ESP normally both encrypts and authenticates the packet, you can choose to only authenticate (by setting the encryption option to Null) or to only encrypt; using encryption without authentication is discouraged.
- Authentication Header (AH)—Authenticates the source of the packet and verifies data integrity. AH doesn’t encrypt the data payload, so it is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer and data privacy isn’t required.
 | ESP | AH |
---|---|---|
Diffie-Hellman (DH) exchange options supported | | |
Encryption algorithms supported | (PAN-OS 10.1.0 and earlier releases) Data Encryption Standard (DES) with a security strength of 56 bits; Triple Data Encryption Standard (3DES) with a security strength of 112 bits; Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits; AES using CBC with a security strength of 192 bits; AES using CBC with a security strength of 256 bits; AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits; AES using Galois/Counter Mode (GCM) with a security strength of 128 bits; AES using GCM with a security strength of 256 bits | |
Authentication algorithms supported | | |
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec
configuration options include a Diffie-Hellman Group for key agreement, an
encryption algorithm, and a hash for message authentication.
- Manual Key—Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers. Manual keys aren’t recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.
- Auto Key—Auto Key allows you to generate keys automatically for setting up and maintaining the IPSec tunnel, based on the algorithms defined in the IPSec Crypto profile.
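As an added example (not Palo Alto Networks code), the following audit function turns the ESP/AH, encryption-strength and key-method guidance above into checks over a Phase 2 profile description. The dictionary layout, key names and the authentication algorithm name are assumptions for illustration, not the PAN-OS configuration schema.

```python
# Audits an IPSec Crypto (IKE Phase 2) profile description against this page's guidance.
# The profile dict layout and key names are assumed for illustration (not the PAN-OS schema).

# Security strength, in bits, of the ESP encryption algorithms listed in the table above.
STRENGTH_BITS = {
    "des": 56, "3des": 112,
    "aes-128-cbc": 128, "aes-192-cbc": 192, "aes-256-cbc": 256,
    "aes-128-ccm": 128, "aes-128-gcm": 128, "aes-256-gcm": 256,
}
# Authenticated-encryption modes: they provide integrity even without a separate hash.
AEAD = {"aes-128-ccm", "aes-128-gcm", "aes-256-gcm"}


def audit_phase2_profile(profile: dict, panos_version: str) -> list[str]:
    """Return a list of findings; an empty list means no concerns under this page's guidance."""
    findings = []
    version = tuple(int(part) for part in panos_version.split("."))
    proto = profile["protocol"]                    # "esp" or "ah"
    enc = profile.get("encryption", "null")        # "null" = authenticate only
    auth = profile.get("authentication", "none")   # "none" = no separate authentication algorithm

    if profile.get("key_method") == "manual":
        findings.append("manual keys: session keys can be compromised while relayed between peers; use Auto Key")
    if proto == "ah":
        if profile.get("needs_privacy"):
            findings.append("AH does not encrypt the payload; use ESP where data privacy matters")
        return findings
    if enc == "null" and auth == "none":
        findings.append("ESP with Null encryption and no authentication protects nothing")
    elif enc != "null" and auth == "none" and enc not in AEAD:
        findings.append("encryption without authentication is discouraged; add an authentication algorithm")
    if enc == "des" and version > (10, 1, 0):
        findings.append("DES is only offered on PAN-OS 10.1.0 and earlier releases")
    if 0 < STRENGTH_BITS.get(enc, 0) < 128:
        findings.append(f"{enc} gives only {STRENGTH_BITS[enc]} bits of security strength; prefer AES")
    return findings


# Constructed sample profiles ("sha256" is an assumed authentication algorithm name).
SAMPLE_PROFILES = {
    "legacy-peer": {"protocol": "esp", "encryption": "3des", "authentication": "sha256", "key_method": "manual"},
    "aead": {"protocol": "esp", "encryption": "aes-256-gcm", "authentication": "none", "key_method": "auto"},
}

if __name__ == "__main__":
    for name, prof in SAMPLE_PROFILES.items():
        print(name, audit_phase2_profile(prof, "11.0.0") or ["no findings"])
```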