IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing small networks because they don't require the support of a PKI infrastructure. Digital certificates can be more convenient for large networks or implementations that require strong authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway
peers and that the maximum length of certificates in the certificate chain is 5 or less.
With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to five
certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
- Diffie-Hellman (DH) group for generating symmetric keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is a secret key that both VPN tunnel peers share. The DH groups supported on the firewall are:

  | Group Number | Number of Bits |
  |---|---|
  | Group 1 (Not Recommended) | 768 bits |
  | Group 2 (Not Recommended) | 1,024 bits (default) |
  | Group 5 (Not Recommended) | 1,536 bits |
  | Group 14 | 2,048 bits |
  | Group 15 (PAN-OS 10.2.0 and later releases) | 3072-bit modular exponential group |
  | Group 16 (PAN-OS 10.2.0 and later releases) | 4096-bit modular exponential group |
  | Group 19 | 256-bit elliptic curve group |
  | Group 20 | 384-bit elliptic curve group |
  | Group 21 (PAN-OS 10.2.0 and later releases) | 521-bit random elliptic curve group |

- Authentication algorithms: sha1, sha256, sha384, sha512, or md5.
- Encryption algorithms: aes-256-gcm, aes-128-gcm, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
  - PAN-OS 10.0.3 and later releases support the aes-256-gcm and aes-128-gcm algorithms.
  - PAN-OS 10.1.0 and earlier releases support the des encryption algorithm.
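The options above are easy to get wrong in practice: the default DH group (group 2) is itself marked Not Recommended, and the GCM ciphers, des, and groups 15/16/21 are only offered on certain PAN-OS releases. The following is an added example, not Palo Alto Networks code, that audits a proposed IKE Crypto profile against the DH-group table and release notes given above. The profile dictionary layout, the function names, and the policy of treating md5, sha1, des and 3des as weak are assumptions of this example rather than statements from the documentation.

```python
# Added example (not Palo Alto Networks code): audit an IKE Crypto profile against
# the DH-group, authentication and encryption options listed above.  The profile
# layout, function names and the "weak" policy for md5/sha1/des/3des are assumptions.

# DH groups from the table above: group -> (bit length, recommended?, minimum PAN-OS release or None)
DH_GROUPS = {
    1: (768, False, None),
    2: (1024, False, None),          # the default, yet marked Not Recommended
    5: (1536, False, None),
    14: (2048, True, None),
    15: (3072, True, (10, 2, 0)),
    16: (4096, True, (10, 2, 0)),
    19: (256, True, None),           # elliptic-curve groups: bits are the curve size
    20: (384, True, None),
    21: (521, True, (10, 2, 0)),
}

AUTH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
ENC_ALGS = {"aes-256-gcm", "aes-128-gcm", "3des", "aes-128-cbc",
            "aes-192-cbc", "aes-256-cbc", "des"}

# Release gating stated above
GCM_MIN_RELEASE = (10, 0, 3)   # aes-*-gcm need 10.0.3 or later
DES_MAX_RELEASE = (10, 1, 0)   # des is only offered on 10.1.0 and earlier

# Auditor's own policy (assumption, not from the page): flag broken or short-key primitives
WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}


def parse_release(text):
    """'10.2.0' -> (10, 2, 0) so releases compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def fmt_release(rel):
    return ".".join(str(p) for p in rel)


def audit_ike_crypto_profile(profile, panos_release):
    """Return a list of findings; an empty list means the profile is clean.

    profile = {"dh_groups": [14], "authentication": ["sha256"], "encryption": ["aes-256-gcm"]}
    """
    release = parse_release(panos_release)
    findings = []

    for group in profile.get("dh_groups", []):
        if group not in DH_GROUPS:
            findings.append(f"group{group}: not a DH group offered by the firewall")
            continue
        bits, recommended, min_release = DH_GROUPS[group]
        if not recommended:
            findings.append(f"group{group} ({bits}-bit): marked Not Recommended")
        if min_release and release < min_release:
            findings.append(f"group{group}: requires PAN-OS {fmt_release(min_release)} or later "
                            f"(running {panos_release})")

    for alg in profile.get("authentication", []):
        if alg not in AUTH_ALGS:
            findings.append(f"{alg}: not a supported authentication algorithm")
        elif alg in WEAK_AUTH:
            findings.append(f"{alg}: weak authentication algorithm (policy)")

    for alg in profile.get("encryption", []):
        if alg not in ENC_ALGS:
            findings.append(f"{alg}: not a supported encryption algorithm")
            continue
        if alg.endswith("-gcm") and release < GCM_MIN_RELEASE:
            findings.append(f"{alg}: requires PAN-OS {fmt_release(GCM_MIN_RELEASE)} or later "
                            f"(running {panos_release})")
        if alg == "des" and release > DES_MAX_RELEASE:
            findings.append(f"des: not offered after PAN-OS {fmt_release(DES_MAX_RELEASE)}")
        if alg in WEAK_ENC:
            findings.append(f"{alg}: weak encryption algorithm (policy)")

    return findings


if __name__ == "__main__":
    # Constructed sample profiles: a legacy one and a modern one, audited on PAN-OS 10.0.0
    legacy = {"dh_groups": [2, 5], "authentication": ["sha1"], "encryption": ["3des", "aes-128-gcm"]}
    modern = {"dh_groups": [14, 20], "authentication": ["sha256"], "encryption": ["aes-256-gcm"]}
    for name, prof in (("legacy", legacy), ("modern", modern)):
        print(name, audit_ike_crypto_profile(prof, "10.0.0") or "clean")
```

Run against the constructed legacy profile on 10.0.0, the audit reports the two Not Recommended groups, the weak hash and cipher, and that aes-128-gcm is not available before 10.0.3; the modern profile comes back clean. Both peers must still agree on at least one common proposal, so run the same check on each side's profile before committing.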