DES Support for Crypto Profiles
To provide backward compatibility with legacy devices that do not use stronger encryption methods, IKE gateways and IPSec tunnels on the firewall now support Data Encryption Standard (DES) as an encryption algorithm in crypto profiles for site-to-site VPN connections.
During tunnel negotiation, the firewall negotiates with the peer at the opposite end of the tunnel and uses the first encryption algorithm that both peers support based on the encryption list each peer has in its profile.
Palo Alto Networks does not recommend DES encryption; instead, we recommend using a stronger encryption algorithm, such as 3DES or Advanced Encryption Standard (AES) if the peer can support it. You should list the algorithms from strongest to weakest so that the firewall matches the strongest possible encryption algorithm first.
Configure DES only if the legacy devices in your network cannot support a stronger encryption type.
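The negotiation and ordering rules above can be checked offline before a profile is committed. The following Python sketch is an added example, not Palo Alto Networks code: it assumes a simplified model in which the local list order decides the match, and the algorithm labels, strength ranking, and sample profiles are assumptions constructed for illustration.

```python
# Added illustration: models the negotiation rule described above and audits
# a profile's encryption list. Algorithm labels and the strength ranking are
# assumptions for this example, not values read from a firewall.

# Higher number = stronger (assumed ranking used only for the audit).
STRENGTH = {
    "des": 1,
    "3des": 2,
    "aes-128-cbc": 3,
    "aes-192-cbc": 4,
    "aes-256-cbc": 5,
}


def negotiate(local_list, peer_list):
    """Return the first algorithm in local_list that the peer also supports,
    or None if the lists share nothing (negotiation fails)."""
    peer = set(peer_list)
    for alg in local_list:
        if alg in peer:
            return alg
    return None


def audit_profile(local_list):
    """Return a list of findings for an encryption list, in a fixed order."""
    findings = []
    unknown = [a for a in local_list if a not in STRENGTH]
    if unknown:
        findings.append("unknown algorithm(s): " + ", ".join(unknown))
    ranked = [a for a in local_list if a in STRENGTH]
    if "des" in ranked:
        findings.append("des is enabled: keep only for legacy peers")
    if ranked != sorted(ranked, key=lambda a: STRENGTH[a], reverse=True):
        findings.append("list is not ordered strongest to weakest")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles and peers.
    good = ["aes-256-cbc", "aes-128-cbc", "3des", "des"]
    bad = ["des", "aes-256-cbc"]  # des moved to the top of the list
    modern_peer = ["aes-256-cbc", "aes-128-cbc", "3des", "des"]
    legacy_peer = ["des"]
    for name, prof in (("good", good), ("bad", bad)):
        print(name, "vs modern peer ->", negotiate(prof, modern_peer))
        print(name, "vs legacy peer ->", negotiate(prof, legacy_peer))
        print(name, "findings:", audit_profile(prof))
```

With des at the top of the list, a peer that supports AES still ends up on DES; with des last, only a peer that offers nothing stronger falls back to it.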
Configure DES for an IKE Gateway and IPSec Tunnel Profile for Site-to-Site VPN
1. Configure DES for an IKE gateway.
   a. Select Network > Network Profiles > IKE Crypto and select a crypto profile.
   b. For Encryption, Add the des encryption option from the drop-down. After an upgrade to PAN-OS 7.1, both the DHE and ECDHE options are selected by default.
   c. (Not recommended) Move Up the des encryption type to the top of the list only if you want the firewall to negotiate DES over other, stronger encryption algorithms.
   d. Click OK.
   e. See Define Cryptographic Profiles to configure the remainder of the profile.
   f. See Step 7 of Set Up an IKE Gateway to apply the profile to an IKE gateway.
2. Configure DES for an IPSec tunnel. Perform one of the following tasks, depending on whether you want to configure DES using an IPSec tunnel profile or using a manual key:
   Configure DES Using an IPSec Tunnel Profile
   a. Select Network > Network Profiles > IPSec Crypto and select a crypto profile.
   b. For Encryption, Add the des encryption option from the drop-down. If there are other encryption types in the profile, select des and Move Up the selection to the top of the list.
   c. (Not recommended) Move Up the des type to the top of the list only if you want the firewall to negotiate DES over other, stronger encryption algorithms.
   d. Click OK.
   e. See Define IPSec Crypto Profiles to configure the remainder of the profile.
   f. See Step 4 in Set Up an IPSec Tunnel to apply the profile to an IPSec tunnel.
   Configure DES Using a Manual Key
   a. Select Network > IPSec Tunnels and select a tunnel.
   b. On the General tab, select Manual Key.
   c. For Encryption, select des.
   d. Click OK.
3. Save the configuration. Click Commit.
