topic Re: Consequences of replacing CBC encryption with GCM on IPSec and IKE profiles in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/consequences-of-replacing-cbc-encryption-with-gcm-on-ipsec-and/m-p/1236870#M6245 <P>Except for a little outage the moment you make the change on both sides, nothing would really change.</P> <P>&nbsp;</P> <P>I'd double check to make sure each (IKE + IPSec) profile is only used by the intended ike gateway/ipsec tunnel. If you're using the same profile for all your gateways and tunnels, start by creating a fresh one and assigning that to the gateways/tunnels you intend to switch over so you can take it step by step. in some cases the transition may be a little less smoothly if the remote end is a different vendor.</P> <P>&nbsp;</P> <P>remember to set authentication in the IKE profile to 'non-auth'</P> Thu, 28 Aug 2025 13:26:54 GMT reaper 2025-08-28T13:26:54Z Consequences of replacing CBC encryption with GCM on IPSec and IKE profiles https://live.paloaltonetworks.com/t5/next-generation-firewall/consequences-of-replacing-cbc-encryption-with-gcm-on-ipsec-and/m-p/1236780#M6242 <P>I am looking to replace all existing CBC encryption with GCM within IPSec/ IKE crypto but need to be certain that functionality will remain.</P> <P>&nbsp;</P> <P>What if any impact would this have on the existing profiles if changed?</P> <P>&nbsp;</P> <P>Unfortunately could not find a definitive answer on the forums/ elsewhere. Many thanks.</P> Wed, 27 Aug 2025 08:23:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/consequences-of-replacing-cbc-encryption-with-gcm-on-ipsec-and/m-p/1236780#M6242 J.Smith575107 2025-08-27T08:23:39Z Re: Consequences of replacing CBC encryption with GCM on IPSec and IKE profiles https://live.paloaltonetworks.com/t5/next-generation-firewall/consequences-of-replacing-cbc-encryption-with-gcm-on-ipsec-and/m-p/1236870#M6245 <P>Except for a little outage the moment you make the change on both sides, nothing would really change.</P> <P>&nbsp;</P> <P>I'd double check to make sure each (IKE + IPSec) profile is only used by the intended ike gateway/ipsec tunnel. If you're using the same profile for all your gateways and tunnels, start by creating a fresh one and assigning that to the gateways/tunnels you intend to switch over so you can take it step by step. in some cases the transition may be a little less smoothly if the remote end is a different vendor.</P> <P>&nbsp;</P> <P>remember to set authentication in the IKE profile to 'non-auth'</P> Thu, 28 Aug 2025 13:26:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/consequences-of-replacing-cbc-encryption-with-gcm-on-ipsec-and/m-p/1236870#M6245 reaper 2025-08-28T13:26:54Z