Commit error "aesgcm should choose hash value NON-AUTH" or "kmp_hash_alg NON-AUTH is not supported"

65783
Created On 01/29/22 01:37 AM - Last Modified 08/24/22 01:50 AM


Symptom


  • Commit fails on a Palo Alto Networks firewall or Prisma Access with the error "aesgcm should choose hash value NON-AUTH" or "kmp_hash_alg NON-AUTH is not supported".
  • The commit failure is specific to the IKE crypto profile configuration of IPsec tunnels.
  • This can happen for both IKEv1 and IKEv2 type tunnels.
  • The following errors are observed for an IKEv1 tunnel:
IKE gateway site_1 ikev1 section, kmp_enc_alg AES128-GCM16 is not supported
(Module: ikemgr)
IKE gateway site_1 ikev1 section, kmp_hash_alg NON-AUTH is not supported
(Module: ikemgr)
  • The following error is observed for an IKEv2 tunnel:
IKE gateway site_1 ikev2 section, aesgcm should choose  hash value NON-AUTH
(Module: ikemgr)



Environment


  • Palo Alto Networks firewall with an IPsec tunnel
  • PAN-OS 10.0.0 and above
  • Prisma Access for remote networks
  • Prisma Access service connections


Cause


  • The errors result from an invalid IKE crypto profile configuration.
  • AES-GCM was introduced in the PAN-OS 10.0 release for IKEv2 gateways/tunnels only.
  • If AES-GCM is used with IKEv1, the commit will fail.
  • With IKEv2 as well, the configuration requires the authentication to be set to None when the encryption is set to an AES-GCM type.
More details about supported crypto types can be found in the document below.

Define IKE Crypto Profiles



Resolution


  1. If using an IKEv1 crypto profile, do not use AES-GCM as the encryption; it is not supported.
  2. If using an IKEv2 crypto profile with AES-GCM encryption, the authentication must be set to None.
  3. The hash is then selected automatically based on the DH group chosen. Details are in the document linked above.
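A pre-commit check that encodes the two rules above, as an added example rather than Palo Alto Networks code: it flags AES-GCM under IKEv1 and AES-GCM combined with any hash other than None under IKEv2, reproducing the article's error messages. The per-gateway dict layout, the helper names and the sample gateways are assumptions constructed for this example, not an export format of PAN-OS.

```python
"""Lint IKE crypto profiles for the AES-GCM rules described in this article.

Hypothetical profile layout (an assumption, not a PAN-OS format):
{"ike_version": "ikev1"|"ikev2", "encryption": [...], "hash": [...]}
"""
from typing import Dict, List


def is_gcm(alg: str) -> bool:
    """True for any AES-GCM cipher name (e.g. 'aes-128-gcm', 'AES128-GCM16')."""
    return "gcm" in alg.lower()


def is_non_auth(h: str) -> bool:
    """True when the authentication is None (rendered NON-AUTH by the firewall)."""
    return h.lower().replace("_", "-") in ("none", "non-auth")


def check_ike_profile(gateway: str, profile: Dict[str, object]) -> List[str]:
    """Return the commit errors the article describes for one IKE gateway."""
    version = str(profile["ike_version"]).lower()
    encs = [str(e) for e in profile["encryption"]]
    hashes = [str(h) for h in profile["hash"]]
    gcm = [e for e in encs if is_gcm(e)]
    errors: List[str] = []
    if version == "ikev1":
        # AES-GCM (and the NON-AUTH hash that goes with it) only exist for IKEv2
        for e in gcm:
            errors.append(f"IKE gateway {gateway} ikev1 section, kmp_enc_alg {e} is not supported")
        for h in hashes:
            if is_non_auth(h):
                errors.append(f"IKE gateway {gateway} ikev1 section, kmp_hash_alg {h} is not supported")
    elif version == "ikev2" and gcm:
        # AES-GCM is an AEAD cipher: any explicit integrity hash is rejected
        if any(not is_non_auth(h) for h in hashes):
            errors.append(f"IKE gateway {gateway} ikev2 section, aesgcm should choose hash value NON-AUTH")
    return errors


def lint_gateways(gateways: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Run the check over every gateway; an empty list means it would commit."""
    return {gw: check_ike_profile(gw, p) for gw, p in gateways.items()}


# Constructed sample gateways: two invalid profiles and two valid ones.
SAMPLE = {
    "site_1": {"ike_version": "ikev1", "encryption": ["AES128-GCM16"], "hash": ["NON-AUTH"]},
    "site_2": {"ike_version": "ikev2", "encryption": ["aes-256-gcm"], "hash": ["sha256"]},
    "site_3": {"ike_version": "ikev2", "encryption": ["aes-256-gcm"], "hash": ["none"]},
    "site_4": {"ike_version": "ikev1", "encryption": ["aes-256-cbc"], "hash": ["sha1"]},
}

if __name__ == "__main__":
    for gw, errs in lint_gateways(SAMPLE).items():
        print(gw, "OK" if not errs else "\n  ".join([""] + errs))
```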


Additional Information


Some caveats to note:
  • If a firewall running PAN-OS 9.1 is managed by a Panorama running 10.0 and the configuration worked until the firewall was also upgraded to 10.0, this behaviour is expected: AES-GCM was added as a new feature in the 10.0 release, so the 9.1 firewall simply ignored that encryption and selected aes-cbc-256 instead.
  • To use the strongest available encryption and hash, use DH group 20, which causes the IKE gateway to use sha384.

