You can set up an IPSec tunnel in transport mode to encrypt control traffic or
point-to-point traffic between your firewall and the tunnel endpoint.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | No license required; PAN-OS 11.0 and Later |
Transport mode is new beginning with the PAN-OS 11.0.0 release and supports:
- IPv4 address only.
- Encapsulating Security Payload (ESP) protocol only.
- IKEv2 only.
- DH-group 20 for Diffie-Hellman (DH) group and PFS.
- Only AES with 256-bit keys in GCM mode.
- (PAN-OS 11.1.5 and later 11.1 versions) Proxy ID settings (using CLI commands) for IPSec negotiation.
You can choose the IPSec mode based on your networking requirements:
- If you want to encrypt the management plane protocol (such as BGP) packets exchanged between your next-generation firewall and the tunnel endpoint, then you must configure IPSec transport mode. Transport mode enables you to encrypt the control traffic (such as routing protocol and signaling messages) with the most robust protocol. With transport mode, you can encrypt the point-to-point traffic belonging to the firewall's IP address.
- If you want to encrypt the dataplane traffic exchanged between your
next-generation firewall and the tunnel endpoint, then you must configure IPSec
tunnel mode.
Important points to remember before enabling the transport mode:
- You can't select transport mode when NAT-T is enabled.
- You can't configure an IKE gateway on a loopback interface to an IPSec tunnel
with transport mode.
- You can use transport mode only with an auto-key exchange.
- If you configure an IKE gateway without an IPSec tunnel, by default IKE
negotiates a tunnel mode child security association (SA).
- In IPSec transport mode without GRE encapsulation, don't route the user traffic
through the associated tunnel interface. Configure the control protocols (like
BGP peering sessions) on a physical interface (for example, ethernet1/1) instead
of a tunnel interface. While IPSec tunnel mode for BGP routes works with the
tunnel interface, IPSec transport mode for BGP routes works with the physical
interface only.
- By default, the IPSec tunnel operates in Tunnel mode.
- You should enable Add GRE Encapsulation in Transport mode to encapsulate multicast packets.
Because PAN-OS 10.2 and earlier versions don’t support transport mode, any downgrades
to the previous versions will result in compatibility issues. Before downgrade, you
must manually remove any transport mode tunnels or switch to tunnel mode. Otherwise,
the downgrade will result in a failure.
To establish an IPSec tunnel successfully, both IKE and IPSec negotiations should be
successful:
- The IKE negotiation will be successful only when both VPN peers exchange
compatible IKE parameters.
- The IKE Phase 2 (IPSec) negotiation will be successful only when both VPN peers
exchange compatible IPSec parameters.
Set Up an IPSec Tunnel (Transport Mode) (PAN-OS 11.0 and Later)
Step-by-step procedure to configure an IPSec tunnel in transport mode.
- Select and then Add a new tunnel configuration.
- On the General tab, enter a Name for the tunnel.
- Select the Tunnel interface on which to set up the IPSec tunnel. To create a new tunnel interface:
  - Select . (You can also select and click Add.)
  - In the Interface Name field, specify a numeric suffix, such as .2.
  - On the Config tab, select the Security Zone list to define the zone as follows:
    - Use your trust zone as the termination point for the tunnel—Select the zone. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
    - Or: Create a separate zone for VPN tunnel termination (Recommended)—Select New Zone, define a Name for the new zone (for example vpn-corp), and click OK.
  - For Virtual Router, select default.
  - (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32.
    When you configure transport mode without GRE Encapsulation, PAN-OS ignores any tunnel interface IP address configured on the tunnel interface. Hence, you don't need to configure an IP address for the tunnel interface (even if you enable the tunnel monitoring option). When you configure transport mode with GRE Encapsulation, PAN-OS uses the tunnel interface IP address for the GRE header. Therefore, you can use this method for dynamic and multicast routing (OSPF, BGP, and PIM).
  - Click OK.
- Set up key exchange. On the General tab, configure Auto Key exchange:
  - Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
  - (Optional) Select the default IPSec Crypto profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.
You can use transport mode only with an auto-key exchange.
- Protect against a replay attack.
Anti-replay is a sub-protocol of IPSec and is part of Internet Engineering Task Force (IETF) Request for Comments (RFC) 6479. The anti-replay protocol is used to prevent attackers from injecting packets, or making changes in packets, that travel from a source to a destination, and it uses a unidirectional security association to establish a secure connection between two nodes in the network.
After a secure connection is established, the anti-replay protocol uses
packet sequence numbers to defeat replay attacks. When the source sends a
message, it adds a sequence number to its packet; the sequence number starts
at 0 and is incremented by 1 for each subsequent packet. The destination
maintains the sequence of numbers in a sliding window format,
maintains a record of the sequence numbers of validated received packets,
and rejects all packets that have a sequence number that is lower than the
lowest in the sliding window (packets that are too old) or packets that
already appear in the sliding window (duplicate or replayed packets).
Accepted packets, after they’re validated, update the sliding window,
displacing the lowest sequence number out of the window if it was already
full.
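The sliding-window check described above, as an added example that is not part of the PAN-OS documentation: a simplified bitmap window in the style of RFC 4303 and RFC 6479, written in Python, offering the same window sizes PAN-OS does (64 through 4096). Real ESP uses 32-bit sequence numbers (or 64-bit extended sequence numbers) and an ICV check before the window is updated; this version models only the window itself.

```python
class AntiReplayWindow:
    """Simplified ESP anti-replay sliding window (RFC 4303 / RFC 6479 style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been seen.
    """

    # Window sizes selectable in the PAN-OS Anti Replay Window setting.
    VALID_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)

    def __init__(self, window_size=1024):
        if window_size not in self.VALID_SIZES:
            raise ValueError(f"window size must be one of {self.VALID_SIZES}")
        self.size = window_size
        self.top = None      # no packet received yet on this SA
        self.bitmap = 0

    def check(self, seq):
        """Return 'accept', 'duplicate' or 'too_old'; an accepted packet is
        recorded, so call once per packet after its integrity check passes."""
        if self.top is None:                 # first packet on this SA
            self.top, self.bitmap = seq, 1
            return "accept"
        if seq > self.top:                   # newer than anything seen: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1      # bits shifted past `size` fall out
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq              # distance behind the window's top edge
        if offset >= self.size:
            return "too_old"                 # below the lowest number in the window
        if self.bitmap & (1 << offset):
            return "duplicate"               # already in the window: replayed packet
        self.bitmap |= 1 << offset           # late but new: fill the gap
        return "accept"


def replay_check_trace(seqs, window_size=64):
    """Run a constructed sequence of packets through one SA's window."""
    win = AntiReplayWindow(window_size)
    return [(seq, win.check(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed trace: reordering (5 before 3 and 4), a replayed 3, a jump to 70,
    # then 6 (fallen out of a 64-wide window) and 7 (still inside it).
    for seq, verdict in replay_check_trace([0, 1, 2, 5, 3, 3, 4, 70, 6, 7], 64):
        print(seq, verdict)
```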
- On the General tab, select Show Advanced Options and select Enable Replay Protection to detect and neutralize replay attacks.
- Select the Anti Replay Window to use. You can select an anti-replay window size of 64, 128, 256, 512, 1024, 2048, or 4096. The default is 1024.
- (Optional) Preserve the Type of Service header for the priority or treatment of IP packets.
  - In the Show Advanced Options section, select Copy TOS Header. This copies the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original ToS information.
In transport mode, the IP header before encapsulation is called the "inner,"
and the IP header after encapsulation is called the "outer". When you enable
GRE Encapsulation, ToS is copied first to the GRE header, and then to the
ESP header.
If there are multiple sessions inside the tunnel (each with a different
ToS value), copying the ToS header can cause the IPSec packets to arrive
out of order.
- In the Show Advanced Options section, select the IPSec Mode as Transport to establish an IPSec tunnel in transport mode.
- (Optional) Select Add GRE Encapsulation to enable GRE over IPSec.
Add GRE encapsulation in cases where the remote endpoint requires traffic to
be encapsulated within a GRE tunnel before IPSec encrypts the traffic. For
example, some implementations require multicast traffic to be encapsulated
before IPSec encrypts it. Add GRE Encapsulation when the GRE packet
encapsulated in IPSec has the same source IP address and destination IP
address as the encapsulating IPSec tunnel.
As IPSec transport mode reuses the packet's IP header, it can't encapsulate multicast packets such as OSPF packets. To encapsulate multicast packets, enable the GRE Encapsulation option of the IPSec tunnel to first convert the packet to a unicast GRE packet (the IP address of the tunnel interface will be used). Using a separate GRE tunnel to encapsulate the packet first and then forwarding it to the transport mode tunnel won't work, because IPSec transport mode doesn't support double encapsulation. The GRE Encapsulation option works because PAN-OS treats that as a single encapsulation.
- Enable Tunnel Monitoring.
Tunnel monitoring in transport mode automatically uses the IP address of the physical interface (gateway interface IP), ignoring tunnel interface IP addresses. Therefore, it isn't necessary to assign an IP address to the tunnel interface.
To alert the device administrator to tunnel failures and to provide an automatic failover to another tunnel interface:
- Select Tunnel Monitor.
- Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.