Next-Generation Firewall
Configure an IPSec Tunnel
Configure an IPSec tunnel to authenticate and/or encrypt data as it traverses a
tunnel.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
The IPSec tunnel configuration allows you to authenticate, encrypt, or both authenticate and encrypt IP packets as they traverse the tunnel.
After you configure the tunnel, view the tunnel status to check whether valid IKE and IPSec SAs have been established and whether the IPSec tunnel is available to pass traffic.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select the Configuration Scope where you want to create the IPSec tunnel. You can select a folder or firewall from your Folders, or select Snippets to configure the IPSec tunnel in a snippet.
- Add IPSec Tunnel.
- Configure the IPSec tunnel.
- Enter a descriptive Name.
- Select the Tunnel Interface you configured in the previous step.
- (Optional) Enable Tunnel Monitoring. A predefined tunnel monitoring profile is associated and pushed to all managed firewalls when you configure an IPSec tunnel. The defaults are:
- Action—Default is Wait Recover. The firewall waits for the tunnel to recover and continues to use the tunnel interface in routing decisions as if the tunnel were still active.
- Interval (sec)—Default is 3 seconds. Specifies the time (in seconds) between heartbeats.
- Threshold—Default is 5. Specifies the number of heartbeats the firewall waits before taking the default action.
- Enable tunnel monitoring for the IPSec tunnel.
- Enter the Destination IP to which the ICMP probe is sent.
- Add Proxy IDs to identify the VPN peers. This step is required if the VPN peer uses a policy-based VPN.
- Configure and enable the IPSec tunnel Advanced Settings.
- IPSec Crypto Profile—Ciphers used for authentication and encryption between IKE peers and the lifetime of the key. You can select a predefined IPSec Crypto profile or Create New.
- Anti Replay—A subprotocol of IPSec, specified in Internet Engineering Task Force (IETF) Request for Comments (RFC) 6479, that prevents an attacker from injecting packets or modifying packets that travel from a source to a destination. It uses a unidirectional security association to establish a secure connection between two nodes in the network.
- Copy ToS—Copies the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information. If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order.
- Enable GRE Encapsulation—Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic.
- Configure the IPSec tunnel IKE Gateway.
- Select the IKE Interface to act as the local gateway endpoint.
- Enter the Local IP Address. Specify the exact IP address if the IKE interface has multiple IP addresses.
- Select the Peer IP Address Type.
- Static—Enter a Peer Address that is a static IPv4 address, or select an address object.
- FQDN—Enter a Peer Address that is an FQDN string, or an address object that uses an FQDN string.
- Dynamic—Select this type if the peer IP address or FQDN is unknown, then select the Authentication method.
- Pre-shared key—Enter the Pre-Shared Key string and Confirm Pre-Shared Key.
- Certificate—Select the Local Certificate and Certificate Profile to specify how to authenticate the peer gateway.
- Select the type of Local Identification and define the identification format used to distinguish and identify the local gateway. The local IP address of the firewall is used if no local identification is defined.
- Select the type of Peer Identification and define the identification format used to distinguish and identify the peer gateway. The IP address of the peer gateway is used if no peer identification is defined.
- Enable IKE Passive Mode to specify that the firewall only responds to IKE connection requests and never initiates them.
- (Optional) Keep NAT Traversal enabled to allow IPSec VPN connections to stay open when traffic goes through a gateway or devices that use NAT. Enabled by default. When an IP packet passes through a NAT device, it is changed and is no longer compatible with IPSec. Enable NAT traversal to protect the original IPSec-encoded packet by encapsulating it with an additional layer of UDP and IP headers.
- Configure the IKE Gateway Advanced Settings.
- Select the IKE Protocol Version to specify the negotiation method the IKE gateway initiates with its peer (IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode).
- Select the IKEv1 Crypto Profile and IKEv2 Crypto Profile. Whether you can configure one or both IKE Crypto profiles depends on the IKE Protocol Version you selected. Select a predefined crypto profile or Create New.
- Save.
- Push Config to push your configuration changes.
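The Anti Replay setting in the advanced settings above relies on the ESP sequence-number sliding window that RFC 6479 optimizes. The following Python is an added illustration of that window written for this page, not PAN-OS or Strata Cloud Manager code; the 64-packet window and the packet sequence numbers are constructed, and the firewall's actual window size is not stated on this page.

```python
# Sliding-window anti-replay check for ESP sequence numbers, in the style of
# RFC 4303 Appendix A (RFC 6479 optimizes the same idea with a block bitmap).
# Illustrative code for this page; window_size is an assumed value.

class AntiReplayWindow:
    """Tracks which sequence numbers have been accepted on one inbound SA."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay
        or is older than the window (and therefore undecidable)."""
        if seq == 0:
            return False   # ESP sequence numbers start at 1
        if seq > self.highest:
            # New high-water mark: slide the window to the right.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1          # everything earlier falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False   # too old to track: reject rather than risk a replay
        if self.bitmap & (1 << offset):
            return False   # already accepted once: replayed packet
        self.bitmap |= 1 << offset   # late but genuine packet: accept and record
        return True


def replay_check(seqs, window_size=64):
    """Run a constructed sequence of ESP sequence numbers through one window
    and return the accept/reject decision for each packet."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: a replayed packet (2), a late packet (4), a jump (100),
    # and a packet that has fallen out of the window (36).
    print(replay_check([1, 2, 3, 2, 5, 4, 100, 40, 36, 37]))
```

Reordered packets inside the window (such as 4 arriving after 5) are still accepted, which is why the Copy ToS note above matters: reordering that exceeds the window size turns genuine packets into rejects.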