Configure an IPSec Tunnel
Configure an IPSec tunnel to authenticate and/or encrypt data as it traverses a tunnel.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
What Do I Need?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
  • Prisma Access license
The IPSec tunnel configuration allows you to authenticate, encrypt, or both authenticate and encrypt IP packets as they traverse the tunnel.
View the tunnel status to check whether valid IKE and IPSec SAs have been established and whether the IPSec tunnel is available for passing traffic.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select the Configuration Scope where you want to create the IPSec tunnel.
    You can select a folder or firewall from your Folders or select Snippets to configure the IPSec tunnel in a snippet.
  3. Add IPSec Tunnel.
  4. Configure the IPSec tunnel.
    1. Enter a descriptive Name.
    2. Select the Tunnel Interface you configured in the previous step.
    3. (Optional) Enable Tunnel Monitoring.
      A predefined tunnel monitoring profile is associated and pushed to all managed firewalls when you configure an IPSec tunnel. The defaults are:
      • Action—Default is Wait Recover. The firewall waits for the tunnel to recover and continues to use the tunnel interface in routing decisions as if the tunnel were still active.
      • Interval (sec)—Default is 3 seconds. Specifies the time (in seconds) between heartbeats.
      • Threshold—Default is 5. Specifies the number of heartbeats the firewall waits for before taking the specified action.
      1. Enable tunnel monitoring for the IPSec tunnel.
      2. Enter the Destination IP to which the firewall sends the ICMP probe.
    4. Add Proxy IDs to identify the VPN peers.
      This step is required if the VPN peer uses a policy-based VPN.
    5. Configure and enable the IPSec tunnel Advanced Settings.
      • IPSec Crypto Profile—Ciphers used for authentication and encryption between IKE peers, and the lifetime of the key. You can select a predefined IPSec Crypto profile or Create New.
      • Anti Replay—A subprotocol of IPSec, described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 6479, used to prevent an attacker from injecting replayed or altered packets into the traffic that travels from a source to a destination. It uses a unidirectional security association to establish a secure connection between two nodes in the network.
      • Copy ToS—Copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets to preserve the original TOS information.
        If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.
      • Enable GRE Encapsulation—Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic.
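Proxy IDs (step 4.4) only work with a policy-based peer when each side's proxy ID is the mirror image of the other's: our local subnet must be the peer's remote subnet, our remote subnet must be the peer's local subnet, and the protocol must agree. The following is an added example, not Palo Alto Networks code, that performs that mirror check offline; the `ProxyID` class, the function names and the sample subnets are assumptions constructed for the example. Its typical use is to explain the "phase 1 is up but phase 2 never establishes" symptom before touching the firewall.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyID:
    """One proxy ID (an IKE phase-2 traffic selector) as seen from one side.

    Hypothetical structure for this example; the firewall's own fields are
    set in the IPSec Tunnel configuration, not through this class.
    """
    local: str               # local subnet in CIDR form, e.g. "10.1.0.0/24"
    remote: str              # remote subnet in CIDR form
    protocol: str = "any"    # "any", "tcp", "udp", or a protocol number as a string


def _net(cidr: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    # strict=False accepts host bits being set (e.g. "10.1.0.5/24") and normalises them
    return ipaddress.ip_network(cidr, strict=False)


def mirrors(ours: ProxyID, theirs: ProxyID) -> bool:
    """True when the peer's proxy ID is the exact mirror of ours.

    Mirror means: their remote == our local, their local == our remote,
    same protocol. A subnet that merely overlaps is NOT a match; policy-based
    peers compare selectors exactly, which is why a mask typo breaks phase 2.
    """
    return (
        _net(ours.local) == _net(theirs.remote)
        and _net(ours.remote) == _net(theirs.local)
        and ours.protocol.lower() == theirs.protocol.lower()
    )


def unmatched_proxy_ids(ours: list[ProxyID], theirs: list[ProxyID]) -> list[ProxyID]:
    """Return our proxy IDs that no proxy ID on the peer side mirrors.

    An empty list means every phase-2 SA we will propose has a matching
    selector on the peer; a non-empty list names the SAs that will fail.
    """
    return [p for p in ours if not any(mirrors(p, q) for q in theirs)]


# Constructed sample: our two proxy IDs and what the peer administrator configured.
# The peer's second entry has a /25 mask instead of /24, a typical mismatch.
OUR_PROXY_IDS = [
    ProxyID("10.1.0.0/24", "192.168.50.0/24"),
    ProxyID("10.2.0.0/24", "192.168.50.0/24", "tcp"),
]
PEER_PROXY_IDS = [
    ProxyID("192.168.50.0/24", "10.1.0.0/24"),
    ProxyID("192.168.50.0/24", "10.2.0.0/25", "tcp"),
]

if __name__ == "__main__":
    for p in unmatched_proxy_ids(OUR_PROXY_IDS, PEER_PROXY_IDS):
        print(f"no mirror on peer for local={p.local} remote={p.remote} proto={p.protocol}")
```

The comparison uses `ipaddress` so that `10.1.0.5/24` and `10.1.0.0/24` compare equal, while `/24` and `/25` do not; that is the distinction a policy-based peer enforces.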
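The Anti Replay setting in the Advanced Settings above makes the receiver track ESP sequence numbers in a sliding window and drop any packet whose number has already been seen or has fallen behind the window. The following is an added example, not PAN-OS code, showing the standard bitmap form of that window so the accept/reject decisions are visible; RFC 6479 describes a block-based variant of the same window that avoids bit shifting, which this example does not reproduce. The window size and the sequence numbers fed to it are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding-window replay check over ESP sequence numbers (receiver side).

    Bit 0 of the bitmap stands for the highest sequence number seen so far
    (last_seq); bit d stands for last_seq - d. The window covers last_seq
    down to last_seq - window_size + 1.
    """

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("window must be at least 32 packets")
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.last_seq = 0      # ESP sequence numbers start at 1, so 0 is never valid
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq == 0:
            return False                           # reserved, never a legitimate packet
        if seq > self.last_seq:
            # Packet is ahead of the window: slide the window forward to it.
            shift = seq - self.last_seq
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1                    # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_size:
            return False                           # too old: behind the window
        if self.bitmap & (1 << diff):
            return False                           # already received: replay
        self.bitmap |= 1 << diff                   # late but unseen: accept once
        return True


def replay_filter(seqs: list[int], window_size: int = 64) -> list[bool]:
    """Run a constructed stream of sequence numbers through one window."""
    window = AntiReplayWindow(window_size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, a duplicate, a jump, a late arrival,
    # one packet just outside the window and one just inside it.
    stream = [1, 2, 2, 100, 50, 36, 37, 0]
    for s, ok in zip(stream, replay_filter(stream)):
        print(f"seq {s:>3}: {'accept' if ok else 'drop'}")
```

Two things the decisions above show: a late packet is accepted as long as it still falls inside the window, so a larger window tolerates more reordering (the Copy ToS caveat earlier on this page is exactly the reordering that can push packets out of it), and a duplicate is dropped even when it arrives inside the window, which is the protection the setting exists for.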
  5. Configure the IPSec tunnel IKE Gateway.
    1. Select the IKE Interface to act as the local gateway endpoint.
    2. Enter the Local IP Address.
      Specify the exact IP address if the IKE interface has multiple IP addresses.
    3. Select the Peer IP Address Type.
      • Static—Enter a Peer Address that is a static IPv4 address or select an address object.
      • FQDN—Enter a Peer Address that is an FQDN string or an address object that uses an FQDN string.
      • Dynamic—Select the Authentication method if the peer IP address or FQDN is unknown.
        • Pre-shared key—Enter the Pre-Shared Key string and Confirm Pre-Shared Key.
        • Certificate—Select the Local Certificate and Certificate Profile to specify how to authenticate the peer gateway.
    4. Select the type of Local Identification and define the identification format used to distinguish and identify the local gateway.
      The local IP address of the firewall is used if no local identification is defined.
    5. Select the type of Peer Identification and define the identification format used to distinguish and identify the peer gateway.
      The IP address of the peer gateway is used if no peer identification is defined.
    6. Enable IKE Passive Mode to specify that the firewall only responds to IKE connection requests and never initiates them.
    7. (Optional) Keep NAT Traversal enabled to allow IPSec VPN connections to stay open when traffic passes through gateways or devices that use NAT.
      Enabled by default. When an IP packet passes through a NAT device, it is modified and is no longer compatible with IPSec. NAT traversal protects the original IPSec-encoded packet by encapsulating it in an additional layer of UDP and IP headers.
    8. Configure the IKE Gateway Advanced Settings.
      1. Select the IKE Protocol Version to specify the negotiation method the IKE gateway initiates with its peer (IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode).
      2. Select the IKEv1 Crypto Profile and IKEv2 Crypto Profile. Whether you can configure one or both IKE Crypto profiles depends on the IKE Protocol Version you selected.
        Select a predefined crypto profile or Create New.
  6. Save.
  7. Push Config to push your configuration changes.
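With NAT Traversal enabled (step 5.7), both the IKE negotiation and the ESP traffic travel inside UDP on port 4500, where a four-byte zero "non-ESP marker" tells the receiver whether a datagram carries IKE or ESP, and a one-byte keepalive holds the NAT mapping open (RFC 3948). The following is an added example, not Palo Alto Networks code, that classifies the payload of a UDP/4500 datagram and extracts the fields worth logging (ESP SPI and sequence number, IKE SPIs, version and exchange type); it is the kind of parser a defender writes to confirm on a packet capture that a tunnel really is using NAT-T. The sample datagrams are constructed inline, and the function name is an assumption for this example.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: leading zeros mean "IKE, not ESP"
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: single 0xFF byte keeps the NAT binding alive
IKE_HEADER_LEN = 28                     # RFC 7296 fixed header length
ESP_HEADER_LEN = 8                      # SPI (4) + sequence number (4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a NAT-T (UDP/4500) datagram.

    The 'kind' key is one of 'keepalive', 'ike', 'esp' or 'malformed'. The
    ESP/IKE distinction works because ESP never uses SPI 0 (RFC 4303 reserves
    it), so four leading zero bytes can only be the non-ESP marker.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}

    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN]
        )
        return {
            "kind": "ike",
            "initiator_spi": spi_i,
            "responder_spi": spi_r,
            "version": f"{version >> 4}.{version & 0x0F}",   # 0x20 -> "2.0"
            "exchange_type": exch,                           # 34 = IKE_SA_INIT in IKEv2
            "initiator": bool(flags & 0x08),                 # I flag: sent by the initiator
            "message_id": msg_id,
            "length_ok": length == len(ike),                 # header length must match the datagram
        }

    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "ESP header truncated"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    # Everything after the 8-byte header is encrypted; only SPI and sequence are visible.
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample datagrams (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII",
    0x1122334455667788,   # initiator SPI
    0,                    # responder SPI is zero in the first IKE_SA_INIT message
    33,                   # next payload: SA
    0x20,                 # IKE version 2.0
    34,                   # exchange type: IKE_SA_INIT
    0x08,                 # flags: initiator
    0,                    # message ID
    IKE_HEADER_LEN,       # length: header only in this constructed sample
)

if __name__ == "__main__":
    for name, datagram in (("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE), ("keepalive", NAT_KEEPALIVE)):
        print(name, classify_nat_t_payload(datagram))
```

The `length_ok` field is the cheap sanity check to keep: an IKE header whose declared length disagrees with the datagram is either a truncation or something that is not IKE at all, and either way it should not be counted as a healthy negotiation.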