Next-Generation Firewall
Configure an IPSec Tunnel
Configure an IPSec tunnel to authenticate and/or encrypt data as it traverses a tunnel.

Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This? | What Do I Need?
---|---
 | One of these:
The IPSec tunnel configuration authenticates and encrypts IP packets as they traverse the tunnel. After you push the configuration, view the tunnel status to check whether valid IKE and IPSec SAs have been established and whether the IPSec tunnel is available for passing traffic. An IKE SA that is up while the IPSec SA is missing usually means the two peers agreed on phase 1 but disagreed on the proxy IDs or the IPSec crypto profile; on the firewall CLI, show vpn ike-sa and show vpn ipsec-sa show the same SA state.
1. Log in to Strata Cloud Manager.
2. Configure a tunnel interface to be used in the IPSec tunnel configuration.
3. Configure the Layer 3 interface to be used in the IKE gateway configuration (as the local IKE endpoint).
4. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select the Configuration Scope where you want to create the IPSec tunnel. You can select a folder or firewall from your Folders, or select Snippets to configure the IPSec tunnel in a snippet.
5. Add IPSec Tunnel.
6. Configure the IPSec tunnel.
   - Enter a descriptive Name.
   - Select the Tunnel Interface you configured in step 2.
   - Select the Address Type (IPv4 or IPv6) for the IPSec tunnel based on your network's addressing scheme. It must match the address family the peer expects for the tunnel.
   - (Optional) Enable Tunnel Monitoring and enter the Destination IP to which the firewall sends ICMP probes through the tunnel. Pick an address on the far side of the tunnel that reliably answers ICMP; if the probe target itself is down, the tunnel is reported as failed even though the SAs are fine.
     A predefined tunnel monitoring profile is associated and pushed to all managed firewalls when you configure an IPSec tunnel. The defaults are:
     - Action: Wait Recover. The firewall waits for the tunnel to recover and continues to use the tunnel interface in routing decisions as if the tunnel were still active, so traffic to the tunnel is black-holed until it recovers rather than failed over to another path.
     - Interval (sec): 3. The time in seconds between heartbeats.
     - Threshold: 5. The number of missed heartbeats the firewall waits before taking the action; with the defaults a failed tunnel is detected after roughly 15 seconds.
   - Configure Proxy IDs:
     - Click Add and specify the Proxy ID name.
     - Enter the local IP address or subnet behind this VPN gateway in Local Proxy ID.
     - Enter the remote IP address or subnet behind the peer VPN gateway in Remote Proxy ID.
     - Select the Protocol:
       - Number: specify the IP protocol number (used for interoperability with third-party devices).
       - Any: match any IP protocol.
       - TCP: specify the local port and remote port numbers.
       - UDP: specify the local port and remote port numbers.
     Proxy IDs can use either IPv4 or IPv6 addresses to identify the VPN peers. A proxy identity, or proxy ID, describes a defined set of traffic for an IPSec VPN; that traffic is protected by the Security Association (SA) the peers negotiate for it. When you configure a Palo Alto Networks firewall to work with a VPN peer that uses a policy-based VPN, you must set up both a local and a remote proxy ID for the IPSec tunnel. During IKE phase 2 negotiation (the child SA exchange in IKEv2), each peer compares the proxy IDs it has configured with those the peer proposes, and the SA is only established when they agree: your Local Proxy ID must be the peer's remote proxy ID and vice versa, with the same protocol and ports. A mismatch typically shows up as the IKE SA coming up while the IPSec SA never does. For multiple tunnels, assign unique proxy IDs to each tunnel interface; each proxy ID counts toward the firewall's IPSec VPN tunnel capacity, which varies by firewall model.
   - Configure and enable the IPSec tunnel Advanced Settings:
     - IPSec Crypto Profile: the encryption and authentication algorithms (and the optional DH group for perfect forward secrecy) used to protect the traffic inside the tunnel, and the lifetime of the keys. The IKE crypto profiles configured on the IKE gateway protect the IKE negotiation itself. You can select a predefined IPSec Crypto profile or Create New; check what a predefined profile actually contains before relying on it, and prefer AES-GCM or AES-CBC with SHA-256 or stronger over legacy choices such as 3DES, MD5 and SHA-1.
     - Anti Replay: enables IPSec anti-replay protection. Each unidirectional security association carries an ESP/AH sequence number, and the receiver keeps a sliding window of the sequence numbers it has already accepted, so a packet that an attacker captured and re-injected is dropped instead of being processed a second time. RFC 6479 describes the window algorithm. Leave it enabled unless the peer cannot support it.
     - Copy ToS: copies the Type of Service (ToS) field from the inner IP header to the outer IP header of the encapsulated packets, so the original ToS/DSCP marking survives encapsulation and intermediate QoS devices can act on it. If the tunnel carries multiple sessions with different ToS values, those devices may reorder the IPSec packets; a packet that falls behind the anti-replay window is then dropped as if it were a replay, so watch for anti-replay drops on the tunnel when both settings are enabled.
- Enable GRE Encapsulation—Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic.
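The proxy ID comparison described in the Proxy IDs step above, as an added example in Python (not Palo Alto Networks code). It models both sides of the phase 2 check: our proxy ID matches only when the peer has configured its exact mirror image, with the same protocol and ports, which is why a peer that proposes a wider subnet fails phase 2 even though IKE came up. The proxy ID names, subnets and ports are constructed for illustration.

```python
"""Proxy ID (IKE phase 2 traffic selector) matching between two IPSec peers.

Added example, not Palo Alto Networks code. Names, subnets and ports are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: str                # local subnet, e.g. "10.1.0.0/24" ("0.0.0.0/0" = any)
    remote: str               # remote subnet
    protocol: str = "any"     # "any", "tcp", "udp", or an IP protocol number as a string
    local_port: int = 0       # 0 = any port; only meaningful for tcp/udp
    remote_port: int = 0

    def mirrored(self) -> "ProxyID":
        """The proxy ID the peer must have configured for ours to match:
        local and remote swap places, and so do the ports."""
        return ProxyID(self.name, self.remote, self.local, self.protocol,
                       self.remote_port, self.local_port)


def _same_net(a: str, b: str) -> bool:
    return ip_network(a, strict=False) == ip_network(b, strict=False)


def proxy_ids_match(mine: ProxyID, theirs: ProxyID) -> bool:
    """True when the peer's proxy ID is the exact mirror image of ours.

    The comparison is exact, not a containment test: a peer that proposes a
    wider or narrower subnet, or a different protocol or port, does not
    match. That is the usual reason phase 2 fails after phase 1 succeeded.
    """
    want = mine.mirrored()
    return (_same_net(want.local, theirs.local)
            and _same_net(want.remote, theirs.remote)
            and want.protocol.lower() == theirs.protocol.lower()
            and want.local_port == theirs.local_port
            and want.remote_port == theirs.remote_port)


def negotiate(local_ids: List[ProxyID],
              peer_ids: List[ProxyID]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Pair each of our proxy IDs with a matching peer proxy ID.

    Returns (established, unmatched): the (our name, peer name) pairs for
    which an IPSec SA can be built, and our proxy IDs that nothing matched.
    """
    established: List[Tuple[str, str]] = []
    unmatched: List[str] = []
    for mine in local_ids:
        hit: Optional[ProxyID] = next(
            (theirs for theirs in peer_ids if proxy_ids_match(mine, theirs)), None)
        if hit is None:
            unmatched.append(mine.name)
        else:
            established.append((mine.name, hit.name))
    return established, unmatched


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Constructed scenario: our firewall against a third-party policy-based peer."""
    ours = [
        ProxyID("fw-to-branch", "10.1.0.0/24", "10.2.0.0/24"),
        # HTTPS from our LAN to the peer's DMZ: any local port, remote port 443
        ProxyID("fw-to-dmz-https", "10.1.0.0/24", "10.3.0.0/24", "tcp", 0, 443),
    ]
    peer = [
        ProxyID("branch-to-fw", "10.2.0.0/24", "10.1.0.0/24"),               # exact mirror
        ProxyID("dmz-to-fw", "10.3.0.0/16", "10.1.0.0/24", "tcp", 443, 0),   # /16, not /24
    ]
    return negotiate(ours, peer)


if __name__ == "__main__":
    established, unmatched = demo()
    print("IPSec SA can be built for:", established)
    print("no matching peer proxy ID (phase 2 fails) for:", unmatched)
```

When phase 2 fails against a third-party device, build the peer's proxy IDs as the mirror image of yours exactly as in demo(); a /16 on one side against a /24 on the other, or a port on only one side, is enough for the SA never to come up.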
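How the Anti Replay setting above drops a re-injected packet, and why the reordering caveat under Copy ToS matters, as an added example (not PAN-OS code): a plain sliding receive window over the ESP/AH sequence number in the style of RFC 4303, with the RFC 4303 default width of 64; RFC 6479 describes a block-based variant of the same check. The window size of 8 and the packet arrival order in demo() are constructed for illustration.

```python
"""Receive-side anti-replay window for one unidirectional IPSec SA.

Added example, not PAN-OS code. The window size and the arrival order used
in demo() are constructed for illustration.
"""
from typing import List


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was accepted

    def check(self, seq: int) -> str:
        """Return 'accept' or a 'drop:<reason>' verdict and update the window.

        A real implementation runs this check before verifying the packet's
        integrity value but only commits the window update after the ICV
        passes; otherwise forged packets with high sequence numbers could
        push the window past legitimate traffic.
        """
        if seq <= 0:
            return "drop:invalid"          # ESP sequence numbers start at 1
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark seq.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "drop:too-old"          # fell behind the window (e.g. reordered by QoS)
        if (self.bitmap >> offset) & 1:
            return "drop:replay"           # already accepted once: a replayed packet
        self.bitmap |= 1 << offset         # late but inside the window: accept once
        return "accept"


def simulate(seqs: List[int], size: int = 64) -> List[str]:
    """Run a sequence of received ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


DEMO_ARRIVALS = [1, 2, 3, 3, 5, 4, 13, 6, 5, 13]


def demo() -> List[str]:
    # Constructed arrival order on a window of 8:
    # 3 arrives twice (replay), 4 arrives late but inside the window (accepted
    # once), 5 arrives again after the window moved past it (too old, the
    # Copy ToS reordering case), and 13 is replayed.
    return simulate(DEMO_ARRIVALS, size=8)


if __name__ == "__main__":
    for seq, verdict in zip(DEMO_ARRIVALS, demo()):
        print(f"seq {seq:>2}: {verdict}")
```

The "drop:too-old" verdict is what reordering by ToS-aware QoS devices produces: the packet is legitimate, but it arrived after the window had moved on, and the receiver cannot distinguish it from a replay.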
7. Configure the IPSec tunnel IKE Gateway.
   - Select the Address Type (IPv4 or IPv6) for the IKE gateway based on your network's addressing scheme.
   - Select the IKE Interface to act as the local gateway endpoint.
   - Enter the Local IP Address. The list shows the IPv4 or IPv6 addresses of the IKE interface according to the Address Type you selected; specify the exact IP address if the IKE interface has multiple IP addresses.
   - Select the Peer IP Address Type:
     - Static: enter a Peer Address that is a static IPv4 address, or select an address object.
     - FQDN: enter a Peer Address that is an FQDN string, or an address object that uses an FQDN string.
     - Dynamic: use this when the peer IP address or FQDN is not known in advance. Because the firewall has no address to connect to, the peer must initiate the IKE negotiation.
   - Select the Authentication method:
     - Pre-shared key: enter the Pre-Shared Key string and Confirm Pre-Shared Key. Use a long, randomly generated key rather than a word or phrase, and prefer certificate authentication where both peers support it.
     - Certificate: select the Local Certificate and the Certificate Profile that specifies how the peer gateway's certificate is validated.
   - Select the type of Local Identification and define the identification format that identifies the local gateway. The local IP address of the firewall is used if no local identification is defined.
   - Select the type of Peer Identification and define the identification format that identifies the peer gateway. The IP address of the peer gateway is used if no peer identification is defined, so for a Dynamic peer you must define a Peer Identification, and it must match exactly the identity the peer sends.
   - Enable IKE Passive Mode to specify that the firewall only responds to IKE connection requests and never initiates them.
   - (Optional) Keep NAT Traversal enabled (the default) so that IPSec VPN connections stay up when traffic passes through a gateway or device that performs NAT. NAT rewrites the IP header, which breaks IPSec, and ESP carries no port numbers for a NAT device to track. With NAT traversal the peers detect the NAT during IKE and encapsulate the ESP packets in an additional UDP and IP header (UDP port 4500) so they pass through the NAT device unchanged.
   - Configure the IKE Gateway Advanced Settings:
     - Select the IKE Protocol Version to specify the negotiation method the IKE gateway uses with its peer: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode (IKEv2 first, falling back to IKEv1 if the peer does not support it). Where the peer supports IKEv2, use IKEv2 only mode so the negotiation cannot fall back to IKEv1.
     - Select the IKEv1 Crypto Profile and IKEv2 Crypto Profile; which of the two you can configure depends on the IKE Protocol Version you selected. Select a predefined crypto profile or Create New. The IKE crypto profile sets the DH group, encryption and authentication algorithms and lifetime of the IKE SA itself, as distinct from the IPSec Crypto Profile that protects the tunnel traffic.
8. Save, then Push Config to push your configuration changes to the firewalls in the selected scope.