IKE Gateway
The two Palo Alto Networks firewalls (or a firewall and another security device) that initiate and terminate the VPN connection between two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or an FQDN. The VPN peers use pre-shared keys or certificates to authenticate each other mutually.
(In IKEv1) The peers must also negotiate the mode, main or aggressive, for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence a faster but less secure option for setting up the VPN tunnel.
(In IKEv2) The IKEv2 negotiation process between the IKE gateways is much more efficient and simpler than IKEv1 negotiation. IKEv2 performs three types of exchanges: initial exchanges, the CREATE_CHILD_SA exchange, and the INFORMATIONAL exchange. During the initial exchange process, IKEv2 uses the following two exchanges, each consisting of two messages:
- IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
- IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPSec SAs.
After the four-message initial exchanges, IKEv2 has set up one IKE SA and one pair of IPSec SAs. To set up one IKE SA and one pair of IPSec SAs, IKEv1 goes through two phases that use a minimum of six messages.
To set up one more pair of IPSec SAs within the IKE SA, IKEv2 performs an additional two-message exchange, the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange creates one pair of IPSec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to re-key IKE SAs and Child SAs.
IKEv2 uses the INFORMATIONAL exchange for errors and notifications.
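The following is an added example, not code from the page or from PAN-OS, that models the IKEv2 message flow described above between two IKE Gateways so that the message counts and the resulting SAs can be checked: four messages (IKE_SA_INIT + IKE_AUTH) yield one IKE SA and one pair of Child SAs, each further CREATE_CHILD_SA adds a pair in two messages, and an INFORMATIONAL exchange deletes one. The Diffie-Hellman parameters, the pre-shared keys, the peer names and the shape of the "signed octets" are all constructed assumptions; the key derivation and PSK AUTH formula follow the structure of RFC 7296 but omit the real payload encoding and encryption, so it is a state-machine model, not an interoperable implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy Diffie-Hellman group (constructed for illustration; not an IKE DH group).
P = 2**127 - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated IKEv2 PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Peer:
    """One IKE Gateway: its PSK, IKE SPI, nonce, DH key and installed Child SAs."""
    name: str
    psk: bytes
    spi: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    dh_priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 2)
    sk: Optional[bytes] = None                     # keying material after IKE_SA_INIT
    child_sas: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (in SPI, out SPI)

    def dh_pub(self) -> int:
        return pow(G, self.dh_priv, P)


class IKEv2Session:
    """Drives the exchanges between an initiator and a responder and logs every message."""

    def __init__(self, initiator: Peer, responder: Peer):
        self.i, self.r = initiator, responder
        self.established = False          # becomes True once IKE_AUTH succeeds
        self.log: List[Tuple[str, str]] = []   # (exchange type, direction)

    def _send(self, exchange: str, direction: str) -> None:
        self.log.append((exchange, direction))

    def ike_sa_init(self) -> None:
        """Exchange 1 (2 messages): SA proposals, KE (DH) and nonces; derive SKEYSEED."""
        i, r = self.i, self.r
        self._send("IKE_SA_INIT", "I->R")       # HDR(SPIi), SAi1, KEi, Ni
        self._send("IKE_SA_INIT", "R->I")       # HDR(SPIi,SPIr), SAr1, KEr, Nr
        g_ir = pow(r.dh_pub(), i.dh_priv, P).to_bytes(16, "big")
        assert g_ir == pow(i.dh_pub(), r.dh_priv, P).to_bytes(16, "big")
        skeyseed = prf(i.nonce + r.nonce, g_ir)    # RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir)
        i.sk = r.sk = prf(skeyseed, i.nonce + r.nonce + i.spi + r.spi)

    @staticmethod
    def _auth(signer: Peer, other: Peer, psk: bytes) -> bytes:
        # PSK AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <signed octets>); signed octets simplified.
        signed = signer.spi + signer.nonce + other.nonce + signer.name.encode()
        return prf(prf(psk, b"Key Pad for IKEv2"), signed)

    def ike_auth(self) -> bool:
        """Exchange 2 (2 messages): mutual PSK authentication plus the first Child SA pair."""
        i, r = self.i, self.r
        self._send("IKE_AUTH", "I->R")          # IDi, AUTH, SAi2, TSi, TSr
        if not hmac.compare_digest(self._auth(i, r, i.psk), self._auth(i, r, r.psk)):
            self._send("IKE_AUTH", "R->I")      # responder answers with AUTHENTICATION_FAILED
            return False
        self._send("IKE_AUTH", "R->I")          # IDr, AUTH, SAr2, TSi, TSr
        if not hmac.compare_digest(self._auth(r, i, r.psk), self._auth(r, i, i.psk)):
            return False                        # initiator rejects the responder's AUTH
        self.established = True
        self._install_child_pair()
        return True

    def _install_child_pair(self) -> None:
        spi_i, spi_r = secrets.token_bytes(4), secrets.token_bytes(4)
        self.i.child_sas.append((spi_i, spi_r))   # initiator: inbound spi_i, outbound spi_r
        self.r.child_sas.append((spi_r, spi_i))   # responder sees the mirror image

    def create_child_sa(self) -> None:
        """One CREATE_CHILD_SA exchange (2 messages) adds exactly one more Child SA pair."""
        if not self.established:
            raise RuntimeError("CREATE_CHILD_SA requires an established IKE SA")
        self._send("CREATE_CHILD_SA", "I->R")
        self._send("CREATE_CHILD_SA", "R->I")
        self._install_child_pair()

    def delete_child_sa(self, index: int) -> None:
        """INFORMATIONAL exchange (2 messages) carrying a DELETE for one Child SA pair."""
        self._send("INFORMATIONAL", "I->R")
        self._send("INFORMATIONAL", "R->I")
        del self.i.child_sas[index]
        del self.r.child_sas[index]

    def message_count(self, exchange: Optional[str] = None) -> int:
        return sum(1 for e, _ in self.log if exchange is None or e == exchange)


# IKEv1 for comparison: Phase 1 (main 6 / aggressive 3 messages) + Quick Mode (3 messages).
IKEV1_MESSAGES = {"main": 6 + 3, "aggressive": 3 + 3}


def establish(psk_initiator: bytes, psk_responder: bytes) -> IKEv2Session:
    """Run the initial exchanges between two constructed gateways and return the session."""
    s = IKEv2Session(Peer("fw-a", psk_initiator), Peer("fw-b", psk_responder))
    s.ike_sa_init()
    s.ike_auth()
    return s


if __name__ == "__main__":
    s = establish(b"constructed-psk", b"constructed-psk")
    s.create_child_sa()
    print(f"messages={s.message_count()} established={s.established} "
          f"child_pairs={len(s.i.child_sas)} ikev1_min={min(IKEV1_MESSAGES.values())}")
```

Running the module with matching keys shows six messages, an established IKE SA and two Child SA pairs; with mismatched keys the responder's IKE_AUTH reply is the failure and no Child SA is installed, which is the outcome a mis-typed pre-shared key produces between real IKE Gateways.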