Network Security


Table of Contents


Where Can I Use This?
What Do I Need?
  • PAN-OS
No license required
An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
  • Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
  • Built-in NAT-T functionality improves compatibility between vendors.
  • Built-in health check automatically reestablishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
  • Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
  • Supports Hash and URL certificate exchange to reduce fragmentation.
  • Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.
Before configuring IKEv2, you should be familiar with the following concepts:
After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:

Recommended For You