IPSec Tunnel Modes

Overview of IPSec operation modes.
Where Can I Use This?
  • Prisma Access (IPSec tunnel transport mode is not yet supported for Prisma Access)
  • PAN-OS

What Do I Need?
No license required
IPSec standards define two distinct modes of IPSec operation: tunnel mode and transport mode. The key difference between transport and tunnel mode is where the policy rule is applied. In tunnel mode the original packet is encapsulated in a new IP header; in either mode the packets can be protected by Authentication Header (AH), Encapsulating Security Payload (ESP), or both.
  • AH does not work with NAT because its integrity check covers fields of the IP header. AH includes the outer IP header in the hash-based message authentication code (HMAC) calculation, so when NAT rewrites addresses in that header the HMAC no longer matches and the packet fails verification.
  • IPSec transport mode is used for end-to-end communications, for example between a client and a server, or between a workstation and a gateway if the gateway is being treated as a host. A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
  • While PAN-OS® supports tunnel mode by default, support for transport mode is introduced beginning with the PAN-OS 11.0 release.
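The two points above (how transport and tunnel mode differ in packet layout, and why AH breaks under NAT) can be shown concretely with a small packet model. The following is an added example written for this page, not code from Palo Alto Networks or PAN-OS: it builds a simplified IPv4 + AH packet in each mode, computes the AH integrity check value (ICV) the way RFC 4302 specifies (mutable IPv4 fields zeroed, addresses covered) with HMAC-SHA-256 truncated to 128 bits, and then checks what happens when an ordinary router decrements the TTL versus when a source NAT device rewrites the source address. All keys, addresses and the TCP payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not PAN-OS code): minimal IPv4 + AH model to demonstrate
# transport vs tunnel layout and the AH/NAT incompatibility.
# Layouts follow RFC 791 (IPv4) and RFC 4302 (AH); ICV is HMAC-SHA-256-128
# (RFC 4868). Keys and addresses are constructed sample values.

AH_PROTO = 51
IPIP_PROTO = 4      # next header for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 16        # 128-bit truncated HMAC
AH_FIXED_LEN = 12   # next hdr, payload len, reserved, SPI, sequence number


def ipv4_checksum(header: bytes) -> int:
    # Standard one's-complement sum over the 20-byte header (checksum field zeroed).
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def _ah_icv_input(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    # RFC 4302 3.3.3.1.1: mutable IPv4 fields (TOS, flags/fragment offset, TTL,
    # header checksum) are zeroed before hashing; addresses are immutable and covered.
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h) + ah_no_icv + bytes(ICV_LEN) + payload


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    return hmac.new(key, _ah_icv_input(ip_hdr, ah_no_icv, payload), hashlib.sha256).digest()[:ICV_LEN]


def ah_header_without_icv(next_hdr: int, spi: int, seq: int) -> bytes:
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)


def build_ah_packet(src: str, dst: str, next_hdr: int, inner: bytes, key: bytes,
                    spi: int = 0x100, seq: int = 1) -> bytes:
    # Layout shared by both modes: IP header | AH header | ICV | protected data.
    ah = ah_header_without_icv(next_hdr, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah) + ICV_LEN + len(inner))
    return ip_hdr + ah + ah_icv(key, ip_hdr, ah, inner) + inner


def transport_mode_packet(src: str, dst: str, tcp_segment: bytes, key: bytes) -> bytes:
    # Transport mode: original IP header kept; AH sits between it and the TCP segment.
    return build_ah_packet(src, dst, TCP_PROTO, tcp_segment, key)


def tunnel_mode_packet(gw_src: str, gw_dst: str, inner_ip_packet: bytes, key: bytes) -> bytes:
    # Tunnel mode: the whole original IP packet is carried behind a new outer IP header.
    return build_ah_packet(gw_src, gw_dst, IPIP_PROTO, inner_ip_packet, key)


def verify_ah(packet: bytes, key: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah, icv = rest[:AH_FIXED_LEN], rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    inner = rest[AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah, inner))


def _rewrite_outer_header(packet: bytes, edit) -> bytes:
    h = bytearray(packet[:20])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    # Source NAT: change the outer source address and fix the IP checksum.
    # It cannot recompute the AH ICV because it does not hold the SA key.
    return _rewrite_outer_header(packet, lambda h: h.__setitem__(slice(12, 16), socket.inet_aton(new_src)))


def router_hop(packet: bytes) -> bytes:
    # A plain router only decrements TTL (a mutable field), so AH still verifies.
    return _rewrite_outer_header(packet, lambda h: h.__setitem__(8, h[8] - 1))


def demo() -> dict:
    key = b"constructed-sample-key-not-for-production"
    tcp = b"\x04\xd2\x00\x17" + b"\x00" * 16 + b"hello"   # constructed fake TCP segment
    transport = transport_mode_packet("10.1.1.10", "10.2.2.20", tcp, key)
    inner = ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTO, len(tcp)) + tcp
    tunnel = tunnel_mode_packet("198.51.100.1", "203.0.113.1", inner, key)
    return {
        "transport_ok": verify_ah(transport, key),
        "transport_after_router": verify_ah(router_hop(transport), key),
        "transport_after_nat": verify_ah(nat_rewrite_source(transport, "192.0.2.5"), key),
        "tunnel_ok": verify_ah(tunnel, key),
        "tunnel_after_nat": verify_ah(nat_rewrite_source(tunnel, "192.0.2.5"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV valid' if ok else 'ICV FAILED'}")
```

Running the demo shows the TTL change surviving verification while the NAT rewrite fails in both modes, which is the practical reason ESP (whose integrity check does not cover the outer IP header) is what gets deployed across NAT; the tunnel-mode packet also illustrates that the inner, original IP header is untouched by the NAT device because it sits inside the protected payload.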