Overview of IPSec VPN, IPSec tunnel modes, and IPSec VPN types.
Where Can I Use This?
  • Prisma Access (IPSec tunnel transport mode is not yet supported for Prisma Access)
  • PAN-OS
What Do I Need?
No license required
IPSec VPN provides private and secure IP communication over a public network infrastructure (for example, the internet). With this technology, sites or users in different geographical areas can communicate over a network and use their resources safely. IPSec provides data confidentiality and integrity through authentication, integrity checking, and encryption.
IPSec VPN is one of the two common VPN protocols, or sets of standards used to establish a VPN connection. At the IP layer, IPSec provides secure, remote access to an entire network (rather than just a single device).
Differences between IPSec and VPN

  IPSec: Provides IP hosts with methods for encrypting and authenticating data sent on the IP network.
  VPN:   Uses encryption to obscure all data sent between the VPN client and server.

  IPSec: By using IPSec, entities that have IP addresses can create a secure tunnel.
  VPN:   Many types of VPN protocols offer varying levels of security and other features. The most commonly used tunneling protocols in the VPN industry are Point-to-Point Tunnel Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), IPSec, Secure Socket Tunneling Protocol (SSTP), and OpenVPN.

IPSec VPNs come in two types, described under IPSec VPN Types below.

IPSec Tunnel Modes

IPSec standards define two distinct modes of IPSec operation: tunnel mode and transport mode. The key difference between them is where IPSec protection is applied to the packet. Tunnel mode adds an ESP/AH header in front of the inner IP packet and encapsulates the result in a new outer IP packet, so the entire inner IP packet, including its IP header, is encrypted and authenticated. Transport mode instead inserts the ESP/AH header between the inner packet's IP header and its payload, leaving the original IP header in place and outside the protection; only the inner IP packet's payload is encrypted and authenticated.
  • AH does not work with NAT, because the AH integrity value is calculated over fields of the IP header: AH includes the outer IP header in the hash-based message authentication code (HMAC) calculation, so a NAT device that rewrites that header breaks the check.
  • IPSec transport mode is used for end-to-end communications, for example between a client and a server, or between a workstation and a gateway if the gateway is being treated as a host. A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
  • PAN-OS supports tunnel mode by default; support for transport mode is introduced beginning with the PAN-OS 11.0 release.
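The AH-versus-NAT point in the first bullet, as an added Python example that is not part of this documentation page: it builds a minimal IPv4 header, computes an AH-style integrity check value over the header with the mutable fields zeroed (as RFC 4302 specifies) and an ESP-style value over the protected body only, then applies a source NAT rewrite and reports which check still passes at the receiver. The key, addresses and payload are constructed demo values, and HMAC-SHA256 truncated to 128 bits stands in for whatever integrity algorithm the security association negotiated.

```python
import hmac, hashlib, struct

IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options
KEY = b"constructed-demo-key"    # stands in for the SA key that IKE negotiates

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ipv4_checksum(hdr):
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    f = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst)]
    f[7] = ipv4_checksum(struct.pack(IPV4_FMT, *f))
    return struct.pack(IPV4_FMT, *f)

def nat_rewrite_source(hdr, new_src):
    """What a source NAT in the path does: new source address, TTL-1, checksum recomputed."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[8], f[5], f[7] = ip_to_bytes(new_src), f[5] - 1, 0
    f[7] = ipv4_checksum(struct.pack(IPV4_FMT, *f))
    return struct.pack(IPV4_FMT, *f)

def ah_icv(hdr, ah_plus_payload, key=KEY):
    """AH (RFC 4302) covers the IP header with only its mutable fields zeroed:
    TOS, flags/fragment offset, TTL and checksum. The addresses are still covered."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return hmac.new(key, struct.pack(IPV4_FMT, *f) + ah_plus_payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_plus_payload, key=KEY):
    """ESP integrity covers the ESP header, payload and trailer only; the outer IP header is excluded."""
    return hmac.new(key, esp_plus_payload, hashlib.sha256).digest()[:16]

def integrity_survives_nat(protocol):
    """True if the receiver's ICV check still passes after a source NAT rewrote
    the packet in transit. protocol is "AH" (IP proto 51) or "ESP" (IP proto 50)."""
    body = b"constructed-protocol-header-and-data"   # AH/ESP header plus protected data
    proto = 51 if protocol == "AH" else 50
    sent = ipv4_header("10.0.0.5", "203.0.113.9", proto, len(body))
    icv = ah_icv(sent, body) if protocol == "AH" else esp_icv(body)
    received = nat_rewrite_source(sent, "198.51.100.1")   # header as the peer sees it
    check = ah_icv(received, body) if protocol == "AH" else esp_icv(body)
    return hmac.compare_digest(icv, check)

if __name__ == "__main__":
    for p in ("AH", "ESP"):
        print(p, "integrity check passes after NAT:", integrity_survives_nat(p))
```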

IPSec VPN Types

Site-to-Site (or Gateway-to-Gateway) VPN and Remote Access (client-to-site) VPN are two distinct types of VPN. Whereas a client-to-site VPN represents a single user connection, site-to-site VPNs handle connections between entire remote networks.
In a site-to-site VPN, the IPSec security method is used to create an encrypted tunnel from one customer network to a remote site of the customer. Palo Alto Networks VPN tunnels can also be used between partners.
Site-to-Site VPNs do not allow for multiple endpoints.
In a remote access VPN, individual endpoints are connected to a private network to access its services and resources remotely. Remote Access VPN is most suitable for business and home users because it allows multiple endpoints.