Set Up an IPSec Tunnel (Tunnel Mode)
Set up an IPSec tunnel for authentication and encryption of data. Define proxy IDs for policy-based VPN peers and ensure successful IKE and IPSec negotiations.
Where Can I Use This?
  • Prisma Access
  • PAN-OS
What Do I Need?
  • No license required
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses the tunnel.
If you’re setting up the firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses, and ports) to permit interesting traffic through an IPSec tunnel. These rules are referenced during quick mode (IKE phase 2) negotiation and are exchanged as proxy IDs in the first or second message of that exchange. So, if you’re configuring the firewall to work with a policy-based VPN peer, phase 2 negotiation succeeds only if you define a proxy ID whose settings are identical (mirrored) on both peers. If no proxy ID is configured, the firewall, because it supports route-based VPN, uses the default values source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any as its proxy ID; when those values are exchanged with a policy-based peer, the VPN connection fails to set up.
To establish an IPSec tunnel successfully, both the IKE and the IPSec negotiations must succeed:
  • The IKE (phase 1) negotiation succeeds only when both VPN peers exchange compatible IKE parameters.
  • The IKE phase 2 (IPSec) negotiation succeeds only when both VPN peers exchange compatible IPSec parameters, including matching proxy IDs.
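The following is an added illustration, not code from the page or from PAN-OS: a small Python model of the two matching requirements described above (a common IKE proposal in phase 1, and proxy IDs that are exact mirror images in phase 2 against a policy-based peer). The `IkeProposal` and `ProxyId` field names, the sample peer access-list, and the sample proposals are constructed for the example; the 0.0.0.0/0 / 0.0.0.0/0 / any defaults come from the text. IKEv2 traffic-selector narrowing is deliberately not modelled, so a policy-based peer is treated as strict.

```python
"""Model of what has to match for an IPSec tunnel to come up: a common
IKE (phase 1) proposal and identical (mirrored) proxy IDs in phase 2.
Simplified teaching model, not PAN-OS code; policy-based peers are treated
as strict (no IKEv2 traffic-selector narrowing)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    # Hypothetical field names for the model; values are constructed samples.
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str = "pre-shared-key"


@dataclass(frozen=True)
class ProxyId:
    local: str       # local network, CIDR
    remote: str      # remote network, CIDR
    protocol: str = "any"

    def normalized(self) -> "ProxyId":
        # Canonical CIDR text so 10.1.1.5/24 and 10.1.1.0/24 compare equal.
        return ProxyId(str(ip_network(self.local, strict=False)),
                       str(ip_network(self.remote, strict=False)),
                       self.protocol.lower())

    def mirrored(self) -> "ProxyId":
        # What the peer must propose: its local is our remote and vice versa.
        n = self.normalized()
        return ProxyId(n.remote, n.local, n.protocol)


# Values a route-based firewall sends when no proxy ID is configured (from the page).
DEFAULT_PROXY_ID = ProxyId("0.0.0.0/0", "0.0.0.0/0", "any")


def negotiate_ike(ours: Iterable[IkeProposal],
                  theirs: Iterable[IkeProposal]) -> Optional[IkeProposal]:
    """Phase 1 succeeds only if both peers offer at least one identical proposal.
    Returns the first of our proposals the peer also accepts, in our preference order."""
    accepted = set(theirs)
    for p in ours:
        if p in accepted:
            return p
    return None


def negotiate_phase2(ours: Iterable[ProxyId],
                     theirs: Iterable[ProxyId]) -> Optional[Tuple[ProxyId, ProxyId]]:
    """Phase 2 with a policy-based peer succeeds only if one of our proxy IDs is the
    exact mirror image of one of the peer's access-list entries."""
    for mine in ours:
        for peer in theirs:
            if mine.mirrored() == peer.normalized():
                return mine, peer
    return None


def tunnel_comes_up(our_ike, their_ike, our_ids, their_ids) -> bool:
    """Both negotiations must succeed; a phase 1 failure means phase 2 never starts."""
    return (negotiate_ike(our_ike, their_ike) is not None
            and negotiate_phase2(our_ids, their_ids) is not None)


# Constructed sample peer: a policy-based device whose access-list protects
# 192.168.20.0/24 and expects our side to present 10.10.10.0/24.
PEER_IKE = [IkeProposal("aes-256-cbc", "sha256", 14)]
PEER_ACL = [ProxyId("192.168.20.0/24", "10.10.10.0/24")]

if __name__ == "__main__":
    fw_ike = [IkeProposal("aes-256-cbc", "sha256", 14),
              IkeProposal("aes-128-cbc", "sha1", 2)]
    print("IKE phase 1:", negotiate_ike(fw_ike, PEER_IKE))
    # Without a proxy ID the firewall offers 0.0.0.0/0 <-> 0.0.0.0/0 and phase 2 fails.
    print("default proxy ID:", negotiate_phase2([DEFAULT_PROXY_ID], PEER_ACL))
    # With the mirrored proxy ID configured, phase 2 succeeds.
    print("configured proxy ID:",
          negotiate_phase2([ProxyId("10.10.10.0/24", "192.168.20.0/24")], PEER_ACL))
```

Running the script shows the failure mode the text describes: the route-based default proxy ID never matches a policy-based peer's specific access-list entry, while a proxy ID configured as the exact mirror (our local = peer's remote, and vice versa, same protocol) does. When troubleshooting, compare the two sides in this mirrored form rather than side by side.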