>
    Set Up an IPSec Tunnel (Transport Mode)
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Configure IPSec VPN Tunnels (Site-to-Site)
    4. Set Up an IPSec Tunnel
    5. Set Up an IPSec Tunnel (Transport Mode)
    Download PDF

    Network Security

    Set Up an IPSec Tunnel (Transport Mode)

    Table of Contents

    Set Up an IPSec Tunnel (Transport Mode)

    You can set up an IPSec tunnel in transport mode to encrypt control traffic or point-to-point traffic between your firewall and the tunnel endpoint.
    Where Can I Use This?
    What Do I Need?
    • PAN-OS
    No license required
    Transport mode is new beginning with the PAN-OS 11.0.0 release and supports:
    • IPv4 address only.
    • Encapsulating Security Payload (ESP) protocol only.
    • IKEv2 only.
    • DH-group 20 for Diffie-Hellman (DH) group and PFS.
    • Only AES with 256-bit keys in GCM mode.
    You can choose the IPSec mode based on your networking requirements:
    • If you want to encrypt the management plane protocol (such as BGP) packets exchanged between your next-generation firewall and the tunnel endpoint, then you must configure IPSec transport mode. Transport mode enables you to encrypt the control traffic (such as routing protocol and signalization messages) with the most robust protocol. With transport mode, you can encrypt the point-to-point traffic belonging to the firewall’s IP address.
    • If you want to encrypt the dataplane traffic exchanged between your next-generation firewall and the tunnel endpoint, then you must configure IPSec tunnel mode.
    Important points to remember before enabling the transport mode:
    • You can’t select transport mode when NAT-T is enabled.
    • You can't configure an IKE gateway on a loopback interface to an IPSec tunnel with transport mode.
    • IPSec transport mode does not use proxy ID settings for negotiation. Hence, you cannot configure a proxy ID in transport mode. If you attempt to configure proxy ID by any other method, it will be replaced with 0.0.0.0/0 automatically.
    • You can use transport mode only with an
      auto-key
       key exchange.
    • If you configure a IKE gateway without an IPSec tunnel, by default IKE negotiates a tunnel mode child security association (SA).
    • In IPSec transport mode without GRE encapsulation, don't route the user traffic through the associated tunnel interface. Configure the control protocols (like, BGP peering sessions) on a physical interface (for example, ethernet1/1) instead of a tunnel interface. While IPSec tunnel mode for BGP routes works with the tunnel interface, IPSec transport mode for BGP routes works with the physical interface only.
    • By default, the IPSec tunnel operates in
      Tunnel
       mode.
    • You should enable
      Add GRE Encapsulation
       in
      Transport
       mode to encapsulate multicast packets.
    Because PAN-OS 10.2 and earlier versions don’t support transport mode, any downgrades to the previous versions will result in compatibility issues. Before downgrade, you must manually remove any transport mode tunnels or switch to tunnel mode. Otherwise, the downgrade will result in a failure.
    To establish an IPSec tunnel successfully, both IKE and IPSec negotiations should be successful:
    • The IKE negotiation will be successful only when both VPN peers exchange compatible IKE parameters.
    • The IKE Phase 2 (IPSec) negotiation will be successful only when both VPN peers exchange compatible IPSec parameters.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.