DH-group 20 for Diffie-Hellman (DH) group and PFS.
Only AES with 256-bit keys in GCM mode.
You can choose the IPSec mode based on your networking requirements:
If you want to encrypt the management plane protocol (such as BGP) packets
exchanged between your next-generation firewall and the tunnel endpoint, then
you must configure IPSec transport mode. Transport mode enables you to encrypt
the control traffic (such as routing protocol and signalization messages) with
the most robust protocol. With transport mode, you can encrypt the
point-to-point traffic belonging to the firewall’s IP address.
If you want to encrypt the dataplane traffic exchanged between your
next-generation firewall and the tunnel endpoint, then you must configure IPSec
Important points to remember before enabling the transport mode:
You can’t select transport mode when NAT-T is enabled.
You can't configure an IKE gateway on a loopback interface to an IPSec tunnel
with transport mode.
IPSec transport mode does not use proxy ID settings for negotiation. Hence, you
cannot configure a proxy ID in transport mode. If you attempt to configure proxy
ID by any other method, it will be replaced with 0.0.0.0/0 automatically.
You can use transport mode only with an
If you configure a IKE gateway without an IPSec tunnel, by default IKE
negotiates a tunnel mode child security association (SA).
In IPSec transport mode without GRE encapsulation, don't route the user traffic
through the associated tunnel interface. Configure the control protocols (like,
BGP peering sessions) on a physical interface (for example, ethernet1/1) instead
of a tunnel interface. While IPSec tunnel mode for BGP routes works with the
tunnel interface, IPSec transport mode for BGP routes works with the physical
By default, the IPSec tunnel operates in
You should enable
Add GRE Encapsulation
mode to encapsulate multicast packets.
Because PAN-OS 10.2 and earlier versions don’t support transport mode, any downgrades
to the previous versions will result in compatibility issues. Before downgrade, you
must manually remove any transport mode tunnels or switch to tunnel mode. Otherwise,
the downgrade will result in a failure.
To establish an IPSec tunnel successfully, both IKE and IPSec negotiations should be
The IKE negotiation will be successful only when both VPN peers exchange
compatible IKE parameters.
The IKE Phase 2 (IPSec) negotiation will be successful only when both VPN peers
exchange compatible IPSec parameters.