IKE Gateway General Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
IKE Gateway General Tab
- Network > Network Profiles > IKE Gateways > General
The following table describes the beginning settings to configure an IKE gateway. IKE is Phase
1 of the IKE/IPSec VPN process. After configuring these settings,
see IKE
Gateway Advanced Options Tab.
IKE Gateway General
Settings | Description |
---|---|
Name | Enter a Name to identify
the gateway (up to 31 characters). The name is case-sensitive and
must be unique. Use only letters, numbers, spaces, hyphens, and
underscores. |
Version | Select the IKE version that the gateway
supports and must agree to use with the peer gateway: IKEv1
only mode, IKEv2 only mode, or IKEv2
preferred mode. IKEv2 preferred mode causes the gateway
to negotiate for IKEv2 and that is what they will use if the peer
also supports IKEv2; otherwise, the gateway falls back to IKEv1. |
Address Type | Select the type of IP address the gateway
uses: IPv4 or IPv6. |
Interface | Specify the outgoing firewall interface
to the VPN tunnel. |
Local IP Address | Select or enter the IP address for the local
interface that is the endpoint of the tunnel. |
Peer IP Address Type | Select one of the following settings and
enter the corresponding information for the peer:
Using
an FQDN or FQDN address object reduces issues in environments where
the peer is subject to dynamic IP address changes (and would otherwise
require you to reconfigure this IKE gateway peer address). |
Authentication | Select the type of authentication: Pre-Shared Key or Certificate that
will occur with the peer gateway. Depending on the selection, see Pre-Shared
Key Fields or Certificate
Fields. |
Pre-Shared Key
Fields | |
Pre-Shared Key / Confirm Pre-Shared
Key | If you select Pre-Shared Key,
enter a single security key to use for symmetric authentication
across the tunnel. The Pre-Shared Key value
is a string that the administrator creates using a maximum of 255
ASCII or non-ASCII characters. Generate a key that is difficult
to crack with dictionary attacks; use a pre-shared key generator,
if necessary. |
Local Identification | Defines the format and identification of
the local gateway, which are used with the pre-shared key for both
IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of
the following types and enter the value: FQDN (hostname), IP address, KEYID (binary
format ID string in HEX), or User FQDN (email address). If
you don’t specify a value, the gateway will use the local IP address
as the Local Identification value. |
Peer Identification | Defines the type and identification of the
peer gateway, which are used with the pre-shared key during IKEv1
phase 1 SA and IKEv2 SA establishment. Choose one of the following
types and enter the value: FQDN (hostname), IP address, KEYID (binary
format ID string in HEX), or User FQDN (email address). If
you don’t specify a value, the gateway will use the IP address of
the peer as the Peer Identification value. |
Certificate Fields | |
Local Certificate | If Certificate is
selected as the Authentication type, from
the drop-down, select a certificate that is already on the firewall. Alternatively,
you could Import a certificate, or Generate a
new certificate, as follows: Import:
|
Local Certificate (cont) | Generate:
|
HTTP Certificate Exchange | Click HTTP Certificate Exchange and enter
the Certificate URL to use the Hash-and-URL
method to tell the peer where to fetch the certificate. The Certificate
URL is the URL of the remote server where you store your certificate. If
the peer indicates that it also supports Hash and URL, then certificates
are exchanged through the SHA1 Hash-and-URL exchange. When
the peer receives the IKE certificate payload, it sees the HTTP
URL and fetches the certificate from that server. Then the peer uses
the hash specified in the certificate payload to check the certificates
downloaded from the HTTP server. |
Local Identification | Identifies how the local peer is identified
in the certificate. Choose one of the following types and enter
the value: Distinguished Name (Subject), FQDN (hostname), IP address,
or User FQDN (email address). |
Peer Identification | Identifies how the remote peer is identified
in the certificate. Choose one of the following types and enter
the value: Distinguished Name (Subject), FQDN (hostname), IP address,
or User FQDN (email address). |
Peer ID Check | Select Exact or Wildcard.
This setting applies to the Peer Identification being examined to
validate the certificate. For example, if the Peer Identification
is a Name equal to domain.com, you select Exact,
and the name of the certificate in the IKE ID payload is mail.domain2.com,
the IKE negotiation will fail. But if you selected Wildcard,
then only characters in the Name string before the wildcard asterisk
(*) must match and any character after the wildcard can be different. |
Permit peer identification and certificate
payload identification mismatch | Select if you want the flexibility of having
a successful IKE SA even though the peer identification does not
match the certificate payload. |
Certificate Profile | Select a profile or create a new Certificate Profile that
configures the certificate options that apply to the certificate
that the local gateway sends to the peer gateway. See Device
> Certificate Management > Certificate Profile. |
Enable strict validation of peer’s extended
key use | Select if you want to strictly control how
the key is used. |