IPSec Transport Mode

End-of-Life (EoL)
Configure IPSec transport mode for encrypting host-to-host communications.
PAN-OS® uses tunnel mode by default, but you can configure an IPSec tunnel to use transport mode when encrypting host-to-host communications. Transport mode encrypts only the payload and retains the original IP header, so the two endpoints of the security association are the hosts that originate and consume the traffic. This makes transport mode suitable for protecting the firewall's own management plane traffic (for example, routing protocol sessions) with strong cryptography.
Transport mode supports:
  • IPv4 addresses only.
  • Encapsulating Security Payload (ESP) protocol only.
  • IKEv2 only.
  • DH-group 20 for Diffie-Hellman (DH) group and perfect forward secrecy (PFS).
  • Only AES with 256-bit keys in GCM mode.
Some management plane protocols do not encrypt their payload when exchanging information with a peer, and some authenticate peers with MD5, which is no longer adequate for traffic exposed to a public internetwork. IPSec lets you protect the content of these protocols. The default IPSec mode is tunnel mode, which encrypts and authenticates traffic between two gateways to protect a complete site. That is not always sufficient for management protocol peers, because protection applied at the site boundary is independent of the peers themselves, and even within a single administrative domain management plane data may need to remain confidential. In such cases, IPSec in transport mode lets you encrypt the management traffic end to end between the two peers with the strongest supported cryptography.
In transport mode, the data in the original IP packet is protected but the IP header is not. Transport mode carries encrypted traffic directly between two hosts that have established an IPSec security association with each other. Enable it only when the device that generates and protects a packet is also the one that verifies and decrypts it, that is, when the IPSec peers are the communicating hosts themselves rather than intermediate gateways.
Because transport mode does not create a new IP header, each packet carries less overhead and the processing is simpler.
When you configure an IPSec tunnel, you can now select the IPSec Mode as Tunnel or Transport. The selection determines whether packets are encrypted and authenticated in tunnel mode or in transport mode.
Differences between Tunnel and Transport Mode
  • Scope of encryption. Tunnel mode encrypts the entire packet, including the IP header, and adds a new IP header after encryption. Transport mode encrypts only the payload and retains the original IP header.
  • Tunnel monitoring. Tunnel mode uses the tunnel interface IP address. Transport mode automatically uses the IP address of the physical interface (the gateway interface IP address); the tunnel interface IP address is ignored.
  • Double encapsulation. Tunnel mode supports double encapsulation. Transport mode does not.
  • Typical use. Tunnel mode is commonly used for site-to-site communications. Transport mode is commonly used for host-to-host communications.
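As an added illustration (not part of the PAN-OS documentation), the following Python builds both encapsulations for the same IPv4 packet using the ESP layout from RFC 4303 (SPI, sequence number, IV, encrypted payload and trailer, ICV), then decapsulates them again. It shows concretely what "retains the original IP header" means: in transport mode the original source and destination stay visible and the protocol field becomes 50 (ESP), while in tunnel mode the whole original packet, header included, is hidden behind a new outer header. An HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for AES-256-GCM so the example runs with the standard library only; the key, addresses and payload are constructed sample values.

```python
"""ESP transport mode versus tunnel mode encapsulation (RFC 4303 layout)."""
import hashlib
import hmac
import struct

ESP = 50          # IP protocol number that signals an ESP payload
IPV4_IN_IP = 4    # ESP Next Header value for an inner IPv4 packet (tunnel mode)
TCP = 6
IV_LEN = 8        # RFC 4106 AES-GCM ESP carries an 8-byte explicit IV
ICV_LEN = 16

# Constructed sample values for the demo; not a real key or real traffic.
KEY = hashlib.sha256(b"demo-not-a-real-key").digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256. Stand-in for AES-256-GCM,
    the only cipher PAN-OS transport mode negotiates; chosen so the example is
    stdlib-only. Not interoperable with real ESP peers."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value over ESP header + IV + ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum is left zero for brevity."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def esp_protect(plaintext: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """Build: SPI | Seq | IV | Enc(payload | pad | pad_len | next_header) | ICV."""
    padlen = (-(len(plaintext) + 2)) % 4                       # 4-byte aligned trailer
    pt = plaintext + bytes(range(1, padlen + 1)) + bytes([padlen, next_header])
    hdr = struct.pack(">II", spi, seq)
    iv = hashlib.sha256(hdr).digest()[:IV_LEN]                 # deterministic IV for the demo
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    body = hdr + iv + ct
    return body + _icv(key, body)


def esp_unprotect(esp: bytes, key: bytes) -> tuple[bytes, int]:
    """Verify the ICV, decrypt, strip the trailer; return (payload, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, body)):
        raise ValueError("ESP ICV check failed")
    iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    padlen, next_header = pt[-2], pt[-1]
    return pt[:len(pt) - 2 - padlen], next_header


def transport_mode(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header; protect only what follows it."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr, payload = bytearray(ip_packet[:ihl]), ip_packet[ihl:]
    esp = esp_protect(payload, hdr[9], spi, seq, key)          # Next Header = original proto
    hdr[9] = ESP
    struct.pack_into(">H", hdr, 2, ihl + len(esp))             # fix Total Length
    return bytes(hdr) + esp


def tunnel_mode(ip_packet: bytes, spi: int, seq: int, key: bytes,
                outer_src: str, outer_dst: str) -> bytes:
    """Protect the whole original packet, header included, behind a new outer header."""
    esp = esp_protect(ip_packet, IPV4_IN_IP, spi, seq, key)
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def decapsulate(packet: bytes, key: bytes) -> tuple[bytes, str]:
    """Return (inner IP packet, mode) for either encapsulation."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if hdr[9] != ESP:
        raise ValueError("not an ESP packet")
    inner, nh = esp_unprotect(packet[ihl:], key)
    if nh == IPV4_IN_IP:
        return inner, "tunnel"
    hdr[9] = nh                                                # restore original proto
    struct.pack_into(">H", hdr, 2, ihl + len(inner))
    return bytes(hdr) + inner, "transport"


def icv_rejects_tamper(packet: bytes, key: bytes) -> bool:
    """Flip one ciphertext bit and confirm the ICV check rejects the packet."""
    tampered = bytearray(packet)
    tampered[40] ^= 0x01                                       # inside the ciphertext
    try:
        decapsulate(bytes(tampered), key)
    except ValueError:
        return True
    return False


# Constructed sample: a host-to-host IPv4 packet carrying a 24-byte TCP segment stand-in.
ORIGINAL = ipv4_header("10.0.0.1", "10.0.0.2", TCP, 24) + b"\x00" * 24

if __name__ == "__main__":
    t = transport_mode(ORIGINAL, 0x1000, 1, KEY)
    u = tunnel_mode(ORIGINAL, 0x1000, 1, KEY, "192.0.2.1", "198.51.100.1")
    print("transport: proto", t[9], "src/dst visible:", t[12:20] == ORIGINAL[12:20], "len", len(t))
    print("tunnel:    proto", u[9], "outer src", list(u[12:16]), "len", len(u))
```

Running it shows the transport-mode packet is 20 bytes shorter than the tunnel-mode packet (no second IP header) and still exposes the original 10.0.0.x addresses, which is why transport mode only makes sense when the communicating hosts are themselves the IPSec peers.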
Important points to remember before enabling transport mode:
  • You can't select transport mode when NAT-T is enabled.
  • You can't bind an IKE gateway configured on a loopback interface to an IPSec tunnel in transport mode.
  • IPSec transport mode does not use proxy IDs for negotiation, so you cannot configure a proxy ID in transport mode. If a proxy ID is configured by any other method, it is replaced with 0.0.0.0/0 automatically.
  • You can use transport mode only with an auto-key (IKE-negotiated) key exchange.
  • If you configure an IKE gateway without an IPSec tunnel, IKE negotiates a tunnel mode child security association (SA) by default.
  • In IPSec transport mode without GRE encapsulation, don't route user traffic through the associated tunnel interface. Configure control protocols (for example, BGP peering sessions) on a physical interface such as ethernet1/1 instead of a tunnel interface. BGP over IPSec tunnel mode works with the tunnel interface, but BGP over IPSec transport mode works with the physical interface only.
  • By default, an IPSec tunnel operates in tunnel mode.
  • To carry multicast packets in transport mode, enable Add GRE Encapsulation.
To enable IPSec transport mode, select Network > IPSec Tunnel, open the tunnel configuration, and select Show Advanced Options. Under the advanced options, set IPSec Mode to Transport to encrypt and authenticate packets in transport mode.