IPSec Transport Mode

Configure IPSec transport mode for encrypting host-to-host communications.
While PAN-OS supports tunnel mode by default, you can now configure IPSec tunnels to use transport mode when encrypting host-to-host communications. Transport mode encrypts only the payload while retaining the original IP header. You can use transport mode to encrypt the management traffic with the most secure protocols.
Transport mode supports:
  • IPv4 address only.
  • Encapsulating Security Payload (ESP) protocol only.
  • IKEv2 only.
  • DH-group 20 for Diffie-Hellman (DH) group and perfect forward secrecy (PFS).
  • Only AES with 256-bit keys in GCM mode.
Certain protocols do not provide payload encryption when exchanging information with other peers. Some protocols use MD5 authentication between peers, which is no longer adequate for communication exposed to a public internetwork. By using IPSec, you can protect the content of management plane protocols. The default setting of IPSec is tunnel mode, which uses both encryption and authentication to protect a complete site. In some cases this is not sufficient to protect management protocol peers, since the cipher used may be independent of the site. Even within a single domain, management plane data may have to be confidential. In such cases, IPSec in transport mode enables you to encrypt the management traffic with the most secure protocols.
In transport mode, the data within the original IP packet is protected, but not the IP header. Transport mode sends encrypted traffic directly between two hosts that have previously established a secure IPSec tunnel. Transport mode should only be enabled when the device that generates and protects the packet is also the one that verifies and decrypts the packet.
Because transport mode does not create a new IP header, it is less complex than tunnel mode.
While configuring an IPSec tunnel, you can now select the IPSec Mode to establish a secure connection. That is, you can select whether to encrypt or authenticate packets in transport mode or tunnel mode.
Differences between Tunnel and Transport Mode
  • Encryption scope: Tunnel mode encrypts the entire packet, including the IP header, and a new IP header is added to the packet after encryption. Transport mode encrypts only the payload, while the original IP header is retained.
  • Tunnel monitoring: Tunnel mode uses the tunnel interface IP address. Transport mode automatically uses the IP address of the physical interface (the gateway interface IP address), and the tunnel interface IP address is ignored.
  • Double encapsulation: Tunnel mode supports double encapsulation. Transport mode does not.
  • Typical use: Tunnel mode is commonly used for site-to-site communications. Transport mode is commonly used for host-to-host communications.
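As an added worked example, not taken from the PAN-OS documentation or from any Palo Alto Networks code, the Go program below builds one constructed IPv4 packet both ways with ESP in AES-256-GCM (the only cipher this page allows for transport mode) and shows which bytes stay readable on the wire. In transport mode the original source and destination addresses remain visible and the protocol field is rewritten to 50 (ESP); in tunnel mode a new outer header carrying the gateway addresses is prepended and the whole original packet, header included, sits inside the ciphertext. The SPI, key, salt and addresses are constructed test values; on a firewall they come from the IKEv2 exchange, and anti-replay checking and extended sequence numbers are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const protoIPIP, protoUDP, protoESP = 4, 17, 50 // IP protocol numbers; IPIP marks an inner IPv4 packet (tunnel mode)
const espHdrLen, gcmIVLen = 8, 8                 // SPI+Seq header, explicit GCM IV (RFC 4106)

// SA is the minimal state of one ESP security association using AES-256-GCM (assumption: key and salt are supplied directly here; on a firewall IKEv2 derives them).
type SA struct {
	SPI, seq uint32
	salt     [4]byte
	aead     cipher.AEAD
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // 12-byte nonce = 4-byte salt || 8-byte IV
	return &SA{SPI: spi, salt: salt, aead: aead}, nil
}

// espSeal builds SPI||Seq||IV||AES-GCM(plain||pad||padLen||nextHdr)||ICV, authenticating SPI||Seq as associated data (RFC 4106).
func (sa *SA) espSeal(plain []byte, nextHdr byte) []byte {
	sa.seq++
	padLen := (4 - (len(plain)+2)%4) % 4 // RFC 4303: trailer ends on a 4-byte boundary, pad bytes are 1,2,3
	body := append(append(append([]byte{}, plain...), []byte{1, 2, 3}[:padLen]...), byte(padLen), nextHdr)
	hdr, iv := make([]byte, espHdrLen), make([]byte, gcmIVLen)
	binary.BigEndian.PutUint32(hdr, sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	binary.BigEndian.PutUint64(iv, uint64(sa.seq)) // counter IV: never repeats within the SA
	nonce := append(append(make([]byte, 0, 12), sa.salt[:]...), iv...)
	return sa.aead.Seal(append(append([]byte{}, hdr...), iv...), nonce, body, hdr)
}

// EspOpen verifies the ICV and strips the trailer; an ICV failure means the packet was modified or belongs to another SA.
func (sa *SA) EspOpen(esp []byte) ([]byte, byte, error) {
	if len(esp) < espHdrLen+gcmIVLen+sa.aead.Overhead()+2 {
		return nil, 0, errors.New("ESP packet too short")
	}
	hdr, iv := esp[:espHdrLen], esp[espHdrLen:espHdrLen+gcmIVLen]
	nonce := append(append(make([]byte, 0, 12), sa.salt[:]...), iv...)
	body, err := sa.aead.Open(nil, nonce, esp[espHdrLen+gcmIVLen:], hdr)
	if err != nil || int(body[len(body)-2])+2 > len(body) {
		return nil, 0, errors.New("ESP authentication or padding check failed")
	}
	return body[:len(body)-2-int(body[len(body)-2])], body[len(body)-1], nil
}

// setIPv4 rewrites protocol, total length and header checksum of an IPv4 header in place.
func setIPv4(h []byte, proto byte, totalLen int) {
	h[9], h[10], h[11] = proto, 0, 0
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum))
}

func ipv4Packet(src, dst [4]byte, proto byte, payload []byte) []byte {
	h := make([]byte, 20, 20+len(payload))
	h[0], h[8] = 0x45, 64 // version 4, IHL 5 words, TTL 64
	copy(h[12:], append(src[:], dst[:]...))
	setIPv4(h, proto, 20+len(payload))
	return append(h, payload...)
}

// TransportMode keeps the original IP header (protocol rewritten to ESP, length and checksum refreshed) and encrypts only the bytes after it.
func TransportMode(sa *SA, pkt []byte) []byte {
	ihl := int(pkt[0]&0x0f) * 4
	hdr := append([]byte{}, pkt[:ihl]...)
	esp := sa.espSeal(pkt[ihl:], pkt[9])
	setIPv4(hdr, protoESP, ihl+len(esp))
	return append(hdr, esp...)
}

// TunnelMode encrypts the whole original packet, header included, behind a new outer IP header with the gateway addresses.
func TunnelMode(sa *SA, pkt []byte, outerSrc, outerDst [4]byte) []byte {
	return ipv4Packet(outerSrc, outerDst, protoESP, sa.espSeal(pkt, protoIPIP))
}

func main() {
	sa, _ := NewSA(0x1000, []byte("0123456789abcdef0123456789abcdef"), [4]byte{1, 2, 3, 4}) // constructed key and salt
	orig := ipv4Packet([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, protoUDP, []byte("constructed UDP payload"))
	tr, tu := TransportMode(sa, orig), TunnelMode(sa, orig, [4]byte{203, 0, 113, 1}, [4]byte{203, 0, 113, 2})
	// Only the cleartext IP header is readable on the wire: the addresses and protocol 50 (ESP).
	fmt.Printf("transport len=%d src=%v dst=%v proto=%d\n", len(tr), tr[12:16], tr[16:20], tr[9])
	fmt.Printf("tunnel    len=%d src=%v dst=%v proto=%d\n", len(tu), tu[12:16], tu[16:20], tu[9])
}
```

Running it prints one line per mode; the tunnel-mode packet is exactly 20 bytes longer than the transport-mode packet, which is the extra IP header the comparison above describes, and its visible addresses are the gateways rather than the hosts. EspOpen is the receiving side of both modes: it rejects any packet whose ICV does not verify, which is the integrity guarantee ESP provides in either mode, and the next-header value it recovers (17 for the UDP payload, 4 for an inner IPv4 packet) is what tells a receiver which mode the SA is using.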
Important points to remember before enabling transport mode:
  • You cannot select transport mode when NAT-T is enabled.
  • You cannot configure a loopback interface to an IPSec tunnel when transport mode is enabled.
  • You can use transport mode only with an IKEv2 key exchange.
  • You should enable Add GRE Encapsulation mode to encapsulate multicast packets.
  • If you configure an IKE gateway without an IPSec tunnel, by default IKE negotiates a tunnel mode child security association (SA).
  • In IPSec transport mode, traffic does not flow if you configure BGP routes on a tunnel interface. When using IPSec transport mode for BGP routes, configure the BGP routes on a physical interface (for example, ethernet 1/1) and not on the tunnel interface. While IPSec tunnel mode for BGP routes works with the tunnel interface, IPSec transport mode for BGP routes works with the physical interface only.
  • By default, an IPSec tunnel operates in tunnel mode.
To enable IPSec transport mode, select IPSec Tunnel and then select Show Advanced Options. From Show Advanced Options, select the IPSec Mode to encrypt or authenticate packets in transport mode.
