IPSec Transport Mode
Configure IPSec transport mode for encrypting host-to-host
communications.
While PAN-OS® supports tunnel mode by default, you can now configure IPSec tunnels to use transport mode when encrypting host-to-host communications. Transport mode encrypts only the payload while retaining the original IP header. You can use transport mode to encrypt management traffic with the most secure protocols. Transport mode supports:
- IPv4 addresses only.
- Encapsulating Security Payload (ESP) protocol only.
- IKEv2 only.
- DH group 20 for the Diffie-Hellman (DH) group and perfect forward secrecy (PFS).
- Only AES with 256-bit keys in GCM mode.
Certain protocols do not provide payload encryption when exchanging information with other peers. Some protocols use MD5 authentication between peers, which is no longer adequate for communication exposed to a public internetwork. By using IPSec, you can protect the content of management plane protocols. The default IPSec setting is tunnel mode, which uses both encryption and authentication to protect a complete site. In some cases this is not sufficient to protect management protocol peers, since the cipher used may be independent of the site. Even within a single domain, management plane data may have to be confidential. In such cases, IPSec in transport mode enables you to encrypt the management traffic with the most secure protocols.
In transport mode, the data within the original IP packet is protected, but not the IP header. Transport mode sends encrypted traffic directly between two hosts that have previously established a secure IPSec tunnel. Transport mode should only be enabled when the device that generates and protects the packet is also the one that verifies and decrypts the packet. A transport mode process does not create a new IP header, and is therefore less complex.
While configuring an IPSec tunnel, you can now select the IPSec Mode as Tunnel or Transport to establish a secure connection. That is, you can select whether to encrypt or authenticate packets in transport mode or tunnel mode.

Differences between Tunnel and Transport Mode
| Tunnel Mode | Transport Mode |
|---|---|
| Encrypts the entire packet, including the IP header. A new IP header is added to the packet after encryption. | Encrypts only the payload, while the original IP header is retained. |
| Tunnel monitoring uses the tunnel interface IP address. | Tunnel monitoring automatically uses the IP address of the physical interface (gateway interface IP address); the tunnel interface IP address is ignored. |
| Supports double encapsulation. | No support for double encapsulation. |
| This mode is commonly used for site-to-site communications. | This mode is commonly used for host-to-host communications. |
Important points to remember before enabling transport mode:
- You cannot select transport mode when NAT-T is enabled.
- You cannot configure a loopback interface to an IPSec tunnel when transport mode is enabled.
- You can use transport mode only with an auto-key key exchange.
- You should enable Add GRE Encapsulation in Transport mode to encapsulate multicast packets.
- If you configure an IKE gateway without an IPSec tunnel, by default IKE negotiates a tunnel mode child security association (SA).
- In IPSec transport mode, traffic does not flow if you configure BGP routes on a tunnel interface. When using IPSec transport mode for BGP routes, configure the BGP routes on a physical interface (for example, ethernet 1/1) rather than the tunnel interface. IPSec tunnel mode for BGP routes works with the tunnel interface, but IPSec transport mode for BGP routes works with the physical interface only.
- By default, an IPSec tunnel operates in Tunnel mode.
To enable IPSec transport mode, select Network > IPSec Tunnel and then select Show Advanced Options. From Show Advanced Options, select the IPSec Mode as Transport mode to encrypt or authenticate packets in transport mode.
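As an added example (not PAN-OS code or part of this page), the following Python function checks a proposed tunnel definition against the transport-mode constraints listed above, so a reviewer can catch a NAT-T, loopback, IKEv1 or non-GCM setting before committing the configuration. The dictionary keys and the sample definitions are assumptions constructed for this example, not PAN-OS configuration keys.

```python
# Added example, not PAN-OS code: check a proposed IPSec tunnel definition
# against the transport-mode constraints listed on this page. The dictionary
# keys (mode, peer_address, protocol, ike_version, dh_group, pfs_group, cipher,
# nat_t, interface, key_exchange, multicast, gre_encapsulation) are assumed names.
import ipaddress

def check_transport_mode(tunnel: dict) -> list:
    """Return the list of violated constraints; an empty list means acceptable."""
    if tunnel.get("mode") != "transport":
        return []  # the restrictions on this page apply to transport mode only
    problems = []
    try:
        if ipaddress.ip_address(tunnel["peer_address"]).version != 4:
            problems.append("transport mode supports IPv4 peers only")
    except (KeyError, ValueError):
        problems.append("peer address missing or not a valid IP address")
    if tunnel.get("protocol") != "ESP":
        problems.append("transport mode supports the ESP protocol only")
    if tunnel.get("ike_version") != "ikev2":
        problems.append("transport mode requires IKEv2")
    if tunnel.get("dh_group") != 20 or tunnel.get("pfs_group") != 20:
        problems.append("DH group and PFS group must both be DH group 20")
    if tunnel.get("cipher") != "aes-256-gcm":
        problems.append("only AES with 256-bit keys in GCM mode is supported")
    if tunnel.get("nat_t"):
        problems.append("transport mode cannot be selected while NAT-T is enabled")
    if str(tunnel.get("interface", "")).startswith("loopback"):
        problems.append("a loopback interface cannot be used with transport mode")
    if tunnel.get("key_exchange") != "auto-key":
        problems.append("transport mode works only with an auto-key exchange")
    if tunnel.get("multicast") and not tunnel.get("gre_encapsulation"):
        problems.append("enable Add GRE Encapsulation to carry multicast packets")
    return problems

# Constructed sample definitions: one with legacy choices, and the corrected one.
WEAK_TUNNEL = {
    "mode": "transport", "peer_address": "203.0.113.10", "protocol": "ESP",
    "ike_version": "ikev1", "dh_group": 14, "pfs_group": 14,
    "cipher": "aes-256-cbc", "nat_t": True, "interface": "loopback.1",
    "key_exchange": "manual-key", "multicast": True, "gre_encapsulation": False,
}
GOOD_TUNNEL = {
    "mode": "transport", "peer_address": "203.0.113.10", "protocol": "ESP",
    "ike_version": "ikev2", "dh_group": 20, "pfs_group": 20,
    "cipher": "aes-256-gcm", "nat_t": False, "interface": "ethernet1/1",
    "key_exchange": "auto-key", "multicast": True, "gre_encapsulation": True,
}
if __name__ == "__main__":
    for name, tunnel in (("weak", WEAK_TUNNEL), ("corrected", GOOD_TUNNEL)):
        print(name, check_transport_mode(tunnel) or "OK")
```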