IPSec Transport Mode
Table of Contents
11.0 (EoL)
Expand all | Collapse all
End-of-Life (EoL)
IPSec Transport Mode
Configure IPSec transport mode for encrypting host-to-host
communications.
While PAN-OS® supports tunnel mode by default, you can now configure IPSec tunnels to
use transport mode when encrypting
host-to-host communications. Transport mode encrypts only the payload while
retaining the original IP header. You can use transport mode to encrypt the
management traffic with the most secure protocols.
Transport
mode supports:
- IPv4 address only.
- Encapsulating Security Payload (ESP) protocol only.
- IKEv2 only.
- DH-group 20 for Diffie-Hellman (DH) group and perfect forward secrecy (PFS).
- Only AES with 256-bit keys in GCM mode.
Certain protocols do not provide payload encryption when exchanging information with other peer.
Some protocols use MD5 authentication between peers, which is no lon4ger adequate
for communication exposed to a public internetwork. By using IPSec, we can protect
the content of management plane protocols. The default setting of IPSec is tunnel
mode, which uses both encryption and authentication to protect a complete site. In
some cases, this is not sufficient to protect management protocol peers since the
cipher used may be independent of the site. Even within a single domain, management
plane data may have to be confidential. In such cases, IPSec in transport mode
enables you to encrypt the management traffic with the most secure protocols.
In transport
mode, data within the original IP packet is protected, but not the
IP header. Transport mode sends encrypted traffic directly between
two hosts that have previously established a secure IPSec tunnel.
Transport mode should only be enabled when the device that generates
and protects the packet is also the one that verifies and decrypts
the packet.
A transport mode process does not create a new
IP header, therefore it is less complex.
While configuring an IPSec tunnel, you can now select the IPSec Mode as
Tunnel or Transport mode to
establish a secure connection. That is, you can select whether to encrypt or
authenticate packets in transport mode or tunnel mode.
Differences
between Tunnel and Transport Mode
Tunnel Mode | Transport Mode |
---|---|
Encrypts the entire packet, including the IP
header. A new IP header is added to the packet after encryption. | Encrypts only the payload, while the original
IP header is retained. |
Tunnel monitoring uses the tunnel interface
IP address. | Tunnel monitoring automatically uses the IP
address of the physical interface (gateway interface IP address),
and tunnel interface IP address is ignored. |
Supports double encapsulation. | No support for double encapsulation. |
This mode is commonly used for site-to-site
communications. | This mode is commonly used for host-to-host
communications. |
Important points to remember before enabling
the transport mode:
- You can't select transport mode when NAT-T is enabled.
- You can't configure an IKE gateway on a loopback interface to an IPSec tunnel with transport mode.
- IPSec transport mode does not use proxy ID settings for negotiation. Hence, you cannot configure a proxy ID in transport mode. If you attempt to configure proxy ID by any other method, it will be replaced with 0.0.0.0/0 automatically.
- You can use transport mode only with an auto-key key exchange.
- If you configure a IKE gateway without an IPSec tunnel, by default IKE negotiates a tunnel mode child security association (SA).
- In IPSec transport mode without GRE encapsulation, don't route the user traffic through the associated tunnel interface. Configure the control protocols (like, BGP peering sessions) on a physical interface (for example, ethernet1/1) instead of a tunnel interface. While IPSec tunnel mode for BGP routes works with the tunnel interface, IPSec transport mode for BGP routes works with the physical interface only.
- By default, IPSec tunnel operates in Tunnel mode.
- You should enable Add GRE Encapsulation in Transport mode to encapsulate multicast packets.
To enable IPSec transport mode,
select NetworkIPSec Tunnel and
then select Show Advanced Options. From Show Advanced
Options, select the IPSec Mode as Transport mode
to encrypt or authenticate packets in transport mode.