IKE Gateway Advanced Options Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
IKE Gateway Advanced Options Tab
- Network > Network Profiles > IKE Gateways > Advanced Options
Configure advanced IKE gateway settings such as passive mode and NAT Traversal, IKEv2
post-quantum VPNs, and IKEv1 dead peer detection.
IKE Gateway Advanced Options | Description |
|---|---|
Enable Passive Mode | Click to have the firewall only respond
to IKE connections and never initiate them. |
Enable NAT Traversal | Click to have UDP encapsulation used on
IKE and UDP protocols, enabling them to pass through intermediate
NAT devices. Enable NAT Traversal if Network Address Translation
(NAT) is configured on a device between the IPSec VPN terminating points. |
IKEv1 Tab | |
Exchange Mode | Choose auto, aggressive,
or main. In auto mode (default),
the device can accept both main mode and aggressive mode
negotiation requests; however, whenever possible, it initiates negotiation
and allows exchanges in main mode. You must configure
the peer device with the same exchange mode to allow it to accept
negotiation requests initiated from the first device. |
IKE Crypto Profile | Select an existing profile, keep the default
profile, or create a new profile. The profiles selected for IKEv1
and IKEv2 can differ. For information on IKE Crypto profiles,
see Network
> Network Profiles > IKE Crypto. |
Enable Fragmentation | Click to allow the local gateway to receive
fragmented IKE packets. The maximum fragmented packet size is 576
bytes. |
Dead Peer Detection | Click to enable and enter an interval (2
- 100 seconds) and retry count (2 - 100). Dead peer detection identifies
inactive or unavailable IKE peers and can help restore resources
that are lost when a peer is unavailable. |
|
IKEv2 Advanced Options General Tab
| |
|
IKE Crypto Profile
|
Select an existing profile, keep the default profile, or create a new
profile. The profiles selected for IKEv1 and IKEv2 can differ.
For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
|
|
Strict Cookie Validation
|
Click to enable Strict Cookie Validation on
the IKE gateway.
|
|
IKEv2 Fragmentation
|
Enable IKEv2 Fragmentation when using PQC KEMs
to handle the large key sizes and data payloads. Both VPN
termination devices should be set to the same fragmentation values.
The default MTU values are IPv4: 576 and IPv6: 1280.
|
|
Liveness Check
|
The IKEv2 Liveness Check is always on; all
IKEv2 packets serve the purpose of a liveness check. Click this box
to have the system send empty informational packets after the peer
has been idle for a specified number of seconds. Range: 2-100.
Default: 5.
If necessary, the side that is trying to send IKEv2 packets attempts
the liveness check up to 10 times (all IKEv2 packets count toward
the retransmission setting). If it gets no response, the sender
closes and deletes the IKE_SA and CHILD_SA. The sender starts over
by sending out another IKE_SA_INIT.
|
|
IKEv2 Advanced Options PQ PPK Tab
| |
|
Enable Post-Quantum Pre-Shared Key (PPK)
|
Enable Post-Quantum Pre-Shared Key (PPK)—To
use post-quantum pre-shared keys (PPKs) to create post-quantum VPNs
that resist attacks by quantum computers, enable PPKs and configure
them in VPNs that support IKEv2. PPKs aren't supported for IKEv1.
Enable Post-Quantum Pre-Shared Key (PPK)
is disabled by default.
Negotiation Mode:
PPK KeyID—A name that identifies the
associated PPK. The initiating peer PPK transmits the PPK KeyID to
the responding peer so the responding peer can look up the
associated PPK.
Post-Quantum Pre-shared Key (PPK)—The secret
key, which is associated with its KeyID. The PPK is never
transmitted between peers, so it isn't natively vulnerable to a
Harvest Now, Decrypt Later attack and it isn't vulnerable to Shor's algorithm.
For IKEv2 peers to negotiate using a PPK,
both peers must have the exact same KeyID plus PPK pairs configured
in their IKEv2 Gateways. If an initiator attempts to peer with a
responder that doesn't have the corresponding KeyID plus PPK pair,
the attempt is aborted. Activate—Shows which PPKs the firewall can
use. You must activate at least one PPK. The firewall randomly
selects a PPK from the activated PPKs to initiate IKEv2 peering with
the responding peer. You activate and deactivate PPKs when you
Add them or when you edit them. In
accordance with RFC 8784, once the firewall selects a PPK, the
firewall uses that PPK for the duration of the IKEv2 gateway's
lifetime, including through IKE rekeys. The firewall excludes
deactivated PPKs from selection.
You can Add up to ten PPK KeyID plus PPK
pairs. In the Add Post-Quantum Pre-shared Key
dialog box:
Make sure that you guard the
PPK Secret string carefully against exposure. If you need to
communicate the string to another administrator, use a secure
mechanism such as encrypted email. If bad actors obtain the PPK
Secret, they have a better chance of cracking the encryption key
with a quantum computer and Shor's algorithm. |
|
IKEv2 Advanced Options PQ KEM Tab
| |
|
Enable Post-Quantum Key Exchange
|
Enable Post-Quantum Key Exchange to use IKEv2
KEM hybrid keys. To create post-quantum VPNs that resist attacks by
quantum computers, enable hybrid keys and configure them in VPNs
that support IKEv2. Configure the IKE Crypto profile to select the
KEMs to use for the hybrid key. Enable Post-Quantum Key
Exchange is disabled by default.
Select Block IKEv2 if vulnerable cipher is
used to block IKE peering when a known vulnerable
cipher is the only available cipher. The setting is enabled by
default.
|