Network > Network Profiles

Use this page to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.

To manage, configure, restart, or refresh an IKE gateway, see the following:

IKE Gateway Management IKE Gateway General Tab IKE Gateway Advanced Options Tab IKE Gateway Restart or Refresh

IKE Gateway Management

The following table describes how to manage your IKE gateways.

Manage IKE Gateways	Description
Add	To create a new IKE gateway, click Add. See IKE Gateway General Tab and IKE Gateway Advanced Options Tab for instructions on configuring the new gateway.
Delete	To delete a gateway, select the gateway and click Delete.
Enable	To enable a gateway that has been disabled, select the gateway and click Enable, which is the default setting for a gateway.
Disable	To disable a gateway, select the gateway and click Disable.

IKE Gateway General Tab

The following table describes the beginning steps for how to configure an IKE gateway. IKE is Phase 1 of the IKE/IPSec VPN process. After performing these steps, see IKE Gateway Advanced Options Tab.

IKE Gateway General Setting	Description
Name	Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Version	Select the IKE version that the gateway supports and must agree to use with the peer gateway— IKEv1 only mode, I KEv2 only mode, or IKEv2 preferred mode. IKEv2 preferred mode causes the gateway to negotiate for IKEv2, and if the peer also supports IKEv2, that is what they will use. Otherwise, the gateway falls back to IKEv1.
IPv4 / IPv6	Select the type of IP address the gateway uses.
Interface	Specify the outgoing firewall interface to the VPN tunnel.
Local IP Address	Select or enter the IP address for the local interface that is the endpoint of the tunnel.
Peer IP Type	Select Static or Dynamic for the peer on the far end of the tunnel.
Peer IP Address	If Static is selected for Peer IP Type, specify the IP address of the peer on the remote end of the tunnel.
Authentication	Select the type of Authentication, Pre-Shared Key or Certificate, that will occur with the peer gateway. Depending on the selection, see Pre-Shared Key Fields or Certificate Fields.
Pre-Shared Key Fields
Pre-Shared Key Confirm Pre-Shared Key	If Pre-Shared Key is selected, enter a single security key to use for symmetric authentication across the tunnel. The Pre-Shared Key value is a string that the administrator creates.
Local Identification	Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one and enter a value— FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If no value is specified, the local IP address will be used as the Local Identification value.
Peer Identification	Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one and enter a value— FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If no value is specified, the peer’s IP address will be used as the Peer Identification value.
Certificate Fields
Local Certificate	If Certificate is selected as the Authentication type, from the drop-down, select a certificate that is already on the firewall. Alternatively, you can Import a certificate or Generate a new certificate: Import Certificate Name —Enter a name for the certificate you are importing. Shared —Click if this certificate is to be shared among multiple virtual systems. Certificate File —Click Browse to navigate to the location where the certificate file is located. Click on the file and select Open. File Format —Select one of the following: Base64 Encoded Certificate (PEM) —Contains the certificate, but not the key. Cleartext. Encrypted Private Key and Certificate (PKCS12) —Contains both the certificate and the key. Private key resides on Hardware Security Module —Click if the firewall is a client of an HSM server where the key resides. Import private key —Click if a private key is to be imported because it is in a different file from the certificate file. Key File —Browse and navigate to the key file to import. This entry is if you chose PEM as the File Format. Passphrase and Confirm Passphrase —Enter to access the key. Generate Certificate Name —Enter a name for the certificate you are creating. Common Name —Enter the common name, which is the IP address or FQDN to appear on the certificate. Shared —Click if this certificate is to be shared among multiple virtual systems. Signed By —Select External Authority (CSR) or enter the firewall IP address. This entry must be a CA. Certificate Authority —Click if the firewall is the root CA. OCSP Responder —Enter the OSCP that tracks whether the certificate is valid or revoked. Algorithm —Select RSA or Elliptic Curve DSA to generate the key for the certificate. Number of Bits —Select 512, 1024, 2048, or 3072 as the number of bits in the key. Digest —Select md5, sha1, sha256, sha384, or sha512 as the method to revert the string from the hash. Expiration (days) —Enter the number of days that the certificate is valid. Certificate Attributes: Type —Optionally select additional attribute types from the drop-down to be in the certificate. Value —Enter a value for the attribute.
HTTP Certificate Exchange	Click HTTP Certificate Exchange and enter the Certificate URL in order to use the Hash-and-URL method to notify the peer where to fetch the certificate. The Certificate URL is the URL of the remote server where you have stored your certificate. If the peer indicates that it too supports Hash and URL, certificates are exchanged through the SHA1 Hash and URL exchange. When the peer receives the IKE certificate payload, it sees the HTTP URL, and fetches the certificate from that server. It will use the hash specified in the certificate payload to check the certificates downloaded from the http server.
Local Identification	Identifies how the local peer is identified in the certificate. Choose one of the following types and enter the value— Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).
Peer Identification	Identifies how the remote peer is identified in the certificate. Choose one of the following types and enter the value— Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).
Peer ID Check	Select Exact or Wildcard. This setting applies to the Peer Identification that is being examined to validate the certificate. Suppose the Peer Identification was a Name equal to domain.com. If you select Exact and name of the certificate in the IKE ID payload is mail.domain2.com, the IKE negotiation will fail. But if you selected Wildcard, any character in the Name string before the wildcard asterisk (*) must match and any character after the wildcard can differ.
Permit peer identification and certificate payload identification mismatch	Select this option if you want the flexibility of having a successful IKE SA even though the peer identification does not match the certificate payload.
Certificate Profile	Select a profile or create a new Certificate Profile that configures the certificate options that apply to the certificate the local gateway sends to the peer gateway. See Device > Certificate Management > Certificate Profile.
Enable strict validation of peer’s extended key use	Select this option if you want to strictly control how the key can be used.

IKE Gateway Advanced Options Tab

Select Network > Network Profiles > IKE Gateways to configure more advanced settings for an IKE gateway.

IKE Gateway Advanced Option	Description
Enable Passive Mode	Click to have the firewall only respond to IKE connections and never initiate them.
Enable NAT Traversal	Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices. Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points.
IKEv1 Tab
Exchange Mode	Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device.
IKE Crypto Profile	Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Enable Fragmentation	Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes.
Dead Peer Detection	Click to enable and enter an interval (2 - 100 seconds) and delay before retrying (2 - 100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable.
IKEv2 Tab
IKE Crypto Profile	Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Strict Cookie Validation	Click to enable Strict Cookie Validation on the IKE gateway. When you enable Strict Cookie Validation, IKEv2 cookie validation is always enforced; the initiator must send an IKE_SA_INIT containing a cookie. When you disable Strict Cookie Validation (default), the system will check the number of half-open SAs against the global Cookie Activation Threshold, which is a VPN Sessions setting. If the number of half-open SAs exceeds the Cookie Activation Threshold, the initiator must send an IKE_SA_INIT containing a cookie.
Liveness Check	The IKEv2 Liveness Check is always on; all IKEv2 packets serve the purpose of a liveness check. Click this box to have the system send empty informational packets after the peer has been idle for a specified number of seconds (range is 2-100; default is 5). If necessary, the side that is trying to send IKEv2 packets attempts the liveness check up to 10 times (all IKEv2 packets count toward the retransmission setting). If it gets no response, the sender closes and deletes the IKE_SA and CHILD_SA. The sender starts over by sending out another IKE_SA_INIT.

IKE Gateway Restart or Refresh

Network > IPSec Tunnels

Select Network > IPSec Tunnels to display status of tunnels. In the second Status column, there is a link to the IKE Info . Click the gateway you want to restart or refresh to open the IKE Info page, click one of the entries in the list, and then choose an option:

Restart —Restarts the selected gateway. A restart will disrupt traffic going across the tunnel. The restart behaviors for IKEv1 and IKEv2 are different, as follows: IKEv1—You can restart (clear) a Phase 1 SA or Phase 2 SA independently and only that SA is affected. IKEv2—Causes all child SAs (IPSec tunnels) to be cleared when the IKEv2 SA is restarted.

If you restart the IKEv2 SA, all underlying IPSec tunnels are also cleared.

If you restart the IPSec Tunnel (child SA) associated with an IKEv2 SA, the restart will not affect the IKEv2 SA.

Refresh —Shows the current IKE SA status.

Document:PAN-OS® Web Interface Reference Guide

Network > Network Profiles > IKE Gateways

Related Documentation

Document:PAN-OS® Web Interface Reference Guide

Network > Network Profiles > IKE Gateways

Related Documentation

Set Up an IKE Gateway

Site-to-Site VPN Concepts

Set Up Tunnel Monitoring

Site-to-Site VPN with Static and Dynamic Routing

Define Cryptographic Profiles

Configure a GlobalProtect Gateway

Deploy Server Certificates to the GlobalProtect Components

Network > Network Profiles > IKE Crypto

Network > GlobalProtect > Portals

Enhanced Two-Factor Authentication