In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
- Source IP address—A network prefix, address range, specific host, or wildcard.
- Destination IP address—A network prefix, address range, specific host, or wildcard.
- Protocol—A transport protocol, such as TCP or UDP.
- Source port—The port where the packet originated.
- Destination port—The port the packet is destined for.
During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 184.108.40.206/16 through the tunnel to its peer, destined for 220.127.116.11/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.
It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address range than the range configured on the other gateway. In that case the responder narrows its range to match what the initiator proposed.
- For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 18.104.22.168/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 22.214.171.124/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the traffic selectors of the two gateways are in agreement.
- If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
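The narrowing described above (RFC 7296, section 2.9) is easier to see in code. The following Python model is an added example, not Palo Alto Networks code or anything from this page: it represents a traffic selector as a protocol, an address range and a port range, lets a responder intersect its configured selectors with the initiator's proposal, and has the initiator accept only a subset of what it proposed. Gateway A's 172.16.0.0/16 comes from the page; the 192.168.0.0/16 and 10.0.0.0/8 networks and the protocol numbers used in the usage section are constructed sample values.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing during CHILD_SA negotiation.

Added example, not Palo Alto Networks code. Apart from 172.16.0.0/16, all
addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TS:
    """One traffic selector: protocol (0 = any), an address range and a port range."""
    proto: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  ports: Tuple[int, int] = (0, 65535)) -> "TS":
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(proto, net.network_address, net.broadcast_address, ports[0], ports[1])

    def covers(self, other: "TS") -> bool:
        """True if every packet matching `other` also matches this selector."""
        return ((self.proto == 0 or self.proto == other.proto)
                and self.start_addr <= other.start_addr
                and other.end_addr <= self.end_addr
                and self.start_port <= other.start_port
                and other.end_port <= self.end_port)

    def __str__(self) -> str:
        return (f"proto {self.proto} {self.start_addr}-{self.end_addr} "
                f"ports {self.start_port}-{self.end_port}")


def narrow(configured: TS, proposed: TS) -> Optional[TS]:
    """Intersect a locally configured selector with the peer's proposal.

    Returns None when the selectors do not overlap, which a real responder
    reports as TS_UNACCEPTABLE.
    """
    if configured.proto and proposed.proto and configured.proto != proposed.proto:
        return None
    proto = configured.proto or proposed.proto          # 0 (any) yields to the specific one
    lo = max(configured.start_addr, proposed.start_addr)
    hi = min(configured.end_addr, proposed.end_addr)
    plo = max(configured.start_port, proposed.start_port)
    phi = min(configured.end_port, proposed.end_port)
    if lo > hi or plo > phi:
        return None
    return TS(proto, lo, hi, plo, phi)


# A gateway's policy for one tunnel: (local network selector, remote network selector)
Policy = Tuple[TS, TS]


def negotiate_child_sa(initiator: Policy, responder: Policy) -> Optional[Tuple[TS, TS]]:
    """Run the TSi/TSr exchange and return the agreed (TSi, TSr), or None.

    The initiator proposes TSi = its local selector and TSr = its remote one.
    The responder narrows each against its own configuration: its *remote*
    selector must overlap TSi, its *local* selector must overlap TSr.
    The initiator then checks that the responder's choice is a subset of
    what it proposed before installing the CHILD_SA.
    """
    tsi_proposed, tsr_proposed = initiator
    resp_local, resp_remote = responder
    tsi = narrow(resp_remote, tsi_proposed)
    tsr = narrow(resp_local, tsr_proposed)
    if tsi is None or tsr is None:
        return None
    if not (tsi_proposed.covers(tsi) and tsr_proposed.covers(tsr)):
        return None
    return tsi, tsr


# Gateway A: specific networks (172.16.0.0/16 from the page; 192.168.0.0/16 constructed).
GATEWAY_A: Policy = (TS.from_cidr("172.16.0.0/16"), TS.from_cidr("192.168.0.0/16"))
# Gateway B: 0.0.0.0 (any) as both source and destination.
GATEWAY_B: Policy = (TS.from_cidr("0.0.0.0/0"), TS.from_cidr("0.0.0.0/0"))
# Gateway C: a network that does not overlap A at all (constructed mismatch case).
GATEWAY_C: Policy = (TS.from_cidr("10.0.0.0/8"), TS.from_cidr("10.0.0.0/8"))

if __name__ == "__main__":
    cases = (("A initiates to B", GATEWAY_A, GATEWAY_B),
             ("B initiates to A", GATEWAY_B, GATEWAY_A),
             ("C initiates to A", GATEWAY_C, GATEWAY_A))
    for name, init, resp in cases:
        result = negotiate_child_sa(init, resp)
        print(name, "->", "no agreement" if result is None
              else f"TSi [{result[0]}] / TSr [{result[1]}]")
```

Whichever side initiates, the agreed selectors end up as A's specific networks: when A initiates, B narrows its any/any configuration down to them; when B initiates with any/any, A answers with its specific ranges and B accepts because they are a subset of what it proposed. A gateway whose configured networks do not overlap the proposal (C above) gets no CHILD_SA, which is the failure mode to look for when a tunnel's Phase 2 negotiation stalls. The `narrow` function also handles the protocol and port dimensions of a selector, so it can be applied to the per-protocol selectors (TCP and UDP from different prefixes) described earlier on the page.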