Encapsulating a packet for secure transport across the network is accomplished by
means of the IPsec protocol. For example, in the case of a site-to-site VPN, a
source host in a network transmits an IP packet. When that packet reaches the edge
of the network, it arrives at a VPN gateway. The VPN gateway that serves that
network encrypts the private IP packet and relays it over an ESP tunnel to a peer
VPN gateway at the edge of the next network, which decrypts the packet and delivers
it to the destination host.
Policy-based VPNs have specific security rules, policy rules, or access-lists
(matching on source addresses, destination addresses, and ports) that are configured
to permit the interesting traffic through IPsec tunnels. These rules are referenced
during quick mode (IPsec phase 2) and are exchanged in the first or second message
as the proxy IDs. If the Palo Alto Networks firewall is not configured with proxy ID
settings, the firewall sets the proxy ID to the default values
(source ip = 0.0.0.0/0, destination ip = 0.0.0.0/0, application:any) and exchanges
it with the peer during the first or second message of quick mode.
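The following is an added example, not code from the page or from Palo Alto Networks, that models the proxy ID exchange described above. It represents each peer's phase 2 traffic selector (local network, remote network, protocol, port), shows the default selector a firewall proposes when nothing is configured, and checks the two things a defender verifies when a phase 2 negotiation fails: whether the two peers' proxy IDs are mirror images of each other (our local must equal the peer's remote and vice versa, which is general IPsec behaviour and is assumed here rather than stated on the page), and whether a given flow is actually covered by the negotiated selector. The network values and the `proxy_id`, `mirrors`, `diagnose` and `covers_flow` names are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ProxyID:
    """One peer's phase 2 (quick mode) traffic selector as proposed to the
    other side: local network, remote network, protocol and port."""
    local: object                 # ipaddress network object (IPv4Network/IPv6Network)
    remote: object
    protocol: str = "any"         # "any", "tcp", "udp", ...
    port: Optional[int] = None    # None means any port


def proxy_id(local: str, remote: str, protocol: str = "any",
             port: Optional[int] = None) -> ProxyID:
    """Build a ProxyID from CIDR strings such as "10.1.0.0/24"."""
    return ProxyID(ip_network(local), ip_network(remote), protocol, port)


# The selector a firewall proposes when no proxy ID is configured:
# source 0.0.0.0/0, destination 0.0.0.0/0, application any.
DEFAULT_PROXY_ID = proxy_id("0.0.0.0/0", "0.0.0.0/0")


def diagnose(ours: ProxyID, peers: ProxyID) -> List[str]:
    """Compare our proposed selector with the peer's and return a list of
    mismatches; an empty list means the selectors are mirror images.
    (Assumption of this example: peers must agree on exact mirrored selectors.)"""
    problems = []
    if ours.local != peers.remote:
        problems.append(f"our local {ours.local} != peer remote {peers.remote}")
    if ours.remote != peers.local:
        problems.append(f"our remote {ours.remote} != peer local {peers.local}")
    if ours.protocol != peers.protocol:
        problems.append(f"protocol {ours.protocol} != peer protocol {peers.protocol}")
    if ours.port != peers.port:
        problems.append(f"port {ours.port} != peer port {peers.port}")
    return problems


def mirrors(ours: ProxyID, peers: ProxyID) -> bool:
    """True when the two peers' proxy IDs match and phase 2 can be established."""
    return not diagnose(ours, peers)


def covers_flow(pid: ProxyID, src: str, dst: str, protocol: str = "any",
                port: Optional[int] = None) -> bool:
    """Does this selector permit a flow from src to dst through the tunnel?
    The default 0.0.0.0/0 selector with application any covers every flow."""
    if ip_address(src) not in pid.local or ip_address(dst) not in pid.remote:
        return False
    if pid.protocol != "any" and pid.protocol != protocol:
        return False
    if pid.port is not None and pid.port != port:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: site A protects 10.1.0.0/24, site B protects 10.2.0.0/24.
    site_a = proxy_id("10.1.0.0/24", "10.2.0.0/24")
    site_b_ok = proxy_id("10.2.0.0/24", "10.1.0.0/24")
    site_b_bad = proxy_id("10.2.0.0/16", "10.1.0.0/24")   # wrong mask on B's local side

    print("A <-> B (correct):", diagnose(site_a, site_b_ok) or "match")
    print("A <-> B (wrong mask):", diagnose(site_a, site_b_bad))
    print("default selector covers 10.1.0.5 -> 10.2.0.7:",
          covers_flow(DEFAULT_PROXY_ID, "10.1.0.5", "10.2.0.7"))
    print("site A selector covers 10.1.0.5 -> 192.168.1.1:",
          covers_flow(site_a, "10.1.0.5", "192.168.1.1"))
```

In practice the peer's selector is not visible in a local configuration, so `diagnose` is most useful when fed the proxy IDs read from both sides' configurations during a phase 2 troubleshooting session; a non-empty result points to the exact field (network, protocol or port) that the two administrators have configured differently.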