IPSec VPN
Overview of IPSec VPN, IPSec tunnel modes, and IPSec VPN types.
Where Can I Use This? | What Do I Need?
- Prisma Access (IPSec tunnel transport mode is not yet supported for Prisma Access) | No license required
- PAN-OS |
IPSec VPN provides private, secure IP communication over a public network
infrastructure (for example, the internet). With this technology, sites or users in
different geographical areas can communicate over the network and safely use each
other's resources. IPSec provides data confidentiality and integrity by means of
authentication, integrity checking, and encryption.
IPSec VPN is one of the two common VPN protocols, or sets of standards, used to
establish a VPN connection. Because it operates at the IP layer, IPSec provides
secure remote access to an entire network rather than to just a single device.
IPSec VPNs come in two types, site-to-site and remote access, which are described under
IPSec VPN Types below.
Differences between IPSec and VPN
IPSec | VPN
Provides IP hosts with methods for encrypting and authenticating data sent on the IP network. | Uses encryption to obscure all data sent between the VPN client and server.
By using IPSec, entities that have IP addresses can create a secure tunnel. | Many types of VPN protocols offer varying levels of security and other features. The most commonly used tunneling protocols in the VPN industry are Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), IPSec, Secure Socket Tunneling Protocol (SSTP), and OpenVPN.
IPSec Tunnel Modes
The IPSec standards define two distinct modes of operation: tunnel mode and transport
mode. The key difference between transport and tunnel mode is where the policy rule is
applied.
Tunnel mode adds an ESP/AH header to the inner IP packet and encapsulates it in a new
outer IP packet, so the entire inner IP packet, including its IP header, is encrypted
and authenticated. Transport mode, by contrast, adds the ESP/AH header in front of the
inner packet's payload and keeps the inner packet's IP header on the outside, so only
the inner packet's payload is encrypted and authenticated.
- AH does not work through NAT because its integrity check is calculated over fields
  of the IP header: AH includes the outer IP header (its addresses among them) in the
  hash-based message authentication code (HMAC) calculation, so a NAT device that
  rewrites that header invalidates the check.
- IPSec transport mode is used for end-to-end communications, for example
between a client and a server, or between a workstation and a gateway if the
gateway is being treated as a host. A good example would be an encrypted
Telnet or Remote Desktop session from a workstation to a server.
- PAN-OS supports tunnel mode by default; support for transport mode was introduced
  in the PAN-OS 11.0 release.
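To make the AH-versus-NAT point concrete, here is an added example (not code from the Palo Alto Networks documentation or PAN-OS) that models the AH integrity check in both tunnel and transport mode: it zeroes only the mutable IPv4 fields before computing the HMAC, then runs the protected packet through a TTL-decrementing router and through a source NAT. The AH header's own fields, the key, and all addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51             # IP protocol number for Authentication Header
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; checksum left zero (not needed for the demo)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable_fields(hdr):
    """AH zeroes only mutable fields (TOS, flags/frag, TTL, checksum) before hashing;
    addresses, length and protocol are immutable and therefore stay covered."""
    ver_ihl, _, total_len, ident, _, _, proto, _, src, dst = struct.unpack(IP_FMT, hdr)
    return struct.pack(IP_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)

def ah_icv(key, hdr, protected):
    """Truncated HMAC-SHA256 over the header as AH sees it plus everything after AH
    (the AH header's own fields are omitted from the hash here for brevity)."""
    return hmac.new(key, zero_mutable_fields(hdr) + protected, hashlib.sha256).digest()[:16]

def ah_verify(key, hdr, icv, protected):
    return hmac.compare_digest(icv, ah_icv(key, hdr, protected))

def nat_rewrite(hdr, new_src):
    """What a source-NAT device does: overwrite the source address (bytes 12-15)."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]

def decrement_ttl(hdr):
    """What every router does: change a mutable field that AH deliberately ignores."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]

def ah_through_nat(mode, key=b"constructed-demo-key"):
    """Protect a packet with AH in the given mode, then pass it through a router and a NAT."""
    payload = b"constructed TCP segment"
    if mode == "tunnel":
        # Tunnel mode: the entire inner IP packet (header included) sits behind AH.
        protected = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(payload)) + payload
        src, dst = "203.0.113.1", "198.51.100.1"   # constructed gateway addresses
    else:
        # Transport mode: only the payload sits behind AH; the host's own header stays outside.
        protected, src, dst = payload, "10.1.1.10", "10.2.2.20"
    hdr = ipv4_header(src, dst, AH_PROTO, 16 + len(protected))
    icv = ah_icv(key, hdr, protected)
    return {"original": ah_verify(key, hdr, icv, protected),
            "after_ttl_decrement": ah_verify(key, decrement_ttl(hdr), icv, protected),
            "after_nat": ah_verify(key, nat_rewrite(hdr, "192.0.2.99"), icv, protected)}
```

In both modes the router hop passes and the NAT hop fails, because the header NAT rewrites is the one AH covers; ESP avoids this by leaving the outer IP header out of its integrity check.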
IPSec VPN Types
Site-to-site (or gateway-to-gateway) VPN and remote access (client-to-site) VPN are
two distinct types of VPN. Where a client-to-site VPN represents a single user
connection, a site-to-site VPN connects entire networks to each other.
In a site-to-site VPN, IPSec is used to create an encrypted tunnel from one customer
network to a remote site of the same customer. Palo Alto Networks VPN tunnels can also
be used between partners.
In a remote access VPN, individual endpoints are connected to a private network so
that they can reach the services and resources of that private network remotely.
Remote access VPN is most suitable for business and home users because it allows
multiple endpoints.