Network Security
Set Up an IPSec Tunnel
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Set Up an IPSec Tunnel
Set up an IPSec tunnel in tunnel mode or transport mode. Tunnel mode encrypts the
entire packet, including the IP header, while transport mode only encrypts the payload.
Where Can I Use This? | What Do I Need? |
---|---|
| No license required |
IPSec is a suite of protocols used to secure communications between
peers. IPSec
provides strong cryptographic security services to protect sensitive data and ensures
network privacy and integrity. IPSec can be configured to provide security for a wide
range of network topologies, including site-to-site and remote access
connections.
In IPSec, you can configure various settings, such as encryption and
authentication algorithms and security associations timeouts. One such configuration is
the IPSec mode—tunnel mode or transport mode.
Tunnel mode is commonly used in site-to-site VPNs where the communication between the
complete networks or subnets needs to be protected. Transport mode is commonly used in
end-to-end encryption between hosts. You can choose a tunnel or transport mode based on
your network structure and data security requirements.
While configuring an IPSec tunnel, you can select the IPSec mode as tunnel or transport
mode to establish a secure connection. That is, you can select whether to encrypt or
authenticate packets in
tunnel
mode
or transport
mode.
PAN-OS® supports tunnel mode by default, authenticating or encrypting the
data (IP packet) as it traverses the tunnel. Beginning with PAN-OS 11.0.0, you can use
transport mode.
Differences between Tunnel and Transport Mode
Tunnel Mode
|
Transport Mode
|
---|---|
Encrypts the entire packet, including the IP header. A new IP header
is added to the packet after encryption.
|
Encrypts only the payload, while the original IP header is retained.
|
Tunnel monitoring uses the tunnel interface IP address.
|
Tunnel monitoring automatically uses the IP address of the physical
interface (gateway interface IP address), and the tunnel interface
IP address is ignored.
|
Supports double encapsulation.
|
No support for double encapsulation.
|
Commonly used for site-to-site communications.
|
Commonly used for host-to-host communications.
|