IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another
security device, that initiate and terminate VPN connections across
the two networks are called the IKE Gateways. To set up the VPN
tunnel and send traffic between the IKE Gateways, each peer must
have an IP address (static or dynamic) or FQDN. The VPN peers use preshared
keys or certificates to mutually authenticate each other.
The peers must also negotiate the mode (main or aggressive) for
setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main
mode protects the identity of the peers and is more secure because
more packets are exchanged when setting up the tunnel. Main mode
is the recommended mode for IKE negotiation if both peers support
it. Aggressive mode uses fewer packets to set up the VPN tunnel
and is therefore faster, but it is a less secure option for setting
up the VPN tunnel.
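
The difference between the two modes is visible on the wire. The following added example (not from the Palo Alto Networks documentation) parses the ISAKMP header of an IKEv1 message as laid out in RFC 2408 and reports whether the exchange is main or aggressive and whether the ID payload is readable in cleartext. The function names and the sample packets are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408): cookies, next payload, version, exchange type,
# flags, message ID, total length. 28 bytes in network byte order.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive"}   # 2 = Identity Protection
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}


def inspect_phase1(packet: bytes) -> dict:
    """Classify one IKEv1 message and list the payloads readable in cleartext."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, nxt, version, exch, flags, _, length = HDR.unpack_from(packet)
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message")
    if not HDR.size <= length <= len(packet):
        raise ValueError("header length field does not match the packet")
    encrypted = bool(flags & 0x01)        # payloads are opaque once this is set
    payloads, off = [], HDR.size
    while nxt and not encrypted:
        if off + 4 > length:
            raise ValueError("truncated payload header")
        following, plen = struct.unpack_from("!BxH", packet, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"mode": EXCHANGE.get(exch, f"other({exch})"), "encrypted": encrypted,
            "payloads": payloads, "identity_exposed": "ID" in payloads}


def build_sample(exchange: int, types: list, flags: int = 0) -> bytes:
    """Constructed sample message; every payload carries an 8-byte dummy body."""
    body = b""
    for i in range(len(types)):
        following = types[i + 1] if i + 1 < len(types) else 0
        body += struct.pack("!BxH", following, 12) + bytes(8)
    return HDR.pack(b"I" * 8, bytes(8), types[0], 0x10, exchange, flags, 0,
                    HDR.size + len(body)) + body


if __name__ == "__main__":
    samples = {"main msg 1": build_sample(2, [1]),
               "main msg 5": build_sample(2, [5, 8], flags=0x01),
               "aggressive msg 1": build_sample(4, [1, 4, 10, 5])}
    for name, pkt in samples.items():
        print(name, inspect_phase1(pkt))
```

On a real capture, pass the UDP port 500 payload to `inspect_phase1`; traffic on UDP 4500 carries a 4-byte non-ESP marker before the ISAKMP header that has to be stripped first.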