Methods
of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or
auto keys. In addition, IPSec configuration options include Diffie-Hellman
Group for key agreement, and/or an encryption algorithm and a hash
for message authentication.
Manual Key—Manual key is typically used if the
Palo Alto Networks firewall is establishing a VPN tunnel with a
legacy device, or if you want to reduce the overhead of generating
session keys. If using manual keys, the same key must be configured
on both peers.
Manual keys are not recommended for establishing
a VPN tunnel because the session keys can be compromised when relaying
the key information between the peers; if the keys are compromised,
the data transfer is no longer secure.
Auto Key— Auto Key allows you to automatically generate
keys for setting up and maintaining the IPSec tunnel based on the
algorithms defined in the IPSec Crypto profile.