Palo Alto Networks Knowledgebase: Configuring the Palo Alto Networks Device as an IPSec Passthrough

Configuring the Palo Alto Networks Device as an IPSec Passthrough

Created On 09/25/18 17:27 PM - Last Updated 11/19/19 05:19 AM
IPSec VPNs 8.1 7.1 PAN-OS
Exception : PA-7000, PA-5200 and PA-3200 series



This document describes how to configure the Palo Alto Networks firewall to behave as an IPSec passthrough between VPN terminating devices.



Configure a security policy to allow the "ipsec" application traffic between the tunnel endpoints. This will enable the Palo Alto Networks firewall to act as vpn passthrough for traffic between vpn peers.


For example

The screenshot below shows devices and ( internally)  as the vpn peers. The application, "ipsec", is specified under the Application column.


ipsec passthrough.png


The ipsec application contains the following sub-apps:

  • ike
  • ipsec-ah
  • ipsec-esp
  • ipsec-esp-udp(NAT-T)

The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.


owner: saryan

Additional Information
On PA-7000, PA-5200 and PA-3200 series, due to an architectural difference, we use a different technique for session creation of IPSec pass-through traffic.
Security policies must be configured to allow pass-through ESP traffic in both directions on PA-7000, PA-5200 and PA-3200 series platforms.
Please refer to this article.

  • Print
  • Copy Link

Choose Language