To successfully implement an IPSec VPN on a Palo Alto Networks NGFW, the security architect must account for two distinct types of traffic:Control Plane(tunnel negotiation) andData Plane(traffic through the tunnel).

First, for the tunnel to establish, the firewall must permit negotiation traffic. While IKE (UDP 500/4500) is the protocol used, Palo Alto Networks uses theIPSec container applicationto represent the underlying encrypted tunnel traffic. This traffic is typically destined for the firewall's own "Local" zone (the management/loopback or physical interface IP). Therefore, a policy must exist to allow theipsec-esp-udpor the broaderIPSecapplication between the external-facing zone and theLocal zone.

Second, once the tunnel is active, the decrypted traffic emerges from theTunnel Interface. This interface must be assigned to a security zone (often a dedicated "VPN" zone or an existing internal zone). Because the NGFW is a stateful, zone-based firewall, theinterzone-defaultpolicy is "Deny" by default. Consequently, a pair of security policies is required to allow data to flow: one for traffic entering the tunnel (e.g., Trust to VPN) and one for traffic exiting the tunnel (e.g., VPN to Trust). Without these specific rules, the tunnel may show as "Up" (Phase 1 and 2 complete), but no production data will pass through it.