https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/ipsec-transport-mode
The linked documentation outlines new features for IPSec transport mode in PAN-OS 11.0 and clarifies the requirements for configuring IPSec in transport mode. Based on this:
Auto-Generated Key:
The documentation specifies that IPSec in transport mode requires an auto-generated key during the IKE negotiation process. This ensures the integrity and encryption of the communication channel.
Verdict: Correct.
NAT Traversal:
NAT Traversal is only relevant when NAT is present between the IPSec peers. It is not an inherent requirement for IPSec transport mode.
Verdict: Not correct.
IKEv1:
While IKE (v1 or v2) is required for IPSec, the question specifically asks for transport mode requirements, and IKEv1 is not listed as a strict transport mode requirement in the documentation.
Verdict: Not correct.
DH-group 20 (ECP-384 bits):
The documentation mentions that DH-group 20 (Elliptic Curve Protocol, 384-bit) is one of the required Diffie-Hellman groups for transport mode. This ensures secure key exchange.
Verdict: Correct.
Correct Answer
Based on the documentation:
A. Auto Generated Key
D. DH-group 20 (ECP-384 bits)
Why This Answer is Correct
Auto-generated key is fundamental to secure communication in transport mode, as stated in the PAN-OS 11.0 documentation.
DH-group 20 ensures a high level of cryptographic strength for key exchange, making it a specific requirement for transport mode in this context.
Reference
For more details, refer to the PAN-OS 11.0 IPSec Transport Mode documentation linked above.