Enable X-Auth Support for strongSwan Endpoints

Set up the IPsec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
Extended authentication (X-Auth) is not supported for Prisma Access deployments.
Select
Network
GlobalProtect
Gateways
.
Select an existing gateway or
Add
a new one.
On the
Authentication
tab of the GlobalProtect Gateway Configuration dialog, select the
Authentication Profile
you want to use.
Select
Agent
Tunnel Settings
to enable
Tunnel Mode
and specify the following settings to set up the tunnel:
Select the check box to
Enable X-Auth Support
.
Enter a
Group Name
and
Group Password
if they are not yet configured.
Click
OK
to save these tunnel settings.
Verify that the default connection settings in the
conn %default
section of the IPsec tunnel configuration file (
ipsec.conf
) are correctly defined for the strongSwan client.
The
ipsec.conf
file is usually found in the
/etc
folder.
The configurations in this procedure are tested and verified for the following releases:
Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
In the
conn %default
section of the
ipsec.conf
file, configure the following recommended settings:
ikelifetime=20m 
reauth=yes 
rekey=yes 
keylife=10m 
rekeymargin=3m 
rekeyfuzz=0% 
keyingtries=1 
type=tunnel
Modify the strongSwan client’s IPsec configuration file (
ipsec.conf
) and the IPsec password file (
ipsec.secrets
) to use recommended settings.
The
ipsec.secrets
file is usually found in the
/etc
folder.
Use the strongSwan client username as the certificate’s common name.
Configure the following recommended settings in the
ipsec.conf
file:
conn <connection name> 
keyexchange=ikev1 
ikelifetime=1440m 
keylife=60m 
aggressive=yes 
ike=aes-sha1-modp1024,aes256 
esp=aes-sha1 
xauth=client 
left=<strongSwan/Linux-client-IP-address> 
leftid=@#<hex of Group Name configured in the GlobalProtect gateway> 
leftsourceip=%modeconfig 
leftauth=psk 
rightauth=psk 
leftauth2=xauth 
right=<gateway-IP-address> 
rightsubnet=0.0.0.0/0 
xauth_identity=<LDAP username> 
auto=add
Configure the following recommended settings in the
ipsec.secrets
file:
: PSK <Group Password configured in the gateway>
	<username> : XAUTH “<user password>”
Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
Ubuntu:

ipsec start 
ipsec up <name>

CentOS:

strongSwan start
strongswan up <name>
Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
Ubuntu:

ipsec statusall [<connection name>]

CentOS:

strongswan statusall [<connection name>]
Select
Network
GlobalProtect
Gateways
. In the
Info
column, select
Remote Users
for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under
Current Users
.