Enable Two-Factor Authentication for strongSwan Endpoints
Focus
Focus
GlobalProtect

Enable Authentication Using Two-Factor Authentication

Table of Contents

Enable Two-Factor Authentication for strongSwan Endpoints

Enable Two-Factor Authentication for strongSwan Endpoints by configuring certificate and authentication profiles for the GlobalProtect gateway.
With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.
  1. Set up the IPsec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
    Extended authentication (X-Auth) is not supported for Prisma Access deployments.
    1. Select
      Network
      GlobalProtect
      Gateways
      .
    2. Select an existing gateway or
      Add
      a new one.
    3. On the
      Authentication
      tab of the GlobalProtect Gateway Configuration dialog, select the
      Certificate Profile
      and
      Authentication Profile
      that you want to use.
    4. Select
      Agent
      Tunnel Settings
      to enable
      Tunnel Mode
      and specify the following settings to set up the tunnel:
      • Select the check box to
        Enable X-Auth Support
        .
      • If a
        Group Name
        and
        Group Password
        are already configured, remove them.
      • Click
        OK
        to save these tunnel settings.
  2. Verify that the default connection settings in the
    conn %default
    section of the IPsec tunnel configuration file (
    ipsec.conf
    ) are correctly defined for the strongSwan client.
    The
    ipsec.conf
    file usually resides in the
    /etc
    folder.
    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
    Configure the following recommended settings in the
    ipsec.conf
    file:
    ikelifetime=
    20m
    reauth=
    yes
    rekey=
    yes
    keylife=
    10m
    rekeymargin=
    3m
    rekeyfuzz=
    0%
    keyingtries=
    1
    type=
    tunnel
  3. Modify the strongSwan client’s IPsec configuration file (
    ipsec.conf
    ) and the IPsec password file (
    ipsec.secrets
    ) to use recommended settings.
    The
    ipsec.secrets
    file is usually found in the
    /etc
    folder.
    Use the strongSwan client username as the certificate’s common name.
    Configure the following recommended settings in the
    ipsec.conf
    file:
    conn <
    connection name
    > keyexchange=
    ikev1
    authby=
    xauthrsasig
    ike=
    aes-sha1-modp1024
    esp=
    aes-sha1
    xauth=
    client
    left=<
    strongSwan/Linux-client-IP-address
    > leftcert=<
    client-certificate-without-password
    > leftsourceip=
    %config
    right=<
    GlobalProtect-gateway-IP-address
    > rightid=%anyCN=<
    Subject-name-of-gateway-cert
    >” rightsubnet=
    0.0.0.0/0
    leftauth2=
    xauth
    xauth_identity=<
    LDAP username
    > auto=
    add
    Configure the following recommended settings in the
    ipsec.secrets
    file:
    <
    username
    > :XAUTH “<
    user password
    >” ::RSA <
    private key file
    > “<
    passphrase if used
    >”
  4. Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
    • Ubuntu:
      ipsec start
      ipsec up
      <
      name
      >
    • CentOS:
      strongSwan start
      strongswan up
      <
      name
      >
  5. Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      • Ubuntu:
        ipsec statusall [
        <
        connection name
        >
        ]
      • CentOS:
        strongswan statusall [
        <
        connection name
        >
        ]
    2. Select
      Network
      GlobalProtect
      Gateways
      . In the
      Info
      column, select
      Remote Users
      for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under
      Current Users
      .

Recommended For You