Tunnel Mode—Select Tunnel Mode to enable tunnel mode and then specify the following settings.

Tunnel Interface—Choose a tunnel interface for access to this gateway.

Max User—Specify the maximum number of users that can simultaneously access the gateway for authentication, HIP updates, and GlobalProtect app updates. When the maximum is reached, additional users are denied access with a message indicating that the maximum number of users has been reached. The allowed range varies by platform and is displayed when the field is empty.

Enable IPSec—Select this option to enable IPSec mode for endpoint traffic, making IPSec the primary method and SSL-VPN the fallback method. The remaining IPSec options are not available until IPSec is enabled.

GlobalProtect IPSec Crypto—Select a GlobalProtect IPSec Crypto profile that specifies the authentication and encryption algorithms for the VPN tunnels. The default profile uses AES-128-CBC encryption and SHA1 authentication; where your endpoints support it, prefer a profile that uses an AEAD cipher such as AES-256-GCM rather than the CBC/SHA1 default. For details, see Network > Network Profiles > GlobalProtect IPSec Crypto.

Enable X-Auth Support—Select this option to enable Extended Authentication (X-Auth) support on the GlobalProtect gateway when IPSec is enabled. With X-Auth support, third-party IPSec VPN clients that support X-Auth (such as the built-in IPSec VPN client on Apple iOS and Android devices and the VPNC client on Linux) can establish a VPN tunnel with the GlobalProtect gateway. X-Auth provides remote access from the VPN client to a specific GlobalProtect gateway only. Because X-Auth access provides limited GlobalProtect functionality, consider using the GlobalProtect app instead for simplified access to the full security feature set that GlobalProtect provides on iOS and Android devices. Selecting Enable X-Auth Support activates the Group Name and Group Password options:

If a group name and group password are specified, the first authentication phase requires both parties to present this credential. The second phase requires a valid username and password, which is verified through the authentication profile configured in the Authentication section. Note that the group password is a single secret shared by every third-party client; only the second phase identifies an individual user.

If no group name and group password are defined, the first authentication phase is based on a valid certificate presented by the third-party VPN client. This certificate is validated through the certificate profile configured in the Authentication section.

By default, the user is not required to re-authenticate when the key used to establish the IPSec tunnel expires. To require the user to re-authenticate on rekey, clear the Skip Auth on IKE Rekey option.

Enable IKEv2—Select this option to enable IKEv2 mode for endpoint traffic, making IKEv2 the primary method. The remaining IKEv2 options are not available until IKEv2 is enabled. Selecting Enable IKEv2 activates the Select IKEv2 Only and IKEv2 Preferred options, together with the following settings:

IKE Crypto Profile—Select an IKE Crypto profile that specifies the protocol and algorithms for identification, authentication, and encryption for IKEv2. The default profile uses AES-128-CBC encryption and SHA1 authentication. For details, see Network > Network Profiles > IKE Crypto.

IPSec Crypto Profile—Select an IPSec Crypto profile that specifies the authentication and encryption algorithms for the VPN tunnels. The default profile uses AES-128-CBC encryption and SHA1 authentication. For both profiles, SHA1 is deprecated for new deployments; prefer SHA256 (or an AEAD cipher) where the clients support it. For details, see Network > Network Profiles > IPSec Crypto.

Authentication—Select either Pre-Shared Key or Certificate as the authentication method. If you select Certificate, the certificate profile specified in the Authentication tab of the gateway is reused. A pre-shared master key is one secret distributed to every IKEv2 client, so prefer Certificate where you can manage client certificates.

Master Key—For the Pre-Shared Key authentication method, either enter a master key or click Generate Strong Master Key and copy-paste the generated value here.

Confirm Master Key—For the Pre-Shared Key authentication method, re-enter the master key or, if you generated it, paste the same value here again.

Master Key Length [characters]—Enter the length in characters of the master key to generate. The master key length must be between 32 and 128 characters.
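The settings above describe several places where the documented default (AES-128-CBC with SHA1, a shared group password, a pre-shared master key) is weaker than an available alternative. The following is an added example, not Palo Alto Networks code: it audits a tunnel-mode configuration against a local crypto policy and enforces the documented 32 to 128 character master-key range. The dictionary layout, the policy thresholds, and the two sample configurations are assumptions of this example and do not correspond to the PAN-OS configuration schema or any PAN-OS API.

```python
"""Audit GlobalProtect gateway tunnel-mode settings against a local crypto policy.

Added example; not Palo Alto Networks code. The dictionary layout is an
assumption made for this illustration: it names the settings described on the
page but is not the PAN-OS configuration schema, and the policy thresholds are
this example's own choices.
"""
import secrets
import string

# Policy choices for this example (not values taken from the page).
LEGACY_ENCRYPTION = {"des", "3des", "aes-128-cbc"}   # non-AEAD or short-key ciphers
AEAD_ENCRYPTION = {"aes-128-gcm", "aes-256-gcm"}     # GCM carries its own integrity check
WEAK_AUTH = {"md5", "sha1"}                          # deprecated for new deployments
WEAK_DH_GROUPS = {"group1", "group2", "group5"}
MASTER_KEY_MIN, MASTER_KEY_MAX = 32, 128             # range stated on the page
KEY_ALPHABET = string.ascii_letters + string.digits


def audit_crypto_profile(name, profile):
    """Return a list of findings for one profile dict.

    profile = {"encryption": [...], "authentication": [...], "dh_group": [...]}
    ("dh_group" is optional; the GlobalProtect IPSec Crypto profile has none).
    """
    findings = []
    enc = set(profile.get("encryption", []))
    auth = set(profile.get("authentication", []))
    dh = set(profile.get("dh_group", []))
    for alg in sorted(enc & LEGACY_ENCRYPTION):
        findings.append(f"{name}: {alg} is allowed; prefer aes-256-gcm where clients support it")
    # With a non-AEAD cipher the authentication algorithm is what protects
    # integrity, so a weak hash matters there; with GCM only, it does not.
    weak_hashes = sorted(auth & WEAK_AUTH)
    if weak_hashes and (enc - AEAD_ENCRYPTION):
        findings.append(f"{name}: {'/'.join(weak_hashes)} protects a non-AEAD cipher; prefer sha256 or stronger")
    for group in sorted(dh & WEAK_DH_GROUPS):
        findings.append(f"{name}: {group} is allowed; prefer group14 or an ECDH group")
    return findings


def master_key_is_valid(key):
    """Enforce the documented 32-128 character range for the IKEv2 pre-shared master key."""
    return MASTER_KEY_MIN <= len(key) <= MASTER_KEY_MAX


def generate_master_key(length=64):
    """CSPRNG-backed stand-in for 'Generate Strong Master Key' at a chosen length."""
    if not MASTER_KEY_MIN <= length <= MASTER_KEY_MAX:
        raise ValueError(f"length must be {MASTER_KEY_MIN}-{MASTER_KEY_MAX} characters")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def audit_tunnel_settings(cfg):
    """Walk the tunnel-mode settings and collect findings; an empty list means the policy passed."""
    findings = []
    if cfg.get("enable_ipsec"):
        findings += audit_crypto_profile("GlobalProtect IPSec Crypto", cfg["gp_ipsec_crypto"])
        if cfg.get("enable_xauth") and cfg.get("group_password"):
            # One group password is shared by every third-party client; only the
            # second phase (per-user credentials) actually identifies the user.
            findings.append("X-Auth: group password is a shared secret; phase 1 is not user authentication")
    if cfg.get("enable_ikev2"):
        findings += audit_crypto_profile("IKE Crypto", cfg["ike_crypto"])
        findings += audit_crypto_profile("IPSec Crypto", cfg["ipsec_crypto"])
        if cfg.get("authentication") == "pre-shared-key":
            if not master_key_is_valid(cfg.get("master_key", "")):
                findings.append("IKEv2: master key length outside the 32-128 character range")
    return findings


# Constructed samples: the page's documented defaults versus a hardened configuration.
DEFAULT_LIKE = {
    "enable_ipsec": True,
    "gp_ipsec_crypto": {"encryption": ["aes-128-cbc"], "authentication": ["sha1"]},
    "enable_xauth": True,
    "group_password": "shared-by-all-clients",
    "enable_ikev2": True,
    "ike_crypto": {"encryption": ["aes-128-cbc"], "authentication": ["sha1"], "dh_group": ["group2"]},
    "ipsec_crypto": {"encryption": ["aes-128-cbc"], "authentication": ["sha1"]},
    "authentication": "pre-shared-key",
    "master_key": "too-short",
}
HARDENED = {
    "enable_ipsec": True,
    "gp_ipsec_crypto": {"encryption": ["aes-256-gcm"], "authentication": ["sha1"]},
    "enable_ikev2": True,
    "ike_crypto": {"encryption": ["aes-256-cbc"], "authentication": ["sha256"], "dh_group": ["group14"]},
    "ipsec_crypto": {"encryption": ["aes-256-gcm"], "authentication": ["sha256"]},
    "authentication": "certificate",
}

if __name__ == "__main__":
    for label, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(label, "->", audit_tunnel_settings(cfg) or ["no findings"])
```

Run as a script, the default-like configuration produces nine findings (legacy cipher and SHA1 on all three profiles, DH group2 in the IKE profile, the shared X-Auth group password, and a master key below the 32-character minimum) and the hardened one produces none. The SHA1 check is deliberately skipped when every allowed cipher is an AEAD mode, since GCM then provides integrity on its own; the GlobalProtect IPSec Crypto profile in the hardened sample keeps SHA1 listed for that reason.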