Basic LSVPN Configuration with Static Routing

Basic LSVPN Configuration with Static Routing

This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

1. Configure a Layer 3 interface.
   In this example, the Layer 3 interface on the portal/gateway requires the following configuration:

   • Interface—ethernet1/11
   • Security Zone—lsvpn-tun
   • IPv4—203.0.113.11/24
2. On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
   To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.

   In this example, the Tunnel interface on the portal/gateway requires the following configuration:

   • Interface—tunnel.1
   • Security Zone—lsvpn-tun
3. Create the Security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpn-tun) and the trust zone where the corporate applications reside (L3-Trust).
   See Create a Security Policy Rule.
4. Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate.
   The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.
   1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
   2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
      Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpnserver.
5. Create a certificate profile.
   In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.
6. Configure an authentication profile for the portal to use if the satellite serial number is not available.
   1. Create one type of server profile on the portal:
      • Add a RADIUS server profile.
        You can use RADIUS to integrate with a Multi-Factor Authentication service.

      • Add a TACACS+ server profile.
      • Add a SAML IdP server profile.
      • Add a Kerberos server profile.
      • Add an LDAP server profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
   2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.
7. Configure GlobalProtect Gateways for LSVPN.
   Select NetworkGlobalProtectGateways and Add a configuration. This example requires the following gateway configuration:

   • Interface—ethernet1/11
   • IP Address—203.0.113.11/24
   • SSL/TLS Server Profile—lsvpnserver
   • Certificate Profile—lsvpn-profile
   • Tunnel Interface—tunnel.1
   • Primary DNS/Secondary DNS—4.2.2.1/4.2.2.2
   • IP Pool—2.2.2.111-2.2.2.120
   • Access Route—10.2.10.0/24
8. Configure the Portal.
   Select NetworkGlobalProtectPortal and Add a configuration. This example requires the following portal configuration:

   • Interface—ethernet1/11
   • IP Address—203.0.113.11/24
   • SSL/TLS Server Profile—lsvpnserver
   • Authentication Profile—lsvpn-sat
9. Define the Satellite Configurations.
   On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as following:

   • Gateway—203.0.113.11
   • Issuing Certificate—lsvpn-CA
   • Trusted Root CA—lsvpn-CA
10. Prepare the Satellite to Join the LSVPN.
    The satellite configuration in this example requires the following settings:

    Interface Configuration

    • Layer 3 interface—ethernet1/1, 203.0.113.13/24
    • Tunnel interface—tunnel.2
    • Zone—lsvpnsat

    Root CA Certificate from Portal

    • lsvpn-CA

    IPSec Tunnel Configuration

    • Tunnel Interface—tunnel.2
    • Portal Address—203.0.113.11
    • Interface—ethernet1/1
    • Local IP Address—203.0.113.13/24
    • Publish all static and connected routes to Gateway—enabled