Enable Authentication Using a Certificate Profile
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
- Configure an IPsec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.Extended authentication (X-Auth) is not supported for Prisma Access deployments.
- Select an existing gateway orAdda new one.
- On theAuthenticationtab of the GlobalProtect Gateway Configuration dialog, select theCertificate Profilethat you want to use for authentication.
- Selectto enableAgentTunnel SettingsTunnel Modeand specify the following settings to set up the tunnel:
- Select the check box toEnable X-Auth Support.
- If aGroup NameandGroup Passwordare already configured, remove them.
- ClickOKto save the settings.
- Verify that the default connection settings in theconn %defaultsection of the IPsec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.Theipsec.conffile is usually found in the/etcfolder.The configurations in this procedure are tested and verified for the following releases:
The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.Modify the following settings in theconn %defaultsection of theipsec.conffile to these recommended settings.ikelifetime=20m reauth=yes rekey=yes keylife=10m rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
- Modify the strongSwan client’s IPsec configuration file (ipsec.conf) and the IPsec password file (ipsec.secrets) to use recommended settings.Theipsec.secretsfile is usually found in the/etcfolder.Use the strongSwan client username as the certificate’s common name.Modify the following items in theipsec.conffile to these recommended settings.conn <connection name> keyexchange=ikev1 authby=rsasig ike=aes-sha1-modp1024,aes256 left=<strongSwan/Linux-client-IP-address> leftcert=<client certificate with the strongSwan client username used as the certificate’s common name> leftsourceip=%config leftauth2=xauth right=<GlobalProtect-Gateway-IP-address> rightid=“CN=<Subject-name-of-gateway-certificate>” rightsubnet=0.0.0.0/0 auto=addModify the following items in theipsec.conffile to these recommended settings.:RSA <private key file> “<passphrase if used>”
- Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.Use theconfig <name>variable to name the tunnel configuration.
- Ubuntu:ipsec start ipsec up <name>
- CentOS:strongSwan start strongswan up <name>
- Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
- Ubuntu:ipsec statusall [<connection name>]
- CentOS:strongswan statusall [<connection name>]
- Select. In theNetworkGlobalProtectGatewaysInfocolumn, selectRemote Usersfor the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed underCurrent Users.
Recommended For You
Recommended videos not found.