Enable Authentication Using Two-Factor Authentication
With two-factor authentication, the strongSwan
client needs to successfully authenticate using both a certificate
profile and an authentication profile to connect to the GlobalProtect
gateway. The following workflow shows how to enable authentication
for strongSwan clients using two-factor authentication.
- Set up the IPsec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client. Extended authentication (X-Auth) is not supported for Prisma Access deployments.
  - Select Network > GlobalProtect > Gateways.
  - Select an existing gateway or Add a new one.
  - On the Authentication tab of the GlobalProtect Gateway Configuration dialog, select the Certificate Profile and Authentication Profile that you want to use.
  - Select Agent > Tunnel Settings, select Tunnel Mode to enable it, and specify the following settings to set up the tunnel:
    - Select the check box to Enable X-Auth Support.
    - If a Group Name and Group Password are already configured, remove them.
  - Click OK to save these tunnel settings.
- Verify that the default connection settings in the conn %default section of the IPsec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client. The ipsec.conf file usually resides in the /etc folder. The configurations in this procedure are tested and verified for the following releases:
  - Ubuntu 14.04 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
  - Ubuntu 14.04 with strongSwan 5.2.1 for PAN-OS 7.0.
  Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information. Configure the following recommended settings in the ipsec.conf file:

      conn %default
          ikelifetime=20m
          reauth=yes
          rekey=yes
          keylife=10m
          rekeymargin=3m
          rekeyfuzz=0%
          keyingtries=1
          type=tunnel

- Modify the strongSwan client's IPsec configuration file (ipsec.conf) and the IPsec password file (ipsec.secrets) to use the recommended settings. The ipsec.secrets file is usually found in the /etc folder. Use the strongSwan client username as the certificate's common name. Configure the following recommended settings in the ipsec.conf file:

      conn <connection name>
          keyexchange=ikev1
          authby=xauthrsasig
          ike=aes-sha1-modp1024
          esp=aes-sha1
          xauth=client
          left=<strongSwan/Linux-client-IP-address>
          leftcert=<client-certificate-without-password>
          leftsourceip=%config
          right=<GlobalProtect-gateway-IP-address>
          # Match the gateway certificate's subject; rightid=%any would accept any peer identity.
          rightid="CN=<Subject-name-of-gateway-cert>"
          rightsubnet=0.0.0.0/0
          leftauth2=xauth
          xauth_identity=<LDAP username>
          auto=add

  Configure the following recommended settings in the ipsec.secrets file:

      <username> : XAUTH "<user password>"
      : RSA <private key file> "<passphrase if used>"
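The two configuration steps above are easy to get subtly wrong by hand (a rekey value left at a distribution default, or a gateway identity left unpinned). The following Python script is an added example, not code from the GlobalProtect documentation or the strongSwan project: it parses a classic ipsec.conf (conn headers with indented key=value lines, conn %default inherited by every other conn) and reports every setting that deviates from the values recommended in this procedure. The sample configuration embedded in it is constructed for the example; the addresses, certificate file name and username are placeholders.

```python
"""Lint a strongSwan ipsec.conf against the recommended settings above.

Added example (not from the GlobalProtect documentation or strongSwan).
Parses the classic ipsec.conf format and flags deviations from the
recommended conn %default and GlobalProtect conn settings.
"""
from __future__ import annotations

# Recommended conn %default values from the procedure.
RECOMMENDED_DEFAULT = {
    "ikelifetime": "20m", "reauth": "yes", "rekey": "yes", "keylife": "10m",
    "rekeymargin": "3m", "rekeyfuzz": "0%", "keyingtries": "1", "type": "tunnel",
}
# Fixed values the GlobalProtect conn is expected to carry.
RECOMMENDED_CONN = {
    "keyexchange": "ikev1", "authby": "xauthrsasig", "ike": "aes-sha1-modp1024",
    "esp": "aes-sha1", "xauth": "client", "leftsourceip": "%config",
    "rightsubnet": "0.0.0.0/0", "leftauth2": "xauth", "auto": "add",
}
# Deployment-specific keys that must be present but have no fixed value.
REQUIRED_CONN_KEYS = ("left", "leftcert", "right", "rightid", "xauth_identity")

# Constructed sample configuration; addresses and names are placeholders.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
config setup
    charondebug="ike 1"

conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel

conn gp-gateway
    keyexchange=ikev1
    authby=xauthrsasig
    ike=aes-sha1-modp1024
    esp=aes-sha1
    xauth=client
    left=192.0.2.10
    leftcert=clientCert.pem
    leftsourceip=%config
    right=203.0.113.1
    rightid=%any
    rightsubnet=0.0.0.0/0
    leftauth2=xauth
    xauth_identity=jdoe
    auto=add
    keyingtries=3
"""


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented line: a section header
            parts = line.split(None, 1)
            if parts[0] == "conn" and len(parts) == 2:
                current = parts[1].strip()
                sections[current] = {}
            else:
                current = None  # "config setup" and "ca" sections are ignored
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **kv} for name, kv in sections.items()}


def lint_conn(name: str, kv: dict[str, str]) -> list[str]:
    """Return human-readable findings for one (already merged) connection."""
    findings = []
    for key, want in {**RECOMMENDED_DEFAULT, **RECOMMENDED_CONN}.items():
        got = kv.get(key)
        if got is None:
            findings.append(f"{name}: {key} is not set (recommended {want})")
        elif got != want:
            findings.append(f"{name}: {key}={got} (recommended {want})")
    for key in REQUIRED_CONN_KEYS:
        if not kv.get(key):
            findings.append(f"{name}: {key} must be set")
    # Pinning rightid to the gateway certificate's CN is what makes the client
    # reject a peer that presents some other certificate the CA would sign.
    if kv.get("rightid", "").lower() == "%any":
        findings.append(f"{name}: rightid=%any accepts any peer identity; "
                        "set rightid to the gateway certificate's CN")
    return findings


def lint_ipsec_conf(text: str) -> dict[str, list[str]]:
    """Lint every conn in an ipsec.conf; an empty list means no deviations."""
    return {name: lint_conn(name, kv) for name, kv in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for conn, findings in lint_ipsec_conf(SAMPLE_CONF).items():
        print(conn, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the script reports two findings for gp-gateway: keyingtries overridden to 3 instead of the recommended 1, and rightid left at %any instead of the gateway certificate's CN. Point it at /etc/ipsec.conf by reading the file into lint_ipsec_conf.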
- Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
  - Ubuntu:

        ipsec start
        ipsec up <name>

  - CentOS:

        strongswan start
        strongswan up <name>
- Verify that the tunnel is set up correctly and that the VPN connection is established on both the strongSwan client and the GlobalProtect gateway.
  - Verify the detailed status information for a specific connection (by naming the connection) or for all connections from the strongSwan client:
    - Ubuntu: ipsec statusall [<connection name>]
    - CentOS: strongswan statusall [<connection name>]
  - Select Network > GlobalProtect > Gateways. In the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.