Enable Authentication Using a Certificate Profile

The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
  1. Configure an IPSec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
    1. Select
      Network
      GlobalProtect
      Gateways
      and then select the gateway name.
    2. Select the
      Certificate Profile
      you want to use for authentication in the
      Authentication
      tab.
    3. Select
      Agent
      Tunnel Settings
      and specify the following settings to set up a tunnel:
      • Select the check box to
        Enable X-Auth Support
        .
      • If a
        Group Name
        and
        Group Password
        are already configured, remove them.
      • Click
        OK
        to save the settings.
  2. Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.
    The ipsec.conf file is usually found in the /etc folder.
    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
    In the conn %default section of the ipsec.conf file, configure the following recommended settings.
    ikelifetime=
    20m
    reauth=
    yes
    rekey=
    yes
    keylife=
    10m
    rekeymargin=
    3m
    rekeyfuzz=
    0%
    keyingtries=
    1
    type=
    tunnel
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  3. Modify the strongSwan client’s IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.
    The ipsec.secrets file is usually found in the /etc folder.
    Use the strongSwan client username as the certificate’s common name.
    Configure the following recommended settings in the ipsec.conf file:
    conn <
    connection name
    > keyexchange=
    ikev1
    authby=
    rsasig
    ike=
    aes-sha1-modp1024,aes256
    left=<
    strongSwan/Linux-client-IP-address
    > leftcert=<
    client certificate with the strongSwan client username used as the certificate’s common name
    > leftsourceip=
    %config
    leftauth2=
    xauth
    right=<
    GlobalProtect-gateway-IP-address
    > rightid=“
    CN=<Subject-name-of-gateway-cert>
    ” rightsubnet=
    0.0.0.0/0
    auto=
    add
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    Configure the following recommended settings in the ipsec.secrets file:
    :RSA <
    private key file
    > “<
    passphrase if used
    >”
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  4. Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
    Use the
    config <name>
    variable to name the tunnel configuration.
    Ubuntu clients:
    ipsec start ipsec up <
    name
    >
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    CentOS clients:
    strongSwan start strongswan up <
    name
    >
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  5. Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      • Ubuntu clients:
      ipsec statusall [<
      connection name
      >]
      Code copied to clipboard
      Unable to copy due to lack of browser support.
      • CentOS clients:
      strongswan statusall [<
      connection name
      >]
      Code copied to clipboard
      Unable to copy due to lack of browser support.
    2. Select
      Network
      GlobalProtect
      Gateways
      . Then, in the Info column, select
      Remote Users
      for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under
      Current Users
      .

Related Documentation