Enable Authentication Using a Certificate Profile
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
- Configure an IPSec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
  - Select Network > GlobalProtect > Gateways, and then select the gateway name.
  - On the Authentication tab, select the Certificate Profile you want to use for authentication.
  - Select Agent > Tunnel Settings and specify the following settings to set up the tunnel:
  - Select the Enable X-Auth Support check box.
  - If a Group Name and Group Password are already configured, remove them, so that the gateway authenticates the strongSwan client by its certificate rather than by group credentials.
  - Click OK to save the settings.
- Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client. The ipsec.conf file is usually found in the /etc folder.
  The configurations in this procedure are tested and verified for the following releases:
  - Ubuntu 14.04 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
  - Ubuntu 14.04 with strongSwan 5.2.1 for PAN-OS 7.0.
  The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
  In the conn %default section of the ipsec.conf file, configure the following recommended settings:

```
conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel
```
- Modify the strongSwan client's IPSec configuration file (ipsec.conf) and the IPSec secrets file (ipsec.secrets) to use the recommended settings. The ipsec.secrets file is usually found in the /etc folder. Use the strongSwan client username as the common name (CN) of the client certificate, because that is the identity the gateway reports for the user.
  Configure the following recommended settings in the ipsec.conf file:

```
conn <connection name>
    keyexchange=ikev1
    authby=rsasig
    ike=aes-sha1-modp1024,aes256
    left=<strongSwan/Linux-client-IP-address>
    leftcert=<client certificate whose common name is the strongSwan client username>
    leftsourceip=%config
    leftauth2=xauth
    right=<GlobalProtect-gateway-IP-address>
    rightid="CN=<Subject-name-of-gateway-cert>"
    rightsubnet=0.0.0.0/0
    auto=add
```

  The ike= proposal shown (AES with SHA-1 and the 1024-bit modp1024 Diffie-Hellman group) is what was tested for the releases listed above. SHA-1 and 1024-bit Diffie-Hellman are considered weak today, so if the gateway's IKE crypto profile permits it, use a stronger proposal such as aes256-sha256-modp2048. Whichever proposal you choose must match the gateway's IKE crypto profile, or IKE negotiation fails. The rightid value must match the subject of the certificate the gateway presents, otherwise the client rejects the gateway.
  Configure the following recommended settings in the ipsec.secrets file:

```
: RSA <private key file> "<passphrase if used>"
```

  Keep ipsec.secrets readable only by root (mode 0600), since it names the client's private key and, if used, its passphrase.
- Start the strongSwan IPSec service and bring up the tunnel that the strongSwan client uses to authenticate to the GlobalProtect gateway. Here <name> is the connection name you gave the conn <name> section in ipsec.conf.
  Ubuntu clients:

```
ipsec start
ipsec up <name>
```

  CentOS clients:

```
strongswan start
strongswan up <name>
```
- Verify that the tunnel is set up correctly and the VPN connection is established on both the strongSwan client and the GlobalProtect gateway.
  - On the strongSwan client, view the detailed status of a specific connection (by naming it) or of all connections. An established tunnel shows the IKE SA as ESTABLISHED and the CHILD SA as INSTALLED.
  Ubuntu clients:

```
ipsec statusall [<connection name>]
```

  CentOS clients:

```
strongswan statusall [<connection name>]
```
  - Select Network > GlobalProtect > Gateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.
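The following POSIX shell script is an added example; it is not part of this documentation and is neither a Palo Alto Networks nor a strongSwan tool. It lints a strongSwan client's ipsec.conf and ipsec.secrets against the settings the procedure above prescribes, so the files can be checked before running ipsec up, and it goes one step beyond the page by flagging the weak algorithms in the tested ike= proposal (SHA-1, 1024-bit modp) so the proposal can be aligned with the gateway's IKE crypto profile. The connection name gp-tunnel, the addresses, certificate and key file names in write_sample_files, and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks documentation and not a strongSwan tool):
# lint a strongSwan client's ipsec.conf and ipsec.secrets against the settings the
# procedure above prescribes, before running "ipsec up <name>". The conn name gp-tunnel,
# the values in write_sample_files and the function names are this example's assumptions.

# conf_get FILE SECTION KEY: print the value of KEY in "conn SECTION"; a section ends
# at the next line that starts in column 1 (for example the next conn).
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[^ \t#]/ { insec = ($1 == "conn" && $2 == want); next }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                gsub(/^"|"$/, "", val)          # strip surrounding quotes
                print val; exit
            }
        }' "$1"
}

# expect FILE SECTION KEY VALUE: report a mismatch and return 1.
expect() {
    got=$(conf_get "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL: $2: $3=${got:-<unset>} (expected $4)"; return 1
}

# weak_proposal PROPOSAL: return 0 (and say why) if the ike= proposal relies on
# algorithms that should no longer be used; the page's own proposal triggers this.
weak_proposal() {
    weak=""
    case "$1" in *modp1024*) weak="$weak modp1024(DH-group-2)";; esac
    case "$1" in *sha1*|*md5*|*3des*) weak="$weak legacy-hash-or-cipher";; esac
    [ -n "$weak" ] && echo "WARN: ike=$1 uses:$weak; prefer e.g. aes256-sha256-modp2048 if the gateway IKE crypto profile allows it"
    [ -n "$weak" ]
}

# lint_conf FILE CONN: check the %default and per-connection settings; the return
# value is the number of failed checks (0 = the file follows the procedure).
lint_conf() {
    n=0
    for kv in ikelifetime=20m reauth=yes rekey=yes keylife=10m \
              rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel; do
        expect "$1" %default "${kv%%=*}" "${kv#*=}" || n=$((n + 1))
    done
    for kv in keyexchange=ikev1 authby=rsasig leftauth2=xauth \
              leftsourceip=%config rightsubnet=0.0.0.0/0 auto=add; do
        expect "$1" "$2" "${kv%%=*}" "${kv#*=}" || n=$((n + 1))
    done
    # rightid pins the subject that the gateway certificate must present.
    case "$(conf_get "$1" "$2" rightid)" in CN=*) ;;
        *) echo "FAIL: $2: rightid must be \"CN=<gateway cert subject>\""; n=$((n + 1));; esac
    [ -n "$(conf_get "$1" "$2" leftcert)" ] || { echo "FAIL: $2: leftcert unset"; n=$((n + 1)); }
    weak_proposal "$(conf_get "$1" "$2" ike)" || true
    return $n
}

# check_secrets FILE: an RSA key entry must exist and the file must be owner-only,
# since it names the client private key and its passphrase.
check_secrets() {
    n=0
    grep -q '^[[:space:]]*:[[:space:]]*RSA[[:space:]]' "$1" \
        || { echo "FAIL: $1: no ': RSA <keyfile>' entry"; n=$((n + 1)); }
    case "$(ls -ld "$1" | cut -c1-10)" in ????------) ;;
        *) echo "FAIL: $1: must not be group/world readable (chmod 600)"; n=$((n + 1));; esac
    return $n
}

# write_sample_files DIR: constructed sample files that follow the procedure
# (placeholder addresses and file names, not a real deployment).
write_sample_files() {
    { echo 'conn %default'
      printf '    %s\n' ikelifetime=20m reauth=yes rekey=yes keylife=10m \
                        rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
      echo; echo 'conn gp-tunnel'
      printf '    %s\n' keyexchange=ikev1 authby=rsasig ike=aes-sha1-modp1024,aes256 \
          left=192.0.2.10 leftcert=alice.crt leftsourceip=%config leftauth2=xauth \
          right=198.51.100.1 'rightid="CN=gp-gateway.example.com"' rightsubnet=0.0.0.0/0 auto=add
    } > "$1/ipsec.conf"
    printf ': RSA alice.key "changeit"\n' > "$1/ipsec.secrets"; chmod 600 "$1/ipsec.secrets"
}

# run_checks CONF CONN SECRETS: return 0 only if every check passed.
run_checks() {
    rc=0; lint_conf "$1" "$2" || rc=$?
    check_secrets "$3" || rc=$((rc + $?))
    [ "$rc" -eq 0 ] && echo "OK: $1 ($2) and $3 follow the procedure"; return $rc
}

# Usage: sh gp_strongswan_lint.sh /etc/ipsec.conf <conn name> /etc/ipsec.secrets
# (with no arguments the constructed sample is linted instead).
if [ $# -lt 3 ]; then tmp=$(mktemp -d); write_sample_files "$tmp"; set -- "$tmp/ipsec.conf" gp-tunnel "$tmp/ipsec.secrets"; fi
run_checks "$1" "$2" "$3" || true
[ -z "${tmp:-}" ] || rm -rf "$tmp"
```

Run it against the real files before bringing the tunnel up; a non-zero return from run_checks lists each setting that deviates from the procedure, and the WARN line on the tested proposal is expected until the proposal is strengthened on both ends.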