Enable Authentication Using an Authentication Profile

The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies which server profile to use when authenticating strongSwan clients.
  1. Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
    1. Select NetworkGlobalProtectGateways and select the gateway name.
    2. Select the Authentication Profile you want to use in the Authentication tab.
    3. Select AgentTunnel Settings and specify the following settings to set up a tunnel:
      • Select the check box to Enable X-Auth Support.
      • Enter a Group Name and Group Password if they are not already configured.
      • Click OK to save these tunnel settings.
  2. Verify that the default connection settings in the conn %default section of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.
    The ipsec.conf file is usually found in the /etc folder.
    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
    In the conn %default section of the ipsec.conf file, configure the following recommended settings:
    ikelifetime=20m 
    reauth=yes 
    rekey=yes 
    keylife=10m 
    rekeymargin=3m 
    rekeyfuzz=0% 
    keyingtries=1 
    type=tunnel
  3. Modify the strongSwan client’s IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.
    The ipsec.secrets file is usually found in the /etc folder.
    Use the strongSwan client username as the certificate’s common name.
    Configure the following recommended settings in the ipsec.conf file:
    conn <connection name> 
    keyexchange=ikev1 
    ikelifetime=1440m 
    keylife=60m 
    aggressive=yes 
    ike=aes-sha1-modp1024,aes256 
    esp=aes-sha1 
    xauth=client 
    left=<strongSwan/Linux-client-IP-address> 
    leftid=@#<hex of Group Name configured in the GlobalProtect gateway> 
    leftsourceip=%modeconfig 
    leftauth=psk 
    rightauth=psk 
    leftauth2=xauth 
    right=<gateway-IP-address> 
    rightsubnet=0.0.0.0/0 
    xauth_identity=<LDAP username> 
    auto=add
    Configure the following recommended settings in the ipsec.secrets file:
    : PSK <Group Password configured in the gateway>
    	<username> : XAUTH “<user password>”
  4. Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
    • Ubuntu clients:
      ipsec start 
      ipsec up <name>
    • CentOS clients:
      strongSwan start
      strongswan up <name>
  5. Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      • Ubuntu clients:
        ipsec statusall [<connection name>]
      • CentOS clients:
        strongswan statusall [<connection name>]
    2. Select NetworkGlobalProtectGateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.

Related Documentation