Enable Authentication Using an Authentication Profile
The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies which server profile to use when authenticating strongSwan clients.
- Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
- Selectand select the gateway name.NetworkGlobalProtectGateways
- Select theAuthentication Profileyou want to use in theAuthenticationtab.
- Selectand specify the following settings to set up a tunnel:AgentTunnel Settings
- Select the check box toEnable X-Auth Support.
- Enter aGroup NameandGroup Passwordif they are not already configured.
- ClickOKto save these tunnel settings.
- Verify that the default connection settings in theconn %defaultsection of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.Theipsec.conffile is usually found in the/etcfolder.The configurations in this procedure are tested and verified for the following releases:
The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.In theconn %defaultsection of theipsec.conffile, configure the following recommended settings:ikelifetime=20m reauth=yes rekey=yes keylife=10m rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
- Modify the strongSwan client’s IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.Theipsec.secretsfile is usually found in the/etcfolder.Use the strongSwan client username as the certificate’s common name.Configure the following recommended settings in theipsec.conffile:conn <connection name> keyexchange=ikev1 ikelifetime=1440m keylife=60m aggressive=yes ike=aes-sha1-modp1024,aes256 esp=aes-sha1 xauth=client left=<strongSwan/Linux-client-IP-address> leftid=@#<hex of Group Name configured in the GlobalProtect gateway> leftsourceip=%modeconfig leftauth=psk rightauth=psk leftauth2=xauth right=<gateway-IP-address> rightsubnet=0.0.0.0/0 xauth_identity=<LDAP username> auto=addConfigure the following recommended settings in theipsec.secretsfile:: PSK <Group Password configured in the gateway> <username> : XAUTH “<user password>”
- Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
- Ubuntu clients:ipsec start ipsec up <name>
- CentOS clients:strongSwan start strongswan up <name>
- Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
- Ubuntu clients:ipsec statusall [<connection name>]
- CentOS clients:strongswan statusall [<connection name>]
- SelectThen, in the Info column, selectNetworkGlobalProtectGateways.Remote Usersfor the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed underCurrent Users.
Recommended For You
Recommended videos not found.