Enable Authentication Using Two-Factor Authentication
With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.
- Set up the IPSec tunnel that the GlobalProtect
gateway will use for communicating with a strongSwan client.
- Select NetworkGlobalProtectGateways and select the gateway name.
- Select the Certificate Profile and Authentication Profile you want to use in the Authentication tab.
- Select AgentTunnel Settings and specify
the following settings to set up a tunnel:
- Select the check box to Enable X-Auth Support.
- If a Group Name and Group Password are already configured, remove them.
- Click OK to save these tunnel settings.
- Verify that the default connection settings in the conn
%default section of the IPSec tunnel configuration file
(ipsec.conf) are correctly defined for the
strongSwan client.The ipsec.conf file usually resides in the /etc folder.The configurations in this procedure are tested and verified for the following releases:
Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.Configure the following recommended settings in the ipsec.conf file:
- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
ikelifetime=20m reauth=yes rekey=yes keylife=10m rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
- Modify the strongSwan client’s IPSec configuration file
(ipsec.conf) and the IPSec password file (ipsec.secrets)
to use recommended settings.The ipsec.secrets file is usually found in the /etc folder.Use the strongSwan client username as the certificate’s common name.Configure the following recommended settings in the ipsec.conf file:
conn <connection name> keyexchange=ikev1 authby=xauthrsasig ike=aes-sha1-modp1024 esp=aes-sha1 xauth=client left=<strongSwan/Linux-client-IP-address> leftcert=<client-certificate-without-password> leftsourceip=%config right=<GlobalProtect-gateway-IP-address> rightid=%anyCN=<Subject-name-of-gateway-cert>” rightsubnet=0.0.0.0/0 leftauth2=xauth xauth_identity=<LDAP username> auto=addConfigure the following recommended settings in the ipsec.secrets file:
<username> :XAUTH “<user password>” ::RSA <private key file> “<passphrase if used>”
- Start strongSwan IPSec services and connect to the IPSec
tunnel that you want the strongSwan client to use when authenticating
to the GlobalProtect gateway.
- Ubuntu clients:
ipsec start ipsec up <name>
- CentOS clients:
strongSwan startstrongswan up <name>
- Verify that the tunnel is setup correctly and the VPN
connection is established to both the strongSwan client and the
- Verify the detailed status information on
a specific connection (by naming the connection) or verify the status
information for all connections from the strongSwan client:
- Ubuntu clients:
ipsec statusall [<connection name>]
- CentOS clients:
strongswan statusall [<connection name>]
- Select NetworkGlobalProtectGateways. Then, in the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.
- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
Enable Authentication Using an Authentication Profile
Enable Authentication Using an Authentication Profile The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies ...
Enable Authentication Using a Certificate Profile
Enable Authentication Using a Certificate Profile The following workflow shows how to enable authentication for strongSwan clients using a certificate profile. Configure an IPSec tunnel ...
Set Up Authentication for strongSwan Ubuntu and CentOS Clients
Set Up Authentication for strongSwan Ubuntu and CentOS Clients To extend GlobalProtect VPN remote access support to strongSwan Ubuntu and CentOS clients, set up authentication ...
Authentication The GlobalProtect™ portal and gateway must authenticate the end-user before it allows access to GlobalProtect resources. You must configure authentication mechanisms before continuing with ...
Configure a GlobalProtect Gateway
Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users. ...
Tunnel Settings Tab
Tunnel Settings Tab Select Network GlobalProtect Gateways Agent Tunnel Settings to enable tunneling and configure the tunnel parameters. Tunnel parameters are required if you are ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...
Determine the Ciphers Used to Setup IPSec Tunnels
Ciphers Used to Set Up IPSec Tunnels GlobalProtect can restrict and/or set preferential order for what encryption and authentication algorithm the GlobalProtect agent can use ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...