Enable Authentication Using Two-Factor Authentication
With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to connect to the GlobalProtect gateway. The following workflow shows how to enable authentication for strongSwan clients using two-factor authentication.
- Set up the IPSec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.
- Selectand select the gateway name.NetworkGlobalProtectGateways
- Select theCertificate ProfileandAuthentication Profileyou want to use in theAuthenticationtab.
- Selectand specify the following settings to set up a tunnel:AgentTunnel Settings
- Select the check box toEnable X-Auth Support.
- If aGroup NameandGroup Passwordare already configured, remove them.
- ClickOKto save these tunnel settings.
- Verify that the default connection settings in theconn %defaultsection of the IPSec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.Theipsec.conffile usually resides in the/etcfolder.The configurations in this procedure are tested and verified for the following releases:
Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.Configure the following recommended settings in theipsec.conffile:ikelifetime=20mreauth=yesrekey=yeskeylife=10mrekeymargin=3mrekeyfuzz=0%keyingtries=1type=tunnel
- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
- Modify the strongSwan client’s IPSec configuration file (ipsec.conf) and the IPSec password file (ipsec.secrets) to use recommended settings.Theipsec.secretsfile is usually found in the/etcfolder.Use the strongSwan client username as the certificate’s common name.Configure the following recommended settings in theipsec.conffile:conn <connection name> keyexchange=ikev1authby=xauthrsasigike=aes-sha1-modp1024esp=aes-sha1xauth=clientleft=<strongSwan/Linux-client-IP-address> leftcert=<client-certificate-without-password> leftsourceip=%configright=<GlobalProtect-gateway-IP-address> rightid=%anyCN=<Subject-name-of-gateway-cert>” rightsubnet=0.0.0.0/0leftauth2=xauthxauth_identity=<LDAP username> auto=addConfigure the following recommended settings in theipsec.secretsfile:<username> :XAUTH “<user password>” ::RSA <private key file> “<passphrase if used>”
- Start strongSwan IPSec services and connect to the IPSec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
- Ubuntu clients:ipsec startipsec up<name>
- CentOS clients:strongSwan startstrongswan up<name>
- Verify that the tunnel is setup correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
- Ubuntu clients:ipsec statusall [<connection name>]
- CentOS clients:strongswan statusall [<connection name>]
- Select. Then, in the Info column, selectNetworkGlobalProtectGatewaysRemote Usersfor the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed underCurrent Users.