Enable Authentication Using a Certificate Profile
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
- Configure an IPsec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
- Select an existing gateway orAdda new one.
- On theAuthenticationtab of the GlobalProtect Gateway Configuration dialog, select theCertificate Profilethat you want to use for authentication.
- Selectto enableAgentTunnel SettingsTunnel Modeand specify the following settings to set up the tunnel:
- Select the check box toEnable X-Auth Support.
- If aGroup NameandGroup Passwordare already configured, remove them.
- ClickOKto save the settings.
- Verify that the default connection settings in theconn %defaultsection of the IPsec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.Theipsec.conffile is usually found in the/etcfolder.The configurations in this procedure are tested and verified for the following releases:
The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.Modify the following settings in theconn %defaultsection of theipsec.conffile to these recommended settings.ikelifetime=20m reauth=yes rekey=yes keylife=10m rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
- Modify the strongSwan client’s IPsec configuration file (ipsec.conf) and the IPsec password file (ipsec.secrets) to use recommended settings.Theipsec.secretsfile is usually found in the/etcfolder.Use the strongSwan client username as the certificate’s common name.Modify the following items in theipsec.conffile to these recommended settings.conn <connection name> keyexchange=ikev1 authby=rsasig ike=aes-sha1-modp1024,aes256 left=<strongSwan/Linux-client-IP-address> leftcert=<client certificate with the strongSwan client username used as the certificate’s common name> leftsourceip=%config leftauth2=xauth right=<GlobalProtect-Gateway-IP-address> rightid=“CN=<Subject-name-of-gateway-certificate>” rightsubnet=0.0.0.0/0 auto=addModify the following items in theipsec.conffile to these recommended settings.:RSA <private key file> “<passphrase if used>”
- Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.Use theconfig <name>variable to name the tunnel configuration.
- Ubuntu:ipsec start ipsec up <name>
- CentOS:strongSwan start strongswan up <name>
- Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
- Ubuntu:ipsec statusall [<connection name>]
- CentOS:strongswan statusall [<connection name>]
- Select. In theNetworkGlobalProtectGatewaysInfocolumn, selectRemote Usersfor the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed underCurrent Users.
Enable Authentication Using an Authentication Profile
Enable Authentication Using an Authentication Profile The following workflow shows how to enable authentication for strongSwan clients using an authentication profile. The authentication profile specifies ...
Enable Authentication Using Two-Factor Authentication
Enable Authentication Using Two-Factor Authentication With two-factor authentication, the strongSwan client needs to successfully authenticate using both a certificate profile and an authentication profile to ...
Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints
Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints To extend GlobalProtect access to strongSwan Ubuntu and CentOS endpoints, set up authentication for these endpoints. ...
Configure a GlobalProtect Gateway
Configure a GlobalProtect Gateway After you have completed the prerequisite tasks, configure the GlobalProtect Gateways : Add a gateway. Select Network GlobalProtect Gateways , and ...
Authentication The GlobalProtect™ portal and gateway must authenticate end users before allowing access to GlobalProtect resources. You must configure authentication mechanisms prior to portal and ...
Tunnel Settings Tab
Tunnel Settings Tab Select Network GlobalProtect Gateways Agent Tunnel Settings to enable tunneling and configure the tunnel parameters. Tunnel parameters are required if you are ...
Prepare the Satellite to Join the LSVPN
Prepare the Satellite to Join the LSVPN To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is ...
About GlobalProtect Cipher Selection
About GlobalProtect Cipher Selection GlobalProtect supports both IPsec and SSL tunnel modes. GlobalProtect also supports the ability to enable and require the GlobalProtect app to ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...