Enable Certificate Authentication for strongSwan Endpoints
Focus
Focus
GlobalProtect

Enable Certificate Authentication for strongSwan Endpoints

Table of Contents

Enable Certificate Authentication for strongSwan Endpoints

Learn how to enable certificate authentication for strongSwan clients using a certificate profile.
The following workflow shows how to enable authentication for strongSwan clients using a certificate profile.
  1. Configure an IPsec tunnel for the GlobalProtect gateway for communicating with a strongSwan client.
    Extended authentication (X-Auth) is not supported for Prisma Access deployments.
    1. Select NetworkGlobalProtectGateways.
    2. Select an existing gateway or Add a new one.
    3. On the Authentication tab of the GlobalProtect Gateway Configuration dialog, select the Certificate Profile that you want to use for authentication.
    4. Select AgentTunnel Settings to enable Tunnel Mode and specify the following settings to set up the tunnel:
      • Select the check box to Enable X-Auth Support.
      • If a Group Name and Group Password are already configured, remove them.
      • Click OK to save the settings.
  2. Verify that the default connection settings in the conn %default section of the IPsec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.
    The ipsec.conf file is usually found in the /etc folder.
    The configurations in this procedure are tested and verified for the following releases:
    • Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
    • Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
    The configurations in this procedure can be used for reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.
    Modify the following settings in the conn %default section of the ipsec.conf file to these recommended settings.
    ikelifetime=20m 
    reauth=yes 
    rekey=yes 
    keylife=10m 
    rekeymargin=3m 
    rekeyfuzz=0% 
    keyingtries=1 
    type=tunnel 
  3. Modify the strongSwan client’s IPsec configuration file (ipsec.conf) and the IPsec password file (ipsec.secrets) to use recommended settings.
    The ipsec.secrets file is usually found in the /etc folder.
    Use the strongSwan client username as the certificate’s common name.
    Modify the following items in the ipsec.conf file to these recommended settings.
    conn <connection name> 
    keyexchange=ikev1 
    authby=rsasig 
    ike=aes-sha1-modp1024,aes256 
    left=<strongSwan/Linux-client-IP-address> 
    leftcert=<client certificate with the strongSwan client username used as the certificate’s common name> 
    leftsourceip=%config 
    leftauth2=xauth 
    right=<GlobalProtect-Gateway-IP-address> 
    rightid=“CN=<Subject-name-of-gateway-certificate>” 
    rightsubnet=0.0.0.0/0 
    auto=add 
    Modify the following items in the ipsec.conf file to these recommended settings.
    :RSA
    <private key file> “<passphrase if used>”
  4. Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.
    Use the config <name> variable to name the tunnel configuration.
    • Ubuntu:
      ipsec start  
      ipsec up <name> 
    • CentOS:
      strongSwan start 
      strongswan up <name> 
  5. Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.
    1. Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
      • Ubuntu:
        ipsec statusall [<connection name>]
      • CentOS:
        strongswan statusall [<connection name>]
    2. Select NetworkGlobalProtectGateways. In the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.