GlobalProtect
Enable Two-Factor Authentication for strongSwan Endpoints
Table of Contents
Enable Two-Factor Authentication for strongSwan Endpoints
Enable Two-Factor Authentication for strongSwan Endpoints by configuring certificate
and authentication profiles for the GlobalProtect gateway.
With two-factor authentication, the strongSwan
client needs to successfully authenticate using both a certificate
profile and an authentication profile to connect to the GlobalProtect
gateway. The following workflow shows how to enable authentication
for strongSwan clients using two-factor authentication.
- Set up the IPsec tunnel that the GlobalProtect gateway will use for communicating with a strongSwan client.Extended authentication (X-Auth) is not supported for Prisma Access deployments.
- Select .Select an existing gateway or Add a new one.On the Authentication tab of the GlobalProtect Gateway Configuration dialog, select the Certificate Profile and Authentication Profile that you want to use.Select to enable Tunnel Mode and specify the following settings to set up the tunnel:
- Select the check box to Enable X-Auth Support.
- If a Group Name and Group Password are already configured, remove them.
- Click OK to save these tunnel settings.
Verify that the default connection settings in the conn %default section of the IPsec tunnel configuration file (ipsec.conf) are correctly defined for the strongSwan client.The ipsec.conf file usually resides in the /etc folder.The configurations in this procedure are tested and verified for the following releases:- Ubuntu 14.0.4 with strongSwan 5.1.2 and CentOS 6.5 with strongSwan 5.1.3 for PAN-OS 6.1.
- Ubuntu 14.0.4 with strongSwan 5.2.1 for PAN-OS 7.0.
Use the configurations in this procedure as a reference if you are using a different version of strongSwan. Refer to the strongSwan wiki for more information.Configure the following recommended settings in the ipsec.conf file:ikelifetime=20m reauth=yes rekey=yes keylife=10m rekeymargin=3m rekeyfuzz=0% keyingtries=1 type=tunnel
Modify the strongSwan client’s IPsec configuration file (ipsec.conf) and the IPsec password file (ipsec.secrets) to use recommended settings.The ipsec.secrets file is usually found in the /etc folder.Use the strongSwan client username as the certificate’s common name.Configure the following recommended settings in the ipsec.conf file:conn <connection name> keyexchange=ikev1 authby=xauthrsasig ike=aes-sha1-modp1024 esp=aes-sha1 xauth=client left=<strongSwan/Linux-client-IP-address> leftcert=<client-certificate-without-password> leftsourceip=%config right=<GlobalProtect-gateway-IP-address> rightid=%anyCN=<Subject-name-of-gateway-cert>” rightsubnet=0.0.0.0/0 leftauth2=xauth xauth_identity=<LDAP username> auto=add
Configure the following recommended settings in the ipsec.secrets file:<username> :XAUTH “<user password>” ::RSA <private key file> “<passphrase if used>”
Start strongSwan IPsec services and connect to the IPsec tunnel that you want the strongSwan client to use when authenticating to the GlobalProtect gateway.- Ubuntu:
ipsec start ipsec up <name>
- CentOS:
strongSwan start strongswan up <name>
Verify that the tunnel is set up correctly and the VPN connection is established to both the strongSwan client and the GlobalProtect gateway.- Verify the detailed status information on a specific connection (by naming the connection) or verify the status information for all connections from the strongSwan client:
- Ubuntu:
ipsec statusall [<connection name>]
- CentOS:
strongswan statusall [<connection name>]
Select . In the Info column, select Remote Users for the gateway configured for the connection to the strongSwan client. The strongSwan client should be listed under Current Users.
