topic Re: globalprotect key in General Topics

globalprotect key

jdprovine — Tue, 29 Nov 2016 17:09:23 GMT

When I install the globalprotect client on a pc I never have to enter a key, how and when does the key get passed

Re: globalprotect key

BPry — Tue, 29 Nov 2016 17:43:03 GMT

@jdprovine can you expand by what you mean by 'key'?

Re: globalprotect key

jdprovine — Tue, 29 Nov 2016 19:02:25 GMT

security key like for cisco vpn client. There has to be a way for global protect to secure the connections

Re: globalprotect key

jdprovine — Tue, 29 Nov 2016 20:16:48 GMT

The first time you put in your password to connect, what keeps that from being clear text how is it encrypted. We have group name and password setup but that is no where on the client software that is installed on the pc

Re: globalprotect key

KotreshaMC — Wed, 30 Nov 2016 07:56:41 GMT

I hope its future of Global protect, check this configuration under

Network->Gllbal protect->gateway->selcet gateway->agent->external gateway

check is it manuall or not?

Re: globalprotect key

reaper — Wed, 30 Nov 2016 09:27:46 GMT

GlobalProtect uses certificates to secure the connection, rather than a preshared key 🙂

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 14:45:19 GMT

so if you don't put on a cert then your connection is not secure

Re: globalprotect key

reaper — Wed, 30 Nov 2016 14:46:37 GMT

then the device's default certificates will be used 😉

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 14:48:41 GMT

you mean the portal configuration not the gateway configuration right?

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 14:51:59 GMT

We are using IPSec connections not ssl does that make a difference? My main concern is the first time then connect using the VPN that their password is encrypted and then does it download the key after the first connection

Re: globalprotect key

reaper — Wed, 30 Nov 2016 14:55:02 GMT

there's several bits and pieces to it, please check out this bit in the admin guide

hopefully it helps clarify what you're looking for

Re: globalprotect key

reaper — Wed, 30 Nov 2016 14:59:51 GMT

@jdprovine wrote:

We are using IPSec connections not ssl does that make a difference? My main concern is the first time then connect using the VPN that their password is encrypted and then does it download the key after the first connection

The first time you're going to set up an ssl connection, using the server certificate attached to the portal to get to the config file, all communication will always be encrypted (ssl uses, at the least, a server and client hello where encryption is negotiated and established before any user information is transmitted)

client to server will always be encrypted even before username and password are shared

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 15:01:29 GMT

First glance at the document not sure it answers my question but I will give it another look and see. 🙂

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 15:14:23 GMT

I can always cound on good information from you reaper 🙂

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 15:17:11 GMT

Is there a log or anything where I can get the information you are talking about to show my boss that this is occuring

Re: globalprotect key

reaper — Wed, 30 Nov 2016 15:48:02 GMT

ehm

well you can slap him with the SSL rfc 😄 (rfc 6101 and 5246 , if you realy want to know 😉 )

the globalprotect ssl relies on exactly the same mechanism any website uses to establish a connection, so you do the

-3 way TCP handshake,

-client hello (i can accommodate these encryption algorythms),

-server hello (i prefer this 'ciphersuite', here is my certificate, and do you happen to have a client cert of your own)

-client key exchange w/ client certificate if you set it up (send secret key info encrypted with server's public key, based off of the server certificate)

-server verifies and finishes

-communication is encrypted

---- and here globalprotect kicks in----

globalprotect sends username/password

GP server authenticates

etc

if you do a packetcapture of the communication between the client and GP portal, that first sequence of events is visible (the client/server hellos and all), the bit where GP sends user/passwd information will not be visible as it is encrypted

hope this makes more sense ? 🙂

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 15:57:11 GMT

The real question came up when we do installs of the client on a users pc and there is no place to enter a key on the client like there is with a cisco vpn client, so it appears to them that there is no key to pass and no way to encrypt the users password

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 16:05:40 GMT

so when he says to me we aren't using ssl we are using IPsec? How do I answer that?

Re: globalprotect key

BPry — Wed, 30 Nov 2016 20:02:25 GMT

@jdprovine This page might get you what you need to know: LINK. Take a look at the Network tab under IPSec Crypto and you'll see that the default key (the one I believe reaper referenced) uses ases-128-cbc and 3des with sha1 authentication.

Re: globalprotect key

jdprovine — Wed, 30 Nov 2016 20:46:28 GMT

I did a packet capture as well as verified that the user through the GP client is connecting via SSL (no clear password) and then the key exchange occurs which is found in the configuration on the firewall. I think the fact that you can't find a place to manually enter the key on the GP client was what was tripping my coworkers up.