Connect Linux Machine to GlobalProtect

L1 Bithead

Connect Linux Machine to GlobalProtect

Hi,

 

This is my first post, so please bear with me if this is the wrong forum of if this has been answered somewhere before..

 

I am having issues connecting a Linux client to Globalprotect. I have tried to follow the following:

https://live.paloaltonetworks.com/t5/Management-Articles/Connect-Linux-Machine-to-GlobalProtect/ta-p...

 

But that did not work, the client seems to be unable to speak to the server on port 500, I am getting a timeout everythime.

 

I have also compiled strongswan for network-manager and it went well, but the client can't connect either. So here is the log:

 

 

Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471572.5478] audit: op="connection-activate" uuid="8006b232-f14b-47c6-b398-f392f2cb2e12" name="IKE" pid=20454 uid=1000 result="success"
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471572.5500] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: Saw the service appear; activating connection
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471572.6614] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN connection: (ConnectInteractive) reply received
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[CFG] received initiate for NetworkManager connection IKE
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[CFG] C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority is not self signed
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[CFG] E=contacto@procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert is not self signed
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[CFG] using CA certificate, gateway identity 'vpn.gateway.com'
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[IKE] initiating IKE_SA IKE[4] to xxx.xxx.xxx.xxx
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga charon-nm: 05[NET] sending packet: from 192.168.43.118[48175] to xxx.xxx.xxx.xxx[500] (794 bytes)
Sep 15 12:32:52 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471572.9543] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN plugin: state changed: starting (3)
Sep 15 12:32:56 jonathan-ThinkPad-S1-Yoga charon-nm: 10[IKE] retransmit 1 of request with message ID 0
Sep 15 12:32:56 jonathan-ThinkPad-S1-Yoga charon-nm: 10[NET] sending packet: from 192.168.43.118[48175] to xxx.xxx.xxx.xxx[500] (794 bytes)
Sep 15 12:33:04 jonathan-ThinkPad-S1-Yoga charon-nm: 09[IKE] retransmit 2 of request with message ID 0
Sep 15 12:33:04 jonathan-ThinkPad-S1-Yoga charon-nm: 09[NET] sending packet: from 192.168.43.118[48175] to xxx.xxx.xxx.xxx[500] (794 bytes)
Sep 15 12:33:17 jonathan-ThinkPad-S1-Yoga charon-nm: 13[IKE] retransmit 3 of request with message ID 0
Sep 15 12:33:17 jonathan-ThinkPad-S1-Yoga charon-nm: 13[NET] sending packet: from 192.168.43.118[48175] to xxx.xxx.xxx.xxx[500] (794 bytes)
Sep 15 12:33:40 jonathan-ThinkPad-S1-Yoga charon-nm: 06[IKE] retransmit 4 of request with message ID 0
Sep 15 12:33:40 jonathan-ThinkPad-S1-Yoga charon-nm: 06[NET] sending packet: from 192.168.43.118[48175] to xxx.xxx.xxx.xxx[500] (794 bytes)
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <warn> [1505471633.0047] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN connection: connect timeout exceeded.
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: libnm-glib-Message: Connect timer expired, disconnecting.
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga charon-nm: 10[IKE] destroying IKE_SA in state CONNECTING without notification
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471633.0087] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN plugin: state changed: stopping (5)
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <warn> [1505471633.0088] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN plugin: failed: login-failed (0)
Sep 15 12:33:53 jonathan-ThinkPad-S1-Yoga NetworkManager[20036]: <info> [1505471633.0089] vpn-connection[0x1bfd7c0,8006b232-f14b-47c6-b398-f392f2cb2e12,"IKE",0]: VPN plugin: state changed: stopped (6)
Community Team Member

Re: Connect Linux Machine to GlobalProtect

Hi ,

 

Is your request actually reaching the firewall ?

 

Check on the firewall end to verify if sessions are getting formed, and if packets are getting dropped. Use dataplane debugs or captures combined with global counters to check the same. Check security policies, NAT, etc. to make sure traffic is not getting dropped.

 

This might help :

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-GlobalProtect/ta-p/75770

 

Cheers !

-Kiwi.

 

L1 Bithead

Re: Connect Linux Machine to GlobalProtect

Hi,

 

Thoose packets is actually not reaching the firewall for some reason, doing a "netstat addresstoportal 500" does send some packages so there is no issues with the network from what I can see. I have tested from several Linux distros, several connections and several machines. All have the same issue.

 

 

 

Is there any plans for a Linux client for GlobalProtect?

Community Team Member

Re: Connect Linux Machine to GlobalProtect

Hi ,

 

Currently there's nothing on the roadmap with regards to a Linux client for GlobalProtect.

There is however an existing feature request for it (FR #3324).

 

I recommend that you reach out to your local SE and have him add your vote to this FR !

 

Cheers !

-Kiwi.

 

L1 Bithead

Re: Connect Linux Machine to GlobalProtect

Hi again,

 

It seems like the Linux Client will arrive "very soon" according to some sources I have :)

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!