Global Protect Linux and Strongswan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect Linux and Strongswan

L1 Bithead

 

I had to test IPSec connection on Linux using strongswan as part of a support case i was working on and i collected a lot of good information on how to get this working. So i thought i would share it with you.

 

Tested on PANOS 7.1.2, Ubuntu 16.04, Strongswan 5.3.5-1

 

Install Ubuntu Desktop or CentOS into VMWare environment and then install Strongswan application.

Strongswan can be downloaded from https://www.strongswan.org or as a package from https://launchpad.net/ubuntu/+source/strongswan used in this Lab https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu3

Note: If your using the ipsec.secrets file for Xauth you need to make sure "xauth-generic" PLUGIN is installed

https://launchpad.net/ubuntu/xenial/amd64/strongswan-plugin-xauth-generic/5.3.5-1ubuntu3

 

If you do not already have a Global Protect gateway configuration, configure it the usual way but enable X-Auth Support and provide a group name and password. I don't want to go into too much detail regarding the other aspects of GP configuration as many guides exist regarding the basics, but i created the gateway (no portal needed for Linux clients) a local user, an auth profile for local database, An IPSec Crypto with all available Encryption options.

 

Xauth Option.png

 

For testing create a local user on the PAN, and set an auth profile for Local database.

 

Linux configuration:

 

After installing strongswan you should see the conf file in the /etc/ folder.

Edit ipsec.conf and ipsec.secrets using you favorite linux editor and save changes.

Make sure it formatted the same as below.

 

ipsec.conf

 

conn %default

 

      ikelifetime=20m

      reauth=yes

      rekey=yes

      keylife=10m

      rekeymargin=3m

      rekeyfuzz=0%

      keyingtries=1

      type=tunnel

 

conn paloalto # This can be called anything for this example its paloalto.

 

      keyexchange=ikev1

      ikelifetime=1440m

      keylife=60m

      aggressive=yes

      ike=aes-sha1-modp1024,aes256

      esp=aes-sha1

      xauth=client

      left=x.x.x.x                         # Linux Client IP or you can use %defaultroute which will pick up the IP Dynamically)

      leftid=@#4c696e7578     #text to Hex 'Linux' Group name. Linux = 4c696e7578

      leftsourceip=%modeconfig

      leftauth=psk

      rightauth=psk

      leftauth2=xauth

      right=x.x.x.x                       #Remote Auth Server [The Gateway IP]

      rightsubnet=0.0.0.0/0      #Access Route - Should match Access Route in Gateway Configuration

      xauth_identity=Linux       #Username - Local/LDAP

      auto=add

 

ipsec.secrets

 

# This file holds shared secrets or RSA private keys for authentication.

 

# RSA private key for this host, authenticating it to any other host

 

# which knows the public part.

 

: PSK ****       # **** = Group Name Password

Username : XAUTH "password"        # Username name = local user on PAN or LDAP and "password" = password user of user.

 

Once completed remember to save the changes.

 

Useful Strongswan Commands:

 

sudo ipsec start      #start service

 

sudo ipsec stop      #stop service, use when editing the conf files prior to restarting

 

sudo ipsec statusall      # status of installed plugin, readiness of ipsec basic config.

 

sudo nano ipsec.conf / ipsec.secrets     # ctrl x to save

 

Errors:

[ HASH N(AUTH FAILED) ] This is the PSK entry in ipsec.secrets PSK is incorrect or entry not formatted correctly

no XAuth method found - This reports that no XAuth addon is installed such as auth-generic, xauth-pam etc..

no XAuth password found for 'Username' - Incorrect entry or password for XAuth entries in ipsec.secrets, Make sure there is a space between ': XAUTH' or Group name spelt wrong.

XAuth authentication of 'Username' (Myself) failed - This is the user password in the ipsec.secrets XAuth line.

No XAuth password found for 'Username' - username entry for auth_identity entry in ipsec.conf incorrect

No connection? Remote auth Server IP is incorrect i.e. PAN IP of the gateway in ipsec.conf 'right=' Or Client IP incorrect in the ipsec.conf 'left=' Or gateway not configured / not allow connection or some other general connectivity issue.

 

Example of Successful connection in Linux terminal:

In my example the username and group name is "Linux" Just to confuse myself 🙂

Notice the port  is 500 which means that NAT-T is not used (NAT-T uses port 4500) NAT-T in Strongswan (this version) is automatic. I'm also testing it locally from Linux VM to PAN internally, hense why no public IP seen.

 

ipsec.png

Successful Authentication in runtime information for gateway

 

Client Success.png

 

Palo Alto System Log Successful Authentication

 

system Logs.PNG

 

Regards

David

4 REPLIES 4

L5 Sessionator

Check following doc:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Connect-Linux-Machine-to-Global-Protect/ta-...

 

It have been tested on ubuntu 14.04 try on ubuntu 14.0.4 it should work.

L0 Member

Hi Davyboy, I also want to share ipsec.conf file that works for me with Ubuntu 19.04, strongswan-starter 5.7.1 and PanOS 

JorgeLuisLV_2-1583423360910.png

Main problem that I had was the "ike=" line.

Greetings.

 

 

L1 Bithead

Hello DavyBoy,

 

Great info. Could you please let me know if we can do the same with ikev2 using certificates?

Hi I do not have privileges to access it, can you help me here

  • 11189 Views
  • 4 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!