VPN with built in VPN Client of OS X

L2 Linker

VPN with built in VPN Client of OS X

Hi there,

 

For a special reason I need to set up a dedicated VPN gateway for the built-in iOS/OS X VPN client. Before I start to set up a Linux system for that, I would like to find out if it's possible with Palo Alto or not. In the past there was an X-Auth possibility and I also found documents for PAN-OS 4.x, but it looks like these possibilities are no longer available in PAN-OS 7.

 

Do you know if it's possible to reach my goal with the PaloAlto Firewall?

 

Thanks,

Stephan

L5 Sessionator

Re: VPN with built in VPN Client of OS X

Didn't check on PAN-OS 7 but on PAN-OS 6 it was still working fine with X-auth. I doubt they would take it out on 7. 

L5 Sessionator

Re: VPN with built in VPN Client of OS X

Yes, it is possible; follow the same steps. If you upgraded the firewall and it then stopped working, please delete the gateway and reconfigure it with the same settings, and it will work.

L2 Linker

Re: VPN with built in VPN Client of OS X

You are right, there is still the XAuth configuration, sorry.

Anyway, I am not able to get it up and running....

 

If I understand it right, I just need to create a GlobalProtect Gateway configuration like the one for the GlobalProtect clients. The only difference is that I need to enable X-Auth Support and set a group name and a group password.

On the OS X Client I simply create a new VPN connection and fill out the configured parameters on the GP Gateway, right?

 

 

L2 Linker

Re: VPN with built in VPN Client of OS X

I can see the application ike and ciscovpn in the traffic monitor on port 500 and I see the following error message in the system log

IKE phase-1 negotiation is failed. Couldn\'t find configuration for IKE phase-1 request for peer IP X.X.X.X[56335], ID keyid:63656e73686172652d6164.'

so it looks like the firewall is thinking that the client would like to create a Site2Site VPN..

L1 Bithead

Re: VPN with built in VPN Client of OS X

I have PANOS 7.1.1 on a PA500. I configured the VPN client IPsec with X-Auth and I try to connect from an Apple iOS device with native IPsec, but the system monitor shows an error: "IKE phase-1 negotiation is failed. no suitable proposal found in peer\'s SA payload". I remember that in PANOS 6.x with the default crypto IPsec policy, the IPsec tunnel from an Apple iOS device worked well.

Any suggestions? Thanks.
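
A triage helper for the two phase-1 failures quoted in this thread, added here as an example (it is not code from any poster or from Palo Alto Networks). It assumes the `keyid` in the first message is the hex-encoded group name the client sent as its IKE identity, so it can be compared with the group name set on the gateway; the function names, result fields and the comparison value `example-group` are hypothetical.

```python
import re

# Failure texts and fields as they appear in the system log lines quoted above.
NO_CONFIG = "find configuration for IKE phase-1 request"
NO_PROPOSAL = "no suitable proposal found"
KEYID = re.compile(r"ID keyid:([0-9a-fA-F]+)")
PEER = re.compile(r"peer IP (\S+?)\[(\d+)\]")

# The two log lines from this thread, copied as posted.
LINE_NO_CONFIG = (r"IKE phase-1 negotiation is failed. Couldn\'t find configuration "
                  r"for IKE phase-1 request for peer IP X.X.X.X[56335], "
                  r"ID keyid:63656e73686172652d6164.'")
LINE_NO_PROPOSAL = (r"IKE phase-1 negotiation is failed. no suitable proposal "
                    r"found in peer\'s SA payload")


def decode_keyid(hex_id):
    """Return the key ID as text when it is printable ASCII, else the hex unchanged."""
    try:
        text = bytes.fromhex(hex_id).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return hex_id  # odd length, or opaque binary ID: keep the hex form
    return text if text.isprintable() else hex_id


def triage(line, configured_group=None):
    """Classify one log line; configured_group is the gateway's X-Auth group name."""
    result = {"kind": "other", "peer": None, "group_sent": None, "group_matches": None}
    peer = PEER.search(line)
    if peer:
        result["peer"] = (peer.group(1), int(peer.group(2)))
    if NO_PROPOSAL in line:
        # Client and gateway share no crypto proposal: compare the crypto profiles.
        result["kind"] = "proposal-mismatch"
    elif NO_CONFIG in line:
        # No gateway configuration accepted this peer and identity.
        result["kind"] = "no-matching-config"
        found = KEYID.search(line)
        if found:
            # Assumption: the key ID is the group name typed into the client.
            result["group_sent"] = decode_keyid(found.group(1))
            if configured_group is not None:
                result["group_matches"] = result["group_sent"] == configured_group
    return result


if __name__ == "__main__":
    for sample in (LINE_NO_CONFIG, LINE_NO_PROPOSAL):
        print(triage(sample, configured_group="example-group"))
```
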



 

 

L5 Sessionator

Re: VPN with built in VPN Client of OS X

L1 Bithead

Re: VPN with built in VPN Client of OS X

Hi,

I deleted the portal + gateway configuration that I had done with the PANOS 7.0 version and reconfigured them with the new PANOS version 7.1.1, and now the IPsec VPN works with iOS devices. I also have to test with a Linux client and the VPN-Cisco client.

LA

L2 Linker

Re: VPN with built in VPN Client of OS X

Thanks for your reply.

I will update the firewall to 7.1.1 on the weekend. In case I am still not able to get everything up and running, would it be possible for you to send me some example screenshots of your configuration?

 

Thanks in advance

L2 Linker

Re: VPN with built in VPN Client of OS X

Hi

 

it's perfectly working with 7.1.1 - thanks for the information.

 

sd
