What is best way to provision Global Protect and LSVPN portal and gateway on one device?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

What is best way to provision Global Protect and LSVPN portal and gateway on one device?

L1 Bithead

This is for a lab at the moment, but want real-world advice in case I attempt it.

 

I had a portal and gateway setup for client SSL VPN and wanted to add LSVPN.  Due to complete documents for each type of GP feature, but none combining the two, I went through many iterations of mixing the two, but always having some kind of error with needed profiles, cert errors, etc.  I then tried creating two gateways, but needed to hang one (LSVPN) off of a virtual router to get an external interface/IP I could put a cert on. The single portal, two interface/cert approach didn't work for the satelite because it didn't like the shifting of the URL and gave a cert error even though the root CA cert was working for the initial cert.  I then got it all to work by creating a second portal on the other virtual router with the gateway. 

 

I later switched the two, so client SSL VPN on the second router and LSVPN on the main router. I did this because OSPF can't be established between virtual routers, so the single SSL VPN subnet can easily be statically provisioned. 

 

In the end, I could have missed something and created a complex configuration I don't actually need, so I am just aksing if someone has gone through this and has a better way or some advice.

 

Thanks.

1 accepted solution

Accepted Solutions

@ccfalkner


@ccfalkner wrote:

To make it simpler, I was just using LDAP to authenticate my users.  When I put both the users and satelites on one gateway, the verification errors out if I don't have a certificate profile.  When that is added, my users error out due to not having their own certificate.  For some reason, if I have two gateways, and only one authentication method is used on each, there is no error if there is no certificate profile. 


Right. That's because doing this on a single gateway isn't supported, you need to utilize a seperate gateway for LSVPN. 

 

As for the address and the second VR, while you are correct, there is also a less complex way of doing things. Instead of creating a second VR, you can simply setup the gateway on a Loopback interface and then configure a NAT entry so you don't have to seperate things out. This keeps the complexity of your configuration down. 

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@ccfalkner,

It actually sounds like your end configuration is exactly how you should have this configured in regards to the limitations on OSPF VR configuration. I do kind of wonder why you needed to create two VRs though to get another Public IP assigned; you either didn't actually need to do that or something with your lab required you to with the rest of your lab configuration? 

To make it simpler, I was just using LDAP to authenticate my users.  When I put both the users and satelites on one gateway, the verification errors out if I don't have a certificate profile.  When that is added, my users error out due to not having their own certificate.  For some reason, if I have two gateways, and only one authentication method is used on each, there is no configuration verification error if there is no certificate profile. 

 

There can only be one gateway on an address (you don't get the same address in the pull-down menue for the second gateway.)  and you can't put the same subnet on a different interface on the same router.  Therefore the need for the second VR.

 

This is all assuming there is no better way, which I am trying to verify there is/isn't.

@ccfalkner


@ccfalkner wrote:

To make it simpler, I was just using LDAP to authenticate my users.  When I put both the users and satelites on one gateway, the verification errors out if I don't have a certificate profile.  When that is added, my users error out due to not having their own certificate.  For some reason, if I have two gateways, and only one authentication method is used on each, there is no error if there is no certificate profile. 


Right. That's because doing this on a single gateway isn't supported, you need to utilize a seperate gateway for LSVPN. 

 

As for the address and the second VR, while you are correct, there is also a less complex way of doing things. Instead of creating a second VR, you can simply setup the gateway on a Loopback interface and then configure a NAT entry so you don't have to seperate things out. This keeps the complexity of your configuration down. 

There we go.  I was contemplating the NATing part, but didn't know how to accomplish that.  Didn't think of a loopback.  Excellent.  I will work on that right now and make it the solution as soon as it works for me.

 

Thanks alot.

  • 1 accepted solution
  • 3523 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!