There are several bits and pieces to it; please check out this bit in the admin guide.
Hopefully it helps clarify what you're looking for.
We are using IPSec connections, not SSL; does that make a difference? My main concern is that the first time they connect using the VPN their password is encrypted, and then does it download the key after the first connection?
The first time, you're going to set up an SSL connection, using the server certificate attached to the portal to get to the config file. All communication will always be encrypted (SSL uses, at the least, a server and client hello where encryption is negotiated and established before any user information is transmitted).
Client to server will always be encrypted, even before username and password are shared.
Well, you can slap him with the SSL RFC :D (RFC 6101 and 5246, if you really want to know ;) )
The GlobalProtect SSL relies on exactly the same mechanism any website uses to establish a connection, so you do the:
- 3-way TCP handshake,
- client hello (I can accommodate these encryption algorithms),
- server hello (I prefer this 'ciphersuite', here is my certificate, and do you happen to have a client cert of your own?),
- client key exchange with client certificate if you set it up (send secret key info encrypted with the server's public key, based off of the server certificate),
- server verifies and finishes,
- communication is encrypted.
---- and here GlobalProtect kicks in ----
- GlobalProtect sends username/password,
- GP server authenticates.
If you do a packet capture of the communication between the client and the GP portal, that first sequence of events is visible (the client/server hellos and all); the bit where GP sends user/passwd information will not be visible, as it is encrypted.
Hope this makes more sense? :)
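Added example (not from the thread or from Palo Alto Networks): a small Python sketch of what the packet capture described above shows in the client-to-server direction. It parses TLS records from a constructed byte stream, lists the handshake messages an observer can read, and confirms the password only appears after ChangeCipherSpec, where record bodies are ciphertext. The XOR scramble and the sample login form are constructed stand-ins, not GlobalProtect's protocol or real TLS crypto.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}  # RFC 5246 6.2.1
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}  # RFC 5246 7.4

def tls_record(content_type, body):  # record header: type(1) version(2) length(2)
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(body)) + body

def handshake_msg(msg_type, body):  # handshake header: type(1) length(3)
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def scramble(data, key=b"\x5a\xa5\x3c\xc3\x96\x69\x0f\xf0"):
    """Toy XOR stand-in for the record-layer cipher so the sample runs offline (not TLS crypto)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_records(stream):
    """Split one direction of a TLS byte stream into (content_type_name, body) pairs."""
    records, offset = [], 0
    while offset < len(stream):
        ctype, length = stream[offset], struct.unpack("!H", stream[offset + 3:offset + 5])[0]
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        records.append((CONTENT_TYPES.get(ctype, "unknown"), body))
        offset += 5 + length
    return records

def audit_client_stream(stream, secret):
    """Return (visible_handshake_names, encrypted_record_count, secret_seen_in_clear)."""
    visible, encrypted, leaked, after_ccs = [], 0, False, False
    for ctype, body in parse_records(stream):
        if after_ccs:               # everything after ChangeCipherSpec is ciphertext to an observer
            encrypted += 1
        elif ctype == "handshake":  # hellos, certificate, key exchange are readable in a capture
            visible.append(HANDSHAKE_TYPES.get(body[0], "unknown"))
        elif ctype == "change_cipher_spec":
            after_ccs = True
        leaked = leaked or secret in body  # True only if the password went out unencrypted
    return visible, encrypted, leaked

def constructed_login_stream(username, password):
    """Constructed client->server capture of a portal login (hellos clear, form encrypted)."""
    creds = f"user={username}&passwd={password}".encode()
    return (tls_record(22, handshake_msg(1, b"\x03\x03" + bytes(range(32))))     # ClientHello
            + tls_record(22, handshake_msg(16, b"\x01\x00" + bytes(range(48))))  # ClientKeyExchange
            + tls_record(20, b"\x01")                                            # ChangeCipherSpec
            + tls_record(22, scramble(handshake_msg(20, b"\x00" * 12)))          # Finished, encrypted
            + tls_record(23, scramble(creds)))                                   # login form, encrypted
```

Run `audit_client_stream(constructed_login_stream("alice", "hunter2"), b"hunter2")` to see only the two cleartext handshake messages listed, two opaque records after ChangeCipherSpec, and no password in the clear.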
The real question came up when we do installs of the client on a user's PC and there is no place to enter a key on the client like there is with a Cisco VPN client, so it appears to them that there is no key to pass and no way to encrypt the user's password.
I did a packet capture and verified that the user, through the GP client, is connecting via SSL (no clear password), and then the key exchange occurs, which is found in the configuration on the firewall. I think the fact that you can't find a place to manually enter the key on the GP client was what was tripping my coworkers up.