VPN with built in VPN Client of OS X


L2 Linker

Hi there,

 

For a special reason I need to set up a dedicated VPN gateway for the built-in iOS/OS X VPN client. Before I start to set up a Linux system for that, I would like to find out whether it's possible with Palo Alto or not. In the past there was an X-Auth possibility and I also found documents for PAN-OS 4.x, but it looks like these possibilities are no longer available in PAN-OS 7.

 

Do you know if it's possible to reach my goal with the Palo Alto firewall?

 

Thanks,

Stephan

1 accepted solution

Accepted Solutions

Hi,

I deleted the portal + gateway configuration that I had done with PAN-OS 7.0 and reconfigured them with the new PAN-OS version 7.1.1, and now the IPsec VPN works with iOS devices. I still have to test with the Linux client and the VPN-Cisco client.

LA


9 REPLIES

L6 Presenter

Didn't check on PAN-OS 7 but on PAN-OS 6 it was still working fine with X-auth. I doubt they would take it out on 7. 

L5 Sessionator

Yes, it is possible; follow the same steps. If you have upgraded the firewall and it then stopped working, please delete the gateway and reconfigure it with the same settings; it will work.

You are right, there is still the XAuth configuration, sorry.

Anyway, I am not able to get it up and running....

 

If I understand it right, I just need to create a GlobalProtect Gateway configuration like the one for the GlobalProtect clients. The only difference is that I need to enable X-Auth Support and set a group name and a group password.

On the OS X client I simply create a new VPN connection and fill in the parameters configured on the GP Gateway, right?

 

 

I can see the applications ike and ciscovpn in the traffic monitor on port 500, and I see the following error message in the system log:

IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP X.X.X.X[56335], ID keyid:63656e73686172652d6164.'

So it looks like the firewall thinks that the client would like to create a Site2Site VPN.
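As an added example (not from the posts in this thread and not Palo Alto Networks code): a small triage helper for the two system-log messages quoted in this thread. It assumes the client sends its X-Auth group name as the IKE ID that the firewall logs hex-encoded after `keyid:`; the function name `triage`, the sample lines and the group name are constructed for illustration.

```python
import re

# Assumption: the native client sends its X-Auth group name as the IKE ID,
# which the firewall logs hex-encoded after "keyid:".
NO_CONFIG = re.compile(
    r"Couldn\\?'t find configuration for IKE phase-1 request for peer IP "
    r"(?P<ip>[\w.:]+)\[(?P<port>\d+)\], ID keyid:(?P<keyid>[0-9a-fA-F]+)")
NO_PROPOSAL = re.compile(r"no suitable proposal found in peer\\?'s SA payload")

def triage(line, configured_group):
    """Classify one system-log line; return None if it is not an IKE failure."""
    m = NO_CONFIG.search(line)
    if m:
        try:
            sent = bytes.fromhex(m["keyid"]).decode("ascii", errors="replace")
        except ValueError:  # odd number of hex digits: truncated log line
            sent = None
        # A mismatch means the gateway has no X-Auth group under that name,
        # so the request is not matched to the client VPN configuration.
        return {"kind": "unknown-peer-id", "peer": m["ip"],
                "port": int(m["port"]), "sent_id": sent,
                "matches_group": sent == configured_group}
    if NO_PROPOSAL.search(line):
        # The client's offered IKE transforms do not overlap the gateway's.
        return {"kind": "proposal-mismatch"}
    return None

# Constructed sample input (documentation IPs, made-up group name).
GROUP = "example-group"
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed. Couldn't find configuration for IKE "
    f"phase-1 request for peer IP 198.51.100.7[56335], ID keyid:{GROUP.encode().hex()}.",
    "IKE phase-1 negotiation is failed. Couldn\\'t find configuration for IKE "
    "phase-1 request for peer IP 198.51.100.8[500], ID keyid:77726f6e67.",
    "IKE phase-1 negotiation is failed. no suitable proposal found in peer\\'s SA payload",
    "constructed unrelated line",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry, GROUP))
```

If the decoded ID already matches the configured group name, the mismatch is not on the client side, which is the situation the replies here resolved by deleting and recreating the gateway configuration.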

I have PAN-OS 7.1.1 on a PA-500. I configured the IPsec VPN client with X-Auth and I try to connect with an Apple iOS device using native IPsec, but the system monitor shows an error: "IKE phase-1 negotiation is failed. no suitable proposal found in peer's SA payload". I remember that in PAN-OS 6.x with the default crypto IPsec policy, the IPsec tunnel from an Apple iOS device worked well.

Any suggestions? Thanks.



 

 


Thanks for your reply.

I will update the firewall to 7.1.1 on the weekend. In case I am still not able to get everything up and running, would it be possible for you to send me some example screenshots of your configuration?

 

Thanks in advance

Hi

 

It's working perfectly with 7.1.1 - thanks for the information.

 

sd
