VPN with built in VPN Client of OS X

L2 Linker


Hi there,

For a special reason I need to set up a dedicated VPN gateway for the built-in iOS/OS X VPN client. Before I start to set up a Linux system for that, I would like to find out if it's possible with PaloAlto or not. In the past there was an X-Auth possibility and I also found documents for PAN-OS 4.x, but it looks like these possibilities are no longer available in PAN-OS 7.

Do you know if it's possible to reach my goal with the PaloAlto firewall?

Thanks,

Stephan


Accepted Solutions
L1 Bithead

Hi,

I deleted the portal + gateway configuration that I had done with the PANOS 7.0 version and reconfigured them with the new PANOS version 7.1.1, and now the IPsec VPN works with iOS devices. I still have to test it with a Linux client and the VPN-Cisco client.

LA



All Replies
L5 Sessionator

Didn't check on PAN-OS 7 but on PAN-OS 6 it was still working fine with X-auth. I doubt they would take it out on 7. 

L5 Sessionator

Yes, it is possible; follow the same steps. If you have upgraded the firewall and then it stopped working, please delete the gateway and reconfigure it with the same settings and it will work.

L2 Linker

You are right, there is still the XAuth configuration, sorry.

Anyway, I am not able to get it up and running....

If I understand it right, I just need to create a GlobalProtect Gateway configuration like for the GlobalProtect clients too. The only difference is that I need to enable X-Auth Support and set a group name and a group password.

On the OS X client I simply create a new VPN connection and fill in the parameters configured on the GP Gateway, right?

L2 Linker

I can see the application ike and ciscovpn in the traffic monitor on port 500 and I see the following error message in the system log

IKE phase-1 negotiation is failed. Couldn\'t find configuration for IKE phase-1 request for peer IP X.X.X.X[56335], ID keyid:63656e73686172652d6164.'

so it looks like the firewall is thinking that the client would like to create a Site2Site VPN..

L1 Bithead

I have PANOS 7.1.1 on a PA500. I configured VPN client IPsec with X-Auth and I am trying to connect from an Apple iOS device with native IPsec, but the system monitor shows an error: "IKE phase-1 negotiation is failed. no suitable proposal found in peer\'s SA payload". I remember that in PANOS 6.x with the default crypto IPsec policy, the IPsec tunnel from an Apple iOS device worked well.

Any suggestions? Thanks.


L2 Linker

Thanks for your reply.

I will update the firewall to 7.1.1 on the weekend. In case I am still not able to get everything up and running, would it be possible for you to send me some example screenshots of your configuration?

Thanks in advance

L2 Linker

Hi,

It's working perfectly with 7.1.1 - thanks for the information.

sd
