Channel: Palo Alto Networks – Weberblog.net

Palo Alto GlobalProtect for Linux with vpnc


This is a tutorial on how to configure the GlobalProtect Gateway on a Palo Alto firewall in order to connect to it from a Linux computer with vpnc.

Short version: Enable IPsec and X-Auth on the Gateway and define a Group Name and Group Password. With these two values (and the gateway address), add a new VPN profile within vpnc on the Linux machine. Log in with the already existing credentials.

The long version with screenshots follows:

I assume that a working GlobalProtect configuration is already in place. The tested PAN-OS version was 6.0.1.

Configuration Palo Alto

The main step is the activation of IPsec (which is useful for the regular GlobalProtect client, too) and of X-Auth Support on the GlobalProtect Gateway. A group name and group password must be set, just like the VPN client settings on a Cisco ASA firewall.

GlobalProtect vpnc - Enable X-Auth

Furthermore, the “from untrust to untrust” security policy must be expanded with at least the application “ciscovpn”. But due to the application dependency warnings after a successful commit on the PA, it is less annoying if “dtls” and all the other dependencies of ciscovpn are allowed, too, though they are not needed. This reduces the commit warnings.

That is, I am permitting the following applications for the complete GlobalProtect process, including the GlobalProtect client:

GlobalProtect vpnc - Security Policy

Linux: vpnc

I ran Ubuntu 13.10 with Linux kernel 3.11.0-18 on my test machine.

The following two applications must be installed:

sudo apt-get install vpnc network-manager-vpnc

To add a VPN connection, click on the network symbol in the upper right corner: VPN Connections -> Configure VPN -> Add -> Cisco VPN Client (vpnc). Give it a name and fill in the gateway name/address, the username, and the group name and group password of the just configured GlobalProtect Gateway (sorry for the German screenshot):

GlobalProtect vpnc - Linux VPN

Test

To connect to the VPN endpoint, click on the new VPN profile and type in your account name and password. After a few seconds, the VPN tunnel should be established.

Here are two listings of the IP address of my Linux test machine (ip a s) and the routing table (ip r s). The first two outputs reveal the values before the VPN tunnel is established:
weberjoh@JW-NB01-Ubuntu:~$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:15:c5:16:6a:d2 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:13:02:47:49:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.36/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::213:2ff:fe47:4937/64 scope link 
       valid_lft forever preferred_lft forever

weberjoh@JW-NB01-Ubuntu:~$ ip r s
default via 192.168.1.1 dev wlan0  proto static 
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.36  metric 9

The following outputs show the values within the VPN tunnel. A new tun0 interface is present, and the default route points to that tun0 interface:

weberjoh@JW-NB01-Ubuntu:~$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:15:c5:16:6a:d2 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:13:02:47:49:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.36/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::213:2ff:fe47:4937/64 scope link 
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none 
    inet 192.168.126.1/32 brd 192.168.126.1 scope global tun0
       valid_lft forever preferred_lft forever

weberjoh@JW-NB01-Ubuntu:~$ ip r s
default dev tun0  proto static 
80.154.108.228 via 192.168.1.1 dev wlan0  proto static 
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.36  metric 9

And by the way: the DNS server in /etc/resolv.conf is NOT changed during the VPN connection. Only the search domain (DNS suffix) corresponding to the network settings on the GlobalProtect Gateway is appended.
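As an added example (not code from the original post), the following script gives the command-line counterpart of the NetworkManager profile described above and two checks for the connected state shown in the listings: the default route must be bound to tun0 while a host route to the gateway still leaves via the physical interface, and the nameserver in /etc/resolv.conf must be unchanged. The gateway address 80.154.108.228 and the interface name tun0 are taken from the listings above; group name, group password and user name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Gateway 80.154.108.228 and
# interface tun0 are the values from the listings above; group name, group
# password and user name are placeholders to be replaced.

# vpnc_profile <gateway> <group-name> <group-password> <username>
# Prints a vpnc profile. Save it as /etc/vpnc/<name>.conf with mode 600 (it
# holds the group password) and connect with `vpnc-connect <name>`; the
# X-Auth password is left out on purpose so that vpnc prompts for it.
vpnc_profile() {
    printf 'IPSec gateway %s\nIPSec ID %s\nIPSec secret %s\n' "$1" "$2" "$3"
    printf 'IKE Authmode psk\nXauth username %s\nNAT Traversal Mode natt\n' "$4"
}

# check_tunnel_routes "<output of ip r s>" <gateway-ip> [<tunnel-ifname>]
# Returns 0 when the default route is bound to the tunnel interface and a host
# route to the gateway still leaves via a different (physical) interface.
# Without that host route the IKE/ESP packets to the gateway would themselves
# be sent into the tunnel and the connection would collapse.
check_tunnel_routes() {
    routes=$1
    gw_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    tun=${3:-tun0}
    printf '%s\n' "$routes" | grep -Eq "^default dev $tun( |$)" || return 1
    printf '%s\n' "$routes" | grep -E "^$gw_re via " \
        | grep -Evq " dev $tun( |$)" || return 2
    return 0
}

# check_nameserver_unchanged "<resolv.conf before>" "<resolv.conf after>"
# Returns 0 when the nameserver lines are identical, i.e. the behaviour noted
# above (only a search domain is appended). A changed resolver would mean DNS
# answers now come from a server other than the one you expect.
check_nameserver_unchanged() {
    before=$(printf '%s\n' "$1" | grep '^nameserver ' | sort)
    after=$(printf '%s\n' "$2" | grep '^nameserver ' | sort)
    [ "$before" = "$after" ]
}

# Live use on the connected Linux box:
#   check_tunnel_routes "$(ip r s)" 80.154.108.228 && echo "tunnel routing OK"
```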

Here are some screenshots of the Palo Alto firewall: The first one shows the Gateway Remote Users with a client of “Linux…”, while the second screenshot shows the System Log with detailed information about the GlobalProtect session: It is recognized as a Cisco VPN Client. After the session has ended, the Traffic Log shows at least two sessions with “ciscovpn”, one on port 500 (IKE) and one on port 4500 (ESP inside UDP).

Screenshots: Remote Users, System Log, Traffic Log

And as always, I am using my http://ip.webernetz.net script to show my current Internet IP address, which in this case reveals that I am surfing through the Palo Alto's ISP connection.
