Have you ever tried to connect to a Palo Alto device from a Linux system using an IPSec VPN client?
GlobalProtect is the preferred way to establish a VPN to a PA device, but while this software is available for Windows and Mac OS, it isn't available for Linux.
Nevertheless, it is possible with a 3rd party client when using a specific setup.
You can use certificate based authentication (highly recommended) or a PSK if you like (not recommended). Both worked fine in my tests.
Requirements
- Shrew VPN Client software
- PAN-OS version v6.0 (the only version tested so far)
If you use a current version of Ubuntu, you can install the Shrew VPN client this way:
sudo apt-get install ike
For all other Linux distributions, download the Shrew VPN client for Linux: https://www.shrew.net/download
Certificate based authentication
- Set up a GlobalProtect Portal & Gateway on the PA (e.g. see this guide or this for reference)
- The most important step is to enable IPSec and X-Auth support!
- You do not need to specify a Group name and/or password (you can leave them empty)
- Open the Shrew VPN client and add a new profile with the following settings:
PSK based authentication
- Set up a GlobalProtect Portal & Gateway on the PA (e.g. see this guide or this for reference)
- The most important step is to enable IPSec and X-Auth support!
- You need to specify an X-Auth Group name and password!
- Open the Shrew VPN client and add a new profile with the following settings:
Tested PAN-OS versions
All the above was tested with PAN-OS v6.0 and may or may not work with newer versions of PAN-OS.