Palo Alto GlobalProtect for Linux with vpnc

This is a tutorial on how to configure the GlobalProtect Gateway on a Palo Alto firewall in order to connect to it from a Linux computer with vpnc.

Short version: Enable IPsec and X-Auth on the Gateway and define a Group Name and Group Password. With this two values (and the gateway address), add a new VPN profile within vpnc on the Linux machine. Login with the already existing credentials.

Long version with screenshots comes here:

I assume that an already working GlobalProtect configuration is in place. The tested PAN-OS version was 6.0.1.

Configuration Palo Alto

The main step is the activation of IPsec (which is useful for the mere GlobalProtect client, too), and the X-Auth Support on the GlobalProtect Gateway. A group name and group password must be set, just like the VPN-Client settings on a Cisco ASA firewall.

GlobalProtect vpnc - Enable X-Auth

Furthermore, the “from untrust to untrust” security policy must be expanded with at least the application “ciscovpn“.  But due to the application dependency warnings after a successful commit on the PA, it is less annoying if “dtls” and all the other dependencies for ciscovpn are allowed, too, though they are not needed. In this way, the commit warnings can be reduced.

That is, I am permitting the following applications for the complete GlobalProtect process, incl. GlobalProtect client, etc.:

GlobalProtect vpnc - Security Policy

Linux: vpnc

I ran a Ubuntu 13.10 with Linux kernel 3.11.0-18 on my test machine.

The following two applications must be installed:

To add a VPN connection, click on the network symbol in the upper right corner: VPN-Connections -> VPN configuration -> Add -> Cisco VPN-Client (vpnc). Give it a name and fill in the gateway name/address, the username and the groupname & -password of the just configured GlobalProtect Gateway (sorry for the German screenshot):

GlobalProtect vpnc - Linux VPN

Test

To connect to the VPN endpoint, click on the new VPN profile and type in your account name and password. After a few seconds, the VPN tunnel should be established.

Here are two listings of the IP address of my Linux test machine ( ip a s ) and the routing table ( ip r s ). The first two outputs reveal the values before the VPN tunnel is established:

 

While the following shows the values within the VPN tunnel. A new tun0 interface is present and the default route points to that tun0 interface:

 

And by the way: the DNS server in /etc/resolv.conf is NOT changed during the VPN connection. Only the search domain (DNS suffix) correspondent to the network settings in the GlobalProtect Gateway is appended.

Here are some screenshots of the Palo Alto firewall: The first one shows the Gateway Remote Users with a client of “Linux…”, while the second screenshot shows the System Log with detailed information about the GlobalProtect session: It is recognized as a Cisco VPN Client. After the finished session, the Traffic Log shows at least two sessions with “ciscovpn”, one on port 500 (IKE) and one on port 4500 (ESP inside UDP).

And as always, I am using my http://ip.webernetz.net script to show my current Internet IP address which reveals in this case, that I am surfing through the Palo Alto ISP connection.

Links

20 thoughts on “Palo Alto GlobalProtect for Linux with vpnc

  1. Hallo Herr Weber,

    ich nutze nur noch diese Variante, geht sehr harmonisch.
    Als Remote-Desktop nutze “rdesktop”

    Übrigens, der gleiche Weg funktioniert auch auf Android –> Smartphone sowie Tablet.

    VG
    A. Frauenkron

  2. Hello,
    I am trying to follow your guide but I keep getting connection failed when I try the upnc connection from ubuntu. also I can see any connection attemps on the palo alto from the IP address im using on ubuntu, it is like it is not trying to connect and the errror I get back is “no response from target” even though I am using the correct gateway IP address

    Any idea what could be wrong?

    1. Hi John,
      is your GlobalProtect configuration working with the normal GlobalProtect client? So, is your error only from vpnc or in general?
      –> A common error is to forget the security policy “from untrust to untrust”. Maybe your Palo Alto is blocking the requests to its own IP address? Please have a look at your traffic log, display the columns “bytes received” and “bytes sent”, and find out whether you have sessions which are blocked or have 0 bytes received.
      –> Note that you have to allow “ciscovpn” as an application for this “from untrust to untrust” policy.
      –> Otherwise search through the system logs with “( subtype eq globalprotect )”. Maybe you will find some hints there.

  3. hi ,

    don’t know if you can help but i followed this excatly and my linux client does connect, but it gets disconnected after 10 seconds or so . i’ve looked at the logs but because the client gets connected the logs are not all that helpfull. I was wondering if you had this issue and what to do about it as i’m going mad . the normal GP client works for win/osx clients.

    Thanks
    Joe

    1. Hi Joe.
      Hm, I am sorry, I did not have this issue as you are describing it. Have you tested any other Linux machines? Are you able to send traffic in both directions through the tunnel, e.g., a ping? Can you sniff on the wire (e.g., with Wireshark) to analyse the packets? Aren’t there any log entries about the disconnection?

  4. So, my question is, how does this affect my current GlobalProtect users? If I enable this, do those users then need the group name and password?

  5. Hallo,

    ich habe versucht die Cisco AnyConnect App mit der PA zu verbinden (Blackberry BB10) – erfolglos.

    Der VPN-Tunnel zwischen dem Windows-Client und der PA läuft tadellos.
    Nun habe ich die Erweiterung nach Eurer Anleitung gemacht

    Es gibt einfach zu viele Parameter bei der App zum einstellen.
    Z.B. Gateway-Typ (Cisco AnyConnect, Juniper IPsec, Microsoft IKEv2 usw..)

    Könnt Ihr eine App empfehlen, über die man einen VPN-Tunnel aufbauen kann,
    ohne GlobalProtect nutzen zu müssen?

    1. Hi Marco,
      ich kenne mich leider nicht mit Blackberry aus. Das “AnyConnect” VPN von Cisco wird definitiv nicht funktionieren, da es ein reines SSL-VPN von Cisco ist. Du brauchst schon einen IPsec Client. Vielleicht kann der Blackberry so etwas nativ, ähnlich zu Android oder iPhone (wie ich es in anderen Posts beschrieben haben).
      Rein vom Namen her könntest du auch das “Juniper IPsec” mal probieren, weil Palo Alto mit Juniper ja in gewisser Weise verwandt ist.

  6. Hallo,

    seit dem Update der PA auf 7.1 funktioniert IPSec leider nicht mehr.
    Ist da schon was bekannt, ggf. ein globales Problem mit der 7.1 OS?

    Die Einstellungen unter GlobalPrtotect Gateway Configuration –> Tunnel Settings –> Agent (bei 7.1) sind identisch mit GlobalProtect Gateway –> Tunnel Settings –> Client Configuration (bei 7.0).

    Muss eventuell nur einmal das Group Password neu eingegeben werden?

    Gruß
    Günter

  7. Hi,

    VPNC does not work when Multi Factor Authentication (Radius OTP) is enabled. Do know of a fix or work around for this?

    Thanks!
    James

  8. Hello, I found Palo Alto global protect doesn’t add the configured “access routes” (in Client configuration ->Network Setting ) to the linux client so all traffic is forced to pass by the VPN tunnel (tun0) as you said in this howto. In windows/MacOS clients the routes all perfectly added to the client machine as long the client is “preconfigured”.
    I know I can add the routes manually (or in vpnc’s script) but I want to be configured on Palo Alto to avoid noob people to make mistakes or modify their linux systems. Is this possible?

    1. I found myself the answer with “split connection” configuration adding the routes on vpnc “routes table” and “use this connection for resources on its network”.
      This way you can use the VPN only for desired networks but you must define any network on the VPN you want to acces by tun0. Is called split tunneling for vpnc.

      More info:
      https://live.paloaltonetworks.com/t5/Configuration-Articles/Split-Tunneling-for-VPNC-Client-on-Linux-Distributions/ta-p/57244

      I hope it will help some other people to configure linux VPN with Palo Alto’s VPN SSL.

  9. My workplace uses Global Protect. I have been connecting from Ubuntu at home, setting up the client side much as you show here. Now they are adding 2FA. I do not have access to the server side so I can’t say exactly how they are doing that. The standard Ubuntu “Configure VPN” doesn’t seem to have any setting related to 2FA. The IT department seems to expect that after my username/password are sent, a text message will be sent to my cell phone with a code. I have no idea where I would enter this code. They only deal with Windows/Mac and can’t help with any kind of Linux. Do you have any information on how 2FA works with GP and how a Ubuntu VPN client might be coerced to work with it?

    1. You would put the passcode after your password with a comma.

      password,passcode

      This is if they are using Duo Auth Proxy with Global Protect.

Leave a Reply

Your email address will not be published. Required fields are marked *