Scribd Logo
Upload

Welcome to Scribd!

  • GlobalProtect Config Android RevB

    Uploaded by

    JhonnySinatra
    76 views10 pages
    p

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    p

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    76 views10 pages

    GlobalProtect Config Android RevB

    Uploaded by

    JhonnySinatra
    p

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    GlobalProtect Configuration for Android Devices

    Configuring IPSec VPN between Android and PAN-OS devices

    Tech Note
    PAN-OS 4.1

    Revision B ©2012, Palo Alto Networks, Inc. www.paloaltonetworks.com


    Contents
    OVERVIEW .................................................................................................................................................................3
    PREREQUISITES ........................................................................................................................................................3
    GLOBALPROTECT GATEWAY SETUP ..........................................................................................................................3
    CERTIFICATE CREATION ....................................................................................................................................................................3
    Root Certificate Authority ........................................................................................................................................................3
    Gateway Certificate ..................................................................................................................................................................4
    Identity Certificate ...................................................................................................................................................................4
    Certificate Profile.....................................................................................................................................................................5
    GLOBALPROTECT GATEWAY CONFIGURATION ......................................................................................................................................5
    GOOGLE ANDROID SETUP .........................................................................................................................................5
    Exporting and Importing Certificates .....................................................................................................................................5
    Exporting the Root Certificate Authority ................................................................................................................................6
    Importing the Root Certificate to the Android ........................................................................................................................6
    Exporting the Identity Certificate ............................................................................................................................................7
    Importing the IPSec User Certificate to the Android .............................................................................................................7
    CREATING A VPN PROFILE ...............................................................................................................................................................8
    PRE-SHARED SECRET AUTHENTICATION .................................................................................................................8
    CONFIGURING A PRE-SHARED SECRET ON THE GLOBALPROTECT GATEWAY...........................................................................................8
    CONFIGURING THE PRE-SHARED SECRET ON THE ANDROID DEVICE ......................................................................................................9
    REVISION HISTORY .................................................................................................................................................. 10

    ©2012, Palo Alto Networks, Inc. [2]


    Overview
    In its original design, IKE only addressed authentication of two devices through a pre-shared symmetric key or a
    private/public key, in which the public key needed to be exchanged between the two devices to establish a secure tunnel.
    Extended Authentication (X-Auth) describes a method of authenticating users as part of the IKE handshake between an
    IPSec client and gateway after the initial key exchange in phase 1. This concept is supported in a variety of IPSec VPN
    clients, such as the built in VPN client of Google Android devices.
    In this tech note, we describe the steps needed to configure an existing GlobalProtect Portal/Gateway environment to enable
    Google Android devices to establish VPN connectivity using the built-in Android IPSec client. There are three methods for
    authentication that will be discussed: self-signed certificate, certificate issued by a root Certificate Authority (CA), and pre-
    shared secret.

    Prerequisites
    • GlobalProtect Gateway
    Support for X-AUTH was introduced in PAN-OS 4.1 as a feature of GlobalProtect Gateway and doesn’t require
    any specific license to be activated. To support Android Devices, version 4.1.6 of PAN-OS and above is
    required.
    • Google Android
    Android OS 4.0.3 or later is supported.

    GlobalProtect Gateway Setup


    This section describes how to setup the GlobalProtect Gateway and Android OS with certificate based authentication for
    IKE phase 1 and user based authentication (X-Auth) thereafter.
    The benefit of such a setup is that you could either use certificates created in the PAN-OS management UI to reliably identify
    corporate devices, or you could use certificates issued by an external certificate authority to authenticate individual devices
    in the enterprise, prior to authenticating the user.

    Certificate Creation
    In order to setup certificate-based IKE phase 1 authentication, you need to create three certificates either in the PAN-OS
    management UI or from an external certificate authority.

    Root Certificate Authority


    Every Public Key Infrastructure requires a central source of its trust, which in an X.509 world is usually referred to as the
    Root Certificate Authority.

    Like every product leveraging certificate based authentication, GlobalProtect requires the existence of a Root Certificate,
    which can be either created within PAN-OS or from an external certificate authority (CA). If an external certificate authority
    is used, the Root Certificate needs to be imported into PAN-OS.
    1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.
    2. Enter a unique name for the certificate in the configuration.
    3. Leave the Signed By field empty and select the Certificate authority checkbox underneath.
    4. Click Generate.

    ©2012, Palo Alto Networks, Inc. [3]


    Gateway Certificate
    The certificate for the gateway can be created in PAN-OS or imported from an external certificate authority. This section
    only covers the steps to create a certificate in PAN-OS with a CA certificate on the device
    1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.
    2. Enter a unique name for the certificate in the configuration.
    3. Enter the gateway’s DNS hostname as the Common Name (CN).
    4. Enter the gateway’s IP address in the IP address field. Use the device’s internal and assigned IP address if your device
    resides behind a NAT device.
    5. Select the certificate authority created in the “Root Certificate Authority” section in the Signed By drop-down to issue
    this certificate.
    6. Click Generate.

    Identity Certificate
    In the case of certificate based authentication, the client and the gateway go through a mutual authentication. Therefore the
    Android device requires a certificate from a certificate authority trusted by the gateway. This certificate can be created in
    PAN-OS or imported from an external certificate authority. This section describes how to generate a client certificate
    (referred to as an IPSec user certificate in Android), in PAN-OS, and the process to export the certificate.
    ©2012, Palo Alto Networks, Inc. [4]
    1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.
    2. Enter a unique name for the certificate in the configuration.
    3. Enter any name in the Common Name (CN).
    4. Select the certificate authority to issue this certificate.
    5. Click Generate.

    Certificate Profile
    In order to validate the client certificate, a Client Certificate Profile needs to be created which includes the CA certificate
    used to create the Identity Certificate. Please refer to the corresponding section on creating Client Certificate Profiles in the
    Palo Alto Networks Administrator’s Guide.

    GlobalProtect Gateway Configuration


    The following section discusses the necessary steps to enable X-AUTH, which is required to support Google Android devices
    on an existing GlobalProtect gateway.

    Note: If there is no existing GlobalProtect Portal/Gateway, please refer to the corresponding section in the Palo Alto
    Networks Administrator’s Guide on how to configure a GlobalProtect Portal/Gateway.

    1. In the Server Certificate drop-down, select the gateway certificate created in the “Gateway Certificate” section of
    this document.
    2. In the Client Certificate Profile drop-down, select the certificate profile, which includes the CA certificate used to
    issue the client certificate in the “Client Certificate” section.
    3. Enable “Tunnel Mode” and select “Enable IPSec”.
    4. Enable “Enable X-Auth Support” to enable Extended Authentication.
    5. Leave the “Group Name” and “Group Password” fields empty to enable certificate authentication in IKE phase 1.
    6. Click OK and commit the configuration changes.

    Google Android Setup


    This section focuses on integrating Google Android devices into the GlobalProtect Gateway using certificate based
    authentication in IKE phase 1.

    Exporting and Importing Certificates


    The certificates created in the “Root Certificate Authority” and “Identity Certificate” section need to be exported from
    PAN-OS and imported into the Android device.

    ©2012, Palo Alto Networks, Inc. [5]


    Exporting the Root Certificate Authority
    1. In the PAN-OS management web interface, navigate to the certificate section in the device configuration tab.
    2. Select the Root CA certificate created in the “Root Certificate Authority” section of this document.
    3. Click Export and select “Base64 Encoded Certificate (PEM)” as the file format.
    4. Uncheck the “Export private key” checkbox and click OK.

    Importing the Root Certificate to the Android


    1. Create a new email and attach the Root Certificate exported in the section above.
    2. Send the email to yourself or the Android user.
    3. On the device, open the new email and select “Attachments”
    4. Select the root certificate attached to the email and click “load”.

    5. Select view in the certificate information.


    6. Specify a name for the root certificate and click “ok”.

    ©2012, Palo Alto Networks, Inc. [6]


    Exporting the Identity Certificate
    1. In the PAN-OS management web interface, navigate to the certificate section in the device configuration tab.
    2. Select the IPSec user certificate created in the “IPSec user certificate” section of this document.
    3. Click Export and select “Encrypted Private Key and Certificate (PKCS12)” as the file format.
    4. Enter an export password and click OK.

    Importing the IPSec User Certificate to the Android


    1. Create a new email and attach the IPSec user certificate exported in the section above.
    2. Send the email to yourself or the Android user.
    3. On the device, open the new email and select “Attachments”.
    4. Select the IPSec user certificate attached to the email and click “load”.
    5. Enter the export password specified during the export process in the previous section.
    6. Specify a name for the imported certificate and click “ok”.

    ©2012, Palo Alto Networks, Inc. [7]


    Creating a VPN Profile
    To create a VPN profile on the Android, open the system settings and navigate to the “Wireless & Networks > More > VPN
    > Add VPN Network”
    1. Define a descriptive name for this connection.
    2. Select “IPSec Xauth RSA” as the type.
    3. Enter the address of the GlobalProtect Gateway.
    4. Select the previously imported IPSec user certificate in the IPSec user certificate drop-down menu.
    5. Select the previously imported root certificate in the IPSec CA certificate drop-down menu to ensure the client can
    validate the gateway certificate with your certificate authority.
    6. Click “Save”

    Your VPN profile is now configured and you can enable the VPN connection through the VPN settings in the “Wireless &
    Network” section of your device settings. Once you click on the connection entry, a username and password dialog will
    appear and you will be prompted for your user credentials.

    Pre-Shared Secret Authentication


    As an alternative to using certificate based authentication in IKE phase 1, you can configure a pre-shared secret based
    authentication method.
    This configuration is recommended for a single gateway environment or for a small number of gateways since the
    configuration would have to be replicated on each gateway. Also, the client will not have the functionality to find the
    nearest gateway in a multi-gateway environment; it will only connect directly to the gateway that is defined on the client.

    Configuring a Pre-Shared Secret on the GlobalProtect Gateway


    1. On the GlobalProtect Gateway, navigate to Network > GlobalProtect > Gateways and create a new Gateway
    configuration or modify an existing Gateway.
    2. From the General tab, enable Tunnel Mode and then select Enable IPSec and Enable X-Auth Support.
    3. Enter a Group Name.
    4. Enter and confirm the Group Password.
    5. Click Ok and then commit the configuration.

    ©2012, Palo Alto Networks, Inc. [8]


    Configuring a Pre-Shared Secret on the Android Device
    1. On the Android device, open Settings > Wireless and networks > More > VPN.
    2. Click Add VPN network.
    3. Enter a descriptive name for the profile in the Name field.
    4. In the Type drop-down, select IPSec Xauth PSK as the type.
    5. In the Server address field, enter the address of the GlobalProtect Gateway.
    6. Enter the group name configured previously in the IPSec identifier field.
    7. Enter the group password in the IPsec pre-shared key field.
    8. Save the configuration.
    9. To establish a VPN, go to Settings > Wireless and networks > VPN and select the new VPN profile.
    10. Click Connect and you will be prompted for your username and password. Once authenticated, the VPN will be
    established.

    ©2012, Palo Alto Networks, Inc. [9]


    Revision History
    Date Revision Comment
    7/9/2012 B Added a new section named “Pre-Shared Secret
    Authentication”.
    5/23/2012 A First release of the tech note.

    ©2012, Palo Alto Networks, Inc. [10]

    You might also like