
GlobalProtect Configuration for Android Devices

Configuring IPSec VPN between Android and PAN-OS devices

Tech Note PAN-OS 4.1

Revision B

©2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Contents

Overview
Prerequisites
GlobalProtect Gateway Setup
    Certificate Creation
        Root Certificate Authority
        Gateway Certificate
        Identity Certificate
        Certificate Profile
    GlobalProtect Gateway Configuration
Google Android Setup
    Exporting and Importing Certificates
        Exporting the Root Certificate Authority
        Importing the Root Certificate to the Android
        Exporting the Identity Certificate
        Importing the IPSec User Certificate to the Android
    Creating a VPN Profile
Pre-Shared Secret Authentication
    Configuring a Pre-Shared Secret on the GlobalProtect Gateway
    Configuring the Pre-Shared Secret on the Android Device
Revision History


Overview

In its original design, IKE only addressed authentication of the two IPSec peers (devices), either through a pre-shared symmetric key or through a public/private key pair, in which case each peer needs the other's public key, usually carried in a certificate, before a secure tunnel can be established.

Extended Authentication (X-Auth) adds user authentication to the IKE handshake between an IPSec client and gateway, after the phase 1 key exchange has authenticated the devices. X-Auth is supported by a variety of IPSec VPN clients, including the built-in VPN client of Google Android devices.

In this tech note, we describe the steps needed to configure an existing GlobalProtect Portal/Gateway environment so that Google Android devices can establish VPN connectivity using the built-in Android IPSec client. Three authentication methods for IKE phase 1 are discussed: a self-signed certificate, a certificate issued by a root Certificate Authority (CA), and a pre-shared secret.

Prerequisites

GlobalProtect Gateway

Support for X-Auth was introduced in PAN-OS 4.1 as a feature of GlobalProtect Gateway and does not require any specific license to be activated. To support Android devices, PAN-OS 4.1.6 or later is required.

Google Android

Android OS 4.0.3 or later is supported.

GlobalProtect Gateway Setup

This section describes how to set up the GlobalProtect Gateway and Android OS with certificate-based authentication for IKE phase 1 and user-based authentication (X-Auth) thereafter.

The benefit of such a setup is that you can either use certificates created in the PAN-OS management UI to reliably identify corporate devices, or use certificates issued by an external certificate authority to authenticate individual devices in the enterprise, before the user is authenticated.

Certificate Creation

To set up certificate-based IKE phase 1 authentication, you need to create three certificates, either in the PAN-OS management UI or from an external certificate authority: a root CA certificate, a gateway certificate, and an identity (client) certificate.

Root Certificate Authority

Every public key infrastructure needs a central trust anchor, which in the X.509 world is usually referred to as the root certificate authority.

Like every product leveraging certificate based authentication, GlobalProtect requires the existence of a Root Certificate, which can be either created within PAN-OS or from an external certificate authority (CA). If an external certificate authority is used, the Root Certificate needs to be imported into PAN-OS.

1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.

2. Enter a unique name for the certificate in the configuration.

3. Leave the Signed By field empty and select the Certificate Authority checkbox underneath. Leaving Signed By empty makes the certificate self-signed, which is what marks it as the root of trust.

4. Click Generate.



Gateway Certificate

The certificate for the gateway can be created in PAN-OS or imported from an external certificate authority. This section only covers the steps to create a certificate in PAN-OS, signed by a CA certificate on the device.

1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.

2. Enter a unique name for the certificate in the configuration.

3. Enter the gateway's DNS hostname as the Common Name (CN).

4. Enter the gateway's IP address in the IP address field. Use the device's internal, assigned IP address if your device resides behind a NAT device. Use the same hostname or IP address that will later be entered as the server address in the Android VPN profile, so that the client can match the certificate to the gateway it dials.

5. In the Signed By drop-down, select the certificate authority created in the "Root Certificate Authority" section to issue this certificate.

6. Click Generate.


Identity Certificate

In the case of certificate-based authentication, the client and the gateway go through mutual authentication. Therefore the Android device requires a certificate issued by a certificate authority trusted by the gateway. This certificate can be created in PAN-OS or imported from an external certificate authority. This section describes how to generate a client certificate (referred to as an IPSec user certificate in Android) in PAN-OS; the process to export it is described under "Exporting the Identity Certificate".


1. To create a certificate locally, navigate to the Certificate page on the Device tab and select Generate.

2. Enter a unique name for the certificate in the configuration.

3. Enter a name that identifies the device or user in the Common Name (CN) field; the gateway does not match it against anything, but it makes the certificate recognisable when it has to be revoked or replaced.

4. Select the certificate authority created in the "Root Certificate Authority" section to issue this certificate.

5. Click Generate.

Certificate Profile

To validate the client certificate, a Client Certificate Profile needs to be created that includes the CA certificate used to issue the Identity Certificate. Refer to the section on creating Client Certificate Profiles in the Palo Alto Networks Administrator's Guide.

GlobalProtect Gateway Configuration

The following section discusses the necessary steps to enable X-AUTH, which is required to support Google Android devices on an existing GlobalProtect gateway.

Note: If there is no existing GlobalProtect Portal/Gateway, please refer to the corresponding section in the Palo Alto Networks Administrator’s Guide on how to configure a GlobalProtect Portal/Gateway.

1. In the Server Certificate drop-down, select the gateway certificate created in the "Gateway Certificate" section of this document.

2. In the Client Certificate Profile drop-down, select the certificate profile that includes the CA certificate used to issue the client certificate in the "Identity Certificate" section.

3. Enable "Tunnel Mode" and select "Enable IPSec".

4. Select "Enable X-Auth Support" to enable Extended Authentication.

5. Leave the "Group Name" and "Group Password" fields empty so that IKE phase 1 uses certificate authentication. If they are filled in, the gateway expects pre-shared secret authentication instead (see "Pre-Shared Secret Authentication").

6. Click OK and commit the configuration changes.


Google Android Setup

This section focuses on integrating Google Android devices into the GlobalProtect Gateway using certificate based authentication in IKE phase 1.

Exporting and Importing Certificates

The certificates created in the “Root Certificate Authority” and “Identity Certificate” section need to be exported from PAN-OS and imported into the Android device.


Exporting the Root Certificate Authority

1. In the PAN-OS management web interface, navigate to the certificate section in the Device tab.

2. Select the root CA certificate created in the "Root Certificate Authority" section of this document.

3. Click Export and select "Base64 Encoded Certificate (PEM)" as the file format.

4. Uncheck the "Export private key" checkbox and click OK. The Android device only needs the public CA certificate to validate the gateway; the CA private key must stay on the firewall.

Importing the Root Certificate to the Android

1. Create a new email and attach the root certificate exported in the section above.

2. Send the email to yourself or the Android user.

3. On the device, open the new email and select "Attachments".

4. Select the root certificate attached to the email and click "load".

5. Select "view" in the certificate information.

6. Specify a name for the root certificate and click "ok".



Exporting the Identity Certificate

1. In the PAN-OS management web interface, navigate to the certificate section in the Device tab.

2. Select the IPSec user certificate created in the "Identity Certificate" section of this document.

3. Click Export and select "Encrypted Private Key and Certificate (PKCS12)" as the file format.

4. Enter an export password and click OK. The PKCS12 file contains the device's private key, so choose a strong password and give it to the user over a channel other than the email that carries the file.

Importing the IPSec User Certificate to the Android

1. Create a new email and attach the IPSec user certificate exported in the section above.

2. Send the email to yourself or the Android user.

3. On the device, open the new email and select "Attachments".

4. Select the IPSec user certificate attached to the email and click "load".

5. Enter the export password specified during the export process in the previous section.

6. Specify a name for the imported certificate and click "ok".
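The "Certificate Creation" section notes that all three certificates can also come from an external certificate authority, and the export sections above fix the two formats the Android device accepts. The following shell script is an added example, not part of this tech note and not Palo Alto Networks code: it builds the same root CA, gateway certificate and identity certificate with OpenSSL, exports them the way the note does (CA as a PEM certificate without its private key, identity certificate plus key as a password-protected PKCS12), and then checks what the Android client and the gateway's certificate profile will each check. It assumes a POSIX shell with OpenSSL 1.1.1 or later; the CA name, the gateway name gw.example.com, the address 203.0.113.10, the user name android-user-01 and the export password are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks tech note: build the root CA,
# gateway certificate and identity certificate with an external CA (OpenSSL),
# export them in the formats the note uses for Android, and verify them.
# All names, addresses and the export password used here are hypothetical.
set -eu

# Issue one end-entity certificate from the root CA in "$dir" with the given
# subject and X.509v3 extensions (one "key=value" per line).
issue_cert() {
    dir="$1"; name="$2"; subject="$3"; ext="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subject" 2>/dev/null
    printf '%s\n' "$ext" > "$dir/$name.ext"
    openssl x509 -req -days 825 -sha256 -in "$dir/$name.csr" \
        -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

build_gp_pki() {
    dir="$1"; gw_fqdn="$2"; gw_ip="$3"; p12_pass="$4"
    mkdir -p "$dir"

    # 1. Root CA (the PAN-OS "Signed By empty + Certificate Authority" case):
    #    self-signed with CA:TRUE. Its private key never leaves this directory.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/root-ca.key" -out "$dir/root-ca.csr" \
        -subj "/CN=Example GlobalProtect Root CA" 2>/dev/null
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$dir/root-ca.ext"
    openssl x509 -req -days 3650 -sha256 -in "$dir/root-ca.csr" \
        -signkey "$dir/root-ca.key" -extfile "$dir/root-ca.ext" \
        -out "$dir/root-ca.pem" 2>/dev/null

    # 2. Gateway certificate: CN is the DNS name; the SAN carries both the name
    #    and the IP so the client can match whichever address it dials.
    issue_cert "$dir" gateway "/CN=$gw_fqdn" \
"subjectAltName=DNS:$gw_fqdn,IP:$gw_ip
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE"

    # 3. Identity (IPSec user) certificate for one Android device.
    issue_cert "$dir" android-user-01 "/CN=android-user-01" \
"extendedKeyUsage=clientAuth
basicConstraints=CA:FALSE"

    # Export for Android: the CA as a PEM certificate only (no private key), and
    # the identity certificate plus its key as a password-protected PKCS12.
    cp "$dir/root-ca.pem" "$dir/export-root-ca.crt"
    openssl pkcs12 -export -in "$dir/android-user-01.pem" \
        -inkey "$dir/android-user-01.key" -certfile "$dir/root-ca.pem" \
        -name android-user-01 -passout "pass:$p12_pass" \
        -out "$dir/export-android-user-01.p12"
}

# Returns 0 only if every check the two sides perform would succeed.
verify_gp_pki() {
    dir="$1"; gw_fqdn="$2"; gw_ip="$3"; p12_pass="$4"
    # What the Android client checks: the gateway certificate chains to the
    # imported CA and names the address configured in the VPN profile.
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/gateway.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/gateway.pem" -noout -text | grep -q "DNS:$gw_fqdn" || return 1
    openssl x509 -in "$dir/gateway.pem" -noout -text | grep -q "IP Address:$gw_ip" || return 1
    # What the gateway's certificate profile checks: the client certificate
    # chains to the CA listed in the profile.
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/android-user-01.pem" >/dev/null 2>&1 || return 1
    # What the export steps intend: no private key in the CA file, and the
    # PKCS12 opens only with the export password.
    if grep -q "PRIVATE KEY" "$dir/export-root-ca.crt"; then return 1; fi
    openssl pkcs12 -in "$dir/export-android-user-01.p12" -passin "pass:$p12_pass" \
        -nokeys -noout 2>/dev/null || return 1
    return 0
}

# Stand-alone demo: ./gp-pki.sh demo
if [ "${1:-}" = "demo" ]; then
    build_gp_pki ./gp-pki gw.example.com 203.0.113.10 'change-me'
    verify_gp_pki ./gp-pki gw.example.com 203.0.113.10 'change-me' && echo "PKI OK"
fi
```

The two files to hand to the device are export-root-ca.crt (loaded as the IPSec CA certificate) and export-android-user-01.p12 (loaded as the IPSec user certificate); root-ca.key stays with whoever issues certificates. Re-running verify_gp_pki with a different gateway name fails the SAN check, which is the same mismatch you would see on the device if the server address in the VPN profile does not appear in the gateway certificate.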



Creating a VPN Profile

To create a VPN profile on the Android device, open the system settings and navigate to "Wireless & Networks > More > VPN > Add VPN Network".

1. Define a descriptive name for this connection.

2. Select "IPSec Xauth RSA" as the type.

3. Enter the address of the GlobalProtect Gateway.

4. Select the previously imported IPSec user certificate in the IPSec user certificate drop-down menu.

5. Select the previously imported root certificate in the IPSec CA certificate drop-down menu, so that the client can validate the gateway certificate against your certificate authority.

6. Click "Save".


Your VPN profile is now configured and you can enable the VPN connection through the VPN settings in the "Wireless & Networks" section of your device settings. Once you click on the connection entry, a username and password dialog will appear and you will be prompted for your user credentials.

Pre-Shared Secret Authentication

As an alternative to certificate-based authentication in IKE phase 1, you can configure pre-shared secret authentication. This configuration is recommended for a single-gateway environment or for a small number of gateways, since the group name and password have to be replicated on each gateway. Also, the client cannot locate the nearest gateway in a multi-gateway environment; it only connects to the gateway defined in the client profile. Keep in mind that the group password is a single secret shared by every device that uses the gateway: if one device is lost or compromised, the password has to be changed on the gateway and on all remaining devices.

Configuring a Pre-Shared Secret on the GlobalProtect Gateway

1. On the GlobalProtect Gateway, navigate to Network > GlobalProtect > Gateways and create a new Gateway configuration or modify an existing Gateway.

2. From the General tab, enable Tunnel Mode and then select Enable IPSec and Enable X-Auth Support.

3. Enter a Group Name.

4. Enter and confirm the Group Password.

5. Click OK and then commit the configuration.


Configuring a Pre-Shared Secret on the Android Device

1. On the Android device, open Settings > Wireless and networks > More > VPN.

2. Click Add VPN network.

3. Enter a descriptive name for the profile in the Name field.

4. In the Type drop-down, select IPSec Xauth PSK as the type.

5. In the Server address field, enter the address of the GlobalProtect Gateway.

6. Enter the group name configured previously in the IPSec identifier field.

7. Enter the group password in the IPSec pre-shared key field.

8. Save the configuration.

9. To establish a VPN, go to Settings > Wireless and networks > VPN and select the new VPN profile.

10. Click Connect and you will be prompted for your username and password. Once authenticated, the VPN will be established.


Revision History

Date        Revision   Comment
7/9/2012    B          Added a new section named "Pre-Shared Secret Authentication".
5/23/2012   A          First release of the tech note.
