Palo Alto: IPSec VPN client?!

Have you ever tried to connect to a Palo Alto device from a Linux system by using an IPSec VPN client?

Global Protect is the preferred way to establish a VPN to a PA device, but while this software is available for Windows and Mac OS, it isn't for Linux.

Nevertheless, it is possible with a 3rd party client when using a specific setup.

You can use certificate-based authentication (highly recommended) or a PSK if you like (not recommended). Both worked fine in my tests.

Requirements

  1. Shrew VPN Client software
  2. PAN-OS v6.0 (the only version tested so far)

If you use a current version of Ubuntu, you can install the Shrew VPN client this way:

sudo apt-get install ike

For all other Linux distributions, download the Shrew VPN client for Linux: https://www.shrew.net/download

Certificate-based authentication

  1. Set up a Global Protect Portal & Gateway on the PA (e.g. see this guide or this for reference)
  2. The most important step is to enable IPSec and X-Auth support!
  3. You do not need to specify a Group name and/or password (you can leave it empty)
  4. Open Shrew VPN client and add a new profile with the following settings:

PSK-based authentication

  1. Set up a Global Protect Portal & Gateway on the PA (e.g. see this guide or this for reference)
  2. The most important step is to enable IPSec and X-Auth support!
  3. You need to specify an X-Auth Group name and password!
  4. Open Shrew VPN client and add a new profile with the following settings:

Tested PAN-OS versions

All the above was tested with PAN-OS v6.0 and may or may not work with newer versions of PAN-OS.