Difference between revisions of "Palo Alto VPN for linux"

From HPC Guide
orig>Wiki admin
 
(21 intermediate revisions by 3 users not shown)
Line 14: Line 14:
 
Choose the “1” then “2” :
 
Choose the “1” then “2” :
  
4 Then you will receive SMS with 2-minute code and enter it immediately to the filed:
+
Then you will receive SMS with 2-minute code and enter it immediately to the filed:
1
+
Then you will be redirected to the QR code for GoogleAuthenticator account setup:
2
 
1.5 Then you will be redirected to the QR code for GoogleAuthenticator account setup:
 
 
Scan it using your mobile Google Authenticator app using “+” on bottom right corner of mobile device
 
Scan it using your mobile Google Authenticator app using “+” on bottom right corner of mobile device
 
and enter the generated code from mobile GoogleAuthenticator to the field and press the green button.
 
and enter the generated code from mobile GoogleAuthenticator to the field and press the green button.
  
 
==Download==
 
==Download==
Download and install VPN client, from the browser, go to
+
Download and install VPN client, from the browser, go to:
<pre>
+
 
http://hpc-tftp.tau.ac.il/public_files/PanGPLinux-5.3.1-c9.tgz
+
 
</pre>
+
[https://hpcguide.tau.ac.il/vpn/PanGPLinux-5.3.4-c5.tgz GlobalProtect-5.3.4]
 +
 
 +
[https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.0.1-c6.tgz GlobalProtect-6.0.1]
 +
 
 +
[https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.1.1-c4.tgz GlobalProtect-6.1.1]
 +
 
 +
[https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.2.0-c10.tgz GlobalProtect-6.2.0]
 +
 
 
Linux package should be extracted and installed appropriated version:
 
Linux package should be extracted and installed appropriated version:
  
 
'''Debian/Ubuntu'''
 
'''Debian/Ubuntu'''
<pre>
+
 
dpkg -i GlobalProtect_UI_deb-5.3.1.0-36.deb
+
<code>dpkg -i GlobalProtect_UI_deb-6.0.1.1-6.deb</code>
</pre>
+
 
 
'''Redhat/Centos'''
 
'''Redhat/Centos'''
<pre>
+
 
yum localinstall GlobalProtect_UI_rpm-5.3.1.0-36.rpm
+
<code>yum localinstall GlobalProtect_UI_rpm-6.0.1.1-6.rpm</code>
</pre>
+
 
 
==Configure==
 
==Configure==
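Review bot: the install commands on the new side hard-code GlobalProtect_UI_deb-6.0.1.1-6.deb and GlobalProtect_UI_rpm-6.0.1.1-6.rpm, while the download list now offers 5.3.4, 6.0.1, 6.1.1 and 6.2.0, so the filename only matches one of the four downloads. Suggest writing the filename with a version placeholder, or telling the reader to substitute the version they extracted. The move from the http:// link to https:// links is good, but the tarballs are still offered without a published checksum; since the packages are installed as root, a SHA-256 beside each link would let readers verify the download.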
  
Line 42: Line 47:
 
Execute and configure VPN client on Linux (another OS are similar) :
 
Execute and configure VPN client on Linux (another OS are similar) :
  
Open client by pressing “1” and enter address vpn.tau.ac.il “2” :
+
Open client by pressing on the relevant icon ("1" as in the picture on the right)
 +
 
 +
And enter address '''vpn.tau.ac.il''' ("2" as in the picture on the right)
 +
 
 +
==Errors==
 +
===SSL Error===
 +
On latest ubuntu version, ubuntu 22.04, after installing and configuring globalprotect VPN, you get this error:
 +
 
 +
[[File:784px-Vpn ssl error.png|none|thumb]]
 +
 
 +
 
 +
====Fix only for globalprotect====
 +
create new <code>ssl.conf</code> file on your pc with the following content:
 +
vim ~/ssl.conf
 +
<syntaxhighlight lang="bash">
 +
openssl_conf = openssl_init
 +
[openssl_init]
 +
ssl_conf = ssl_sect
 +
[ssl_sect]
 +
system_default = system_default_sect
 +
[system_default_sect]
 +
Options = UnsafeLegacyRenegotiation
 +
 
 +
</syntaxhighlight>
 +
Then find this file:
 +
<code>sudo find / -name PanGPUI.desktop -type f</code>
 +
or
 +
<code>locate PanGPUI.desktop</code> (may need to do sudo updatedb before running this one)
 +
there should be at least 2 path with this file, ignore this one --> <code>/opt/paloaltonetworks/globalprotect/PanGPUI.desktop</code>
 +
 
 +
On my linux, kubuntu 22.04 the file is here: <code>/etc/xdg/autostart/PanGPUI.desktop</code>
 +
enter this file and change it from:
 +
<syntaxhighlight lang="bash">
 +
[Desktop Entry]
 +
Name=PanGPUI
 +
Type=Application
 +
Exec=/opt/paloaltonetworks/globalprotect/PanGPUI
 +
Terminal=false
 +
</syntaxhighlight>
 +
 
 +
to
 +
<syntaxhighlight lang="bash">
 +
[Desktop Entry]
 +
Name=PanGPUI
 +
Type=Application
 +
Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI
 +
Terminal=false
 +
</syntaxhighlight>
 +
 
 +
After restarting you pc, globalprotect will autostart with the custom ssl settings
 +
 
 +
====Global fix====
 +
here is how to workaround it:
 +
 
 +
open  <code>/usr/lib/ssl/openssl.cnf</code>
 +
 
 +
comment out this section:<syntaxhighlight lang="bash">
 +
# [openssl_init]
 +
 
 +
# providers = provider_sect
 +
</syntaxhighlight>add this new section under the commented one from earlier:<syntaxhighlight lang="bash">
 +
[openssl_init]
 +
ssl_conf = ssl_sect
 +
 
 +
[ssl_sect]
 +
system_default = system_default_sect
 +
 
 +
[system_default_sect]
 +
Options = UnsafeLegacyRenegotiation
 +
 
 +
</syntaxhighlight>reboot globalprotect app and the error should be fixed.
 +
 
 +
<blockquote>source:https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268</blockquote>
 +
 
  
 
==TAU credentials==
 
==TAU credentials==
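Review bot: in the new PanGPUI.desktop content, the line `Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI` depends on the launcher passing Exec through a shell. The Desktop Entry specification defines Exec as a program followed by arguments, with no variable-assignment prefix and no tilde expansion, so a launcher that follows it strictly will not start this entry. Suggest `Exec=env OPENSSL_CONF=/home/<user>/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI`. In the Global fix section, commenting out `providers = provider_sect` and setting `Options = UnsafeLegacyRenegotiation` in /usr/lib/ssl/openssl.cnf changes the defaults for every program that reads that file, not only GlobalProtect; the text should say so and present the GlobalProtect-only fix as the preferred one. The configuration blocks are also tagged lang="bash" although they hold OpenSSL config and desktop-entry content.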

Latest revision as of 05:46, 5 June 2024

For security reasons, Tel Aviv University has introduced a VPN with two-factor authentication.

To use it, users have to check or fill in their mobile phone number on the myTAU page (https://mytau.tau.ac.il/GetResource.php) and enroll in the service. Then you need to install Google Authenticator on your mobile device and register it at TAU.

After that you may download and install the Palo Alto GlobalProtect VPN client on your device (all operating systems are supported: iOS, Android, Linux, Mac and even Windows).

The steps:

Enrollment

Go to https://mytau.tau.ac.il/GetResource.php

Choose “1”, then “2”:

You will then receive an SMS with a 2-minute code; enter it immediately in the field.

You will then be redirected to the QR code for Google Authenticator account setup.

Scan it with the Google Authenticator app on your mobile device, using the “+” in the bottom right corner, then enter the code generated by Google Authenticator in the field and press the green button.

Download

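Download and install the VPN client. From the browser, go to:

GlobalProtect-5.3.4: https://hpcguide.tau.ac.il/vpn/PanGPLinux-5.3.4-c5.tgz

GlobalProtect-6.0.1: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.0.1-c6.tgz

GlobalProtect-6.1.1: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.1.1-c4.tgz

GlobalProtect-6.2.0: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.2.0-c10.tgz

Extract the Linux package and install the version appropriate for your distribution: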

Debian/Ubuntu

dpkg -i GlobalProtect_UI_deb-6.0.1.1-6.deb

Redhat/Centos

yum localinstall GlobalProtect_UI_rpm-6.0.1.1-6.rpm

Configure

Paloalto3.PNG

Run and configure the VPN client on Linux (other operating systems are similar):

Open the client by clicking the relevant icon ("1" in the picture on the right).

Then enter the address vpn.tau.ac.il ("2" in the picture on the right).

Errors

SSL Error

On the latest Ubuntu version, Ubuntu 22.04, after installing and configuring the GlobalProtect VPN, you get this error:

784px-Vpn ssl error.png


Fix only for GlobalProtect

Create a new ssl.conf file on your PC with the following content:

vim ~/ssl.conf

openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation

Then find this file:

sudo find / -name PanGPUI.desktop -type f

or

locate PanGPUI.desktop (you may need to run sudo updatedb before running this one)

There should be at least 2 paths with this file; ignore this one: /opt/paloaltonetworks/globalprotect/PanGPUI.desktop

On my Linux, Kubuntu 22.04, the file is here: /etc/xdg/autostart/PanGPUI.desktop

Open this file and change it from:

[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=/opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false

to

[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false

After restarting your PC, GlobalProtect will autostart with the custom SSL settings.
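The GlobalProtect-only fix above as a script, added here as an example (it is not part of the original guide). It assumes the launcher may not pass Exec through a shell, so it writes `env OPENSSL_CONF=<absolute path>` rather than `OPENSSL_CONF=~/ssl.conf`, and it writes the patched entry to a per-user autostart file; the function names, the script name and that output path are this example's own choices.

```shell
#!/bin/sh
# Added example: apply the GlobalProtect-only fix without touching openssl.cnf.

# Write the ssl.conf content given in the guide to path $1.
write_ssl_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
}

# Copy desktop entry $1 to $2 with Exec prefixed by "env OPENSSL_CONF=$3".
# $3 must be absolute and free of spaces (assumption: Exec is not run through
# a shell, so "~" and a bare VAR=value prefix would not be interpreted).
# An Exec line that already sets OPENSSL_CONF is left unchanged.
patch_desktop_entry() {
    _src=$1; _dst=$2; _conf=$3
    case $_conf in
        *" "*) echo "ssl.conf path must not contain spaces" >&2; return 1 ;;
        /*) ;;
        *) echo "ssl.conf path must be absolute: $_conf" >&2; return 1 ;;
    esac
    grep -q '^Exec=' "$_src" || { echo "no Exec line in $_src" >&2; return 1; }
    mkdir -p "$(dirname "$_dst")"
    _tmp=$(mktemp) || return 1
    awk -v conf="$_conf" '
        /^Exec=/ && !/OPENSSL_CONF=/ { $0 = "Exec=env OPENSSL_CONF=" conf " " substr($0, 6) }
        { print }
    ' "$_src" > "$_tmp" && mv "$_tmp" "$_dst" && chmod 644 "$_dst"
}

# Succeeds if OpenSSL config $1 has an active (uncommented) line that enables
# UnsafeLegacyRenegotiation; useful for checking where the option is set.
enables_legacy_renegotiation() {
    grep -Eq '^[[:space:]]*Options[[:space:]]*=.*UnsafeLegacyRenegotiation' "$1"
}

# Usage with the paths named in the guide: sh gp-ssl-fix.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_ssl_conf "$HOME/ssl.conf"
    patch_desktop_entry /etc/xdg/autostart/PanGPUI.desktop \
        "$HOME/.config/autostart/PanGPUI.desktop" "$HOME/ssl.conf"
fi
```

Running `enables_legacy_renegotiation /usr/lib/ssl/openssl.cnf` afterwards shows whether the option is also set system-wide.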

Global fix

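Here is how to work around it system-wide (this changes the OpenSSL defaults for every application that reads this file, not only GlobalProtect):

Open /usr/lib/ssl/openssl.cnf

Comment out this section: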

# [openssl_init]

# providers = provider_sect

Add this new section under the one you just commented out:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Restart the GlobalProtect app and the error should be fixed.

Source: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268


TAU credentials

Paloalto4.PNG

Fill in the pop-up window with your TAU credentials:

Open Google Authenticator on your mobile device and enter the code from there.


Congratulations: you are done!