Linux users can download and install the GlobalProtect VPN client or choose to use another VPN client that supports IPSEC tunnels. One standard client that supports connecting to GlobalProtect is the OpenConnect VPN client. The GlobalProtect client can be downloaded from the ITC software downloads site here. The client is supported for CentOS, Red Hat Enterprise Linux, and Ubuntu. You will have to install either the downloaded .deb or .rpm file with your package manager. An example of installing the .deb file on Ubuntu is to run:
sudo dpkg -i ~/Downloads/GlobalProtect_deb-5.3.2.0-3.deb
You also need to enroll in Duo before you are able to authenticate to the VPN. If you have not yet enrolled in Duo, you may do so here. While you are on that page, you also need to set a default second factor for authentication. To do so, click on the link for My Settings & Devices.
Once you have the client installed, connect by running the command:
globalprotect connect -p vpn-linux.dartmouth.edu
You may be prompted to install the server certificate on your client the first time that you connect. Press 'y' to proceed. You will then be prompted for your username and password. After entering your username and password, your default Duo action will be taken, but there will be no prompt telling you that this is happening. After the Duo authentication completes, you will be connected.
user@linuxhost:~$ globalprotect connect --portal vpn-linux.dartmouth.edu
Retrieving configuration...
Disconnected
There is a problem with the security certificate, so the identity of 129.170.9.33 cannot be verified. Please contact the Help Desk for your organization to have the issue rectified.
Warning: The communication with 129.170.9.33 may have been compromised. We recommend that you do not continue with this connection.
Error details:Do you want to continue(y/n)?y
Retrieving configuration...
Disconnected
129.170.9.33 - portal:local:Enter login credentials
username:user1
Password:
Retrieving configuration...
Discovering network...
Connecting...
Connected
With this first authentication, your credentials are cached locally, so on subsequent connections you will not see a prompt for a username or password. Instead, your default Duo action will be taken in the background, but you won't have any notice that this is happening. You will have to be ready to confirm a Duo push, answer a phone call, or respond to whatever your default Duo action may be. After you have responded to the Duo action, you will be connected.
If you are running Linux and want the split-tunnelled version that only sends traffic to 10.0.0.0/8 and 129.170.0.0/16 over the tunnel, the portal to use is vpn-linux-split.dartmouth.edu.
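To confirm that a connection through vpn-linux-split.dartmouth.edu really is split-tunnelled, you can check the routing table after connecting. The following is an added example, not part of the original article or of the GlobalProtect client: it reads 'ip -4 route show' output and reports expected prefixes that are missing from the tunnel as well as tunnel routes outside 10.0.0.0/8 and 129.170.0.0/16. The interface name gpd0 and both sample route tables are assumptions constructed for illustration.

```python
import ipaddress

# Prefixes the article says the split-tunnel portal sends over the VPN.
EXPECTED = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("129.170.0.0/16")]

# Constructed sample of `ip -4 route show` output (not captured from a real host).
SAMPLE_SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev gpd0 scope link
129.170.0.0/16 dev gpd0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
# Constructed sample of a full tunnel: the default route uses the VPN interface.
SAMPLE_FULL = """\
default dev gpd0 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""

def tunnel_routes(route_text, tun_if="gpd0"):
    """Return destination networks routed via tun_if (gpd0 is an assumed name)."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        if "dev" not in fields[1:-1]:
            continue
        if fields[fields.index("dev") + 1] != tun_if:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            nets.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:
            continue  # route types such as "unreachable" have no prefix in field 0
    return nets

def audit_split_tunnel(route_text, tun_if="gpd0"):
    """Return (missing, unexpected): expected prefixes no tunnel route covers,
    and tunnel routes that fall outside the expected prefixes."""
    routes = tunnel_routes(route_text, tun_if)
    missing = [e for e in EXPECTED if not any(e.subnet_of(r) for r in routes)]
    unexpected = [r for r in routes if not any(r.subnet_of(e) for e in EXPECTED)]
    return missing, unexpected

if __name__ == "__main__":
    for name, text in (("split", SAMPLE_SPLIT), ("full", SAMPLE_FULL)):
        missing, unexpected = audit_split_tunnel(text)
        print(name, "missing:", [str(n) for n in missing],
              "unexpected:", [str(n) for n in unexpected])
```

On a live host, pass the text of 'ip -4 route show' to audit_split_tunnel; two empty lists mean only the documented prefixes use the tunnel.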
To disconnect, run 'globalprotect disconnect'.
If you are not running Ubuntu, CentOS or RHEL, you may be able to work around the lack of support for your distribution. Create the file /etc/lsb-release with the contents:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"
Next, restart gpd.service (e.g. 'sudo systemctl restart gpd.service'). You should now be able to connect.