If your office uses GlobalProtect in its work environment, there is a solution for Linux users, especially on Debian-based distros. I use Lubuntu as my operating system. Below is how to use OpenConnect to connect to a Palo Alto (GlobalProtect) VPN on Linux/Ubuntu. Important note: OpenConnect is not an official Palo Alto product, but it can be used with GlobalProtect (portal and gateway) in many environments.
This is the OS I use:
OS: Ubuntu 24.04 noble
Kernel: x86_64 Linux 6.14.0-37-generic
Uptime: 4d 8h 33m
Packages: 2646
Shell: bash 5.2.21
Resolution: 1366x768
DE: LXQt 1.4.0
WM: OpenBox
WM Theme:
GTK Theme: Breeze [GTK3]
Disk: 1.4T / 2.0T (67%)
CPU: Intel Core i5-4570T @ 4x 3.6GHz [77.0°C]
GPU: Mesa Intel(R) HD Graphics 4600 (HSW GT2)
RAM: 5008MiB / 11758MiB
First, install the packages:
sudo apt update
sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome
Check the version (≥ 8.10 recommended):
openconnect --version
This is the version output on my machine:
bodo@abc:~$ openconnect --version
OpenConnect version v9.12-1build5
Using GnuTLS 3.8.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
Note that you need to be root to use the VPN. Let's test the connection:
sudo openconnect --protocol=gp https://vpn.perusahaan.com
You will be asked for:
- Username
- Password
- OTP (if MFA is used)
This is what it looks like when I run openconnect:
(base) root@kutil:/home/kutil# sudo openconnect --protocol=gp pagp3.bosok.com
POST https://pagp3.bosok.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to 148.140.180.180:443
SSL negotiation with pagp3.bosok.com
Connected to HTTPS on pagp3.bosok.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Username: bosok1
Password:
POST https://pagp3.bosok.com/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.2.6-838; we will report the same client version.
Portal set HIP report interval to 60 minutes).
2 gateway servers available:
EXT-GP-BOSOK (148.140.180.180)
pagp3.bosok.com (pagp3.bosok.com)
Please select GlobalProtect gateway.
GATEWAY: [EXT-GP-BOSOK|pagp3.bosok.com]:pagp3.bosok.com
POST https://pagp3.bosok.com/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=Authen Prof Bosok
GlobalProtect login returned portal-userauthcookie=empty
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://pagp3.bosok.com/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1422 for ESP tunnel
POST https://pagp3.bosok.com/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum baf9a1bf4f3b910dbf0e45609dd849ef.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Failed to connect ESP tunnel; using HTTPS instead.
Configured as 172.16.16.67, with SSL connected and ESP unsuccessful
Session authentication will expire at Sun Dec 28 13:01:51 2025
Using vhost-net for tun acceleration, ring size 32
If you get the errors
Matching client config not found
Creating SSL connection failed
then your OS is being recognized as a server, so it cannot connect to the VPN directly. Palo Alto usually distinguishes client profiles based on:
- OS (Linux Desktop vs Server)
- Whether a GUI is present
- NetworkManager
- HIP check (Host Information Profile)
- GlobalProtect version
The solution is to install a minimal desktop:
sudo apt update
sudo apt install ubuntu-desktop-minimal network-manager
sudo systemctl enable NetworkManager
sudo systemctl start NetworkManager
sudo reboot
or a minimal GUI version:
sudo apt install network-manager dbus-x11
sudo systemctl disable systemd-networkd
sudo systemctl enable NetworkManager
sudo reboot
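An added example, not part of the original post: a small POSIX shell helper that scans a saved openconnect log for the conditions visible in the session above (HIP report requested but not submitted, ESP falling back to HTTPS) and for the two error messages quoted in the post. The function names and finding labels are made up for this example, and the sample logs are constructed from lines shown on this page.

```shell
#!/bin/sh
# Added example: triage a saved `openconnect --protocol=gp` log.

# Constructed sample: lines copied from the session output on this page.
SAMPLE_LOG='Connected to HTTPS on pagp3.bosok.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
POST https://pagp3.bosok.com/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum baf9a1bf4f3b910dbf0e45609dd849ef.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Failed to connect ESP tunnel; using HTTPS instead.
Configured as 172.16.16.67, with SSL connected and ESP unsuccessful'

# Constructed sample: the two error lines quoted in the post.
SAMPLE_ERR='Matching client config not found
Creating SSL connection failed'

# has STRING LOG: succeeds if the fixed string occurs in the log text.
has() { printf '%s\n' "$2" | grep -qF -- "$1"; }

# gp_triage LOG: print one finding per line, always in the same order.
gp_triage() {
    gp_log=$1
    if has 'Matching client config not found' "$gp_log"; then
        echo 'NO_CLIENT_CONFIG'      # first error quoted in the post
    fi
    if has 'Creating SSL connection failed' "$gp_log"; then
        echo 'SSL_FAILED'            # second error quoted in the post
    fi
    # TLS version is the first parenthesised field of the ciphersuite line.
    gp_tls=$(printf '%s\n' "$gp_log" |
        sed -n 's/.*with ciphersuite (\([^)]*\)).*/\1/p' | head -n 1)
    [ -n "$gp_tls" ] && echo "TLS=$gp_tls"
    # The server asked for a HIP report and no --csd-wrapper was given.
    if has 'Server asked us to submit HIP report' "$gp_log" &&
       has 'You need to provide a --csd-wrapper' "$gp_log"; then
        echo 'HIP_NOT_SUBMITTED'
    fi
    if has 'Failed to connect ESP tunnel; using HTTPS instead' "$gp_log"; then
        echo 'ESP_FALLBACK_HTTPS'    # tunnel is carried over HTTPS, not ESP
    fi
    gp_ip=$(printf '%s\n' "$gp_log" |
        sed -n 's/^Configured as \([0-9.]*\),.*/\1/p' | head -n 1)
    [ -n "$gp_ip" ] && echo "TUNNEL_IP=$gp_ip"
    return 0
}

gp_triage "$SAMPLE_LOG"
```

To check a real session, save the openconnect output to a file and pass its contents as the single argument, for example gp_triage "$(cat vpn.log)" (the file name is a placeholder).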