• IKEv2 Radius groups problem (FreeRADIUS)

    2
    0 Votes
    2 Posts
    462 Views
    T

    As a follow-up, here is how I got it working.

    I am using OpenLDAP and FreeRADIUS on FreeBSD 14. I'm not documenting here how to get LDAP authentication working with FreeRADIUS, I'm presuming that is already done. Additionally, my LDAP schema has all users under the name

    ou=people, ou=domain, ou=com

    and groups in

    ou=groups, ou=domain, ou=com

    I do not have memberof enabled. I'm using MSCHAPv2 authentication in pfsense's RADIUS configuration.

    In /usr/local/etc/raddb/mods-enabled/ldap use these settings in the "group" section

    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    scope = 'sub'
    name_attribute = cn
    membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
    cacheable_name = 'yes'

    In /usr/local/etc/raddb/sites-available/default add this in the "post-auth" section

    update reply {
        Class += "%{exec:/bin/sh /usr/local/etc/raddb/ldap_fix.sh %{control:LDAP-Group[*]}}"
    }

    The exec module is used. Ensure that in /usr/local/etc/raddb/mods-available/exec, "wait" is set to "yes":

    wait = yes

    Finally, I used tr to convert the comma-delimited list of groups in "%{control:LDAP-Group[*]}" to a semicolon-delimited one. The file /usr/local/etc/raddb/ldap_fix.sh looks like this:

    #!/bin/sh
    #
    # turn comma-delimited list of groups into semi-colon delimited list of groups
    #
    echo "${1}" | tr "," ";"

    Using the pfsense authentication tester (Diagnostics > Authentication) I can now see the list of groups users are a member of. Note that the groups need to also be present in pfsense (System > User Manager).

  • 23.09 Update and IPSec operation

    7
    1 Votes
    7 Posts
    806 Views
    T

    Confirmed this is fixed in 23.09.1-RELEASE

  • VPN on MAC issue vs. Windows Machines

    1
    0 Votes
    1 Posts
    230 Views
    No one has replied
  • EAP-MSCHAPv2 Ubuntu Client Issues.

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
  • Weird encrypted traffic (HTTPS) issue over IPSec

    8
    0 Votes
    8 Posts
    780 Views
    S

    @keyser let me start by saying that I appreciate the time you're putting into this. Right now, it's just a matter of curiosity, but it bugs me to the core as I don't know why it needs MSS clamping all of a sudden.
    Now, I've run the test and captured the packets (see the attached pcap files), but I am unable to determine why it's working / not working. I've included two pcaps, one with the non-working HTTPS connection, one with the working one. From my point of view (I'm sure I'm missing something), it doesn't look like an issue. I don't know why all the retransmissions are in the non-working one, but as I said, I'm probably missing something.

    P.S. 10.41.199.205 is the HTTPS server, 172.31.254.251 is the client.

    Thank you.
    working.pcap non-working.pcap

  • Connecting two 192.168.5.0/24 networks with NAT on both sides

    7
    0 Votes
    7 Posts
    635 Views
    M

    SNAT and DNAT is all you need here. Either site won't know the real IP, but that's OK; obviously you will keep track, but that's all that's needed here to get around the overlap.

  • IPsec with IPv6

    1
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • IPSec strange problem

    2
    0 Votes
    2 Posts
    378 Views
    G

    Some update on this: on the A side there are other networks attached over OVPN, still in shared key mode... So from site B I can reach ALL(!) other networks fine, independent of the gateway I use... Only the locally attached networks of site A have a problem from side B if I go through the second WAN line. Does anyone have any idea how to trace the problem?

  • 1 Votes
    12 Posts
    2k Views
    JonathanLeeJ

    My android will not even connect to even external AP WiFi in 23.09. Other devices connect just fine.

  • 0 Votes
    4 Posts
    1k Views
    perikoP

    @anthony-breen If you are trying to work with another brand, add more algorithms in phase 1 and phase 2; if you don't have the doc where you can see which algorithms it needs, you need to do reverse engineering. Add more; maybe it is searching for less secure algorithms.

    The only issue is that if you are on pfsense 2.7.x and they request less secure algorithms, you will not be able to make it work.

    phase.png

  • IPSec Status on Dashboard Incorrect.

    1
    0 Votes
    1 Posts
    168 Views
    No one has replied
  • Mobile clients keep alive?

    1
    0 Votes
    1 Posts
    260 Views
    No one has replied
  • 2 separate phase1 tunnels to same remote IP

    2
    0 Votes
    2 Posts
    375 Views
    perikoP

    @dsmoljan not possible, I ask the same!!!

  • Create Interface for IPSec connection

    2
    0 Votes
    2 Posts
    210 Views
    No one has replied
  • pfSense to WatchGuard Firebox IPSec VPN

    1
    0 Votes
    1 Posts
    154 Views
    No one has replied
  • IPSEC with remote hosts with same Peer identifier

    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • IPSEC Mobile setup, cannot have more than one configuration.

    3
    0 Votes
    3 Posts
    375 Views
    perikoP

    @keyser it is a shame, but well, it is a feature that would be great to have.
    Anyway, thanks for your info!!!

  • Question about IPSEC site to site with Wireguard

    3
    0 Votes
    3 Posts
    565 Views
    K

    @periko hi, thanks for the reply, I ended up just putting the IP of the FortiGate WAN IP and NAT

  • 0 Votes
    5 Posts
    525 Views
    H

    Got it, so it is not a must to have this for reaching the other side's computers :)

  • IPsec: Remote Access to Multi Site to Site.

    7
    0 Votes
    7 Posts
    684 Views
    H

    @HKFEVER

    Confused.

    Remote client's subnet is 192.168.5.0/24

    Site B IP is 28.37.35.162, subnet is 192.168.2.0/24:
    Tunnel B <-> C:
    P1 is connected to Remote Gateway 38.37.35.162
    P2 is connected to Remote Gateway's network 192.168.3.0/24 (this is Site A's subnet)
    For the additional 2nd P2, what network should I put in?

    Tunnel B <-> A:
    P1 is connected to Remote Gateway 18.37.35.162
    P2 is connected to Remote Gateway's network 192.168.1.0/24 (this is Site A's subnet)
    For the additional 2nd P2, what network should I put in?

    Site A IP 18.37.35.162, subnet is 192.168.1.0/24:
    Tunnel A <-> B:
    P1 is connected to Remote Gateway 28.37.35.162
    P2 is connected to Remote Gateway's network 192.168.2.0/24 (this is Site A's subnet)
    For the additional 2nd P2, what network should I put in?

    Site C IP 38.37.35.162, subnet is 192.168.3.0/24:
    Tunnel C <-> B:
    P1 is connected to Remote Gateway 28.37.35.162
    P2 is connected to Remote Gateway's network 192.168.2.0/24 (this is Site A's subnet)
    For the additional 2nd P2, what network should I put in?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.