Errors using macOS Server LDAP as backend auth for iOS and macOS clients
-
hey folks,
I'm in the process of moving away from —or at least having alternatives to— OpenVPN. On my PF boxes, I have my macOS servers successfully set up as authentication servers using LDAP. (This is what I use for OpenVPN.)
I'd like to replicate that setup for IPsec and am running into problems. I've attached screenshots of my setup. I followed the PF book for LDAP auth.
When I try to connect using the built-in macOS IPsec client and the Apple IPsec profile from PF, I get the following errors:
Sep 24 15:25:30 charon 05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to 10.15.1.161[4500] (68 bytes)
Sep 24 15:25:30 charon 05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30 charon 05[CFG] <64> looking for peer configs matching 10.15.1.1[REMOVED]...10.15.1.161[REMOVED FOR POSTING]
For testing, I'm using the internal LAN IP of my PF box. I've replicated the same errors when trying to connect to the WAN side over cellular.
Interestingly, on macOS the profile seems to set up auth to use a shared secret, not a user/pass. I've tried changing that with no success.
Anyone have any creative troubleshooting tips?
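A small triage helper for charon (strongSwan) log output like the paste above. This is an added example and not code from the original post or from pfSense. It assumes the lines were copied from the pfSense log viewer newest-first (so it reverses them into chronological order), groups entries by IKE_SA number, and pulls out the three facts that explain an AUTH_FAILED: which peer config was selected for the peer's identities, why charon rejected it, and that no alternative config matched. The sample log embedded below is the poster's own lines with their "REMOVED" placeholders left as they are.

```python
import re
from collections import defaultdict

# Charon log line as pfSense shows it:
#   "Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> message..."
# The "<name|N>" tag carries the peer config name (absent before a config is
# selected, e.g. "<64>") and the IKE_SA unique id N.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?:(?P<cfg>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
SELECTED_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)'$")
REJECT_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)' inacceptable: (?P<why>.+)$")
CONSTRAINT_RE = re.compile(
    r"constraint requires (?P<need>.+?) authentication, but (?P<used>.+?) was used$"
)

# Constructed sample: the lines from the post above, newest line first.
SAMPLE_LOG = """\
Sep 24 15:25:30 charon 05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to 10.15.1.161[4500] (68 bytes)
Sep 24 15:25:30 charon 05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30 charon 05[CFG] <64> looking for peer configs matching 10.15.1.1[REMOVED]...10.15.1.161[REMOVED FOR POSTING]
"""


def parse_charon(text, newest_first=True):
    """Parse charon lines into dicts; unrecognised lines are skipped."""
    entries = [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]
    if newest_first:
        entries.reverse()  # put the exchange into chronological order
    return entries


def triage_ike_sa(entries):
    """Per IKE_SA: which config matched, why it was rejected, and the outcome."""
    by_sa = defaultdict(list)
    for e in entries:
        by_sa[e["sa"]].append(e)
    findings = {}
    for sa, events in by_sa.items():
        f = {"selected_config": None, "rejected": [], "mismatch": None,
             "no_alternative": False, "auth_failed": False}
        for e in events:
            msg = e["msg"]
            if (m := SELECTED_RE.match(msg)):
                f["selected_config"] = m.group("cfg")
            elif (m := REJECT_RE.match(msg)):
                f["rejected"].append((m.group("cfg"), m.group("why")))
            elif (m := CONSTRAINT_RE.match(msg)):
                f["mismatch"] = (m.group("need"), m.group("used"))
            elif msg == "no alternative config found":
                f["no_alternative"] = True
            elif "N(AUTH_FAILED)" in msg:
                f["auth_failed"] = True
        findings[sa] = f
    return findings


def explain(sa, f):
    """Turn one IKE_SA's findings into a plain-language diagnosis."""
    if not f["auth_failed"]:
        return f"IKE_SA {sa}: no AUTH_FAILED seen"
    parts = [f"IKE_SA {sa}: AUTH_FAILED."]
    if f["selected_config"]:
        parts.append(f"Only '{f['selected_config']}' matched the peer identities.")
    if f["mismatch"]:
        need, used = f["mismatch"]
        parts.append(f"That config requires {need} auth but the client used {used}.")
    if f["no_alternative"]:
        parts.append("No other peer config matched, so the client was rejected.")
    return " ".join(parts)


if __name__ == "__main__":
    for sa, f in triage_ike_sa(parse_charon(SAMPLE_LOG)).items():
        print(explain(sa, f))
```

Run against the sample, it reports that the peer's identities only matched the `bypasslan` config, which demands public-key authentication while the client offered a pre-shared key, and that no alternative config matched. In other words the failure is in IKE_AUTH, before any LDAP lookup happens: the authentication method and identifiers the client sends have to match a config on the firewall (normally the mobile clients entry) before the user/password backend is ever consulted.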
-
Hey gang - just a quick check-in to see if anyone has experience with IPsec and LDAP or tips on where to start troubleshooting?