    LDAP xauth + IPSec

    21 Posts 9 Posters 15.5k Views
    • caurelio

      I figured I would share this with everyone since it took me a little longer to ferret out than I would have liked.
      Technically the binaries on pfsense 2.0 will support an LDAP backend for xauth connections to an IPSec VPN, but the GUI has no mechanism to actually configure it. As a result, I made some quick patches to two of the files to be able to actually use this feature.

      I modified: /etc/inc/vpn.inc and /usr/local/www/system_authservers.php to allow for an additional auth mechanism on the IPSec mobile clients configuration screen.

      The xauth source dropdowns will now hold the option "LDAP", which (when selected) will use the first configured LDAP server from your authentication servers screen.

      I put both files in a tarball for everyone, so if you feel like using it, all you have to do is replace the versions on your existing pfsense install and you're good to go (the easiest way to do that is using SSH and selecting the shell access option).

      Here's a link to the tarball for anyone interested:
      http://www.mediafire.com/?c85a7f7mrc1jkr9

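      A pre-flight check for an archive like the one linked above, as an added example that is not part of the post or of pfSense: before overwriting files on a firewall with a tarball downloaded from a file host, list what the archive actually contains, refuse anything other than the two paths the post names (no absolute paths, no `..`, no links), and record SHA-256 hashes of what is about to be installed so the change can be audited or rolled back. Nothing is extracted to disk. The `build_sample_tarball` helper and `SAMPLE_FILES` are constructed test data; the real tarball was not inspected here.

```python
"""Pre-flight inspection of a tarball that claims to replace two pfSense files.

Added example, not code from the forum post or from pfSense.
"""
import hashlib
import io
import tarfile

# The two files the post says the tarball replaces (paths from the post,
# written relative to / the way tar members normally are).
EXPECTED_MEMBERS = frozenset({
    "etc/inc/vpn.inc",
    "usr/local/www/system_authservers.php",
})


def _normalize(name):
    """Strip a leading './' so './etc/inc/vpn.inc' matches 'etc/inc/vpn.inc'."""
    return name[2:] if name.startswith("./") else name


def inspect_tarball(fileobj, expected=EXPECTED_MEMBERS):
    """Inspect an archive (binary file object) without extracting it.

    Returns {"ok": bool, "members": {path: sha256}, "problems": [str]}.
    ok is False when any member is an absolute path, contains '..', is a
    link or device rather than a regular file, is not one of the expected
    paths, or when an expected path is missing from the archive.
    """
    members, problems = {}, []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for info in tar:
            name = _normalize(info.name)
            if info.name.startswith("/"):
                problems.append(f"absolute path: {info.name}")
                continue
            if ".." in name.split("/"):
                problems.append(f"path traversal: {info.name}")
                continue
            if info.isdir():
                continue  # directory entries carry no content
            if not info.isfile():
                problems.append(f"not a regular file (link/device): {info.name}")
                continue
            if name not in expected:
                problems.append(f"unexpected file: {info.name}")
                continue
            data = tar.extractfile(info).read()
            members[name] = hashlib.sha256(data).hexdigest()
    for path in sorted(expected - set(members)):
        problems.append(f"missing expected file: {path}")
    return {"ok": not problems, "members": members, "problems": problems}


def build_sample_tarball(files, symlink=None):
    """Build an in-memory .tar.gz from {path: text} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if symlink is not None:  # (member name, link target)
            info = tarfile.TarInfo(name="./" + symlink[0])
            info.type = tarfile.SYMTYPE
            info.linkname = symlink[1]
            tar.addfile(info)
    buf.seek(0)
    return buf


# Constructed stand-ins for the two patched files; not the post's real content.
SAMPLE_FILES = {
    "etc/inc/vpn.inc": "<?php /* constructed stand-in for vpn.inc */\n",
    "usr/local/www/system_authservers.php": "<?php /* constructed stand-in */\n",
}


if __name__ == "__main__":
    good = inspect_tarball(build_sample_tarball(SAMPLE_FILES))
    print("clean archive:", good["ok"], good["members"])
    extra = dict(SAMPLE_FILES, **{"usr/local/bin/extra": "#!/bin/sh\n"})
    bad = inspect_tarball(build_sample_tarball(extra, symlink=("etc/inc/link.inc", "/etc/inc/vpn.inc")))
    print("suspect archive:", bad["ok"], bad["problems"])
```

      Run it against the downloaded file with `inspect_tarball(open(path, "rb"))` and keep the printed hashes with the change record; copy the two original files aside before replacing them so the patch can be reverted if 2.0.x misbehaves.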
      • jimp (Rebel Alliance Developer Netgate)

        We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

        http://redmine.pfsense.org/issues/1112

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • caurelio

          When is 2.1 scheduled for release?

          • jimp (Rebel Alliance Developer Netgate)

            Not sure - hoping for 6-8 weeks, not sure how feasible that is.

            • dhatz

              @jimp:

              We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

              http://redmine.pfsense.org/issues/1112

              jimp, talking about racoon patches, it'd be great if someone who is intimately familiar with ipsec-tools would take a closer look at the discussions & proposed patches that have been submitted to the ipsec-tools-devel mailing list in the months since the release of 0.8.0 …

              E.g. one that seemed particularly interesting to me for possible inclusion into pfsense, was a fix for the DPD-cookie check, which would allow racoon 0.8.0 to interoperate with old (IOS 12.3) Cisco devices, see discussion here

              • jimp (Rebel Alliance Developer Netgate)

                Open a ticket in redmine with those links, I wouldn't know about the code that deep down.

                • dhatz

                  Check http://redmine.pfsense.org/issues/1872

                  • jimp (Rebel Alliance Developer Netgate)

                    Again… I wouldn't really know... If it's still needed even on current builds, feel free to comment on the ticket. I don't know the code in racoon that well.

                      • dhatz

                      I opened a ticket in redmine with the links, as suggested.

                        • eri--

                         I will take a look at it later on since I have to do some more fixes on the IPsec side.

                          • jezyk

                          Hi there,
                          I'm trying to test this solution on the 2.0 or 2.0.1 release and it doesn't work.
                          The LDAP option is still not available in the dropdown list. All I've done was replace two scripts (vpn.inc, system_usermanager.php). Is that enough?
                          I'd be grateful for any advice.
                          Kind regards.

                            • caurelio

                            @jezyk:

                            Hi there,
                            I'm trying to test this solution on the 2.0 or 2.0.1 release and it doesn't work.
                            The LDAP option is still not available in the dropdown list. All I've done was replace two scripts (vpn.inc, system_usermanager.php). Is that enough?
                            I'd be grateful for any advice.
                            Kind regards.

                            Hey jezyk, I tried to respond to your PM before, but the site locked up and is not letting me get to your messages anymore.

                            I did this all under 2.0. Supposedly 2.1 has this built-in now, but I haven't tested 2.1 to know for sure.

                            Anyway, just replacing those two files under 2.0 should be enough. You will need to do a little configuring to get LDAP and VPN up though.
                            Try this:

                            In the menu bar, go to >  System  > User Manager
                            Then click on the "Servers" tab.
                            Configure your server there (I use the server name 'LDAP' but you could use anything)

                            Then use the menu bar again to go to > VPN  >  IPSec
                            Click on the Mobile Clients Tab.
                            On this page, you should see the User Auth and Group Auth both set to LDAP.
                            Just configure your clients and you should be good to go!
                            ;D

                              • tpuschl

                              Hi.

                              I downloaded the files from that link: http://www.mediafire.com/?c85a7f7mrc1jkr9
                              Enabled SSH on pfSense and created a new local admin user which I used for the SSH session to upload both files.
                              Then I connected over SSH with the admin account and replaced the two files with the uploaded ones (/etc/inc/vpn.inc and /usr/local/www/system_authservers.php); with my new account I did not have the necessary permissions.
                              Then I configured my LDAP server in the menu bar > System > User Manager -> Servers and after that tested the LDAP authentication under Diagnostics -> Authentication, which was successful.
                              But under VPN > IPSec -> Mobile Clients I can still only select "System" in both dropdowns for Xauth (see screenshots).
                              I tried pfSense version 2.0 and also 2.0.2 (the latest release) with the same result: I can't select LDAP as Xauth for IPsec, only "System" is available there.
                              Did I do something wrong?
                              I hope somebody can help me with that or can tell me a working solution.
                              I read that in version 2.1 this should already be implemented (IPsec LDAP Xauth), but this version is still not available, or should not be used in production environments, right?

                              Many thanks
                              Thomas

                              ![Bildschirmfoto 2013-02-22 um 19.16.40.png](/public/imported_attachments/1/Bildschirmfoto 2013-02-22 um 19.16.40.png)

                                • jimp (Rebel Alliance Developer Netgate)

                                Many people are using 2.1 in production with success.

                                It is nearing RC1, so it's quite stable despite its Beta label.

                                  • tpuschl

                                  Hi Jimp
                                  Thanks for the fast reply.
                                  So you mean I can already use 2.1 RC1 in a production environment?
                                  Where can I download the 2.1 ISO file? I couldn't find it…
                                  Thanks
                                  Thomas

                                    • tpuschl

                                    Hi.

                                    Sorry, I found it :).
                                    I downloaded the version pfSense-LiveCD-2.1-BETA1-amd64-20130222-2301.iso.gz from http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/amd64/pfSense_HEAD/livecd_installer/?C=M;O=D
                                    Is this the latest one? :)

                                    Thanks
                                    Thomas

                                      • A Former User

                                      Hello everyone,

                                      This does not work as of 2.0.3-RELEASE.

                                      Can someone confirm if it is working well with your setup?

                                        • doktornotor (Banned)

                                        @skorzen:

                                        Can someone confirm if it is working well with your setup?

                                        Mobile clients auth works just fine with 2.1 and Active Directory for me.

                                          • jimp (Rebel Alliance Developer Netgate)

                                          It will not work with 2.0.x. It is a new feature for 2.1 (not 2.0.1, 2.1)

                                            • CDuv

                                            Recently upgraded from v2.0.1 to v2.1 and my IPSec VPN setup (using LDAP as auth source) stopped working.
                                            I've checked the settings; they haven't changed during the upgrade and seem OK. I've re-applied the configuration explained in the Mobile IPsec on 2.0 HowTo: still no success.

                                            Here is the IPSec system log:

                                            Mar 28 11:29:01 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:29:00 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:28:58 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:28:56 racoon: [Self]: INFO: ISAKMP-SA deleted <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
                                            Mar 28 11:28:56 racoon: INFO: purged ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
                                            Mar 28 11:28:56 racoon: INFO: purging ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
                                            Mar 28 11:28:56 racoon: [<<mobile_client_ip>>] INFO: DPD: remote (ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6) seems to be dead.
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: received INITIAL-CONTACT
                                            Mar 28 11:28:21 racoon: [Self]: INFO: ISAKMP-SA established <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
                                            Mar 28 11:28:21 racoon: INFO: Sending Xauth request
                                            Mar 28 11:28:21 racoon: INFO: NAT detected: ME PEER
                                            Mar 28 11:28:21 racoon: INFO: NAT-D payload #1 doesn't match
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[4500] with algo #2
                                            Mar 28 11:28:21 racoon: INFO: NAT-D payload #0 doesn't match
                                            Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[4500] with algo #2
                                            Mar 28 11:28:21 racoon: [Self]: INFO: NAT-T: ports changed to: <<mobile_client_ip>>[4500]<-><<pfsense_public_ip>>[4500]
                                            Mar 28 11:28:21 racoon: INFO: Adding xauth VID payload.
                                            Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[500] with algo #2
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[500] with algo #2
                                            Mar 28 11:28:21 racoon: INFO: Adding remote and local NAT-D payloads.
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Selected NAT-T version: RFC 3947
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: CISCO-UNITY
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: DPD
                                            Mar 28 11:28:21 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: RFC 3947
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                            Mar 28 11:28:21 racoon: INFO: begin Aggressive mode.
                                            Mar 28 11:28:21 racoon: [Self]: INFO: respond new phase 1 negotiation: <<pfsense_public_ip>>[500]<=><<mobile_client_ip>>[500]

                                            LDAP configuration seems OK (used the "Save & Test" button and everything was "OK").

                                            After enabling racoon DEBUG mode, a restart gives the following logs:

                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: INFO: unsupported PF_KEY message REGISTER
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey REGISTER message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used as isakmp port (fd=15)
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used for NAT-T
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used as isakmp port (fd=14)
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used for NAT-T
                                            Mar 28 12:55:44 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
                                            Mar 28 12:55:44 racoon: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=2
                                            Mar 28 12:55:44 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
                                            Mar 28 12:55:44 racoon: DEBUG: hmac(modp1024)
                                            Mar 28 12:55:44 racoon: INFO: Resize address pool from 0 to 65533
                                            Mar 28 12:55:44 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for IPCOMP
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for ESP
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for AH
                                            Mar 28 12:55:44 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
                                            Mar 28 12:55:44 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
                                            Mar 28 12:55:44 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
                                            Mar 28 12:55:39 racoon: INFO: racoon process 87375 shutdown
                                            Mar 28 12:55:39 racoon: INFO: caught signal 15

                                            It complains about an "Unknown Gateway/Dynamic" (and seems to ignore it) but I can't find any such thing in the IPSec/Routing settings.

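                                            One way to read a racoon log like the one above, as an added example that is not code from the thread or from pfSense: it puts the lines back in chronological order (the pfSense log view shows newest first), groups them by ISAKMP-SA SPI and reports how far each mobile negotiation got (phase 1 established, Xauth requested, Xauth answered, DPD timeout). Assumptions: racoon's `login succeeded for user` / `login failed for user` lines are used as the Xauth result markers, and `SAMPLE_LOG` is an abridged copy of the posted log with its `<<...>>` placeholders kept.

```python
"""Triage a racoon (ipsec-tools) log for a mobile Xauth client.

Added example, not code from the forum thread or from pfSense.
"""
import re
from datetime import datetime

# "Mar 28 11:28:21 racoon: <message>"  (year-less syslog timestamp)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
# "spi:<initiator>:<responder>" or "spi=<initiator>:<responder>"
SPI_RE = re.compile(r"spi[:=]([0-9a-z]+:[0-9a-z]+)")

# (substring in the message, event name).  The two "login ..." markers are an
# assumption about racoon's Xauth result messages; the others appear in the posted log.
MARKERS = [
    ("ISAKMP-SA established", "phase1_established"),
    ("Sending Xauth request", "xauth_requested"),
    ("login succeeded for user", "xauth_succeeded"),
    ("login failed for user", "xauth_failed"),
    ("seems to be dead", "dpd_dead"),
    ("ISAKMP-SA deleted", "sa_deleted"),
]


def parse_line(line):
    """Return (timestamp, message) for a racoon log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("msg")


def verdict(ev):
    """Summarise one ISAKMP-SA from its {event: timestamp} map."""
    if "phase1_established" not in ev:
        return "phase 1 never completed"
    if "xauth_succeeded" in ev:
        return "Xauth succeeded"
    if "xauth_failed" in ev:
        return "Xauth failed: check the credentials and the auth backend"
    if "xauth_requested" in ev and "dpd_dead" in ev:
        gap = (ev["dpd_dead"] - ev["xauth_requested"]).total_seconds()
        return f"Xauth request sent but never answered; DPD declared peer dead after {gap:.0f}s"
    if "xauth_requested" in ev:
        return "Xauth request sent, no result logged yet"
    return "phase 1 up, Xauth not started"


def triage(lines, newest_first=True):
    """Group racoon lines by ISAKMP-SA SPI and give each SA a verdict.

    newest_first=True matches the pfSense log view; the list is reversed
    before the (stable) sort so lines sharing a second keep their real order.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    if newest_first:
        events.reverse()
    events.sort(key=lambda e: e[0])

    sas, pending, current, stray = {}, {}, None, 0
    for ts, msg in events:
        if "respond new phase 1 negotiation" in msg:
            if pending:  # previous negotiation never logged an SPI
                sas[f"(no SPI logged #{len(sas)})"] = pending
            current, pending = None, {}
        spi_m = SPI_RE.search(msg)
        if spi_m:
            current = spi_m.group(1)
            if current not in sas:
                sas[current] = pending  # adopt events logged before the SPI was known
                pending = {}
        if "unknown Informational exchange received" in msg:
            stray += 1  # peer still talking to an SA the gateway has purged
        bucket = sas[current] if current else pending
        for needle, name in MARKERS:
            if needle in msg:
                bucket.setdefault(name, ts)
    if pending:
        sas[f"(no SPI logged #{len(sas)})"] = pending
    return {
        "sas": {spi: {"events": ev, "verdict": verdict(ev)} for spi, ev in sas.items()},
        "stray_informational": stray,
    }


# Abridged copy of the log posted above (newest first, as pfSense shows it).
SAMPLE_LOG = """\
Mar 28 11:29:01 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
Mar 28 11:29:00 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
Mar 28 11:28:58 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
Mar 28 11:28:56 racoon: [Self]: INFO: ISAKMP-SA deleted <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
Mar 28 11:28:56 racoon: INFO: purged ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
Mar 28 11:28:56 racoon: [<<mobile_client_ip>>] INFO: DPD: remote (ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6) seems to be dead.
Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: received INITIAL-CONTACT
Mar 28 11:28:21 racoon: [Self]: INFO: ISAKMP-SA established <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
Mar 28 11:28:21 racoon: INFO: Sending Xauth request
Mar 28 11:28:21 racoon: INFO: begin Aggressive mode.
Mar 28 11:28:21 racoon: [Self]: INFO: respond new phase 1 negotiation: <<pfsense_public_ip>>[500]<=><<mobile_client_ip>>[500]
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for spi, sa in result["sas"].items():
        print(spi, "->", sa["verdict"])
    print("stray informational exchanges after teardown:", result["stray_informational"])
```

                                            On the posted log the verdict is that phase 1 completed and the Xauth request went out, but no Xauth result was logged before DPD declared the client dead 35 s later. That is consistent with the failure sitting between the Xauth prompt and the gateway's auth backend (the client never answering, or the answer never being checked against LDAP) rather than in phase 1 itself; the three "unknown Informational exchange received" errors afterwards are the client still sending to an SA the gateway has already purged.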
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.