IPsec+LDAP

jimp

IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

afrojoe

@jimp:

IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

Thanks Jim, However, I'm not quite sure what you mean… my site-to-site tunnel is down though  ???

jimp

It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new threads because it was unrelated.

afrojoe

@jimp:

It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new threads because it was unrelated.

Ah, okay. :)

Is there a work around at the moment?

jimp

Yes, don't configure LDAP support.

afrojoe

@jimp:

Yes, don't configure LDAP support.

do you know where i can go to shut it off? (i dont recall turning LDAP on!)  :-\

jimp

probably on the mobile tab.

afrojoe

@jimp:

probably on the mobile tab.

Hmm, I dont even have that turned on.

I also perused through every tab on pfSense and have nothing to do with LDAP turned on. Very puzzling.

jimp

Do you have an LDAP server setup under System > User Manager, on the server tab perhaps?

Looking at the code the only way it would put that ldap section in there is if someone had the mobile IPsec tab setup to use a non-local source, and if that source was ldap.

jimp

I disabled that whole chunk of code for now so it won't write out an invalid racoon.conf while that part is being reworked.

https://github.com/bsdperimeter/pfsense/commit/9500537d51b481086e8a685b70e825688c0526e1

afrojoe

@jimp:

Do you have an LDAP server setup under System > User Manager, on the server tab perhaps?

Looking at the code the only way it would put that ldap section in there is if someone had the mobile IPsec tab setup to use a non-local source, and if that source was ldap.

Found it!  Yes, I have an LDAP server enabled for OpenVPN.  I really don't know why, because I use the Local Database for authentication… that shizz is getting turned off big time.  8)

I'll letcha know how that works out.

EDIT:  IPSec tunnel is back up!  Thanks Jim.. (aka: Super Mario)