Netgate Discussion Forum

IPsec+LDAP

Category: 2.1 Snapshot Feedback and Problems - RETIRED
12 Posts, 2 Posters, 5.0k Views
    afrojoe (Sep 5, 2012, 8:01 PM):

    @jimp:

    Right, and the boxes I'm referring to on 2.1 have been upgraded from 2.0.x (and in some cases, 1.2.3), as well as some clean-install 2.1 VMs.

    Not saying it hasn't happened, but I haven't witnessed it personally.

    Sep 5 15:53:26 	racoon: ERROR: fatal parse failure (1 errors)
    Sep 5 15:53:26 	racoon: ERROR: /var/etc/racoon.conf:14: "ldapcfg" racoon not configured with --with-libldap
    Sep 5 15:53:26 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Sep 5 15:53:26 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
    Sep 5 15:53:26 	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    

    The above is during an attempted startup of IPSec service…  and here's my /var/etc/racoon.conf:

    
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 206.248.x.x [500];
            isakmp_natt 206.248.x.x  [4500];
    }
    
    ldapcfg {
            version 3;
            host "";
            port 389;
            base "";
            subtree on;
            bind_dn "";
            bind_pw "";
            attr_user "";
    }
    
    remote 70.55.x.x
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address 206.248.x.x;
            peers_identifier address 70.55.x.x;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = on;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm blowfish 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    
    sainfo subnet 10.0.2.0/24 any subnet 192.168.2.0/24 any
    {
            remoteid 1;
            encryption_algorithm blowfish 256;
            authentication_algorithm hmac_sha1;
            pfs_group 2;
            lifetime time 86400 secs;
            compression_algorithm deflate;
    }
    
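    The startup failure in the log above is racoon refusing the ldapcfg block (this racoon build has no LDAP support), and the block itself is all empty strings. As an added example that is not from the original post or from pfSense, here is a small Python pre-flight check that scans a generated racoon.conf for exactly those two conditions before the service is started; the sample config and the 203.0.113.1 address are constructed.

```python
# Constructed sample: the ldapcfg section from the post, wrapped in a minimal
# racoon.conf (documentation address) so the check can run offline.
SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
listen
{
        isakmp 203.0.113.1 [500];
}
ldapcfg {
        version 3;
        host "";
        port 389;
        base "";
        subtree on;
        bind_dn "";
        bind_pw "";
        attr_user "";
}
"""

def find_ldapcfg_problems(conf_text, racoon_has_ldap=False):
    """Walk the config line by line and return a list of findings.
    racoon_has_ldap says whether racoon was built with --with-libldap; if it
    was not, any ldapcfg block is a fatal parse error, as in the posted log."""
    findings = []
    in_ldap = False
    depth = 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not in_ldap and line.startswith("ldapcfg"):
            in_ldap = True
            if not racoon_has_ldap:
                findings.append(f"line {lineno}: ldapcfg block present but "
                                "racoon was not built with --with-libldap")
        if not in_ldap:
            continue
        depth += line.count("{") - line.count("}")
        key, _, value = line.rstrip(";").partition(" ")
        if value.strip() == '""':          # setting emitted with no value
            findings.append(f"line {lineno}: ldapcfg '{key}' is empty")
        if depth == 0:                     # closing brace of the block
            in_ldap = False
    return findings

def racoon_config_ok(conf_text, racoon_has_ldap=False):
    """True when the file has no LDAP-related reason to fail to load."""
    return not find_ldapcfg_problems(conf_text, racoon_has_ldap)
```

Run it against /var/etc/racoon.conf before restarting IPsec; an empty ldapcfg block means the User Manager still has an LDAP server selected as the mobile IPsec auth source.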
      jimp, Rebel Alliance Developer, Netgate (Sep 5, 2012, 8:08 PM):

      IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

      The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

      That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        afrojoe (Sep 5, 2012, 8:25 PM):

        @jimp:

        IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

        The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

        That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

        Thanks Jim, However, I'm not quite sure what you mean… my site-to-site tunnel is down though  ???

          jimp, Rebel Alliance Developer, Netgate (Sep 5, 2012, 8:26 PM):

          It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new thread because it was unrelated.

            afrojoe (Sep 5, 2012, 11:26 PM):

            @jimp:

            It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new thread because it was unrelated.

            Ah, okay. :)

            Is there a work around at the moment?

              jimp, Rebel Alliance Developer, Netgate (Sep 5, 2012, 11:30 PM):

              Yes, don't configure LDAP support.

                afrojoe (Sep 6, 2012, 12:37 AM; edited 12:39 AM):

                @jimp:

                Yes, don't configure LDAP support.

                Do you know where I can go to shut it off? (I don't recall turning LDAP on!)  :-\

                  jimp, Rebel Alliance Developer, Netgate (Sep 6, 2012, 1:10 AM):

                  Probably on the mobile tab.

                    afrojoe (Sep 6, 2012, 4:46 AM):

                    @jimp:

                    Probably on the mobile tab.

                    Hmm, I don't even have that turned on.

                    I also perused every tab on pfSense and have nothing to do with LDAP turned on. Very puzzling.

                      jimp, Rebel Alliance Developer, Netgate (Sep 6, 2012, 12:17 PM):

                      Do you have an LDAP server set up under System > User Manager, on the Servers tab perhaps?

                      Looking at the code, the only way it would put that ldap section in there is if someone had the mobile IPsec tab set up to use a non-local source, and if that source was LDAP.

                        jimp, Rebel Alliance Developer, Netgate (Sep 6, 2012, 12:23 PM):

                        I disabled that whole chunk of code for now so it won't write out an invalid racoon.conf while that part is being reworked.

                        https://github.com/bsdperimeter/pfsense/commit/9500537d51b481086e8a685b70e825688c0526e1

                          afrojoe (Sep 6, 2012, 1:15 PM; edited 1:17 PM):

                          @jimp:

                          Do you have an LDAP server set up under System > User Manager, on the Servers tab perhaps?

                          Looking at the code, the only way it would put that ldap section in there is if someone had the mobile IPsec tab set up to use a non-local source, and if that source was LDAP.

                          Found it!  Yes, I have an LDAP server enabled for OpenVPN.  I really don't know why, because I use the Local Database for authentication… that shizz is getting turned off big time.  8)

                          I'll letcha know how that works out.

                          EDIT:  IPSec tunnel is back up!  Thanks Jim.. (aka: Super Mario)
