Netgate Discussion Forum

    Errors using MacOS server LDAP as backend auth for iOS and MacOS clients

    IPsec
    2 Posts 1 Posters 498 Views
    SpaceBass

      hey folks,

      I'm in the process of moving away from —or at least having alternatives to— OpenVPN. On my PF boxes, I have my MacOS servers successfully set up as authentication servers using LDAP. (This is what I use for OpenVPN).

      I'd like to replicate that setup for IPsec and am running into problems. I've attached screenshots of my setup. I followed the PF book for LDAP auth.

      When I try to connect using the built-in MacOS IPsec client and the Apple IPsec Profile from PF, I get the following errors:

      Sep 24 15:25:30	charon		05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to 10.15.1.161[4500] (68 bytes)
      Sep 24 15:25:30	charon		05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> peer supports MOBIKE
      Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> no alternative config found
      Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
      Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
      Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
      Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> selected peer config 'bypasslan'
      Sep 24 15:25:30	charon		05[CFG] <64> looking for peer configs matching 10.15.1.1[REMOVED]...10.15.1.161[REMOVED FOR POSTING]
      

      For testing, I'm using the internal LAN IP of my PF box. I've replicated the same errors when trying to connect to the WAN side over cellular.


      Interestingly, on MacOS the profile seems to set up auth to use a shared secret, not a user/pass. I've tried changing that with no success.

      Anyone have any creative troubleshooting tips?

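The charon excerpt above already names the cause in two of its lines: the client authenticated with a pre-shared key, while the selected peer config carries a constraint that requires public-key authentication, so the IKE_AUTH response is N(AUTH_FAILED). Reading that out of a pfSense log view (which lists newest lines first) is easier with a small parser. The following is an added example, not code from the thread or from Netgate; it assumes only the charon line layout shown in the post (timestamp, daemon, thread[group] <conn|sa> message) and uses the post's own lines, with the redacted values kept as placeholders, as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the charon lines from the post above, with the
# firewall IP and IKE identities left as the placeholders the poster used.
SAMPLE_LOG = """\
Sep 24 15:25:30\tcharon\t\t05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to 10.15.1.161[4500] (68 bytes)
Sep 24 15:25:30\tcharon\t\t05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30\tcharon\t\t05[CFG] <64> looking for peer configs matching 10.15.1.1[REMOVED]...10.15.1.161[REMOVED FOR POSTING]
"""

# One charon line: "<conn|sa>" names the peer config once one is selected;
# before that charon logs only "<sa>", so the conn part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<daemon>\S+)\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
NOTIFY_RE = re.compile(r"N\((?P<type>[A-Z_]+)\)")
PEER_AUTH_RE = re.compile(r"authentication of '.*' with (.+?) successful")
CONSTRAINT_RE = re.compile(r"constraint requires (.+?) authentication, but (.+?) was used")
REJECT_RE = re.compile(r"selected peer config '(.+?)' inacceptable: (.+)")


@dataclass
class Event:
    ts: str
    sa: int              # IKE SA number, e.g. 64 in "<bypasslan|64>"
    conn: Optional[str]  # selected peer config name, None before selection
    group: str           # charon log group: NET, ENC, IKE, CFG, ...
    msg: str


def parse_charon(text: str) -> list:
    """Parse charon lines into Events; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], int(m["sa"]), m["conn"], m["group"], m["msg"]))
    return events


def diagnose(events: list) -> dict:
    """Group events per IKE SA and summarise why authentication failed.

    Order does not matter (pfSense shows newest lines first), because the
    verdict is built from specific messages, not from their sequence.
    """
    report = {}
    for e in events:
        r = report.setdefault(e.sa, {
            "conn": None, "notifies": [], "peer_auth": None,
            "required_auth": None, "rejected": [], "verdict": "no auth failure seen",
        })
        if e.conn:
            r["conn"] = e.conn
        r["notifies"].extend(NOTIFY_RE.findall(e.msg))
        if (m := PEER_AUTH_RE.search(e.msg)):
            r["peer_auth"] = m.group(1)
        if (m := CONSTRAINT_RE.search(e.msg)):
            r["required_auth"] = m.group(1)
            r["peer_auth"] = r["peer_auth"] or m.group(2)
        if (m := REJECT_RE.search(e.msg)):
            r["rejected"].append((m.group(1), m.group(2)))
    for r in report.values():
        if "AUTH_FAILED" not in r["notifies"]:
            continue
        if r["required_auth"] and r["peer_auth"]:
            r["verdict"] = (f"auth method mismatch: peer used {r['peer_auth']}, "
                            f"config '{r['conn']}' requires {r['required_auth']}")
        else:
            r["verdict"] = "AUTH_FAILED, reason not present in this excerpt"
    return report


if __name__ == "__main__":
    for sa, r in diagnose(parse_charon(SAMPLE_LOG)).items():
        print(f"IKE SA {sa}: {r['verdict']}")
        for conn, reason in r["rejected"]:
            print(f"  rejected config '{conn}': {reason}")
```

Run against the sample it reports, for IKE SA 64, that the peer used a pre-shared key while config 'bypasslan' requires public key authentication, which is the mismatch to reconcile between the client profile and the pfSense mobile client settings. The same parser can be pointed at a full charon log to see whether other SAs fail for the same reason or for a different one, such as a rejected config with no constraint message.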
      SpaceBass

        Hey gang - just a quick check in to see if anyone has experience with IPsec and LDAP or tips on where to start troubleshooting?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.