Netgate Discussion Forum

    IPSec with LDAP Backend not working

    pfsense_l

      Hello everyone

      I encountered some problems when I tried to configure IPSec with PSK+xauth over LDAP.
      The LDAP backend is a Windows 2012 R2 Active Directory server. The pfSense version is 2.1.5-RELEASE (i386).

      These objects were created in Active Directory to set up the LDAP backend:
      Users:
      pfsense - to query the Active Directory
      testuser - to test the VPN connection

      Groups:
      vpn - all users that can connect to the VPN are in this group; testuser is a member of this group

      Then I created the same group (with the same name) in pfSense and gave it the permission "User - VPN - IPsec xauth Dialin".

      When I go to Diagnostics > Authentication and test my LDAP backend it works, and it can even recognize that the test user is in the group VPN.

      The LDAP Source is configured like that:

      Hostname or IP address (example.org)
      Port value (389)
      Transport (TCP - Standard)
      Protocol version (3)
      Search scope (Entire Subtree) - DC=example,DC=org
      Authentication containers (OU=Users,DC=example,DC=org)
      Bind credentials

      • name: example\pfsense

      • password: 1234

      User naming attribute (samAccountName)
      Group naming attribute (cn)
      Group member attribute (memberof)

      IPsec says my user doesn't have enough permissions.
      IPsec log:

      racoon: user 'testuser' cannot authenticate through IPSec since the required privileges are missing.
      racoon: user 'testuser' could not authenticate.
      

      I don't think the IPsec configuration is wrong, because when I switch to the Mobile Device tab of the IPsec configuration and choose Local Database instead of LDAP Source, it works with a local user.
      But just in case, I post the IPsec configuration.

      The IPsec is configured like that:

      Mobile Clients:
      Enabled (checked)
      User authentication (LDAP Source)
      Group authentication (none)
      Virtual Address Pool: 192.168.9.0/24
      Network List (not checked)
      Save Xauth Password (checked)
      DNS Default Domain (checked) - example.org
      Split DNS (not checked)
      DNS Servers (checked)

      • Server 1: 8.8.8.8

      • Server 2: 8.8.4.4

      WINS Servers (not checked)
      Phase2 PFS Group (not checked)
      Login Banner (not checked)

      Phase 1:
      Internet Protocol (IPv4)
      Interface (WAN)
      Authentication method (Mutual PSK+xauth)
      Negotiation mode (aggressive)
      My identifier (My IP address)
      Peer identifier (user distinguished name)

      • name: vpn@example.org

      • Password: 1234

      Policy Generation (Unique)
      Proposal Checking (Strict)
      Encryption algorithm (AES 128)
      Hash algorithm (SHA1)
      DH key group (2)
      Lifetime (86400)
      NAT Traversal (Force)
      Dead Peer Detection (checked)

      • delay: 10 seconds

      • disconnect: 5 retries

      Phase 2:
      Mode (Tunnel IPv4)
      Local Network (Lan Subnet)
      Protocol (ESP)
      Encryption algorithms (AES 128)
      Hash algorithms (SHA 1)
      PFS key group (off)
      Lifetime (28800)

      I hope somebody can help me.

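The racoon log line in the post only says that the privilege is missing; it does not say which of the intermediate steps failed. The following is an added example, written for this page and not code from pfSense or from the poster, that models those steps offline: read the user's memberOf attribute, take the CN of each group DN as a group name, match those names against local pfSense groups, and collect the privileges of the matched groups. The LDAP entry, the group DNs, the privilege id `user-ipsec-xauth-dialin`, the case-insensitive name matching and the `diagnose` helper are all assumptions made for the example, not facts taken from the post or from pfSense's source.

```python
import re

# Constructed sample LDAP entry for the test user, shaped like what a Windows AD
# returns (not real data from the post; the group DNs are assumptions).
SAMPLE_LDAP_ENTRY = {
    "sAMAccountName": ["testuser"],
    "memberOf": [
        "CN=vpn,OU=Groups,DC=example,DC=org",
        "CN=Domain Users,CN=Users,DC=example,DC=org",
    ],
}

# Local pfSense groups and their privileges, as the post describes them:
# a local group named exactly like the AD group, carrying the xauth privilege.
# The privilege id below is an assumption about pfSense's internal name.
XAUTH_PRIV = "user-ipsec-xauth-dialin"
LOCAL_GROUPS = {
    "vpn": [XAUTH_PRIV],
    "admins": ["page-all"],
}

# Leading RDN of a DN: "CN=<value>," where the value may contain escaped commas ("\,").
_CN_RE = re.compile(r"^cn=((?:\\.|[^,\\])+)", re.IGNORECASE)


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive ('memberof' == 'memberOf'),
    so look the attribute up without regard to case."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def groups_from_memberof(entry, member_attr="memberOf"):
    """Return the group names (the CN of each memberOf DN) the user belongs to."""
    names = []
    for dn in get_attr(entry, member_attr):
        match = _CN_RE.match(dn.strip())
        if match:
            # Undo LDAP escaping so "Sales\, EMEA" becomes "Sales, EMEA".
            names.append(re.sub(r"\\(.)", r"\1", match.group(1)))
    return names


def effective_privileges(ldap_groups, local_groups):
    """Union of the privileges of every local group whose name matches an LDAP group.
    Name matching is case-insensitive here (assumption)."""
    by_lower = {name.lower(): privs for name, privs in local_groups.items()}
    privs = set()
    for group in ldap_groups:
        privs.update(by_lower.get(group.lower(), []))
    return privs


def can_xauth(entry, local_groups):
    """True when the user ends up holding the IPsec xauth dial-in privilege."""
    return XAUTH_PRIV in effective_privileges(groups_from_memberof(entry), local_groups)


def diagnose(entry, local_groups):
    """Name the step that fails, which the racoon log line does not tell you."""
    groups = groups_from_memberof(entry)
    local_lower = {n.lower() for n in local_groups}
    matched = [g for g in groups if g.lower() in local_lower]
    if not groups:
        return "no memberOf values returned: check bind account rights and the group member attribute"
    if not matched:
        return "LDAP groups %r match no local pfSense group: create a local group with the same name" % groups
    if not can_xauth(entry, local_groups):
        return "matched local groups %r lack the %s privilege" % (matched, XAUTH_PRIV)
    return "ok: xauth privilege granted via %r" % matched


if __name__ == "__main__":
    print(diagnose(SAMPLE_LDAP_ENTRY, LOCAL_GROUPS))
    # Failure mode: local group name does not equal the AD group's CN.
    print(diagnose(SAMPLE_LDAP_ENTRY, {"VPN-Users": [XAUTH_PRIV]}))
```

Running `diagnose` against the constructed entry with the poster's group layout reports success; renaming the local group so it no longer equals the AD group's CN, or leaving the privilege off the matched group, reproduces the "privileges are missing" outcome while showing which of the three steps broke. The real pfSense lookup may differ in details such as exact-case matching, so treat the model as a way to reason about the failure, not as a reproduction of the code path.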