IPSec with LDAP Backend not working
Hello together
I encountered some problems when I tried to configure IPSec with PSK+xauth over LDAP.
The LDAP Backend is a Windows 2012 R2 Active Directory Server. The pfsense version is 2.1.5-RELEASE (i386). These objects were created in the Active Directory to set up the LDAP Backend:
Users:
pfsense - to query the Active Directory
testuser - to test the VPN connection
Groups:
vpn - all users that can connect to the VPN are in this group; the testuser is a member of this group
Then I created the same group (with the same name) in pfsense and gave it the permission "User - VPN - IPsec xauth Dialin".
When I go to Diagnostics > Authentication and I test my LDAP backend, it works and it can even recognize that the test user is in the group vpn.
The LDAP Source is configured like that:
Hostname or IP address (example.org)
Port value (389)
Transport (TCP - Standard)
Protocol version (3)
Search scope (Entire Subtree) - DC=example,DC=org
Authentication containers (OU=Users,DC=example,DC=org)
Bind credentials
  name: example\pfsense
  password: 1234
User naming attribute (samAccountName)
Group naming attribute (cn)
Group member attribute (memberof)
The IPsec says my user hasn't enough permission.
IPsec log:
racoon: user 'testuser' cannot authenticate through IPSec since the required privileges are missing.
racoon: user 'testuser' could not authenticate.
I don't think the IPsec configuration is wrong, because when I switch to the Mobile Clients tab of the IPsec configuration and I choose Local Database instead of LDAP Source, it works with a local user.
But just in case, I post the IPsec configuration. The IPsec is configured like this:
Mobile Clients:
Enabled (checked)
User authentication (LDAP Source)
Group authentication (none)
Virtual Address Pool: 192.168.9.0/24
Network List (not checked)
Save Xauth Password (checked)
DNS Default Domain (checked) - example.org
Split DNS (not checked)
DNS Servers (checked)
  Server 1: 8.8.8.8
  Server 2: 8.8.4.4
WINS Servers (not checked)
Phase2 PFS Group (not checked)
Login Banner (not checked)
Phase 1:
Internet Protocol (IPv4)
Interface (WAN)
Authentication method (Mutual PSK+xauth)
Negotiation mode (aggressive)
My identifier (My IP address)
Peer identifier (user distinguished name)
  name: vpn@example.org
  Password: 1234
Policy Generation (Unique)
Proposal Checking (Strict)
Encryption algorithm (AES 128)
Hash algorithm (SHA1)
DH key group (2)
Lifetime (86400)
NAT Traversal (Force)
Dead Peer Detection (checked)
  delay: 10 seconds
  disconnect: 5 retries
Phase 2:
Mode (Tunnel IPv4)
Local Network (Lan Subnet)
Protocol (ESP)
Encryption algorithms (AES 128)
Hash algorithms (SHA 1)
PFS key group (off)
Lifetime (28800)
I hope somebody can help me.
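Added example (my own code, not the poster's and not pfSense's implementation): the decision the "required privileges are missing" message points at, whether a directory group the user belongs to maps to a local group that carries the xauth privilege. The user name, group name, privilege name and the attribute names (samAccountName, cn, memberof) are taken from the post; the entry's memberOf values and the DN layout are constructed.

```python
# Added example (not pfSense code): the group-to-privilege decision an
# LDAP-backed xauth login must pass, run against a constructed AD entry.
from typing import Dict, List, Set

PRIV_XAUTH = "User - VPN - IPsec xauth Dialin"   # privilege named in the post

# Constructed entry for the post's testuser (DNs follow OU=Users,DC=example,DC=org).
TESTUSER: Dict[str, List[str]] = {
    "sAMAccountName": ["testuser"],
    "memberOf": [
        "CN=vpn,OU=Users,DC=example,DC=org",
        "CN=Domain Users,CN=Users,DC=example,DC=org",
    ],
}
# Groups defined locally in pfSense and the privileges attached to them.
LOCAL_GROUPS: Dict[str, Set[str]] = {"vpn": {PRIV_XAUTH}}


def group_names(entry: Dict[str, List[str]], member_attr: str = "memberof",
                group_attr: str = "cn") -> Set[str]:
    """Names of the groups in the user's member attribute.

    Only the leading RDN of each DN is the group itself; the rest is its
    container path. Attribute names are matched case-insensitively (AD
    returns 'memberOf', the pfSense field says 'memberof'). Escaped commas
    inside DNs are not handled, a simplification for this example.
    """
    attrs = {k.lower(): v for k, v in entry.items()}
    names: Set[str] = set()
    for dn in attrs.get(member_attr.lower(), []):
        rdn_attr, _, value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.strip().lower() == group_attr.lower():
            names.add(value.strip().lower())
    return names


def may_dial_in(entry: Dict[str, List[str]],
                local_groups: Dict[str, Set[str]]) -> bool:
    """True only if a directory group the user belongs to also exists locally
    (same name, compared case-insensitively) and carries the xauth privilege."""
    local = {name.lower(): privs for name, privs in local_groups.items()}
    return any(PRIV_XAUTH in local.get(g, set()) for g in group_names(entry))


if __name__ == "__main__":
    print("testuser may dial in:", may_dial_in(TESTUSER, LOCAL_GROUPS))
```

Renaming the local group or removing the privilege from it makes `may_dial_in` return False, which is the same outcome the racoon log reports.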