Errors using MacOS server LDAP as backend auth for iOS and MacOS clients



  • hey folks,

    I'm in the process of moving away from —or at least having alternatives to— OpenVPN. On my PF boxes, I have my MacOS servers successfully set up as authentication servers using LDAP. (This is what I use for OpenVPN).

    I'd like to replicate that setup for IPsec and am running into problems. I've attached screenshots of my setup. I followed the PF book for LDAP auth.

    When I try to connect using the built-in MacOS IPsec client and the Apple IPsec Profile from PF, I get the following errors:

    Sep 24 15:25:30	charon		05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to 10.15.1.161[4500] (68 bytes)
    Sep 24 15:25:30	charon		05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> peer supports MOBIKE
    Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> no alternative config found
    Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
    Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
    Sep 24 15:25:30	charon		05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
    Sep 24 15:25:30	charon		05[CFG] <bypasslan|64> selected peer config 'bypasslan'
    Sep 24 15:25:30	charon		05[CFG] <64> looking for peer configs matching 10.15.1.1[REMOVED]...10.15.1.161[REMOVED FOR POSTING]
    

    For testing, I'm using the internal LAN IP of my PF box. I've replicated the same errors when trying to connect to the WAN side over cellular.


    Interestingly, on MacOS the profile seems to set up auth to use a shared secret, not a user/pass. I've tried changing that with no success.

    Anyone have any creative troubleshooting tips?
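Added example (not code from the thread, from pfSense or from strongSwan): a small triage script for the charon lines above. pfSense shows the IPsec log newest-first, which makes the sequence hard to read; this reverses it, groups lines by IKE_SA id, and records for each SA which peer config charon selected, how the client actually authenticated ("authentication of ... with pre-shared key successful"), and what the matched config demanded ("constraint requires public key authentication"). The sample log is constructed to mirror the post, with placeholder addresses and identities in place of the redacted values; `SaSummary`, `triage` and `diagnosis` are names chosen for this example.

```python
"""Triage helper for strongSwan (charon) IKEv2 authentication failures.

Added example, not the thread's, pfSense's or strongSwan's code. It parses the
charon lines as pfSense displays them (newest first) and summarises, per IKE_SA,
which peer config was tried, how the peer authenticated, and which constraint
the config imposed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# pfSense log viewer line: "<timestamp> charon <thread>[<subsystem>] <sa-tag> <message>"
# Whitespace between fields may be tabs or runs of spaces after copy/paste.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+"
    r"(?:<(?P<tag>[^>]*)>\s+)?(?P<msg>.*)$"
)

# Phrases charon emits around an IKE_AUTH auth-method mismatch.
CONSTRAINT_RE = re.compile(
    r"constraint requires (?P<req>.+?) authentication, but (?P<used>.+?) was used")
PEER_AUTH_RE = re.compile(
    r"authentication of '(?P<id>[^']*)' with (?P<method>.+?) successful")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")

# Constructed sample modelled on the log in the thread (newest first);
# 10.15.1.1 stands in for the firewall, 10.15.1.161 for the client.
SAMPLE_LOG = """\
Sep 24 15:25:30\tcharon\t\t05[NET] <bypasslan|64> sending packet: from 10.15.1.1[4500] to 10.15.1.161[4500] (68 bytes)
Sep 24 15:25:30\tcharon\t\t05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30\tcharon\t\t05[IKE] <bypasslan|64> authentication of '10.15.1.161' with pre-shared key successful
Sep 24 15:25:30\tcharon\t\t05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30\tcharon\t\t05[CFG] <64> looking for peer configs matching 10.15.1.1[10.15.1.1]...10.15.1.161[10.15.1.161]
""".splitlines()


@dataclass
class SaSummary:
    sa_id: str
    configs_tried: List[str] = field(default_factory=list)
    peer_auth: Optional[str] = None      # method the client actually used
    required_auth: Optional[str] = None  # method the matched config insists on
    auth_failed: bool = False
    notes: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Return (timestamp, subsystem, sa_id, message), or None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag = m.group("tag") or ""
    # The tag is "<conn|id>" or a bare "<id>"; the number after '|' is the IKE_SA id.
    sa_id = tag.rsplit("|", 1)[-1] if tag else "?"
    return m.group("ts"), m.group("sub"), sa_id, m.group("msg")


def triage(lines, newest_first: bool = True) -> Dict[str, SaSummary]:
    """Group charon lines by IKE_SA and record what happened during IKE_AUTH."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    if newest_first:
        parsed.reverse()  # pfSense's log viewer lists the newest entry first
    out: Dict[str, SaSummary] = {}
    for _ts, sub, sa_id, msg in parsed:
        s = out.setdefault(sa_id, SaSummary(sa_id))
        m = SELECTED_RE.search(msg)
        if m and m.group("name") not in s.configs_tried:
            s.configs_tried.append(m.group("name"))
        m = PEER_AUTH_RE.search(msg)
        if m:
            s.peer_auth = m.group("method")
        m = CONSTRAINT_RE.search(msg)
        if m:
            s.required_auth = m.group("req")
        if "IKE_AUTH response" in msg and "AUTH_FAILED" in msg:
            s.auth_failed = True
        if sub == "CFG" and ("inacceptable" in msg or "no alternative config" in msg):
            s.notes.append(msg)
    return out


def diagnosis(s: SaSummary) -> str:
    """One-line verdict: did the client's auth method match what the config required?"""
    if not s.auth_failed:
        return "no IKE_AUTH failure recorded"
    if s.peer_auth and s.required_auth:
        cfg = s.configs_tried[-1] if s.configs_tried else "?"
        return (f"client authenticated with {s.peer_auth}, but peer config '{cfg}' "
                f"requires {s.required_auth} authentication (auth-method mismatch)")
    return "IKE_AUTH failed; see notes: " + "; ".join(s.notes)


if __name__ == "__main__":
    for sa_id, summary in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id}: {diagnosis(summary)}")
```

Run it against a paste of the pfSense IPsec log; an "auth-method mismatch" verdict means the client profile and the matched peer config disagree on how the client proves its identity, which is a different problem from a failing LDAP lookup and is where the log above points.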



  • Hey gang - just a quick check-in to see if anyone has experience with IPsec and LDAP or tips on where to start troubleshooting?