Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    LDAP xauth + IPSec

    IPsec
    9
    21
    14253
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      caurelio last edited by

      I figured I would share this with everyone since it took me a little longer to ferret out than I would have liked.
      Technically the binaries on pfsense 2.0 will support an LDAP backend for xauth connections to an IPSec VPN, but the GUI has no mechanism to actually configure it. As a result, I made some quick patches to two of the files to be able to actually use this feature.

      I modified: /etc/inc/vpn.inc and /usr/local/www/system_authservers.php to allow for an additional auth mechanism on the IPSec mobile clients configuration screen.

      The xauth source dropdowns will now hold the option "LDAP", which (when selected) will use the first configured LDAP server from your authentication servers screen.

      I put both files in a tarball for everyone, so if you feel like using it, all you have to do is replace the versions on your existing pfsense install and you're good to go (the easiest way to do that is using ssh and select the shell access option)

      Here's a link to the tarball for anyone interested:
      http://www.mediafire.com/?c85a7f7mrc1jkr9

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

        http://redmine.pfsense.org/issues/1112

        1 Reply Last reply Reply Quote 0
        • C
          caurelio last edited by

          When is 2.1 scheduled for release?

          1 Reply Last reply Reply Quote 0
          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            Not sure - hoping for 6-8 weeks, not sure how feasible that is.

            1 Reply Last reply Reply Quote 0
            • D
              dhatz last edited by

              @jimp:

              We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

              http://redmine.pfsense.org/issues/1112

              jimp, talking about racoon patches, it'd great if someone who is intimately familiar with ipsec-tools would take a closer look at the discussions & proposed patches that have been submitted to the ipsec-tools-devel mailing list in the months since the release of 0.8.0 …

              E.g. one that seemed particularly interesting to me for possible inclusion into pfsense, was a fix for the DPD-cookie check, which would allow racoon 0.8.0 to interoperate with old (IOS 12.3) Cisco devices, see discussion here

              1 Reply Last reply Reply Quote 0
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Open a ticket in redmine with those links, I wouldn't know about the code that deep down.

                1 Reply Last reply Reply Quote 0
                • D
                  dhatz last edited by

                  Check http://redmine.pfsense.org/issues/1872

                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    Again… I wouldn't really know... If it's still needed even on current builds, feel free to comment on the ticket. I don't know the code in racoon that well.

                    1 Reply Last reply Reply Quote 0
                    • D
                      dhatz last edited by

                      I opened a ticket in redmine with the links, as suggested.

                      1 Reply Last reply Reply Quote 0
                      • E
                        eri-- last edited by

                        I will take  look at it later on since i have to do some more fixes on ipsec side

                        1 Reply Last reply Reply Quote 0
                        • J
                          jezyk last edited by

                          Hi there,
                          I'm trying to test this solution on 2.0 or 2.0.1 release and it doesn’t work.
                          On the dropdown list LDAP option still not available. Only what I’ve done that was replaced two scripts (vpn.inc, system_usermanager.php). Is it enough?
                          I’ll be gratefully for any advice.
                          Kind regards.

                          1 Reply Last reply Reply Quote 0
                          • C
                            caurelio last edited by

                            @jezyk:

                            Hi there,
                            I'm trying to test this solution on 2.0 or 2.0.1 release and it doesn’t work.
                            On the dropdown list LDAP option still not available. Only what I’ve done that was replaced two scripts (vpn.inc, system_usermanager.php). Is it enough?
                            I’ll be gratefully for any advice.
                            Kind regards.

                            Hey jezyk, I tried to respond to your PM before, but the site locked up and is not letting me get to your messages anymore.

                            I did this all under 2.0. Supposedly 2.1 has this built-in now, but I haven't tested 2.1 to know for sure.

                            Anyway, just replacing those two files under 2.0 should be enough. You will need to do a little configuring to get LDAP and VPN up though.
                            Try this:

                            In the menu bar, go to >  System  > User Manager
                            Then click on the "Servers" tab.
                            Configure your server there (I use the server name 'LDAP' but you could user anything)

                            Then use the menu bar again to go to > VPN  >  IPSec
                            Click on the Mobile Clients Tab.
                            On this page, you should see the User Auth and Group Auth both set to LDAP.
                            Just configure your clients and you should be good to go!
                            ;D

                            1 Reply Last reply Reply Quote 0
                            • T
                              tpuschl last edited by

                              Hi.

                              I downloaded the Files from that link: http://www.mediafire.com/?c85a7f7mrc1jkr9
                              Enabled SSH on pfsense and created a new local admin user which i used for the ssh session to upload both files.
                              Then i connect over ssh with the admin account and replaced the two files with the uploaded ones (etc/inc/vpn.inc and /usr/local/www/system_authservers.php). With my new account i had not the necessary permission.
                              Then i configured my LDAP Server In the menu bar>  System  > User Manager -> Servers and tested after that the LDAP Authentication over Diagnostics -> Authentication which was successfull.
                              But under VPN  >  IPSec -> Mobile Clients i can still only select "System" in both DropDowns for Xauth. (see Screenshots).
                              I tried pfsense version 2.0 and also 2.0.2 (latest release) with same result: i can't select LDAP as Xauth for IPsec only "System" is available there.
                              Did i something wrong?
                              I hope somebody can help me with that or can tell me a working solution.
                              I read that in version 2.1 this should already be implemented (ipsec ldap xauth) but this version is still not available or should not be used in production environments right?

                              Many thanks
                              Thomas

                              ![Bildschirmfoto 2013-02-22 um 19.16.40.png](/public/imported_attachments/1/Bildschirmfoto 2013-02-22 um 19.16.40.png)
                              ![Bildschirmfoto 2013-02-22 um 19.16.40.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2013-02-22 um 19.16.40.png_thumb)

                              1 Reply Last reply Reply Quote 0
                              • jimp
                                jimp Rebel Alliance Developer Netgate last edited by

                                Many people are using 2.1 in production with success.

                                It is nearing RC1, so it's quite stable despite its Beta label.

                                1 Reply Last reply Reply Quote 0
                                • T
                                  tpuschl last edited by

                                  Hi Jimp
                                  Thanks for the fast reply.
                                  So you mean i can already use 2.1 RC1 in a production environment?
                                  Where can i download the 2.1 iso file ? I couldn't find that…
                                  Thanks
                                  Thomas

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tpuschl last edited by

                                    Hi.

                                    Sorry i found it :).
                                    I downloaded that version  pfSense-LiveCD-2.1-BETA1-amd64-20130222-2301.iso.gz from http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/amd64/pfSense_HEAD/livecd_installer/?C=M;O=D
                                    Is this the latest one? :)

                                    Thanks
                                    Thomas

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      A Former User last edited by

                                      Hello everyone,

                                      This does not work as of 2.0.3-RELEASE.

                                      Can someone confirm if it is working well with your setup?

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        doktornotor Banned last edited by

                                        @skorzen:

                                        Can someone confirm if it is working well with your setup?

                                        Mobile clients auth works just fine with 2.1 and Active Directory for me.

                                        1 Reply Last reply Reply Quote 0
                                        • jimp
                                          jimp Rebel Alliance Developer Netgate last edited by

                                          It will not work with 2.0.x. It is a new feature for 2.1 (not 2.0.1, 2.1)

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            CDuv last edited by

                                            Recently upgraded from v2.0.1 to v2.1 and my IPSec VPN setup (using LDAP as auth source) stopped working.
                                            I've check settings they haven't changed during upgrade and seemed OK. I've re-applied configuration explained in Mobile IPsec on 2.0 HowTo: still no success.

                                            Here is IPSec System log:

                                            Mar 28 11:29:01 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:29:00 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:28:58 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
                                            Mar 28 11:28:56 racoon: [Self]: INFO: ISAKMP-SA deleted <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
                                            Mar 28 11:28:56 racoon: INFO: purged ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
                                            Mar 28 11:28:56 racoon: INFO: purging ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
                                            Mar 28 11:28:56 racoon: [<<mobile_client_ip>>] INFO: DPD: remote (ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6) seems to be dead.
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: received INITIAL-CONTACT
                                            Mar 28 11:28:21 racoon: [Self]: INFO: ISAKMP-SA established <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
                                            Mar 28 11:28:21 racoon: INFO: Sending Xauth request
                                            Mar 28 11:28:21 racoon: INFO: NAT detected: ME PEER
                                            Mar 28 11:28:21 racoon: INFO: NAT-D payload #1 doesn't match
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[4500] with algo #2
                                            Mar 28 11:28:21 racoon: INFO: NAT-D payload #0 doesn't match
                                            Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[4500] with algo #2
                                            Mar 28 11:28:21 racoon: [Self]: INFO: NAT-T: ports changed to: <<mobile_client_ip>>[4500]<-><<pfsense_public_ip>>[4500]
                                            Mar 28 11:28:21 racoon: INFO: Adding xauth VID payload.
                                            Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[500] with algo #2
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[500] with algo #2
                                            Mar 28 11:28:21 racoon: INFO: Adding remote and local NAT-D payloads.
                                            Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Selected NAT-T version: RFC 3947
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: CISCO-UNITY
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: DPD
                                            Mar 28 11:28:21 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: RFC 3947
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
                                            Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                            Mar 28 11:28:21 racoon: INFO: begin Aggressive mode.
                                            Mar 28 11:28:21 racoon: [Self]: INFO: respond new phase 1 negotiation: <<pfsense_public_ip>>[500]<=><<mobile_client_ip>>[500]</mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></pfsense_public_ip></pfsense_public_ip></mobile_client_ip></pfsense_public_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip>

                                            LDAP configuration seems OK (used the "Save & Test" button and everything was "OK").

                                            After enabling racoon DEBUG mode, a restart gives the following logs:

                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: INFO: unsupported PF_KEY message REGISTER
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey REGISTER message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
                                            Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
                                            Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used as isakmp port (fd=15)
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used for NAT-T
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used as isakmp port (fd=14)
                                            Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used for NAT-T
                                            Mar 28 12:55:44 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
                                            Mar 28 12:55:44 racoon: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=2
                                            Mar 28 12:55:44 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
                                            Mar 28 12:55:44 racoon: DEBUG: hmac(modp1024)
                                            Mar 28 12:55:44 racoon: INFO: Resize address pool from 0 to 65533
                                            Mar 28 12:55:44 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for IPCOMP
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for ESP
                                            Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for AH
                                            Mar 28 12:55:44 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
                                            Mar 28 12:55:44 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
                                            Mar 28 12:55:44 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
                                            Mar 28 12:55:39 racoon: INFO: racoon process 87375 shutdown
                                            Mar 28 12:55:39 racoon: INFO: caught signal 15</pfsense_public_ip></pfsense_public_ip></pfsense_public_ip></pfsense_public_ip>

                                            It complains about a "Unknown Gateway/Dynamic" (and seems to ignore it) but can't find such thing in IPSec/Routing settings.

                                            1 Reply Last reply Reply Quote 0
                                            • C
                                              CDuv last edited by

                                              Follow up:
                                              When debugging and redacting previous post I've disabled a second IPSec tunnel (one for point-to-point VPN, not mobile clients) and now mobile client access seems to work just fine (using Shrew Soft VPN Connect software and builtin iOS client).
                                              ("Unknown Gateway/Dynamic" log message is still there though)

                                              I'll look into the settings of this second tunnel later (time to confirm that at least everything is OK with one tunnel).

                                              1 Reply Last reply Reply Quote 0
                                              • First post
                                                Last post

                                              Products

                                              • Platform Overview
                                              • TNSR
                                              • pfSense
                                              • Appliances

                                              Services

                                              • Training
                                              • Professional Services

                                              Support

                                              • Subscription Plans
                                              • Contact Support
                                              • Product Lifecycle
                                              • Documentation

                                              News

                                              • Media Coverage
                                              • Press
                                              • Events

                                              Resources

                                              • Blog
                                              • FAQ
                                              • Find a Partner
                                              • Resource Library
                                              • Security Information

                                              Company

                                              • About Us
                                              • Careers
                                              • Partners
                                              • Contact Us
                                              • Legal
                                              Our Mission

                                              We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                              Subscribe to our Newsletter

                                              Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                              © 2021 Rubicon Communications, LLC | Privacy Policy