LDAP xauth + IPSec



  • I figured I would share this with everyone since it took me a little longer to ferret out than I would have liked.
    Technically the binaries on pfsense 2.0 will support an LDAP backend for xauth connections to an IPSec VPN, but the GUI has no mechanism to actually configure it. As a result, I made some quick patches to two of the files to be able to actually use this feature.

    I modified: /etc/inc/vpn.inc and /usr/local/www/system_authservers.php to allow for an additional auth mechanism on the IPSec mobile clients configuration screen.

    The xauth source dropdowns will now hold the option "LDAP", which (when selected) will use the first configured LDAP server from your authentication servers screen.

    I put both files in a tarball for everyone, so if you feel like using it, all you have to do is replace the versions on your existing pfsense install and you're good to go (the easiest way to do that is using ssh and select the shell access option)

    Here's a link to the tarball for anyone interested:
    http://www.mediafire.com/?c85a7f7mrc1jkr9


  • Rebel Alliance Developer Netgate

    We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

    http://redmine.pfsense.org/issues/1112



  • When is 2.1 scheduled for release?


  • Rebel Alliance Developer Netgate

    Not sure - hoping for 6-8 weeks, not sure how feasible that is.



  • @jimp:

    We took a different path for pfSense 2.1, we patched racoon to authenticate from an external script, the same way that OpenVPN does.

    http://redmine.pfsense.org/issues/1112

    jimp, talking about racoon patches, it'd great if someone who is intimately familiar with ipsec-tools would take a closer look at the discussions & proposed patches that have been submitted to the ipsec-tools-devel mailing list in the months since the release of 0.8.0 …

    E.g. one that seemed particularly interesting to me for possible inclusion into pfsense, was a fix for the DPD-cookie check, which would allow racoon 0.8.0 to interoperate with old (IOS 12.3) Cisco devices, see discussion here


  • Rebel Alliance Developer Netgate

    Open a ticket in redmine with those links, I wouldn't know about the code that deep down.




  • Rebel Alliance Developer Netgate

    Again… I wouldn't really know... If it's still needed even on current builds, feel free to comment on the ticket. I don't know the code in racoon that well.



  • I opened a ticket in redmine with the links, as suggested.



  • I will take  look at it later on since i have to do some more fixes on ipsec side



  • Hi there,
    I'm trying to test this solution on 2.0 or 2.0.1 release and it doesn’t work.
    On the dropdown list LDAP option still not available. Only what I’ve done that was replaced two scripts (vpn.inc, system_usermanager.php). Is it enough?
    I’ll be gratefully for any advice.
    Kind regards.



  • @jezyk:

    Hi there,
    I'm trying to test this solution on 2.0 or 2.0.1 release and it doesn’t work.
    On the dropdown list LDAP option still not available. Only what I’ve done that was replaced two scripts (vpn.inc, system_usermanager.php). Is it enough?
    I’ll be gratefully for any advice.
    Kind regards.

    Hey jezyk, I tried to respond to your PM before, but the site locked up and is not letting me get to your messages anymore.

    I did this all under 2.0. Supposedly 2.1 has this built-in now, but I haven't tested 2.1 to know for sure.

    Anyway, just replacing those two files under 2.0 should be enough. You will need to do a little configuring to get LDAP and VPN up though.
    Try this:

    In the menu bar, go to >  System  > User Manager
    Then click on the "Servers" tab.
    Configure your server there (I use the server name 'LDAP' but you could user anything)

    Then use the menu bar again to go to > VPN  >  IPSec
    Click on the Mobile Clients Tab.
    On this page, you should see the User Auth and Group Auth both set to LDAP.
    Just configure your clients and you should be good to go!
    ;D



  • Hi.

    I downloaded the Files from that link: http://www.mediafire.com/?c85a7f7mrc1jkr9
    Enabled SSH on pfsense and created a new local admin user which i used for the ssh session to upload both files.
    Then i connect over ssh with the admin account and replaced the two files with the uploaded ones (etc/inc/vpn.inc and /usr/local/www/system_authservers.php). With my new account i had not the necessary permission.
    Then i configured my LDAP Server In the menu bar>  System  > User Manager -> Servers and tested after that the LDAP Authentication over Diagnostics -> Authentication which was successfull.
    But under VPN  >  IPSec -> Mobile Clients i can still only select "System" in both DropDowns for Xauth. (see Screenshots).
    I tried pfsense version 2.0 and also 2.0.2 (latest release) with same result: i can't select LDAP as Xauth for IPsec only "System" is available there.
    Did i something wrong?
    I hope somebody can help me with that or can tell me a working solution.
    I read that in version 2.1 this should already be implemented (ipsec ldap xauth) but this version is still not available or should not be used in production environments right?

    Many thanks
    Thomas

    ![Bildschirmfoto 2013-02-22 um 19.16.40.png](/public/imported_attachments/1/Bildschirmfoto 2013-02-22 um 19.16.40.png)
    ![Bildschirmfoto 2013-02-22 um 19.16.40.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2013-02-22 um 19.16.40.png_thumb)


  • Rebel Alliance Developer Netgate

    Many people are using 2.1 in production with success.

    It is nearing RC1, so it's quite stable despite its Beta label.



  • Hi Jimp
    Thanks for the fast reply.
    So you mean i can already use 2.1 RC1 in a production environment?
    Where can i download the 2.1 iso file ? I couldn't find that…
    Thanks
    Thomas



  • Hi.

    Sorry i found it :).
    I downloaded that version  pfSense-LiveCD-2.1-BETA1-amd64-20130222-2301.iso.gz from http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/amd64/pfSense_HEAD/livecd_installer/?C=M;O=D
    Is this the latest one? :)

    Thanks
    Thomas



  • Hello everyone,

    This does not work as of 2.0.3-RELEASE.

    Can someone confirm if it is working well with your setup?


  • Banned

    @skorzen:

    Can someone confirm if it is working well with your setup?

    Mobile clients auth works just fine with 2.1 and Active Directory for me.


  • Rebel Alliance Developer Netgate

    It will not work with 2.0.x. It is a new feature for 2.1 (not 2.0.1, 2.1)



  • Recently upgraded from v2.0.1 to v2.1 and my IPSec VPN setup (using LDAP as auth source) stopped working.
    I've check settings they haven't changed during upgrade and seemed OK. I've re-applied configuration explained in Mobile IPsec on 2.0 HowTo: still no success.

    Here is IPSec System log:

    Mar 28 11:29:01 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
    Mar 28 11:29:00 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
    Mar 28 11:28:58 racoon: [<<mobile_client_ip>>] ERROR: unknown Informational exchange received.
    Mar 28 11:28:56 racoon: [Self]: INFO: ISAKMP-SA deleted <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
    Mar 28 11:28:56 racoon: INFO: purged ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
    Mar 28 11:28:56 racoon: INFO: purging ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6.
    Mar 28 11:28:56 racoon: [<<mobile_client_ip>>] INFO: DPD: remote (ISAKMP-SA spi=fc59d3b640a2c8ee:584f9c63d7s25ab6) seems to be dead.
    Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: received INITIAL-CONTACT
    Mar 28 11:28:21 racoon: [Self]: INFO: ISAKMP-SA established <<pfsense_public_ip>>[4500]-<<mobile_client_ip>>[4500] spi:fc59d3b640a2c8ee:584f9c63d7s25ab6
    Mar 28 11:28:21 racoon: INFO: Sending Xauth request
    Mar 28 11:28:21 racoon: INFO: NAT detected: ME PEER
    Mar 28 11:28:21 racoon: INFO: NAT-D payload #1 doesn't match
    Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[4500] with algo #2
    Mar 28 11:28:21 racoon: INFO: NAT-D payload #0 doesn't match
    Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[4500] with algo #2
    Mar 28 11:28:21 racoon: [Self]: INFO: NAT-T: ports changed to: <<mobile_client_ip>>[4500]<-><<pfsense_public_ip>>[4500]
    Mar 28 11:28:21 racoon: INFO: Adding xauth VID payload.
    Mar 28 11:28:21 racoon: [Self]: [<<pfsense_public_ip>>] INFO: Hashing <<pfsense_public_ip>>[500] with algo #2
    Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Hashing <<mobile_client_ip>>[500] with algo #2
    Mar 28 11:28:21 racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 28 11:28:21 racoon: [<<mobile_client_ip>>] INFO: Selected NAT-T version: RFC 3947
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: DPD
    Mar 28 11:28:21 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: RFC 3947
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Mar 28 11:28:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 28 11:28:21 racoon: INFO: begin Aggressive mode.
    Mar 28 11:28:21 racoon: [Self]: INFO: respond new phase 1 negotiation: <<pfsense_public_ip>>[500]<=><<mobile_client_ip>>[500]</mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></pfsense_public_ip></pfsense_public_ip></mobile_client_ip></pfsense_public_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip></pfsense_public_ip></mobile_client_ip></mobile_client_ip></mobile_client_ip>

    LDAP configuration seems OK (used the "Save & Test" button and everything was "OK").

    After enabling racoon DEBUG mode, a restart gives the following logs:

    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
    Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
    Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
    Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDADD message
    Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 28 12:55:44 racoon: INFO: unsupported PF_KEY message REGISTER
    Mar 28 12:55:44 racoon: DEBUG: got pfkey REGISTER message
    Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 10.0.0.0/24[0] 10.0.0.30/32[0] proto=any dir=in
    Mar 28 12:55:44 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe6b4: 10.0.0.30/32[0] 10.0.0.0/24[0] proto=any dir=out
    Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
    Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 28 12:55:44 racoon: DEBUG: got pfkey X_SPDDUMP message
    Mar 28 12:55:44 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used as isakmp port (fd=15)
    Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[500] used for NAT-T
    Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used as isakmp port (fd=14)
    Mar 28 12:55:44 racoon: [Self]: INFO: <<pfsense_public_ip>>[4500] used for NAT-T
    Mar 28 12:55:44 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    Mar 28 12:55:44 racoon: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=2
    Mar 28 12:55:44 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Mar 28 12:55:44 racoon: DEBUG: hmac(modp1024)
    Mar 28 12:55:44 racoon: INFO: Resize address pool from 0 to 65533
    Mar 28 12:55:44 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for ESP
    Mar 28 12:55:44 racoon: DEBUG: call pfkey_send_register for AH
    Mar 28 12:55:44 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Mar 28 12:55:44 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Mar 28 12:55:44 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Mar 28 12:55:39 racoon: INFO: racoon process 87375 shutdown
    Mar 28 12:55:39 racoon: INFO: caught signal 15</pfsense_public_ip></pfsense_public_ip></pfsense_public_ip></pfsense_public_ip>

    It complains about a "Unknown Gateway/Dynamic" (and seems to ignore it) but can't find such thing in IPSec/Routing settings.



  • Follow up:
    When debugging and redacting previous post I've disabled a second IPSec tunnel (one for point-to-point VPN, not mobile clients) and now mobile client access seems to work just fine (using Shrew Soft VPN Connect software and builtin iOS client).
    ("Unknown Gateway/Dynamic" log message is still there though)

    I'll look into the settings of this second tunnel later (time to confirm that at least everything is OK with one tunnel).


Log in to reply