<![CDATA[IPsec+LDAP]]>@jimp:

Right, and the boxes I'm referring to on 2.1 have been upgraded from 2.0.x (and in some cases, 1.2.3), as well as some clean-install 2.1 VMs.

Not saying it hasn't happened, but I haven't witnessed it personally.

Sep 5 15:53:26 	racoon: ERROR: fatal parse failure (1 errors)
Sep 5 15:53:26 	racoon: ERROR: /var/etc/racoon.conf:14: "ldapcfg" racoon not configured with --with-libldap
Sep 5 15:53:26 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 5 15:53:26 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
Sep 5 15:53:26 	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

The above is during an attempted startup of IPSec service…  and here's my /var/etc/racoon.conf:


# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 206.248.x.x [500];
        isakmp_natt 206.248.x.x  [4500];
}

ldapcfg {
        version 3;
        host "";
        port 389;
        base "";
        subtree on;
        bind_dn "";
        bind_pw "";
        attr_user "";
}

remote 70.55.x.x
{
        ph1id 1;
        exchange_mode aggressive;
        my_identifier address 206.248.x.x;
        peers_identifier address 70.55.x.x;
        ike_frag on;
        generate_policy = off;
        initial_contact = on;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;

        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm blowfish 256;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }
}

sainfo subnet 10.0.2.0/24 any subnet 192.168.2.0/24 any
{
        remoteid 1;
        encryption_algorithm blowfish 256;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        lifetime time 86400 secs;
        compression_algorithm deflate;
}
]]>https://forum.netgate.com/topic/48324/ipsec-ldapRSS for NodeSun, 14 Jun 2026 01:17:20 GMTWed, 05 Sep 2012 20:01:31 GMT60<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 13:17:38 GMT]]>@jimp:

Do you have an LDAP server setup under System > User Manager, on the server tab perhaps?

Looking at the code the only way it would put that ldap section in there is if someone had the mobile IPsec tab setup to use a non-local source, and if that source was ldap.

Found it!  Yes, I have an LDAP server enabled for OpenVPN.  I really don't know why, because I use the Local Database for authentication… that shizz is getting turned off big time.  8)

I'll letcha know how that works out.

EDIT:  IPSec tunnel is back up!  Thanks Jim.. (aka: Super Mario)

]]>https://forum.netgate.com/post/354632https://forum.netgate.com/post/354632Thu, 06 Sep 2012 13:17:38 GMT<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 12:23:33 GMT]]>I disabled that whole chunk of code for now so it won't write out an invalid racoon.conf while that part is being reworked.

https://github.com/bsdperimeter/pfsense/commit/9500537d51b481086e8a685b70e825688c0526e1

]]>https://forum.netgate.com/post/354625https://forum.netgate.com/post/354625Thu, 06 Sep 2012 12:23:33 GMT<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 12:17:51 GMT]]>Do you have an LDAP server setup under System > User Manager, on the server tab perhaps?

Looking at the code the only way it would put that ldap section in there is if someone had the mobile IPsec tab setup to use a non-local source, and if that source was ldap.

]]>https://forum.netgate.com/post/354623https://forum.netgate.com/post/354623Thu, 06 Sep 2012 12:17:51 GMT<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 04:46:36 GMT]]>@jimp:

probably on the mobile tab.

Hmm, I dont even have that turned on.

I also perused through every tab on pfSense and have nothing to do with LDAP turned on. Very puzzling.

]]>https://forum.netgate.com/post/354562https://forum.netgate.com/post/354562Thu, 06 Sep 2012 04:46:36 GMT<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 01:10:45 GMT]]>probably on the mobile tab.

]]>https://forum.netgate.com/post/354556https://forum.netgate.com/post/354556Thu, 06 Sep 2012 01:10:45 GMT<![CDATA[Reply to IPsec+LDAP on Thu, 06 Sep 2012 00:39:32 GMT]]>@jimp:

Yes, don't configure LDAP support.

do you know where i can go to shut it off? (i dont recall turning LDAP on!)  :-\

]]>https://forum.netgate.com/post/354552https://forum.netgate.com/post/354552Thu, 06 Sep 2012 00:39:32 GMT<![CDATA[Reply to IPsec+LDAP on Wed, 05 Sep 2012 23:30:18 GMT]]>Yes, don't configure LDAP support.

]]>https://forum.netgate.com/post/354547https://forum.netgate.com/post/354547Wed, 05 Sep 2012 23:30:18 GMT<![CDATA[Reply to IPsec+LDAP on Wed, 05 Sep 2012 23:26:41 GMT]]>@jimp:

It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new threads because it was unrelated.

Ah, okay. :)

Is there a work around at the moment?

]]>https://forum.netgate.com/post/354546https://forum.netgate.com/post/354546Wed, 05 Sep 2012 23:26:41 GMT<![CDATA[Reply to IPsec+LDAP on Wed, 05 Sep 2012 20:26:44 GMT]]>It's down because racoon isn't running, not because the tunnel won't establish. It's not the same problem as the thread you originally posted in. I moved this to a new threads because it was unrelated.

]]>https://forum.netgate.com/post/354527https://forum.netgate.com/post/354527Wed, 05 Sep 2012 20:26:44 GMT<![CDATA[Reply to IPsec+LDAP on Wed, 05 Sep 2012 20:25:52 GMT]]>@jimp:

IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

Thanks Jim, However, I'm not quite sure what you mean… my site-to-site tunnel is down though  ???

]]>https://forum.netgate.com/post/354526https://forum.netgate.com/post/354526Wed, 05 Sep 2012 20:25:52 GMT<![CDATA[Reply to IPsec+LDAP on Wed, 05 Sep 2012 20:08:10 GMT]]>IPsec+LDAP is known to be broken at the moment. There is a ticket pending for it.

The authentication is being switched to a script-based auth mechanism so it can easily do LDAP, RADIUS, etc, like OpenVPN can.

That has nothing to do with a site-to-site tunnel being broken as in this ticket though.

]]>https://forum.netgate.com/post/354524https://forum.netgate.com/post/354524Wed, 05 Sep 2012 20:08:10 GMT