IPSec + LDAP: required privileges are missing
  • Hi.
    I'm using pfSense 2.1 beta because I run it in a KVM environment and it has virtualized drivers.
    We already have a couple of deployments running fine.
    On a third one I'm trying to configure IPSec with external LDAP auth, but I'm having problems. I double-checked the IPSec and LDAP configuration and it's exactly the same as on another setup where it's working fine.
    I'm sure the LDAP settings are correct because I can see pfSense querying the directory, and if I enter wrong credentials for the VPN I get a specific error. So, when an LDAP user with correct credentials tries an IPSec connection I get the following in the logs:

    racoon: [Self]: INFO: ISAKMP-SA established 192.168.1.2[4500]-109.69.x.x[11026] spi:8ef5ae85dc9439b7:1d94dc59e519b03e
    racoon: [109.69.x.x] INFO: received INITIAL-CONTACT
    racoon: INFO: Using port 1
    racoon: user 'prova' cannot authenticate through IPSec since the required privileges are missing.
    racoon: user 'prova' could not authenticate.
    racoon: INFO: Released port 1
    racoon: INFO: login failed for user "prova"

    The VPN works perfectly for pfSense's local users and we're actually using it this way, but I cannot understand why LDAP shouldn't work. What privileges are missing? I know local users must have IPSEC privileges, but this doesn't apply to LDAP users, AFAIK.

    Any help welcome.
    thanks
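
As an added example (not part of the original post, and not pfSense or racoon code), the following script triages racoon log lines like the excerpt above. It separates a login that was rejected by the "required privileges are missing" check from a generic login failure, so the two cases are not chased as the same LDAP problem. The sample input is the excerpt from the post, copied as constructed data, plus a second, hypothetical user "bob" who only hits the generic failure; the exact message texts are assumed to be stable across pfSense 2.1 builds.

```python
import re
from collections import defaultdict

# Constructed sample input: the racoon lines quoted in the post above, plus
# two hypothetical lines for a user "bob" that fails without the privilege
# message, to show how the two outcomes are told apart.
SAMPLE_LOG = """\
racoon: [Self]: INFO: ISAKMP-SA established 192.168.1.2[4500]-109.69.x.x[11026] spi:8ef5ae85dc9439b7:1d94dc59e519b03e
racoon: [109.69.x.x] INFO: received INITIAL-CONTACT
racoon: INFO: Using port 1
racoon: user 'prova' cannot authenticate through IPSec since the required privileges are missing.
racoon: user 'prova' could not authenticate.
racoon: INFO: Released port 1
racoon: INFO: login failed for user "prova"
racoon: user 'bob' could not authenticate.
racoon: INFO: login failed for user "bob"
"""

# Message patterns (assumed to match the texts shown in the post verbatim).
SA_RE = re.compile(
    r"ISAKMP-SA established ([^\s\[]+)\[(\d+)\]-([^\s\[]+)\[(\d+)\] "
    r"spi:([0-9a-f]+):([0-9a-f]+)"
)
PRIV_RE = re.compile(
    r"user '([^']+)' cannot authenticate through IPSec since the required "
    r"privileges are missing"
)
FAIL_RE = re.compile(r'login failed for user "([^"]+)"')


def triage(lines):
    """Group racoon log lines into established ISAKMP SAs and per-user outcomes.

    Returns {"sas": [...], "users": {name: {"privilege_missing": bool,
    "login_failures": int}}}.
    """
    sas = []
    users = defaultdict(lambda: {"privilege_missing": False, "login_failures": 0})
    for line in lines:
        m = SA_RE.search(line)
        if m:
            sas.append({
                "local": m.group(1), "local_port": int(m.group(2)),
                "peer": m.group(3), "peer_port": int(m.group(4)),
                "spi_initiator": m.group(5), "spi_responder": m.group(6),
            })
            continue
        m = PRIV_RE.search(line)
        if m:
            # The privilege check rejected the user by name: this is a
            # pfSense authorization decision, not an LDAP bind failure.
            users[m.group(1)]["privilege_missing"] = True
            continue
        m = FAIL_RE.search(line)
        if m:
            users[m.group(1)]["login_failures"] += 1
    return {"sas": sas, "users": dict(users)}


def classify(user_record):
    """Label one user's outcome so the right component gets investigated."""
    if user_record["privilege_missing"]:
        return "missing-ipsec-privilege"   # look at pfSense user/group privileges
    if user_record["login_failures"]:
        return "credentials-or-backend"    # look at the password / LDAP backend
    return "ok"


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    result = triage_sample()
    for sa in result["sas"]:
        print(f"SA {sa['local']}:{sa['local_port']} <-> {sa['peer']}:{sa['peer_port']}")
    for name, rec in sorted(result["users"].items()):
        print(f"{name}: {classify(rec)} (failures={rec['login_failures']})")
```

The point of the split is that the privilege message names the user after the ISAKMP SA is already up, so a user who lands in the "missing-ipsec-privilege" bucket is being stopped by pfSense's own privilege check rather than by the directory; reworking the LDAP settings for that user would be looking in the wrong place.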