IPSec with LDAP Backend not working



    Hello together,

    I encountered some problems when I tried to configure IPSec with PSK+xauth over LDAP.
    The LDAP backend is a Windows 2012 R2 Active Directory server. The pfSense version is 2.1.5-RELEASE (i386).

    These objects were created in the Active Directory to set up the LDAP backend:
    Users:
    pfsense - to query the Active Directory
    testuser - to test the VPN connection

    Groups:
    vpn - all users that can connect to the VPN are in this group; the testuser is a member of this group

    Then I created the same group (with the same name) in pfSense and gave it the permission "User - VPN - IPsec xauth Dialin".

    When I go to Diagnostics > Authentication and test my LDAP backend, it works and it can even recognize that the test user is in the group VPN.

    The LDAP Source is configured like that:

    Hostname or IP address (example.org)
    Port value (389)
    Transport (TCP - Standard)
    Protocol version (3)
    Search scope (Entire Subtree) - DC=example,DC=org
    Authentication containers (OU=Users,DC=example,DC=org)
    Bind credentials

    • name: example\pfsense

    • password: 1234

    User naming attribute (samAccountName)
    Group naming attribute (cn)
    Group member attribute (memberof)

    IPsec says my user doesn't have enough permissions.
    IPsec log:

    racoon: user 'testuser' cannot authenticate through IPSec since the required privileges are missing.
    racoon: user 'testuser' could not authenticate.

    I don't think the IPsec configuration is wrong, because when I switch to the Mobile Device tab of the IPsec configuration and choose Local Database instead of LDAP Source, it works with a local user.
    But just in case, I post the IPsec configuration.

    The IPsec is configured like that:

    Mobile Clients:
    Enabled (checked)
    User authentication (LDAP Source)
    Group authentication (none)
    Virtual Address Pool: 192.168.9.0/24
    Network List (not checked)
    Save Xauth Password (checked)
    DNS Default Domain (checked) - example.org
    Split DNS (not checked)
    DNS Servers (checked)

    • Server 1: 8.8.8.8

    • Server 2: 8.8.4.4

    WINS Servers (not checked)
    Phase2 PFS Group (not checked)
    Login Banner (not checked)

    Phase 1:
    Internet Protocol (IPv4)
    Interface (WAN)
    Authentication method (Mutual PSK+xauth)
    Negotiation mode (aggressive)
    My identifier (My IP address)
    Peer identifier (user distinguished name)

    Policy Generation (Unique)
    Proposal Checking (Strict)
    Encryption algorithm (AES 128)
    Hash algorithm (SHA1)
    DH key group (2)
    Lifetime (86400)
    NAT Traversal (Force)
    Dead Peer Detection (checked)

    • delay: 10 seconds

    • disconnect: 5 retries

    Phase 2:
    Mode (Tunnel IPv4)
    Local Network (Lan Subnet)
    Protocol (ESP)
    Encryption algorithms (AES 128)
    Hash algorithms (SHA 1)
    PFS key group (off)
    Lifetime (28800)

    I hope somebody can help me.
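As an added example that is not part of the original post: the racoon log line above means the chain from the user's LDAP entry to the xauth privilege did not complete, so it helps to model that chain explicitly. The Python below walks the `memberOf` values returned for a user, takes the CN of each group DN, looks the name up in a local group table and checks whether that local group carries the "User - VPN - IPsec xauth Dialin" privilege. The AD entry, the local group table and the exact-name matching are constructed assumptions for illustration, not pfSense's own code or its actual matching rules; the `diagnose` function reports, per remote group, which step of the chain fails.

```python
"""Model of the LDAP memberOf -> local group -> privilege chain (constructed example)."""

# Privilege name exactly as it appears in the pfSense group settings in the post.
IPSEC_XAUTH_PRIV = "User - VPN - IPsec xauth Dialin"

# Constructed local group table: group name -> set of privilege names.
# Assumption: group names are matched exactly (case-sensitive) against the CN.
LOCAL_GROUPS = {
    "vpn": {IPSEC_XAUTH_PRIV},
    "admins": {"WebCfg - All pages"},
}

# Constructed AD entry for the test user, shaped like an LDAP search result
# (attribute name -> list of values). Group DN paths are invented for the example.
SAMPLE_ENTRY = {
    "sAMAccountName": ["testuser"],
    "memberOf": [
        "CN=vpn,OU=Groups,DC=example,DC=org",
        "CN=Domain Users,CN=Users,DC=example,DC=org",
    ],
}


def get_attr(entry, name):
    """Return the values of an attribute. LDAP attribute types are case-insensitive,
    so a backend configured with 'memberof' must still find AD's 'memberOf'."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def rdn_value(dn):
    """Return the value of the first RDN of a DN ('vpn' for 'CN=vpn,OU=...').
    Backslash-escaped commas are unescaped, since AD allows them in group names."""
    eq = dn.find("=")
    if eq < 0:
        return dn
    value = []
    i = eq + 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            value.append(dn[i + 1])   # escaped character, keep it literally
            i += 2
            continue
        if ch == ",":                 # end of the first RDN
            break
        value.append(ch)
        i += 1
    return "".join(value).strip()


def groups_from_entry(entry, member_attr="memberOf"):
    """Group names (CNs) taken from the user's group membership attribute."""
    return [rdn_value(dn) for dn in get_attr(entry, member_attr)]


def has_privilege(entry, priv, local_groups=LOCAL_GROUPS, member_attr="memberOf"):
    """True if any remote group maps to a local group that carries `priv`."""
    return any(priv in local_groups.get(g, set())
               for g in groups_from_entry(entry, member_attr))


def diagnose(entry, priv, local_groups=LOCAL_GROUPS, member_attr="memberOf"):
    """Per remote group, say which step of the chain succeeds or fails."""
    report = {}
    for group in groups_from_entry(entry, member_attr):
        if group not in local_groups:
            report[group] = "no local group with this exact name"
        elif priv not in local_groups[group]:
            report[group] = "local group exists but lacks the privilege"
        else:
            report[group] = "grants the privilege"
    return report


if __name__ == "__main__":
    for group, verdict in diagnose(SAMPLE_ENTRY, IPSEC_XAUTH_PRIV).items():
        print(f"{group}: {verdict}")
```

Running the block with the constructed entry shows "vpn" granting the privilege and "Domain Users" having no local counterpart, which is harmless; the interesting output is when every remote group ends up in one of the two failing categories, because that is the situation the racoon message describes.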

