IPSec with LDAP Backend not working
I encountered some problems when i tried to configure IPSec with PSK+xauth over LDAP.
The LDAP Backend is an Windows 2012 R2 Active Directory Server. The pfsense version is 2.1.5-RELEASE (i386).
Those object were created in the Active Directory to setup the LDAP Backend:
pfsense - to query the Active Directory
testuser - to test the VPN connection
vpn - all user that can connect to the VPN are in this Group, the testuser is member in this group
Then i created the same Group (with the same name) in pfsense and gave them the permission "User - VPN - IPsec xauth Dialin".
When I go to Diagnostics > Authentification and i test my LDAP backend it works and it even can recognize that the test user is in the Group VPN.
The LDAP Source is configured like that:
Hostname or IP address (example.org)
Port value (389)
Transport (TCP - Standard)
Protocol version (3)
Search scope (Entire Subtree) - DC=example,DC=org
Authentication containers (OU=Users,DC=example,DC=org)
User naming attribute (samAccountName)
Group naming attribute (cn)
Group member attribute (memberof)
The IPsec says my user hasn't enough permission
racoon: user 'testuser' cannot authenticate through IPSec since the required privileges are missing. racoon: user 'testuser' could not authenticate.
I don't think the IPsec configuration is wrong because when i switch in the Mobile Device Tab of the IPsec configuration and i choose Local Database instead of LDAP Source it works with a local user.
But just in case i post the IPsec configuration.
The IPsec is configured like that:
User authentication (LDAP Source)
Group authentification (none)
Virtual Address Pool: 192.168.9.0/24
Network List (not checked)
Save Xauth Password (checked)
DNS Default Domain (checked) - example.org
Split DNS (not checked)
DNS Servers (checked)
Server 1: 126.96.36.199
Server 2: 188.8.131.52
WINS Servers (not checked)
Phase2 PFS Group (not checked)
Login Banner (not checked)
Internet Protocol (IPv4)
Authentication method (Mutual PSK+xauth)
Negotiation mode (aggressive)
My identifier (My IP address)
Peer identifier (user distinguished name)
Policy Generation (Unique)
Proposal Checking (Strict)
Encryption algorithm (AES 128)
Hash algorithm (SHA1)
DH key group (2)
NAT Traversal (Force)
Dead Peer Detection (checked)
delay: 10 seconds
disconnect: 5 retries
Mode (Tunnel IPv4)
Local Network (Lan Subnet)
Encryption algorithms (AES 128)
Hash algorithms (SHA 1)
PFS key group (off)
I hope somebody can help me