LDAP authentication for IPSec?



  • Hi,
    I have FreeIPA (LDAP) servers as authentication backend and this setup works fine with OpenVPN.
    Now I am trying to use them in IPSec road warrior configuration, but couldn't get that to work.
    If I try to configure EAP-Radius as authentication method, pfSense complains that Radius is not set up.
    If I use Mutual PSK + XAuth, then I see in logs:

    found 2 matching configs, but none allows XAuthInitPSK authentication

    Any hints?

    Thanks in advance,
    shpokas


  • Rebel Alliance Developer Netgate

    Both of those would require RADIUS, not LDAP. I have not seen it work, but in theory you could use LDAP as a backend for FreeRADIUS so you could use RADIUS instead.



  • @shpokas:

    Hi,
    I have FreeIPA (LDAP) servers as authentication backend and this setup works fine with OpenVPN.
    Now I am trying to use them in IPSec road warrior configuration, but couldn't get that to work.
    If I try to configure EAP-Radius as authentication method, pfSense complains that Radius is not set up.
    If I use Mutual PSK + XAuth, then I see in logs:

    found 2 matching configs, but none allows XAuthInitPSK authentication

    Any hints?

    Thanks in advance,
    shpokas

    We have no problem running Mutual PSK + XAuth with an OpenLDAP backend. Did you configure XAuth on the Mobile Clients tab with your LDAP server?



  • @shpokas:

    found 2 matching configs, but none allows XAuthInitPSK authentication

    From my experience this means that there could be a problem with the peer identifiers. strongSwan is very strict about identifiers.

    Stefan
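    To make the identifier point concrete, here is an added example of a hand-written strongSwan ipsec.conf/ipsec.secrets pair for an IKEv1 road-warrior connection using Mutual PSK + XAuth. It is not from pfSense or from any post above (pfSense generates its own strongSwan configuration from the GUI), and the hostname, subnet and pool are assumed placeholders. The point it illustrates is the one Stefan makes: the gateway's leftid and the PSK line in ipsec.secrets must use the same identifier the client sends as the peer ID, and the connection must explicitly allow XAuth-with-PSK (authby=xauthpsk); otherwise strongSwan finds a config that matches the addresses but logs that none of them allows XAuthInitPSK.

```ini
# /etc/ipsec.conf (added example, not a pfSense-generated file)
config setup
    charondebug="cfg 2, ike 2"   ; verbose config/IKE logging helps see which IDs were matched

conn roadwarrior-xauth-psk
    keyexchange=ikev1
    aggressive=yes               ; pfSense mobile PSK setups commonly use aggressive mode
    authby=xauthpsk              ; mutual PSK for phase 1, then XAuth for the user login
    xauth=server                 ; this side asks the client for XAuth credentials
    left=%defaultroute
    leftid=@vpn.example.com      ; ASSUMED placeholder; must equal "My identifier" shown to clients
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any                 ; accept any peer ID; a fixed value here must match the client exactly
    rightsourceip=10.10.10.0/24  ; ASSUMED placeholder virtual address pool
    auto=add

# /etc/ipsec.secrets (added example)
# Group PSK: the selector on the left must use the same ID as leftid above.
@vpn.example.com %any : PSK "replace-with-a-long-random-shared-secret"
# Local XAuth users look like this; an LDAP-backed directory instead needs an
# XAuth backend plugin (for example xauth-pam with pam_ldap), not these lines.
alice : XAUTH "replace-with-user-password"
```

    When the log shows "found N matching configs, but none allows XAuthInitPSK", compare the peer ID printed in the IKE_SA lines against rightid, and check that the matching conn actually carries authby=xauthpsk rather than a plain psk or a certificate-based method.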

