Netgate Discussion Forum
LDAP authentication for IPsec?

shpokas

      Hi,
I have FreeIPA (LDAP) servers as the authentication backend, and this setup works fine with OpenVPN.
Now I am trying to use them in an IPsec road-warrior configuration, but couldn't get that to work.
If I try to configure EAP-RADIUS as the authentication method, pfSense complains that RADIUS is not set up.
If I use Mutual PSK + XAuth, then I see in the logs:

      found 2 matching configs, but none allows XAuthInitPSK authentication

      Any hints?

      Thanks in advance,
      shpokas

jimp (Netgate developer)

        Both of those would require RADIUS, not LDAP. I have not seen it work, but in theory you could use LDAP as a backend for FreeRADIUS so you could use RADIUS instead.

miken32

          We have no problem running Mutual PSK + XAuth with an OpenLDAP backend. Did you configure XAuth on the Mobile Clients tab with your LDAP server?

seidler2547

            @shpokas:

            found 2 matching configs, but none allows XAuthInitPSK authentication

In my experience, this means that there could be a problem with the peer identifiers. strongSwan is very strict about identifiers.

            Stefan

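Added example, not from the thread and not pfSense's generated configuration: a stock strongSwan ipsec.conf/ipsec.secrets gateway definition for an IKEv1 road-warrior tunnel using Mutual PSK + XAuth. It ties the two diagnoses above together. The "found 2 matching configs, but none allows XAuthInitPSK authentication" line is charon reporting that conn sections matched the peer's addresses and identities but none of them permitted the PSK + XAuth method the client proposed (authby=xauthpsk), and the identity settings show where seidler2547's identifier strictness comes in. Hostnames, the address pool, the user name and the secrets are placeholders.

```conf
# /etc/ipsec.conf -- added example with placeholder values; stock strongSwan
# syntax, not pfSense's generated file. Gateway side of an IKEv1 road-warrior
# tunnel authenticated with Mutual PSK + XAuth.
config setup
    # "cfg 2" logs which conn sections were considered for a peer, which is
    # the quickest way to see why a "found N matching configs" line was
    # followed by a rejection.
    charondebug="ike 2, cfg 2"

conn roadwarrior-xauth-psk
    keyexchange=ikev1
    # authby=psk would also match this peer, but charon then rejects the
    # client's PSK + XAuth proposal with the same "... but none allows
    # XAuthInitPSK authentication" message seen in the thread. xauthpsk is
    # the method the road-warrior clients are proposing.
    authby=xauthpsk
    # This gateway asks the client for XAuth credentials.
    xauth=server
    left=%defaultroute
    # The ID the gateway presents. The client's peer identifier must be
    # exactly this value (an FQDN-type ID here, marked by the leading @); an
    # IP-address ID or a differently spelled name does not match, which is
    # the identifier strictness described above.
    leftid=@vpn.example.com
    leftsubnet=0.0.0.0/0
    right=%any
    # %any accepts whatever ID the client sends. Once clients are consistent,
    # tighten this (for example rightid=@roadwarrior.example.com) so only
    # peers presenting that ID reach this conn.
    rightid=%any
    # Pool of virtual addresses handed to authenticated clients.
    rightsourceip=10.10.10.0/24
    auto=add

# /etc/ipsec.secrets -- placeholder secrets
# Group PSK shared by all road warriors; no selector, so it applies to any
# peer address and any peer ID.
: PSK "replace-with-a-long-random-group-psk"
# Stock strongSwan checks XAuth users against XAUTH entries like this one. To
# use an external store instead (RADIUS, and through it LDAP), the xauth-eap
# plugin with eap-radius as its backend is the stock route; pfSense's own
# XAuth hook into its authentication servers is set in the GUI, not here.
alice : XAUTH "replace-with-alice-password"
```

On pfSense the equivalent knobs are the Phase 1 "My identifier"/"Peer identifier" fields and the Mobile Clients tab; the example is meant to show what those settings translate to in strongSwan terms, not to suggest editing files on the firewall by hand.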
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.