LDAP authentication for IPSec?
-
Hi,
I have FreeIPA (LDAP) servers as authentication backend and this setup works fine with OpenVPN.
Now I am trying to use them in IPSec road warrior configuration, but couldn't get that to work.
If I try to configure EAP-Radius as authentication method, pfSense complains that Radius is not set up.
If I use Mutual PSK + XAuth, then I see in logs: found 2 matching configs, but none allows XAuthInitPSK authentication
Any hints?
Thanks in advance,
shpokas
-
Both of those would require RADIUS, not LDAP. I have not seen it work, but in theory you could use LDAP as a backend for FreeRADIUS so you could use RADIUS instead.
-
We have no problem running Mutual PSK + XAuth with an OpenLDAP backend. Did you configure XAuth on the Mobile Clients tab with your LDAP server?
-
found 2 matching configs, but none allows XAuthInitPSK authentication
From my experience this means that there could be a problem with the peer identifiers. strongSwan is very strict about identifiers.
Stefan