Hello,
I would like to authenticate users through our central LDAP server, which is only reachable through an IPsec tunnel.
I think the authentication goes through the wrong (WAN) gateway and is not using the IPsec tunnel. Is it possible to specify the gateway which should be used for the authentication server?
I'm using OPNsense 18.7.10
Best regards,
Julian
Hello there,
Out of curiosity, I haven't looked at the options in the configuration, but I wonder if an outbound NAT or a routing table modification would work? This assumes that LDAP is on a different subnet. These are just workaround suggestions.
Regards
You could add the WAN IP to the IPsec SA or switch to LDAPS via WAN.
Hello,
I tried an outbound NAT, a static route and also adding the WAN IP to the IPsec SA of the tunnel. Nothing worked.
With the "Diagnostics: Packet Capture" tool I can see that the traffic is going out on my WAN interface.
I had the same issue with the Unbound DNS service and a domain override for a domain through the tunnel. The solution there was to set the "Outgoing Network Interfaces" to my LAN interface.
Is it possible to set the outgoing interface for authentication servers?
Regards
IPsec will prohibit this by default for security reasons. The LDAP request needs to come from a Phase 2 left subnet. There's no way to configure this at the moment for authentication purposes.
Cheers,
Franco
Quote from: mimugmail on January 29, 2019, 02:45:07 PM
You could add the WAN IP to the IPsec SA or switch to LDAPS via WAN.
I'm doing the first in production with Cisco on the other side...
Ha, that sounds really cool! 8)
Quote from: mimugmail on January 30, 2019, 01:25:29 PM
Quote from: mimugmail on January 29, 2019, 02:45:07 PM
You could add the WAN IP to the IPsec SA or switch to LDAPS via WAN.
I'm doing the first in production with Cisco on the other side...
Maybe I have done something wrong in the configuration. I will try it again when I'm back in the office. I don't want to lock myself out.
I will give feedback on Friday or Monday.
PS: On the other side there is currently a pfSense; later this will be an OPNsense too.
Hi, I just want to confirm that adding the WAN IP to the IPsec SA is a successfully working solution.
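The following is an added worked example, not code from the thread or from OPNsense. It models the two mechanisms the thread turns on: source address selection for traffic the firewall itself originates (LDAP binds leave with the default route's interface address, i.e. the WAN IP, because the LDAP server is not on a connected subnet), and the IPsec policy lookup that only encrypts a packet whose source falls inside a Phase 2 local ("left") subnet. It shows why the packet capture saw cleartext LDAP on WAN, why the Unbound "Outgoing Network Interfaces: LAN" trick worked (source becomes the LAN address, which is inside the left subnet), and why adding the WAN IP as an extra Phase 2 local subnet fixed authentication. All addresses, interface names and the selector layout are constructed assumptions.

```python
import ipaddress

# Constructed example addresses (hypothetical, not from the thread).
LAN_IP = "192.168.1.1"           # firewall's LAN address
LAN_NET = "192.168.1.0/24"       # Phase 2 local ("left") subnet
WAN_IP = "203.0.113.10"          # firewall's WAN address (default route egress)
WAN_NET = "203.0.113.0/24"
REMOTE_NET = "10.10.0.0/16"      # Phase 2 remote ("right") subnet
LDAP_SERVER = "10.10.5.20"       # LDAP server behind the tunnel

# Directly connected networks as (interface, own address, network).
CONNECTED = [
    ("lan", LAN_IP, LAN_NET),
    ("wan", WAN_IP, WAN_NET),
]
DEFAULT_ROUTE_IF = ("wan", WAN_IP)


def build_spd(phase2_entries):
    """Turn (local, remote) subnet pairs into an ordered list of traffic selectors,
    the way a Phase 2 configuration is installed into the kernel's policy database."""
    return [(ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for local, remote in phase2_entries]


def firewall_source_address(dst, connected=CONNECTED, default_if=DEFAULT_ROUTE_IF):
    """Source address selection for packets the firewall itself originates.

    If dst is on a directly connected network the address of that interface is
    used; otherwise the address of the default route's egress interface is used.
    Returns (interface, source_ip).
    """
    d = ipaddress.ip_address(dst)
    for name, ip, net in connected:
        if d in ipaddress.ip_network(net):
            return name, ip
    return default_if


def select_path(spd, src, dst):
    """Outbound policy lookup for one packet.

    Returns the index of the first Phase 2 selector covering (src, dst), or
    None when no selector matches, in which case the packet is forwarded in
    the clear along the normal routing table (here: out the WAN).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (local, remote) in enumerate(spd):
        if s in local and d in remote:
            return idx
    return None


def ldap_bind_path(spd, forced_source=None):
    """Where an LDAP bind from the firewall to LDAP_SERVER ends up.

    forced_source emulates an "outgoing interface" setting that pins the source
    address; without it the normal source selection applies.
    """
    if forced_source is None:
        _, src = firewall_source_address(LDAP_SERVER)
    else:
        src = forced_source
    idx = select_path(spd, src, LDAP_SERVER)
    return src, ("ipsec" if idx is not None else "cleartext-wan")


# Phase 2 as originally configured: only the LAN subnet is a local selector.
SPD_BEFORE = build_spd([(LAN_NET, REMOTE_NET)])
# The fix from the thread: add the WAN IP (as a /32) as a second local subnet.
SPD_AFTER = build_spd([(LAN_NET, REMOTE_NET), (WAN_IP + "/32", REMOTE_NET)])


if __name__ == "__main__":
    print("before fix:", ldap_bind_path(SPD_BEFORE))
    print("unbound-style LAN source:", ldap_bind_path(SPD_BEFORE, forced_source=LAN_IP))
    print("after fix:", ldap_bind_path(SPD_AFTER))
```

With the original selectors the bind leaves from the WAN address, matches no selector and is sent in the clear, exactly what the packet capture on WAN showed; a static route or outbound NAT does not change the source address the policy lookup sees, which is why those attempts failed. A LAN-sourced packet (the Unbound workaround) or a selector that explicitly covers the WAN address (the confirmed fix) both match and get encrypted.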