Author Topic: [SOLVED] User authentication with LDAP through ipsec tunnel (Read 8472 times)

jmeyer · « **on:** January 29, 2019, 09:51:01 am »

Hello,

I would like to authenticat users through our central LDAP server witch is only reachable through a ipsec tunnel.

I think the authentication go through the wrong (WAN) gateway and is not using the ipsec tunnel. Is it possible to specific the gateway witch should be used for the authentication server?

I'm using opnsense 18.7.10

best regards,
Julian

guest19757 · « **Reply #1 on:** January 29, 2019, 10:07:10 am »

Hello there,

Out of curiosity, I haven't looked at the options in the configuration, I wonder if a outbound NAT or routing table modification? This assumes that LDAP is on a different subnet? These are just workaround suggestions.

Regards

mimugmail · « **Reply #2 on:** January 29, 2019, 02:45:07 pm »

You could add WAN IP to IPSEC SA or switch to LDAPS via WAN.

jmeyer · « **Reply #3 on:** January 30, 2019, 11:18:36 am »

Hello,

I tried an outbound NAT, a static route and also adding WAN IP to IPSEC SA of the tunnel. Nothing worked.

With the "Diagnostics: Packet Capture" tool I can see that the traffic is going out on my WAN interface.

I had the same issue with the Unbound DNS service and a domain overwrite of a domain through the tunnel. The solution here was to set the "Outgoing Network Interfaces" to my LAN interface.

Is it possible to set the Outgoing Interfaces for authentication servers?

regards

franco · « **Reply #4 on:** January 30, 2019, 12:22:52 pm »

IPsec will prohibit this by default for security reasons. The LDAP request needs to come from a Phase 2 left subnet. There's no way to configure this at the moment for authentication purposes.

Cheers,
Franco

mimugmail · « **Reply #5 on:** January 30, 2019, 01:25:29 pm »

Quote from: mimugmail on January 29, 2019, 02:45:07 pm

You could add WAN IP to IPSEC SA or switch to LDAPS via WAN.

I'm doing the first in productin with Cisco at the other side ..

franco · « **Reply #6 on:** January 30, 2019, 01:34:05 pm »

Ha, that sounds really cool!

jmeyer · « **Reply #7 on:** January 30, 2019, 02:40:19 pm »

Quote from: mimugmail on January 30, 2019, 01:25:29 pm

Quote from: mimugmail on January 29, 2019, 02:45:07 pm
You could add WAN IP to IPSEC SA or switch to LDAPS via WAN.

I'm doing the first in productin with Cisco at the other side ..

Maybe I have done something wrong on the configuration. I will try it again if i'm back in the office. I don't won't to lock me out.

I will give feedback on Friday or monday.

PS: On the other side is currently a pfsense, later this will be an opnsense too.

jmeyer · « **Reply #8 on:** February 04, 2019, 09:59:23 am »

Hi, I just like to confirm, that adding the WAN IP to IPSEC SA is a successfully working solution.

Author Topic: [SOLVED] User authentication with LDAP through ipsec tunnel (Read 8472 times)

jmeyer

[SOLVED] User authentication with LDAP through ipsec tunnel

guest19757

Re: User authentication with LDAP through ipsec tunnel

mimugmail

Re: User authentication with LDAP through ipsec tunnel

jmeyer

Re: User authentication with LDAP through ipsec tunnel

franco

Re: User authentication with LDAP through ipsec tunnel

mimugmail

Re: User authentication with LDAP through ipsec tunnel

franco

Re: User authentication with LDAP through ipsec tunnel

jmeyer

Re: User authentication with LDAP through ipsec tunnel

jmeyer

Re: User authentication with LDAP through ipsec tunnel