Connecting to Active Directory (AD) via IPSEC

samnet · August 18, 2020, 01:37:18 PM

Dear sirs;
Im trauggling to find a proper way to connect my opnsense to active directory via ipsec vpn tunnel.
Im sure it will not be the case for ovpn. but the main problem the DC that has AD in is actually using those terrible licensed firewalls that has only ipsec and kerio vpn. so I have configured the ipsec and opnsense is conecting via ipsec to DC and I can ping the AD server.
the crazy part is that I cant get the opnsense to join the AD. Ive done a packet capture and what Im seeing it that AD isnt giving a clear replies. and the funny part is that IPSEC is actually throwing the WAN ip as source. which is bit funny, but can someone share his experience on this??
can this work?
Firewall on AD windows 2012 is off btw.

mimugmail · August 18, 2020, 04:54:54 PM

You have to add the wan IP to phase2 in IPsec.

samnet · August 18, 2020, 10:58:45 PM

thx for this, can you pls explain more on how to do this?

mimugmail · August 19, 2020, 07:40:58 AM

Add a second phase2 to your IPsec, local net is WAN IP with /32 and remote net is LAN of DC

samnet · August 19, 2020, 04:41:24 PM

this is done already from what I recall, the way packets are shown is
Wanip 72.xx.xx.96:45556 to AD server ip 10.xx.x.2:389
ive done a packet capture and I can see 5 requests coming out but no AD handshake

mimugmail · August 19, 2020, 08:31:47 PM

Screenshot of phase2 please

Connecting to Active Directory (AD) via IPSEC

samnet

August 18, 2020, 01:37:18 PM

mimugmail

August 18, 2020, 04:54:54 PM #1

samnet

August 18, 2020, 10:58:45 PM #2

mimugmail

August 19, 2020, 07:40:58 AM #3

samnet

August 19, 2020, 04:41:24 PM #4

mimugmail

August 19, 2020, 08:31:47 PM #5