LDAP over IPsec?

L1 Bithead

Hello.

I'm trying to configure UserID via our domain controllers in AWS.

The setup:

We have an HA PA-820 pair on-prem connected to our domain in AWS via a redundant IPsec tunnel.  Traffic is passing between LAN and IPsec zones; on-prem workstations can ping both domain controllers.  I have configured an LDAP Server Profile, an Authentication Profile, and User Identification.

The problem:

When I went to set up an LDAP Server Profile, the "Base DN" dropdown did not auto-populate with our domain name, despite the domain controllers' addresses having been entered into the appropriate field.  I've manually entered the Base DN, in hopes that it might work, anyway.  However, when I try to test the LDAP configuration, I get this:

test authentication authentication-profile domain.org-auth-profile username user@domain.org password
Enter password :

Server error :domain.org-auth-profile is invalid authentication-profile.Current target-vsys is none
test -> authentication -> authentication-profile is invalid

In Device > Setup > Service Route Configuration, I have configured LDAP to go through the LAN interface, to no avail.  Configuring it to go through one of the tunnel interfaces also hasn't worked.  I have configured a security rule to allow traffic from Management to LAN, but I'm not seeing any hits on that rule in the traffic monitor.

What am I missing?

Any help you can provide would be very much appreciated.


Cyber Elite

Hello,

What do the traffic logs show? Do you have a policy that allows LDAP traffic? Filter by source and destination IPs and see if any of the traffic is getting denied or blocked.

Regards,

Thanks for the reply, Otakar.Klier.

There aren't any entries from the Management interface (192.169.1.245) to the DC, but there are some from the LAN interface (192.168.1.1) to the DCs (10.250.11.50 and 10.250.12.50).  Currently, I have rules allowing all LAN traffic to pass through the tunnel, in both directions.  Threat scanning and decryption have not yet been configured, so they shouldn't be blocking anything.  I also have rules allowing all traffic from Management to/from the tunnel (temporarily).  Curiously, neither of those rules is getting hit; instead, it's hitting the Internet egress rule from LAN to WAN.

Screenshot from 2018-10-11 13-47-53.png

Hello,

Based on the incomplete application log, I suspect a routing issue. Double-check the virtual router config and make sure that the AWS routes are pointed at your tunnel. That could explain why it's trying to go out the internet instead.

Hope that helps.

Hey @DaneMutters

100% what @OtakarKlier said. When the firewall is doing the route lookup, it is finding no route for the traffic which means it will just use the default route which evidently points to your WAN interface.

Add a static route for 10.250.12/24 (or etc) with interface of tunnel interface and no nexthop IP and your issue will be resolved.

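To see why the LDAP probes landed on the LAN-to-WAN egress rule, it helps to walk the lookup the answer above describes. The management plane sources the LDAP query from the interface chosen in the service route (here the LAN interface, 192.168.1.1); the virtual router then does a longest-prefix match on the destination. With nothing more specific than 0.0.0.0/0 covering 10.250.11.0/24 or 10.250.12.0/24, the default route wins, the egress interface is the WAN one, and policy is evaluated as LAN to WAN. The script below is an added example, not code from the thread or from PAN-OS; its routing table, interface names (ethernet1/1, ethernet1/2, tunnel.1, tunnel.2), zone mapping and WAN gateway 203.0.113.1 are constructed assumptions, and the choice of one /24 per tunnel is also assumed.

```python
"""Route lookup for the thread's topology: why LDAP to the DCs hit the LAN->WAN rule.

Added example, not code from the original thread or from PAN-OS. The routing
table is constructed to match what the poster describes: a default route out
the WAN interface plus the LAN subnet, and the static routes from the accepted
answer (tunnel interface, no next hop). Interface names, zone names and the
WAN gateway 203.0.113.1 (TEST-NET-3) are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    nexthop: Optional[ipaddress.IPv4Address]  # None: interface-only route


def route(prefix: str, interface: str, nexthop: Optional[str] = None) -> Route:
    return Route(
        ipaddress.ip_network(prefix),
        interface,
        ipaddress.ip_address(nexthop) if nexthop else None,
    )


# Assumed interface -> zone mapping (the thread names the zones LAN, IPsec and WAN).
ZONE = {
    "ethernet1/1": "WAN",
    "ethernet1/2": "LAN",
    "tunnel.1": "IPsec",
    "tunnel.2": "IPsec",
}

# Constructed table before the fix: nothing more specific than 0.0.0.0/0 covers 10.250.x.0/24.
BEFORE_FIX: List[Route] = [
    route("0.0.0.0/0", "ethernet1/1", "203.0.113.1"),  # default route -> WAN (assumed gateway)
    route("192.168.1.0/24", "ethernet1/2"),            # LAN connected route
]

# The static routes the accepted answer asks for: destination + tunnel interface, no next hop.
# Assumption: one DC subnet per tunnel.
TUNNEL_STATICS: List[Route] = [
    route("10.250.11.0/24", "tunnel.1"),
    route("10.250.12.0/24", "tunnel.2"),
]

AFTER_FIX: List[Route] = BEFORE_FIX + TUNNEL_STATICS


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_interface(table: List[Route], dest: str) -> Optional[str]:
    r = lookup(table, dest)
    return r.interface if r else None


def rule_pair(table: List[Route], src_interface: str, dest: str) -> Optional[str]:
    """Zone pair a security policy is evaluated against, e.g. 'LAN->IPsec'."""
    egress = egress_interface(table, dest)
    if egress is None:
        return None
    return f"{ZONE[src_interface]}->{ZONE[egress]}"


if __name__ == "__main__":
    for label, table in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for dc in ("10.250.11.50", "10.250.12.50"):
            print(f"{label}: LDAP to {dc} sourced from ethernet1/2 -> "
                  f"{egress_interface(table, dc)} ({rule_pair(table, 'ethernet1/2', dc)})")
```

Run it and the "before fix" lines show both DCs egressing via ethernet1/1 as LAN->WAN, which is exactly the rule the poster saw hits on; after adding the interface-only static routes the same destinations resolve to the tunnel interfaces and the LAN->IPsec rule. The same reasoning applies if the service route is pointed at a tunnel interface: the source interface changes, but the destination lookup still needs a route to the DC subnets.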
That did the trick!  I added static routes for both tunnels, and now it's working.  Thank you, both!
