Sangfor Community»Categories Products IPSec/SSL VPN LDAP Authentication via IPsec Tunnel

LDAP Authentication via IPsec Tunnel

views: 1999 | comments: 3 | added to Favorites 0
Lights on | 提示:支持键盘翻页<-左 右->
    组图打开中,请稍候......
Created: 07 Aug 2024 18:55

Summary:

We are facing issue with integrate AD to sangfor firewall. Firewall is on branch location and AD is located on Head Office. Head Office having Palo Alto firewall. So we created IPsec tunnel and now L ...

Reply

Sheikh_Shani Posted 31 Aug 2024 13:18
Hello Dear

It sounds like you have set up an IPsec tunnel successfully, allowing users on the branch LAN to access the Active Directory (AD) server located at the Head Office. However, the issue arises when the Sangfor firewall tries to authenticate with the AD server.

The firewall's command line interface (CLI) cannot reach the AD server, even though LAN users can. This suggests that there might be a network configuration issue, such as routing or access control lists (ACLs), preventing the firewall from accessing the AD server over the IPsec tunnel.

You should check:
1. Routing configurations on the Sangfor firewall to ensure traffic is directed correctly through the tunnel.
2. Any firewall rules or ACLs on both the Sangfor and Palo Alto firewalls that might block the authentication attempts.
3. Ensure that the correct IP address of the AD server is used in the firewall configurations.

By resolving these issues, the firewall should be able to authenticate with the AD server.
Zonger Posted 29 Aug 2024 19:23
It is because, the firewall is initiating the authentication request to the AD server. When the firewall attempts to authenticate with the AD server, it sends an authentication request to the AD server's IP address, and the AD server responds with an authentication response. The firewall needs to have a direct or indirect connection (through the IPsec tunnel) to the AD server's IP address in order to receive this response. This is a requirement for the Active Directory authentication protocol to function correctly.
admin Posted 23 Aug 2024 14:38
When deploying NGAF 7.5.1 in a Layer 2 environment with virtual wire and behavior management (bridge), issues may arise where wireless VLANs cannot obtain IP addresses via DHCP. This is often due to the default application control policies blocking DHCP DISCOVER packets, which have a source IP of 0.0.0.0 and a destination IP of 255.255.255.255.

Possible Solution:
1) Application Control Policies: Ensure policies allow DHCP traffic by setting both source and destination IPs to "all" and explicitly allowing the DHCP protocol.

2) DHCP Relay Configuration: For environments using DHCP relay, configure the relevant interfaces for both client-side and server-side communication to ensure proper packet transmission.