Christoph Lösch's questions

We use Azure AD Domain Services and want to use it to authenticate to our local WiFi. For that we want to know, how secure the option "Enable secure LDAP access over the internet" is.

The article Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain is interesting but also does not state anything about securing the LDAPS access or somehow limit it.

Because it seems not possible to define source-ip-addresses, we guess that after enabling it, Azure AD is really public accessible, is that true?

Which options are there to limit the access?

What is the recommended way to do that?

Basically I'm trying to connect a pfSense to an EdgeRouter via IPsec site2site.
(public ip networks obfuscated by '1.2.')

             [pfsense] <-> [edgerouter]  
public: 1.2.156.229/30 <-> 1.2.112.249/30
tunnel: 10.5.44.100/24 <-> 10.20.30.100/24

IPsec settings on both sites:
phase1: IKEv2 PSK AES128 SHA1 DH2
phase2: ESP AES128 SHA1

EdgeRouter has Internet access via mesh-routed OLSR, so its gateway is commonly non-local and is also subject to change if the mesh network changes. This is intended this way by OLSR so its not wrong in this setup that the gateway is not on same subnet.

The tunnel/connection is up but there is no traffic passing through it, so after raising strongswan kernel loglevel and digging in charon.log on both sites, I found a problem with setting up routes on EdgeRouter:

charon.log on edgerouter:

Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting a local address in traffic selector 10.20.30.0/24
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using host 10.20.30.100
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 207: => 52 bytes @ 0x711f80a8
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 34 00 00 00 1A 00 01 00 CF 00 00 00 6A 6B 00 00  4...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 00 00 00 00 00 00 00 00 00 00 00 08 00 10 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FF FF FF FF 08 00 07 00 4E 29 70 F9 08 00 01 00  ........N)p.....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: C1 EE 9C E5                                      ....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received RTM_NEWROUTE 207: => 112 bytes @ 0x604f58
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 70 00 00 00 18 00 00 00 CF 00 00 00 6A 6B 00 00  p...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 20 00 00 FE 00 00 01 00 02 00 00 08 00 0F 00  . ..............
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FE 00 00 00 08 00 01 00 C1 EE 9C E5 08 00 04 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 0A 00 00 00 08 00 07 00 4E 29 70 F9 08 00 05 00  ........N)p.....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 4E 29 76 75 08 00 10 00 FF FF FF FF 24 00 0C 00  N)vu........$...
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   80: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using 1.2.118.117 as nexthop to reach 1.2.156.229/32
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> 1.2.112.249 is on interface br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> installing route: 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting iface index for br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_NEWROUTE 208: => 60 bytes @ 0x711f8090
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 3C 00 00 00 18 00 05 06 D0 00 00 00 6A 6B 00 00  <...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 18 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 0A 05 2C 00 08 00 07 00 0A 14 1E 64 08 00 05 00  ..,........d....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 4E 29 76 75 08 00 04 00 0A 00 00 00              N)vu........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received (2) 208: => 80 bytes @ 0x604fe8
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 50 00 00 00 02 00 00 00 D0 00 00 00 6A 6B 00 00  P...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: FD FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 6A 6B 00 00 02 18 00 00 DC 04 00 01 00 00 00 00  jk..............
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 08 00 01 00 0A 05 2C 00 08 00 07 00 0A 14 1E 64  ......,........d
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 08 00 05 00 4E 29 76 75 08 00 04 00 0A 00 00 00  ....N)vu........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> unable to install source route for 10.20.30.100
Mar  4 23:27:27 12[IKE] <peer-1.2.156.229-tunnel-1|1> CHILD_SA peer-1.2.156.229-tunnel-1{2} established with SPIs c042bc69_i c46929b0_o and TS 10.20.30.0/24 === 10.5.44.0/24
Mar  4 23:27:40 11[KNL] creating roam job due to route change
Mar  4 23:27:40 11[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 209: => 52 bytes @ 0x719f8888

I tried to reproduce the error to understand whats going wrong.

# # reproduce error:
# ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process

# # check default route and local ip address:
# ip route show | grep 0.0.0.0
0.0.0.0/1 via 1.2.118.117 dev br0  metric 2 onlink
# ip -f inet address show br0
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 1.2.112.249/30 brd 1.2.112.251 scope global br0
# ip -f inet address show br1
11: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc noqueue state UP group default
    inet 10.20.30.100/24 brd 10.20.30.255 scope global br1

# # try to narrow down the problem
# ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process
# ip route add 10.5.44.0/24 src 10.20.30.100 dev br1
# ip route change 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process

Now I don't understand what rtnetlink is missing or what is wrong with gateway?

Searching for the strongswan or rtnetlink errors, does not give anything special as answer, just general explanations which i already understand. My next guess would be, I missed something while setting up this tunnel? The EdgeRouter has a bridge interface(br0) with public ip for internet access and a second bridge interface(br1) with local ip for mgmt network.

Also I checked this article describing IPsec on EdgeRouter and my configuration is nearly same, aside that I'm using bridge interfaces and IKEv2 (instead described IKEv1).

Digging deeper just got me to What CAN cause 'RTNETLINK answers : No such process' when adding a route and now I'm out of ideas what could be wrong.