IPSec/L2TP smartcard authentication after migration from USG 200 to VPN 300

henning Posts: 2
First Comment
edited April 2021 in Security
I recently migrated from an USG 200 to a VPN 300 appliance. Almost everything works as expected, but I have some trouble getting L2TP via IPSec to work as it did before on the old device.
The scenario is as follows:

IPSec IKEv1 gateway using certificate authentication and L2TP allowing Active Directory users to connect. The authentication method is configured on "group ad". The AAA server is reachable and resolves any users correctly.

This setup just works on the USG 200, but when it comes to the new VPN 300, the tunnel gets established successfully (IKE log) and the internal RADIUS logs a successfull authentication. Normally (on the USG) this is followed by a log entry like "User xxx has been granted an L2TP over IPSec session." and the connection is established. But with the new VPN 300, the tunnel gets disconnected and Windows clients will get an error 619.

I'm quite out of ideas right now because, I'm doing basically the same things on both devices?!

USG 200 is on FW 3.30 AQU7, VPN 300 on 4.31 ABFC2

All Replies

  • henning
    henning Posts: 2
    First Comment
    edited August 2018
    Here is the log for reference. As you can see, the IPSec tunnel is established, the RADIUS authenticates the user, but the L2TP connection won't start.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Henning
    I will send you private message to check this issue more detail.

Security Highlight