IPSec/L2TP smartcard authentication after migration from USG 200 to VPN 300
I recently migrated from a USG 200 to a VPN 300 appliance. Almost everything works as expected, but I have some trouble getting L2TP via IPSec to work as it did before on the old device.
The scenario is as follows:
IPSec IKEv1 gateway using certificate authentication and L2TP allowing Active Directory users to connect. The authentication method is configured on "group ad". The AAA server is reachable and resolves any users correctly.
This setup just works on the USG 200, but when it comes to the new VPN 300, the tunnel gets established successfully (IKE log) and the internal RADIUS logs a successful authentication. Normally (on the USG) this is followed by a log entry like "User xxx has been granted an L2TP over IPSec session." and the connection is established. But with the new VPN 300, the tunnel gets disconnected and Windows clients will get an error 619.
I'm quite out of ideas right now because I'm doing basically the same things on both devices?!
USG 200 is on FW 3.30 AQU7, VPN 300 on 4.31 ABFC2
All Replies
Here is the log for reference. As you can see, the IPSec tunnel is established, the RADIUS authenticates the user, but the L2TP connection won't start.
Hi @Henning
I will send you a private message to check this issue in more detail.