IPSec/L2TP smartcard authentication after migration from USG 200 to VPN 300
I recently migrated from a USG 200 to a VPN 300 appliance. Almost everything works as expected, but I have some trouble getting L2TP via IPSec to work as it did before on the old device.
The scenario is as follows:
IPSec IKEv1 gateway using certificate authentication and L2TP allowing Active Directory users to connect. The authentication method is configured on "group ad". The AAA server is reachable and resolves any users correctly.
This setup just works on the USG 200, but when it comes to the new VPN 300, the tunnel gets established successfully (IKE log) and the internal RADIUS logs a successful authentication. Normally (on the USG) this is followed by a log entry like "User xxx has been granted an L2TP over IPSec session." and the connection is established. But with the new VPN 300, the tunnel gets disconnected and Windows clients will get an error 619.
I'm quite out of ideas right now because I'm doing basically the same things on both devices?!
USG 200 is on FW 3.30 AQU7, VPN 300 on 4.31 ABFC2
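The post describes a three-stage sequence that should appear in the device log for every client: the IKE tunnel comes up, the internal RADIUS server accepts the user, and then the "granted an L2TP over IPSec session" entry follows. The script below is an added example, not part of the original post or of Zyxel's firmware; it correlates those three stages over a few constructed log lines and reports users who passed RADIUS but never received the L2TP grant, which is exactly the failure pattern described. Only the grant message wording is quoted from the post; the rest of the log format (timestamps, the "IKE:" and "RADIUS:" prefixes, the tunnel and authentication phrasings) is an assumption and must be adapted to the real log export.

```python
import re

# Constructed sample log. Only the L2TP grant wording is taken from the post;
# every other line format here is an assumption, not Zyxel's actual syntax.
SAMPLE_LOG = """\
2024-01-01 10:00:01 IKE: Tunnel built successfully, peer 203.0.113.10
2024-01-01 10:00:02 RADIUS: User alice has been authenticated successfully
2024-01-01 10:00:03 L2TP: User alice has been granted an L2TP over IPSec session.
2024-01-01 10:05:01 IKE: Tunnel built successfully, peer 203.0.113.11
2024-01-01 10:05:02 RADIUS: User bob has been authenticated successfully
2024-01-01 10:05:05 IKE: Tunnel disconnected, peer 203.0.113.11
"""

# Patterns for the three stages plus tunnel teardown (assumed formats).
IKE_UP = re.compile(r"IKE: Tunnel built successfully, peer (\S+)")
IKE_DOWN = re.compile(r"IKE: Tunnel disconnected, peer (\S+)")
RADIUS_OK = re.compile(r"RADIUS: User (\S+) has been authenticated successfully")
L2TP_GRANT = re.compile(r"User (\S+) has been granted an L2TP over IPSec session")


def diagnose(log_text):
    """Walk the log once and record the last known state per user and per IKE peer.

    users:   username -> "authenticated" (RADIUS accepted) or "granted" (L2TP session started)
    tunnels: peer address -> "up" or "down"
    """
    users = {}
    tunnels = {}
    for line in log_text.splitlines():
        if m := IKE_UP.search(line):
            tunnels[m.group(1)] = "up"
        elif m := IKE_DOWN.search(line):
            tunnels[m.group(1)] = "down"
        elif m := RADIUS_OK.search(line):
            # Do not downgrade a user who was already granted a session.
            users.setdefault(m.group(1), "authenticated")
        elif m := L2TP_GRANT.search(line):
            users[m.group(1)] = "granted"
    return {"users": users, "tunnels": tunnels}


def stuck_users(log_text):
    """Users who passed RADIUS but never reached the L2TP grant stage.

    This is the symptom from the post: IKE up, RADIUS success, then the
    tunnel drops and the client reports error 619 instead of a session.
    """
    state = diagnose(log_text)["users"]
    return sorted(user for user, stage in state.items() if stage != "granted")


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("tunnels:", result["tunnels"])
    print("users:", result["users"])
    print("authenticated but no L2TP grant:", stuck_users(SAMPLE_LOG))
```

Run it against an exported log (after adjusting the regular expressions to the real message formats) to see at a glance whether the failure is consistent for every user or only for some accounts, which narrows the problem to the L2TP/AAA hand-off rather than to IKE or RADIUS.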
All Replies
Here is the log for reference. As you can see, the IPSec tunnel is established, the RADIUS authenticates the user, but the L2TP connection won't start.
Hi @Henning
I will send you a private message to check this issue in more detail.