L2TP connection fails with macOS Ventura, but works with Windows
I'm trying to connect a MacBook running macOS Ventura (13.4.1), fully updated, via L2TP VPN.
With the same Zyxel-device username, Windows 10 works without issues. With macOS, both the OS and the firewall tell me that the username and password are incorrect, even though they are correct.
The device is a fully updated (5.37) USG Flex 100 W. For creating the VPN on the client, I used this tutorial:
https://support.zyxel.eu/hc/en-us/articles/360001390914
Another VPN client is already installed, but it was shut down during the tests.
Any hint is appreciated. I am not allowed (currently) to share logs or to allow remote access to the device (USG Flex 100 W).
Accepted Solution
@mMontana Sorry for the late reply.
If your firewall is behind NAT, you need to manually change the local policy to the public IP and allow IKE, NATT, and L2TP-UDP on the WAN interface. You may refer to this clip.
Moreover, regarding the username/password incorrect issue, there is a case that some users may encounter: the user account reaches the maximum number of simultaneous logins. When it reaches the limit, it rejects the login and shows "username/password incorrect". You may enable "user idle detection" to force the idle user to log out.
All Replies
It's hard to troubleshoot further without VPN logs or remote access. Anyway, I suspect the proposal is the root cause; you may check the logs yourself, since the logs cannot be shared with me.
Moreover, I can confirm that macOS L2TP VPN can work with USG FLEX 100 5.37. I created the VPN profile with the quick setup wizard, and I didn't change any proposal settings. Please refer to this article:
The L2TP connection was set up on a USG60W with ZLD 4.x firmware, not using the procedure, so the proposals were the defaults for that generation of product with the wizard; the log confirms that the issue seems to be the password and/or the username.
The current L2TP setup is not recognized by the procedure; I will follow the new wizard as a troubleshooting step.
FYI: Phase 1
Old proposals
Current proposals
Phase 2
Old proposals
Current proposals
I'm amazed how 3DES is deprecated while still massively used as a default.
I re-created the VPN using the wizard and the data I need. The same L2TP script I used for Microsoft Windows works anyway.
One more question: the WAN interface used for the connection has a private IP address, not a public one.
Can the wizard correctly manage that? In the ZLD 4.x L2TP procedures I had to use the public IP address as the Local Policy object.
@mMontana So creating the VPN profile with the quick wizard did not help?
Does the password include any special characters? Could you try a simple password with only numbers/letters?
In reverse order: the password, as per the default policy, requires a special character, so there is one. The special character is -
The scripts generated from the wizard contain the WAN interface IP address (which is private) and not the static IP of the connection (which is public and managed by the ISP CPE). They did not work.
The new VPN connection and gateway have been created, and the connection is slightly different from the older one. The IP policy in the connection, as stated, no longer requires the effective public IP address of the USG device.
Both connections worked with Windows; I'm waiting for an answer from the macOS user.
@mMontana I would like to know whether it's a local user account or an AD user account.
Updates:
I somehow virtualized Ventura, updated it to 13.4.5, and I was able to connect to the wizard-created L2TP tunnel. However, my test does not validate it as "working"; only the end user can validate that.
And he's on holidays.
@Zyxel_James only local users for this setup.
Would you please kindly answer the following:
- The WAN interface used for the connection has a private IP address, not a public one. Can the wizard correctly manage that? In the ZLD 4.x L2TP procedures I had to use the public IP address as the Local Policy object.
- The scripts generated from ZLD 5.37 used the WAN interface address, not the public IP address. Can they be manually edited to use the correct information?
- macOS did not import the .mobileconfig file that I edited with the correct (public) IP address. Is this due to some checksum needed in the file?
Thanks for your time.
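Two points in this thread, the accepted answer's note that a firewall behind NAT needs its local policy pointed at the public IP, and the question above about a hand-edited .mobileconfig that macOS refused to import, both come down to checking what a generated profile actually contains before a remote user installs it. The script below is an added example written for this page; it is not Zyxel's wizard output and not anything posted in the thread. It assumes an unsigned .mobileconfig, which is a plain XML plist, and uses the key names Apple documents for L2TP VPN payloads (a PPP dictionary whose CommRemoteAddress is the server, an IPSec dictionary carrying the shared secret); the embedded profile is constructed, with placeholder names and addresses. It flags a server address that is private (and therefore unreachable from outside the NAT), and it rewrites the address through the plist library so that the result is still a well-formed plist. A profile that has been signed would need to be re-signed after such an edit.

```python
import ipaddress
import plistlib

# Constructed sample: an unsigned .mobileconfig (XML plist) with one L2TP VPN
# payload, laid out like Apple's configuration-profile format. Not a file from
# the thread; names, UUIDs and addresses are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.vpn.l2tp</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.vpn.l2tp.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>UserDefinedName</key><string>Office L2TP (constructed)</string>
      <key>VPNType</key><string>L2TP</string>
      <key>PPP</key>
      <dict>
        <key>AuthName</key><string>vpnuser</string>
        <key>CommRemoteAddress</key><string>192.168.1.1</string>
      </dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><data>c2VjcmV0</data>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def load_profile(raw: bytes) -> dict:
    """Parse profile bytes as a plist; raises on anything not well-formed."""
    return plistlib.loads(raw)


def validate_profile(raw: bytes):
    """Return None when the bytes parse as a plist, else a short error string."""
    try:
        load_profile(raw)
    except Exception as exc:  # plistlib raises expat or InvalidFileException variants
        return f"not a well-formed plist: {exc}"
    return None


def vpn_payloads(profile: dict) -> list:
    """All VPN payloads inside the top-level Configuration payload."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == VPN_PAYLOAD_TYPE]


def l2tp_server(payload: dict) -> str:
    """For an L2TP payload the server address lives in PPP/CommRemoteAddress."""
    return payload["PPP"]["CommRemoteAddress"]


def is_private_address(addr: str) -> bool:
    """True for RFC 1918 and other non-routable literals; hostnames are not judged."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def audit_profile(raw: bytes) -> list:
    """Findings worth fixing before handing the profile to a user outside the NAT."""
    err = validate_profile(raw)
    if err:
        return [err]
    findings = []
    for p in vpn_payloads(load_profile(raw)):
        name = p.get("UserDefinedName", p.get("PayloadIdentifier", "?"))
        if p.get("VPNType") != "L2TP":
            findings.append(f"{name}: VPNType is {p.get('VPNType')!r}, not L2TP")
            continue
        server = l2tp_server(p)
        if is_private_address(server):
            findings.append(f"{name}: server {server} is a private address; "
                            "a client outside the NAT cannot reach it")
        if p.get("IPSec", {}).get("AuthenticationMethod") != "SharedSecret":
            findings.append(f"{name}: IPSec AuthenticationMethod is not SharedSecret")
    return findings


def rewrite_server(raw: bytes, new_server: str) -> bytes:
    """Set the server in every L2TP payload and re-serialise as a well-formed XML plist."""
    profile = load_profile(raw)
    for p in vpn_payloads(profile):
        if p.get("VPNType") == "L2TP":
            p["PPP"]["CommRemoteAddress"] = new_server
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print("finding:", f)
    # Placeholder hostname; in practice this is the public address in front of the USG.
    fixed = rewrite_server(SAMPLE_PROFILE, "vpn.example.net")
    print("after rewrite:", audit_profile(fixed) or "no findings")
```

Run it against a wizard-generated profile by replacing SAMPLE_PROFILE with the file's bytes. A one-character slip while hand-editing the XML makes validate_profile report a parse error, which is the first thing to rule out when macOS rejects an edited profile.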
We have an older USG 1000 with lots of L2TP connections for MacBook users. One of our users upgraded to Ventura, and the L2TP tunnel stopped working, as you describe.
The L2TP tunnel works after deleting the Mac L2TP tunnel profile and rebuilding it.
If you're still having problems, I can check some settings on the Mac; perhaps that will help. We also route all traffic through the L2TP VPN once connected.
We have 15 or so Macs for outside sales reps that use the L2TP daily.
@mm_bret Thanks for sharing your experience.
I managed to install and update Ventura; however, my client still won't try to connect/recreate the L2TP connection.
Now I have evidence that everything works as intended, however… it is a PITA to destroy-then-redo (more or less) the VPN connection from the USG60W flavour to the USG Flex 100W flavour.
Since the 10th of August my last post has not been answered by Zyxel_James or any representative.
Mr Zyxel_James might be on holiday leave; IDK about other representatives.
Unsatisfied is not enough to describe my feeling.
I'm obliged to review my disappointment and the perceived lack of professionalism from the Zyxel team.
Almost 40 days since my question, still unanswered.