L2TP connection fails with Mac OS Ventura, but works with Windows

mMontana Posts: 1,325  Guru Member
edited August 2023 in Security

I'm trying to connect via L2TP VPN a MacBook with Mac OS Ventura (13.4.1) fully updated.

With the same zyxel-device username, Windows 10 works without issues. With Mac OS, both the OS and the firewall tell me that the username and password are incorrect, although they are correct.

Device is a fully updated (5.37) USG Flex 100 W. For creating the VPN on the client, I used this tutorial.
https://support.zyxel.eu/hc/en-us/articles/360001390914

Another VPN Client is already installed, but was shut down during tests.

Any hint is appreciated; I am not (currently) allowed to share logs or allow remote access to the device (USG Flex 100 W).

Accepted Solution

    Zyxel_James Posts: 624  Zyxel Employee

    @mMontana Sorry for the late reply.

    If your firewall is behind NAT, you need to manually change the local policy to the public IP and allow IKE, NAT-T, and L2TP-UDP on the WAN interface. You may refer to this clip.

    Moreover, regarding the username/password incorrect issue, there is a case that some users may encounter, that is, the user account reaches the max number of simultaneous logins. When it reaches the limit, it rejects the login and shows "username/password incorrect". You may enable "user idle detection" to force idle users to log out.


All Replies

    Zyxel_James Posts: 624  Zyxel Employee

    @mMontana

    It's hard to troubleshoot further without VPN logs or remote access. Anyway, I suspect the proposal is the root cause; you may check the logs yourself since they cannot be shared with me.

    Moreover, I can confirm that macOS L2TP VPN can work with USGFLEX100 5.37. I created the VPN profile with the quick setup wizard, and I didn't change any proposal settings. Please refer to this article:

    mMontana Posts: 1,325  Guru Member

    The L2TP connection was realized on a USG60W with ZLD 4.x firmware, not using the procedure, so the proposals were the defaults for that generation of product with the wizard; the log confirms that the issue seems to be the password and/or the username.

    The current L2TP setup is not recognized by the procedure; I will follow the new wizard as a troubleshooting step.

    mMontana Posts: 1,325  Guru Member
    edited August 2023

    FYI: Phase 1: old proposals / current proposals (attachment not preserved).

    Phase 2: old proposals / current proposal (attachment not preserved).

    I'm amazed that 3DES is deprecated
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

    while still massively used as a default.

    I re-created the VPN using the wizard and the data I need. With the same L2TP script I used for Microsoft Windows, it works anyway.

    One more question: the WAN interface used for the connection has a private IP address, not a public one.
    Can the wizard correctly manage that? In ZLD 4.x L2TP procedures I had to use the public IP address as the Local policy object.

    Zyxel_James Posts: 624  Zyxel Employee

    @mMontana so creating the VPN profile with the quick wizard is no help?

    Does the password include any special characters? Could you try a simple password with only numbers/letters?

    mMontana Posts: 1,325  Guru Member

    In reverse order: the password, by default policy, requires a special character, so there is one. The special character is -

    Scripts generated from the wizard contain the WAN interface IP address (which is private) and not the static IP of the connection (which is public and managed by the ISP CPE). They did not work.

    The new VPN connection and gateway have been created, and the connection is slightly different from the older one. The IP policy in the connection, as stated, no longer requires the effective public IP address of the USG device.

    Both connections worked with Windows; I'm waiting for an answer from the Mac OS user.

    Zyxel_James Posts: 624  Zyxel Employee

    @mMontana I would like to know whether it's a local user account or an AD user account.

    mMontana Posts: 1,325  Guru Member

    Updates:

    I virtualized Ventura somehow, updated to 13.4.5 and was able to connect to the wizard-created L2TP tunnel. However, my test does not validate it as "working"; only the end user can validate.
    And he's on holidays.

    @Zyxel_James only local users for this setup.
    Would you please kindly answer:
    - the WAN interface used for the connection has a private IP address, not a public one. Can the wizard correctly manage that? In ZLD 4.x L2TP procedures I had to use the public IP address as the Local policy object
    - scripts generated from ZLD 5.37 used the WAN interface address, not the public IP address. Can they be manually edited to use the correct information?
    - MacOS X did not import the .mobileconfig file I edited with the correct (public) IP address. Is that due to some checksum needed in the file?

    Thanks for your time.
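Added example, not from the thread, Zyxel or Apple: a small Python check for the situation raised in the questions above and in the accepted answer, a wizard-generated L2TP profile that carries the firewall's NAT-side WAN address instead of the public IP. It assumes the generated script is a standard unsigned Apple VPN payload (keys `IPSec.RemoteAddress` and `PPP.CommRemoteAddress`) and the sample profile is constructed; an XML .mobileconfig has no checksum and can be edited by hand, but a CMS-signed profile is DER rather than XML and must be re-signed after editing.

```python
import ipaddress
import plistlib
# Constructed sample (not a Zyxel-generated file); server address is the firewall's private WAN IP.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>VPNType</key><string>L2TP</string>
  <key>IPSec</key><dict>
   <key>AuthenticationMethod</key><string>SharedSecret</string>
   <key>RemoteAddress</key><string>192.168.1.2</string>
  </dict>
  <key>PPP</key><dict>
   <key>CommRemoteAddress</key><string>192.168.1.2</string>
  </dict>
 </dict></array>
</dict></plist>
"""
# RFC 1918 plus CGNAT (100.64/10): a WAN address in these ranges sits behind the ISP's NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(addr):
    try:
        return any(ipaddress.ip_address(addr) in n for n in NAT_RANGES)
    except ValueError:
        return False  # a hostname is acceptable as the server address

def vpn_payloads(profile):
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]

def check_profile(data):
    """Return findings for an L2TP .mobileconfig; an empty list means it looks consistent."""
    if not data.lstrip().startswith(b"<"):
        return ["profile is signed or binary; edit the XML source and re-sign"]
    findings = []
    for p in vpn_payloads(plistlib.loads(data)):
        ipsec_addr = p.get("IPSec", {}).get("RemoteAddress")
        if ipsec_addr != p.get("PPP", {}).get("CommRemoteAddress"):
            findings.append("IPSec.RemoteAddress and PPP.CommRemoteAddress differ")
        if behind_nat(ipsec_addr):
            findings.append(f"server address {ipsec_addr} is a NAT-side IP; use the public IP")
    return findings

def set_server_address(data, public_ip):
    # Rewrite both server-address keys and return the profile as XML bytes.
    profile = plistlib.loads(data)
    for p in vpn_payloads(profile):
        p.setdefault("IPSec", {})["RemoteAddress"] = public_ip
        p.setdefault("PPP", {})["CommRemoteAddress"] = public_ip
    return plistlib.dumps(profile)
```

Run `check_profile` on the wizard's script before importing it; if it flags a NAT-side address, write `set_server_address(data, "<public IP>")` back to a .mobileconfig and import that.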

    mm_bret Posts: 56  Ally Member

    We have an older USG 1000 with lots of L2TP connections for MacBook users. One of our users upgraded to Ventura, and the L2TP tunnel stopped working, as you describe.

    The L2TP tunnel works after deleting the Mac L2TP tunnel profile and rebuilding it.

    If you're still having problems, I can check some settings on the Mac; perhaps that will help. We also route all traffic through the L2TP VPN once connected.

    We have 15 or so Macs for outside sales reps that use the L2TP daily.

    mMontana Posts: 1,325  Guru Member
    edited September 2023

    @mm_bret thanks for your experience.

    I managed to install and update Ventura; however my client still won't try to connect/recreate the L2TP connection.
    Now I have evidence that everything works as intended, however… PITA to destroy-then-redo (more or less) the VPN connection from USG60W flavour to USG Flex 100W flavour.

    Since the 10th of August my last post has not been answered by Zyxel_James or any representative.
    Mr Zyxel_James might be on holiday leave, IDK about other representatives.
    Unsatisfied is not enough to describe my feeling.

    mMontana Posts: 1,325  Guru Member

    I'm obliged to review my disappointment and the perceived lack of professionalism from the Zyxel team.
    Almost 40 days from my question, still unanswered.
