USG 60W VPN L2TP. Client(windows 10) error 651.
Hello!
Sorry for my google translator.
There is a device zyxel usg 60w V4.35(AAKZ.3). I configure vpn server according to the instructions: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
But when you try to connect the user, error 651 occurs. There is no connection with IOS either.
Имя журнала: Application
Источник: RasClient
Дата: 02.04.2020 14:53:27
Код события: 20227
Категория задачи:Отсутствует
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер:
Описание:
CoID={B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}: Пользователь установил удаленное подключение VPN-подключение, которое завершилось сбоем. Возвращен код ошибки 651.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="RasClient" />
<EventID Qualifiers="0">20227</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-04-02T11:53:27.209308100Z" />
<EventRecordID>2770</EventRecordID>
<Channel>Application</Channel>
<Computer></Computer>
<Security />
</System>
<EventData>
<Data>{B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}</Data>
<Data></Data>
<Data>VPN-подключение</Data>
<Data>651</Data>
</EventData>
</Event>
What to do? How to configure the server?
Thanks.
Accepted Solution
-
warwickt, i solved this problem!
The registry key is to blame:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters "ProhibitIpSec"=dword:00000001
Deleted it and was able to establish a connection!
Unfortunately that's not all. Now I need to organize authentication for domain users and provide access to local resources. But that is another story.
Thanks for participating!
1
All Replies
-
Hi Ered no worries. This looks like a "vpn proposal" issue with your:
- InBuilt VPN Client on your windows System (10??) and / or
- take this cautiously .. (lots of junk for win10) this ---> https://windows101tricks.com/fix-connection-failed-error-651-windows-10/
- the VPN Gateway settings on your USG60 configuration that looks like ok.
- Phase 1 Gateway: supports proposals: 3des-sha , 3des-md5 and des-sha, DH2
- Phase 2 connection : supports proposals: 3des-sha, des-sha and 3des-md5, PFS=none
Looks ok so far .
Your Windows 10 Built In Default client:
I'm not a Windows/OS user; however, following a recent flood of client headaches with this OS platform I have gained some small knowledge that might help.
The RasClient 651 error might indicate some error in your Windows 10 client setup / configuration.
Would you check your USG60 logs to see if the Windows client actually connects to your USG router?
Would you be able to post your Windows 10 VPN connection details by issuing this command in the Windows 10 powershell.exe?
Here's an example for a win10 VPN Connection called "Ered_Test"
Get-VpnConnection -name "Ered_Test" | Format-List -Property *
PS C:\Users\lab04> Get-VpnConnection -name "Ered_Test" | Format-List -Property *
EapConfigXmlStream :
VpnConfigurationXml : #document
IPSecCustomPolicy :
MachineCertificateIssuerFilter :
MachineCertificateEKUFilter :
ConnectionStatus : Disconnected
DnsSuffix :
Guid : {4515CC62-CACB-4314-A0D6-D0F9B68B0CCF}
IdleDisconnectSeconds : 0
IsAutoTriggerEnabled : False
Name : Ered_Test
ProfileType : Inbox
ProvisioningAuthority :
Proxy :
RememberCredential : False
Routes : {}
ServerAddress : ereds.vpnserver.ru
ServerList : {}
SplitTunneling : False
VpnTrigger : VpnConnectionTrigger
AllUserConnection : False
AuthenticationMethod : {MsChapv2}
EncryptionLevel : Required
L2tpIPsecAuth : Psk
NapState : NotConnected
TunnelType : L2tp
UseWinlogonCredential : False
PSComputerName :
CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
FWIW - working L2TP over IPSEC (Ikev1)
This USG configuration works for L2TP over IPSEC for Windows 10 Built In, macOS VPN, iOS and Android.
assumptions:
- use Pre-Shared-Key PSK
- L2TP of IPSEC
- User and Password Authentication - pass to Local and LDAP AAA
- you use default by the looks.
- Windows 7/8/10 use either PAP or MSCHAP
- USG routers are on WAN (not behind NAT wall)
Zyxel USG Settings
VPN GATEWAY CONFIGURATION:
allows proposal 1 : 3des-sha, DH group = 2
IKE policy: example_L2TP_ipsec_GATEWAY
negotiation mode: main
proposal: 1 encryption: 3des authentication: sha
SA lifetime: 3600
key group: group2
NAT traversal: yes
dead peer detection: yes
my address: some-vpn-serverin.hk type: ip
secure gateway address: 1 address: 0.0.0.0
secure gateway address: 2 address: 0.0.0.0
fall back: deactivate
fall back check interval: 300
authentication method: pre-share
pre-shared key: example123456
certificate: default
local ID: 0.0.0.0 type: ip
peer ID: type: any
user ID: type:
X-Auth: no type: server method: vpn_auth_all allowed user: username: password:
EAP-Auth: no type: aaa method: allowed user: allowed auth method: mschapv2 username: auth method: mschapv2 password:
vcp reference count: 0
IKE_version: IKEv1
active: yes
Gateway Configuration
Connection Configuration:
Allows Phase 2 proposals: aes128-sha1 , 3des-sha1, pfs=none
cryptography mapping: example_L2TP_ipsec_CONNECTION
VPN gateway: example_L2TP_ipsec_GATEWAY
Gateway IP Version: IPv4
encapsulation: transport
active protocol: esp
transform set: 1 encryption: aes128 authentication: sha
transform set: 2 encryption: 3des authentication: sha
SA lifetime: 86400
PFS: none
nail up: no
scenario: remote-access-server
l2tp: yes
local policy: WAN_ANY_IP
remote policy: any
protocol type: any
configuration provide:
mode config: no
configuration payload: no
address pool:
first dns:
second dns:
first wins:
second wins:
policy enforcement: no
replay detection: no
narrowed: yes
adjust mss: yes
mss value: 0
stop rekeying: no
NetBIOS broadcast over IPSec: no
outbound SNAT: no source: destination: target:
inbound SNAT: no source: destination: target:
inbound DNAT: no
vcp reference count: 0
active: yes
VTI:
connected: no
rule type: 4in4
L2TP:
L2TP over IPSec:
activate : yes
crypto : example_L2TP_ipsec_CONNECTION
address pool : VPNCLIENT_SUBPOOL
authentication : vpn_l2tp_auth_aaa
certificate : default
user : all_users
keepalive timer : 180
first dns server : 10.161.151.1
second dns server :
first wins server :
second wins server:
Post your Windows 10 VPN config from PowerShell. Change the names for your account/server etc.
HTH
warwick
Hong kong
0 -
Hi warwickt!
Embedded client. I tried to connect from different devices located in different networks and knowledge with direct access to the Internet. The same mistake.
The client connects, since there were blocking entries in the firewall before the ports were resolved
Get-VpnConnection -name "Ered_Test" | Format-List -Property *
EapConfigXmlStream :
VpnConfigurationXml : #document
IPSecCustomPolicy :
MachineCertificateIssuerFilter :
MachineCertificateEKUFilter :
ConnectionStatus : Disconnected
DnsSuffix :
Guid : {8779F410-44DB-448D-9232-46A66F363D94}
IdleDisconnectSeconds : 0
IsAutoTriggerEnabled : False
Name : Ered_Test
ProfileType : Inbox
ProvisioningAuthority :
Proxy :
RememberCredential : False
Routes : {}
ServerAddress : 'Static ip'
ServerList : {}
SplitTunneling : False
VpnTrigger : VpnConnectionTrigger
AllUserConnection : False
AuthenticationMethod : {Pap}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
NapState : NotConnected
TunnelType : L2tp
UseWinlogonCredential : False
PSComputerName :
CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
Sorry, is there any command in the web console to display the settings for vpn, gateway, l2tp?
0 -
Hi Ered, interesting .... the Zyxel USG commands you can use for the above, from ssh or the "web console" CLI, using your initial example are:
display the IPSEC Gateway details for your "L2TP_GAteway_rincom":
show ike policy L2TP_GAteway_rincom
display the IPSEC Connection detail for "test2":
show crypto map test2
display the L2TP config detail:
show l2tp-over-ipsec
So was the issue with your Windows 10 client? (Firewall?) 651 error?
Please post so that others may know.
Regards
Warwick
Hong Kong
0 -
Hi warwickt! Thanks.
Zyxel USG Settings
L2TP_Gateway_rincom
IKE policy: L2TP_Gateway_rincom
IKD_ID: 2
negotiation mode: main
proposal: 1 encryption: 3des authentication: sha
proposal: 2 encryption: des authentication: sha
proposal: 3 encryption: 3des authentication: md5
SA lifetime: 86400
key group: group2
NAT traversal: yes
dead peer detection: yes
my address: BKS type: interface
secure gateway address: 1 address: 0.0.0.0
secure gateway address: 2 address: 0.0.0.0
fall back: deactivate
fall back check interval: 300
authentication method: pre-share
pre-shared key: 123456789
certificate: default
local ID: 0.0.0.0 type: ip
peer ID: type: any
user ID: type:
X-Auth: no type: server method: default allowed user: username: password:
EAP-Auth: no type: aaa method: allowed user: allowed auth method: mschapv2 username: auth method: mschapv2 password:
VPN connection: test2
vcp reference count: 0
IKE_version: IKEv1
active: yes
Connection Configuration:
cryptography mapping: test2
VPN gateway: L2TP_Gateway_rincom
Gateway IP Version: IPv4
encapsulation: transport
active protocol: esp
transform set: 1 encryption: 3des authentication: sha
transform set: 2 encryption: des authentication: sha
transform set: 3 encryption: 3des authentication: md5
SA lifetime: 86400
PFS: none
nail up: no
scenario: remote-access-server
l2tp: yes
local policy: Wan1
remote policy: any
protocol type: any
configuration provide:
mode config: no
configuration payload: no
address pool:
first dns:
second dns:
first wins:
second wins:
policy enforcement: no
replay detection: no
narrowed: no
adjust mss: yes
mss value: 0
stop rekeying: no
NetBIOS broadcast over IPSec: no
outbound SNAT: no source: destination: target:
inbound SNAT: no source: destination: target:
inbound DNAT: no
vcp reference count: 0
active: yes
VTI:
VPN ID: 2
connected: no
connectivity check: no
check method: none
IP address: none
period: none
timeout: none
fail tolerance: none
port: none
log: no
rule type: 4in4
L2TP config
L2TP over IPSec:
activate : yes
crypto : test2
address pool : WIZ_L2TP_VPN_IP_ADDRESS_POOL
authentication : default
certificate : default
user : VPN_Users_rincom
keepalive timer : 60
first dns server :
second dns server :
first wins server :
second wins server:
The problem is probably not in Windows 10. The firewall was completely disabled, as well as the antivirus, the situation has not changed. Also, different client equipment and different settings, the situation is the same ...
I wrote in support of Zyxel. And sent them a configuration file. Waiting for an answer.
0 -
Hi Ered . hmm.... any chance you could catch the USG60 logs for this event and post them here (attachment?)
You want the IKE and IPSEC logs from the router .
You can screen grab them from the WEB UI however these are generally a pain to look at .
Or BETTER, you can get the DEBUG and ALL event logs for IKE (and IPSEC) events using these commands if you like.
1) set detail logging for these events
configure terminal
logging system-log category ike level all
logging system-log category ipsec level all
show logging debug entries category ik
2) attempt your L2Tp Windows 10 client ...when it fails
3) gather the USG60 router IKE and DEBUG logs with this USG ZYOS command
Router# show logging entries category ike
Router# show logging debug entries category ike
4) copy, redact/massage what you need and post them back here.
I'm interested in the resolution!
HTH
Warwick
Hong Kong
0 -
Hi warwickt! I already solved the connection problem. Windows 10 was to blame. The problem was in the registry. Here is my post about it.
Now another problem. Only a local user can connect. When connecting AD users, an “invalid log / password” error occurs. I familiarized myself with this topic and implemented the recommendations, the result is the same. https://businessforum.zyxel.com/discussion/4105/ad-auth-with-built-in-windows-l2tp-client#latest
Maybe you can advise me something?
Here is the output of the command show logging entries category ike
No. Date/Time Source Destination Priority Category Note Source Interface Destination Interface Protocol Source Country Destination Country Source CountryCode Destination CountryCode Message
===============================================================================
147 2020-04-05 22:13:22 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG ISAKMP SA [L2TP_Gateway_rincom] is disconnected
148 2020-04-05 22:13:22 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Received delete notification
149 2020-04-05 22:13:22 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[HASH][DEL] [count=2]
154 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Dynamic Tunnel [L2TP_Gateway_rincom:test2:0xff215648] built successfully
155 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG [ESP 3des-cbc|hmac-sha1-96][SPI 0x95b3fd59|0xff215648][Lifetime 3620]
156 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG [Policy: ipv4(udp:1701,ip_zyxel_wan)-ipv4(udp:1701,ip_client)]
157 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG [Responder:ip_zyxel_wan][Initiator:ip_client]
158 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[HASH]
159 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Send:[HASH][SA][NONCE][ID][ID]
160 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv TSi: ipv4(udp:1701,ip_client), TSr: ipv4(udp:1701,ip_zyxel_wan).
161 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, No ESN, AES CBC key len = 128, 3DES, DES, NULL; [1] protocol = AH (2), spi_len = 4, spi = 0x00000000, HMAC-SHA1-96, No ESN; ).
162 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[HASH][SA][NONCE][ID][ID]
163 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Phase 1 IKE SA process done
164 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Send:[ID][HASH]
165 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[ID][HASH]
166 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Send:[KE][NONCE][PRV][PRV]
167 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[KE][NONCE][PRV][PRV]
168 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
169 2020-04-05 22:13:15 ip_zyxel_wan:500 ip_client:500 info ike IKE_LOG The cookie pair is : 0x3e31077388b88097 / 0xda4031d1b91ad12d [count=10]
170 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).
171 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
172 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG The cookie pair is : 0xda4031d1b91ad12d / 0x3e31077388b88097 [count=8]
173 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG Recv Main Mode request from [ip_client]
174 2020-04-05 22:13:15 ip_client:500 ip_zyxel_wan:500 info ike IKE_LOG The cookie pair is : 0x3e31077388b88097 / 0x0000000000000000
0 -
Hi Ered excellent that you resolved it. Nice logs too mate! Your tunnel gets built. nice one!
Your authentication issue .. but first
Firstly you say "registry setting" in Windows inbuilt VPN Rasman client?? I see what you had specified... strange as we have never had to set this. "ProhibitIpSec"
Here is what we always have set as a default for Rasman. we use powershell to customise the VPN connections so we don't need registry settings.
FWIW here is our one:
PS C:\Users\bsdmaint> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
AllowL2TPWeakCrypto : 0
AllowPPTPWeakCrypto : 0
KeepRasConnections : 0
Medias : {rastapi}
ServiceDll : C:\Windows\System32\rasmans.dll
ServiceDllUnloadOnStop : 1
MiniportsInstalled : 65535
NegotiateDH2048_AES256 : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
- what was this associated with .. NAT or Encryption? For example in Windows (PowerShell)
Would you specify for myself and others? For example
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ # what is NegotiateDH2048_AES256 for example?
or
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters\ ## did you use AssumeUDPEncapsulationContextOnSendRule ? for behind a NAT
2nd: The issue you have is an authentication one. It's straightforward to see what this is. Just collect the logs for L2TP.
show logging entries category l2tp-over-ipsec
The failure could be any one or more of this type of scenario:
- wrong userid/account and/or password
- the AD host can't be reached by the router
- the password encryption doesn't match or is wrong.
For example I noticed previously your GATEWAY Phase 1 proposal contains:
policy: L2TP_Gateway_rincom EAP-Auth: no type: aaa method: allowed user: allowed auth method: mschapv2 username: auth method: mschapv2 password:
however your Windows VPN connection " " specifies PAP.
Get-VpnConnection -name "Ered_Test" | Format-List -Property *
AuthenticationMethod : {Pap}
and your L2TP is : default ..
L2TP over IPSec:
activate : yes
crypto : test2
address pool : WIZ_L2TP_VPN_IP_ADDRESS_POOL
authentication : default
certificate : default
user : VPN_Users_rincom
Suggest you run the connection again and post the L2TP logs .. also the debug ones.
show logging entries category l2tp-over-ipsec
It should be easy to resolve?
Warwick
Hong Kong
0 -
Hi warwickt!
Here is our one:
PS C:\Users\Ered> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
AllowL2TPWeakCrypto : 0
AllowPPTPWeakCrypto : 0
KeepRasConnections : 0
Medias : {rastapi}
ServiceDll : C:\WINDOWS\System32\rasmans.dll
ServiceDllUnloadOnStop : 1
MiniportsInstalled : 65535
ProhibitIpSec : 0
AllocatedLuids : {}
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
The problem was that "ProhibitIpSec" prohibited ipsec.
2nd:
Sorry, I did not provide updated data.
L2TP
L2TP over IPSec:
activate : yes
crypto : test2
address pool : VPN_Subnet_rincom
authentication : default
certificate : default
user : any
keepalive timer : 60
first dns server : 192.168.0.21
second dns server :
first wins server :
second wins server:
aaa authentication default
No. Method
===============================================================================
0 VPNAD
1 local
#vpnad = users ad
VPN connection
PS C:\Users\Ered> Get-VpnConnection -name "DA_Test" | Format-List -Property *
EapConfigXmlStream :
VpnConfigurationXml : #document
IPSecCustomPolicy :
MachineCertificateIssuerFilter :
MachineCertificateEKUFilter :
ConnectionStatus : Disconnected
DnsSuffix :
Guid : {00226DC3-9B6F-46DB-9D56-8F8473189DE7}
IdleDisconnectSeconds : 0
IsAutoTriggerEnabled : False
Name : DA_Test
ProfileType : Inbox
ProvisioningAuthority :
Proxy :
RememberCredential : True
Routes : {}
ServerAddress : Ip_Zyxel_Wan
ServerList : {}
SplitTunneling : False
VpnTrigger : VpnConnectionTrigger
AllUserConnection : False
AuthenticationMethod : {MsChapv2}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
NapState : NotConnected
TunnelType : L2tp
UseWinlogonCredential : False
PSComputerName :
CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
L2TP logs
show logging entries category l2tp-over-ipsec
No. Date/Time Source Destination Priority Category Note Source Interface Destination Interface Protocol Source Country Destination Country Source CountryCode Destination CountryCode Message
===============================================================================
5 2020-04-06 12:16:35 Ip_Zyxel_Wan:1701 Ip_Client:1701 alert l2tp-over-ipsec L2TP_LOG User admin has been denied from L2TP service.(Incorrect Username or Password)
Oh yes, aaa server user verification succeeds.
Seems to have missed nothing )
0 -
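The client-side checks from the posts above (the RasMan registry values and the properties printed by Get-VpnConnection), collected into one script. This is an added example, not code posted by anyone in the thread; Add-Finding is a hypothetical helper, and the script assumes an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example: audit the Windows L2TP/IPsec client settings discussed in this thread.
# Assumption: elevated PowerShell on the client; Add-Finding is a hypothetical helper.
$rasman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Item, [string]$Value, [string]$Note)
    $findings.Add([pscustomobject]@{ Item = $Item; Value = $Value; Note = $Note })
}

$params = Get-ItemProperty -Path $rasman -ErrorAction Stop

# ProhibitIpSec: a non-zero value stops Windows from creating the automatic
# IPsec policy for L2TP, so the gateway never sees a protected L2TP session.
$p = $params.PSObject.Properties['ProhibitIpSec']
if ($null -eq $p) {
    Add-Finding 'ProhibitIpSec' '(absent)' 'OK: value not present'
} elseif ($p.Value -ne 0) {
    Add-Finding 'ProhibitIpSec' $p.Value 'IPsec for L2TP is disabled; delete the value or set it to 0'
} else {
    Add-Finding 'ProhibitIpSec' $p.Value 'OK: IPsec for L2TP is allowed'
}

# Weak-crypto switches that appear in the same key in the outputs above.
foreach ($name in 'AllowL2TPWeakCrypto', 'AllowPPTPWeakCrypto') {
    $w = $params.PSObject.Properties[$name]
    if ($null -ne $w -and $w.Value -ne 0) {
        Add-Finding $name $w.Value 'Weak algorithms are enabled; set to 0'
    }
}

# L2TP profiles, per-user and all-user: flag the settings that differed
# between the working and failing profiles shown in the thread.
$profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
            @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

foreach ($v in ($profiles | Where-Object { $_.TunnelType -eq 'L2tp' })) {
    $auth = $v.AuthenticationMethod -join ','
    Add-Finding "VPN '$($v.Name)'" "auth=$auth; enc=$($v.EncryptionLevel); ipsec=$($v.L2tpIPsecAuth)" 'Profile summary'

    if ($v.AuthenticationMethod -contains 'Pap') {
        Add-Finding "VPN '$($v.Name)'" 'Pap' 'PAP sends the password unhashed inside the tunnel; gateway here lists mschapv2'
    }
    if ($v.EncryptionLevel -in 'NoEncryption', 'Optional') {
        Add-Finding "VPN '$($v.Name)'" $v.EncryptionLevel 'Connection may proceed without encryption; use Required'
    }
}

$findings | Format-Table -AutoSize -Wrap
```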
Hi Ered I think you're really close to solving this.
Authentication Error ( = L2TP)
As you point out AAA in the server validates user admin ... for example works great .. as below against an LDAP server...
Router> test aaa server ldap host freebsdmax04.lab004.inhouse host freebsdmax04.lab004.remote port 389 base-dn "cn=users,dc=freebsdmax04,dc=lab004,dc=inhouse" login-name-attribute uid account "test_ldapuser"
However your L2TP Authentication Method needs to include an authentication method that has Active Directory (AD) in it too!
L2TP over IPSec:
activate : yes
crypto : test2
address pool : VPN_Subnet_rincom
authentication : default <<<<<<<<<<<<<<<<<<<<!! default !!!!
certificate : default
user : any
keepalive timer : 60
first dns server : 192.168.0.21
second dns server :
first wins server :
second wins server:
For example issue this command in the cli or Console UI
show auth-server status
Steps to do this.
- Assuming AAA server is already configured as AD with your details
- create a NEW Authentication Method - example "ALL_of_us"
- Edit and add in this order:
- 1. local
- 2. group ad
- change the L2TP Authentication Method to "ALL_of_us" -- see below.
L2TP over IPSec:
activate : yes
crypto : test2
address pool : VPN_Subnet_rincom
authentication : ALL_of_us
certificate : default
user : any
keepalive timer : 60
first dns server : 192.168.0.21
second dns server :
first wins server :
second wins server:
In this example that uses LDAP .. see how it looks.
Router> show aaa authentication All_of_us
No. Method
===============================================================================
0 local
1 ldap
Router>
Try the access again as an AD account.
Post your results for us to see.
HTH
Warwick
Hong Kong
0