USG 60W VPN L2TP. Client(windows 10) error 651.

Ered
Ered Posts: 14  Freshman Member
edited April 2021 in Security

Hello!

Sorry for the Google Translate English.

I have a Zyxel USG 60W running V4.35(AAKZ.3). I configured the VPN server according to the instructions: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf

But when the user tries to connect, error 651 occurs. There is no connection from iOS either.

Log Name:      Application
Source:        RasClient
Date:          02.04.2020 14:53:27
Event ID:      20227
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:
Description:
CoID={B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}: The user dialed the remote connection VPN-подключение, which failed. Error code 651 was returned.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="RasClient" />
    <EventID Qualifiers="0">20227</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-02T11:53:27.209308100Z" />
    <EventRecordID>2770</EventRecordID>
    <Channel>Application</Channel>
    <Computer></Computer>
    <Security />
  </System>
  <EventData>
    <Data>{B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}</Data>
    <Data></Data>
    <Data>VPN-подключение</Data>
    <Data>651</Data>
  </EventData>
</Event>


What to do? How to configure the server?

Thanks.

Accepted Solution

  • Ered
    Ered Posts: 14  Freshman Member
    Answer ✓

    warwickt, I solved this problem!

    The registry key is to blame:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    "ProhibitIpSec"=dword:00000001
    

    Deleted it and was able to establish a connection!

    Unfortunately that's not all. Now I need to organize authentication for domain users and provide access to local resources. But that is another story.

    Thanks for participating!
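The accepted answer comes down to one registry value under RasMan, and warwickt later asks whether the PolicyAgent NAT-T value was involved too. The script below is an added example and not part of the thread: it audits both values on a Windows client, offers a `-WhatIf`-able repair, and pulls the RasClient event 20227 records (the "connection failed with error code N" event quoted in the first post) so the error code can be read without opening Event Viewer. It assumes an elevated PowerShell 5.1 or later session on the client; the value semantics are taken from Microsoft's documentation of ProhibitIpSec and of AssumeUDPEncapsulationContextOnSendRule (KB 926179).

```powershell
# Added example (not from the original thread): audit and repair the two Windows
# registry values that most often break the built-in L2TP/IPsec client, and pull
# the RasClient 20227 events ("connection failed with error code N") that the
# original post quotes.
# Assumptions: elevated PowerShell 5.1+ on the client. Value semantics are from
# Microsoft's documentation of RasMan ProhibitIpSec and of PolicyAgent
# AssumeUDPEncapsulationContextOnSendRule (KB 926179).

$RasManKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty errors when the value does not exist; report that as $null.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-L2tpClientRegistry {
    param([switch]$ServerBehindNat)
    $findings = @()

    # ProhibitIpSec=1 stops RasMan from building the automatic IPsec policy for
    # L2TP, so the client sends bare L2TP and the USG (which requires IPsec
    # first) never answers: error 651 on the client.
    $prohibit = Get-RegValueOrNull -Path $RasManKey -Name 'ProhibitIpSec'
    if ($prohibit -eq 1) {
        $findings += [pscustomobject]@{
            Key = $RasManKey; Name = 'ProhibitIpSec'; Value = $prohibit
            Problem = 'IPsec disabled for L2TP; delete the value or set it to 0'
        }
    }

    # A client behind NAT works by default; a VPN *server* behind NAT does not
    # unless this value is 1 (server behind NAT) or 2 (both behind NAT).
    $natRule = Get-RegValueOrNull -Path $PolicyAgentKey -Name 'AssumeUDPEncapsulationContextOnSendRule'
    if ($ServerBehindNat -and $natRule -notin 1, 2) {
        $findings += [pscustomobject]@{
            Key = $PolicyAgentKey; Name = 'AssumeUDPEncapsulationContextOnSendRule'; Value = $natRule
            Problem = 'server is behind NAT but NAT-T to a NATed server is not allowed; set to 2'
        }
    }
    return $findings
}

function Repair-L2tpClientRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$ServerBehindNat)
    if ($PSCmdlet.ShouldProcess("$RasManKey ProhibitIpSec", 'Remove value')) {
        Remove-ItemProperty -Path $RasManKey -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    }
    if ($ServerBehindNat -and
        $PSCmdlet.ShouldProcess("$PolicyAgentKey AssumeUDPEncapsulationContextOnSendRule", 'Set to 2')) {
        New-ItemProperty -Path $PolicyAgentKey -Name 'AssumeUDPEncapsulationContextOnSendRule' `
            -PropertyType DWord -Value 2 -Force | Out-Null
    }
    # Both services read these values at start-up: reboot before retesting.
}

function Get-RecentRasClientFailures {
    param([int]$Last = 10)
    # Event data layout (see the XML in the original post): [0] CoID,
    # [1] unused, [2] connection name, [3] error code.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Connection = $_.Properties[2].Value
                ErrorCode  = $_.Properties[3].Value
            }
        }
}

Test-L2tpClientRegistry | Format-Table -AutoSize
Get-RecentRasClientFailures | Format-Table -AutoSize
# Repair-L2tpClientRegistry -WhatIf    # preview
# Repair-L2tpClientRegistry            # apply, then reboot
```

The NAT-T check is gated on `-ServerBehindNat` because, as warwickt's assumptions say, the USG here sits directly on the WAN; on such a setup the PolicyAgent value is irrelevant and flagging it would only send people chasing the wrong key.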


All Replies

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi Ered, no worries. This looks like a "VPN proposal" issue with your:

    1. built-in VPN client on your Windows system (10??) and/or
       (take this cautiously .. lots of junk for Win10) this ---> https://windows101tricks.com/fix-connection-failed-error-651-windows-10/
    2. the VPN gateway settings in your USG60 configuration, which look OK:
       • Phase 1 gateway: supports proposals 3des-sha, 3des-md5 and des-sha, DH2
       • Phase 2 connection: supports proposals 3des-sha, des-sha and 3des-md5, PFS=none

    Looks ok so far .

    Your Windows 10 Built In Default client:

    I'm not a Windows/OS user, however following a recent flood of client headaches with this OS platform I have gained some small knowledge that might help.

    The RasClient 651 error might indicate some error in your Windows 10 client setup/configuration.

    Would you check your USG60 logs to see if the Windows client actually connects to your USG router?

    Would you be able to post your Windows 10 VPN connection details by issuing this command in Windows 10 powershell.exe?

    Here's an example for a win10 VPN Connection called "Ered_Test"

    Get-VpnConnection -name "Ered_Test" | Format-List -Property *


    PS C:\Users\lab04> Get-VpnConnection -name "Ered_Test" | Format-List -Property *

    EapConfigXmlStream             :
    VpnConfigurationXml            : #document
    IPSecCustomPolicy              :
    MachineCertificateIssuerFilter :
    MachineCertificateEKUFilter    :
    ConnectionStatus               : Disconnected
    DnsSuffix                      :
    Guid                           : {4515CC62-CACB-4314-A0D6-D0F9B68B0CCF}
    IdleDisconnectSeconds          : 0
    IsAutoTriggerEnabled           : False
    Name                           : Ered_Test
    ProfileType                    : Inbox
    ProvisioningAuthority          :
    Proxy                          :
    RememberCredential             : False
    Routes                         : {}
    ServerAddress                  : ereds.vpnserver.ru
    ServerList                     : {}
    SplitTunneling                 : False
    VpnTrigger                     : VpnConnectionTrigger
    AllUserConnection              : False
    AuthenticationMethod           : {MsChapv2}
    EncryptionLevel                : Required
    L2tpIPsecAuth                  : Psk
    NapState                       : NotConnected
    TunnelType                     : L2tp
    UseWinlogonCredential          : False
    PSComputerName                 :
    CimClass                       : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
    CimInstanceProperties          : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
    CimSystemProperties            : Microsoft.Management.Infrastructure.CimSystemProperties


    FWIW, a working L2TP over IPsec (IKEv1) setup:

    This USG configuration works for L2TP over IPsec with the Windows 10 built-in client, the macOS VPN client, iOS and Android.

    Assumptions:

    • use a pre-shared key (PSK)
    • L2TP over IPsec
    • user and password authentication, passed to local and LDAP AAA
      • you use default by the looks of it.
      • Windows 7/8/10 use either PAP or MSCHAP
    • USG routers are on the WAN (not behind a NAT wall)

    Zyxel USG Settings

    VPN GATEWAY CONFIGURATION:

    allows proposal 1 : 3des-sha, DH group = 2

    IKE policy: example_L2TP_ipsec_GATEWAY
    
     negotiation mode: main
     proposal: 1
      encryption: 3des
      authentication: sha
     SA lifetime: 3600
     key group: group2
     NAT traversal: yes
     dead peer detection: yes
     my address: some-vpn-serverin.hk
      type: ip
     secure gateway address: 1
      address: 0.0.0.0
     secure gateway address: 2
      address: 0.0.0.0
     fall back: deactivate
     fall back check interval: 300
     authentication method: pre-share
     pre-shared key: example123456
     certificate: default
     local ID: 0.0.0.0
      type: ip
     peer ID: 
      type: any
     user ID: 
     type: 
     X-Auth: no
      type: server
      method: vpn_auth_all
      allowed user: 
      username: 
      password: 
     EAP-Auth: no
      type: 
      aaa method: 
      allowed user: 
      allowed auth method: mschapv2
      username: 
      auth method: mschapv2
      password: 
     vcp reference count: 0
     IKE_version: IKEv1
     active: yes
    


    Connection Configuration:

    Allows Phase 2 proposals: aes128-sha1 , 3des-sha1, pfs=none

    cryptography mapping: example_L2TP_ipsec_CONNECTION
     VPN gateway: example_L2TP_ipsec_GATEWAY
     Gateway IP Version: IPv4
     encapsulation: transport
     active protocol: esp
     transform set: 1
      encryption: aes128
      authentication: sha
     transform set: 2
      encryption: 3des
      authentication: sha
     SA lifetime: 86400
     PFS: none
     nail up: no
     scenario: remote-access-server
     l2tp: yes
     local policy: WAN_ANY_IP
     remote policy: any
     protocol type: any
     configuration provide:  
      mode config: no
      configuration payload: no
      address pool: 
      first dns: 
      second dns: 
      first wins: 
      second wins: 
     policy enforcement: no
     replay detection: no
     narrowed: yes
     adjust mss: yes
     mss value: 0
     stop rekeying: no
     NetBIOS broadcast over IPSec: no
     outbound SNAT: no
      source: 
      destination: 
      target: 
     inbound SNAT: no
      source: 
      destination: 
      target: 
     inbound DNAT: no
     vcp reference count: 0
     active: yes
     VTI: 
     connected: no
     rule type: 4in4
    
    L2TP:
    L2TP over IPSec:
     activate     : yes
     crypto      : example_L2TP_ipsec_CONNECTION
     address pool   : VPNCLIENT_SUBPOOL
     authentication  : vpn_l2tp_auth_aaa
     certificate   : default
     user       : all_users
     keepalive timer : 180
     first dns server : 10.161.151.1
     second dns server : 
     first wins server : 
     second wins server: 
    


    Post your Windows 10 VPN config from PowerShell; change the names for your account/server etc.


    HTH

    warwick

    Hong Kong

  • Ered
    Ered Posts: 14  Freshman Member

    Hi warwickt!

    Built-in client. I tried to connect from different devices located in different networks, as well as with direct access to the Internet. The same error.

    The client connects, since there were blocking entries in the firewall before the ports were allowed.


    Get-VpnConnection -name "Ered_Test" | Format-List -Property *

    EapConfigXmlStream             :
    VpnConfigurationXml            : #document
    IPSecCustomPolicy              :
    MachineCertificateIssuerFilter :
    MachineCertificateEKUFilter    :
    ConnectionStatus               : Disconnected
    DnsSuffix                      :
    Guid                           : {8779F410-44DB-448D-9232-46A66F363D94}
    IdleDisconnectSeconds          : 0
    IsAutoTriggerEnabled           : False
    Name                           : Ered_Test
    ProfileType                    : Inbox
    ProvisioningAuthority          :
    Proxy                          :
    RememberCredential             : False
    Routes                         : {}
    ServerAddress                  : 'Static ip'
    ServerList                     : {}
    SplitTunneling                 : False
    VpnTrigger                     : VpnConnectionTrigger
    AllUserConnection              : False
    AuthenticationMethod           : {Pap}
    EncryptionLevel                : Optional
    L2tpIPsecAuth                  : Psk
    NapState                       : NotConnected
    TunnelType                     : L2tp
    UseWinlogonCredential          : False
    PSComputerName                 :
    CimClass                       : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
    CimInstanceProperties          : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
    CimSystemProperties            : Microsoft.Management.Infrastructure.CimSystemProperties



    Sorry, is there a command in the web console to display the settings for the VPN gateway, connection and L2TP?
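The two Get-VpnConnection listings above differ in exactly the fields that matter for an L2TP/IPsec client: warwickt's profile uses MsChapv2 with EncryptionLevel Required, Ered's uses Pap with EncryptionLevel Optional. The following is an added example, not code from either poster: it creates a connection with the stronger settings that match the USG gateway shown earlier (PSK, mschapv2), and audits every existing connection for the weaker choices. The connection name, server address and PSK are placeholders; it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original thread): create a Windows 10 L2TP/IPsec
# connection that matches the USG side shown in this thread (PSK, MS-CHAPv2,
# encryption required), and audit existing connections for the weaker settings
# also seen in the thread (PAP, EncryptionLevel Optional).
# Assumptions: the connection name, server address and PSK below are
# placeholders; run in an elevated PowerShell 5.1+ session.

function New-UsgL2tpConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][securestring]$PreSharedKey
    )
    # Add-VpnConnection only accepts the PSK as plain text; unwrap it here and
    # nowhere else so it does not end up in the shell history.
    $plain = [System.Net.NetworkCredential]::new('', $PreSharedKey).Password

    # MSChapv2 matches "allowed auth method: mschapv2" on the USG gateway;
    # Required refuses a PPP session the server would leave unencrypted;
    # the two switches are set explicitly so a stored profile cannot drift.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $plain `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required `
        -RememberCredential:$false `
        -SplitTunneling:$false `
        -Force
    Get-VpnConnection -Name $Name
}

function Test-VpnConnectionHardening {
    param([Parameter(Mandatory, ValueFromPipeline)]$Connection)
    process {
        $issues = @()
        if ($Connection.AuthenticationMethod -contains 'Pap') {
            $issues += 'PAP: password crosses PPP in plaintext, protected only by the outer IPsec PSK'
        }
        if ($Connection.EncryptionLevel -in 'Optional', 'NoEncryption') {
            $issues += "EncryptionLevel $($Connection.EncryptionLevel): server may negotiate no PPP encryption"
        }
        if ($Connection.TunnelType -eq 'L2tp' -and $Connection.L2tpIPsecAuth -eq 'Psk') {
            $issues += 'group PSK: anyone holding the PSK can impersonate the gateway'
        }
        if ($Connection.RememberCredential) {
            $issues += 'credentials cached on the client'
        }
        $text = if ($issues.Count) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{
            Name   = $Connection.Name
            Server = $Connection.ServerAddress
            Auth   = ($Connection.AuthenticationMethod -join ',')
            Level  = $Connection.EncryptionLevel
            Issues = $text
        }
    }
}

# Audit everything already configured for this user, then (optionally) create
# the hardened profile. Uncomment the last two lines to actually create it.
Get-VpnConnection | Test-VpnConnectionHardening | Format-Table -AutoSize
# $psk = Read-Host -Prompt 'USG pre-shared key' -AsSecureString
# New-UsgL2tpConnection -Name 'USG60_L2TP' -ServerAddress 'vpn.example.invalid' -PreSharedKey $psk
```

Run against Ered's profile the audit reports PAP and Optional; against warwickt's it reports only the group-PSK finding, which is inherent to PSK-based L2TP and is the reason PAP is the wrong pairing with it: whoever holds the shared key can stand up a fake gateway and receive the user's password in the clear.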

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi Ered, interesting .... the Zyxel USG commands you can use for the above (over SSH or the "web console" CLI), using the names from your initial example, are:


    display the IPSEC Gateway details for your "L2TP_GAteway_rincom":
    show ike policy L2TP_GAteway_rincom
    
    display the IPSEC Connection detail for "test2":
    show crypto map test2
    
    display the L2TP config detail:
    show l2tp-over-ipsec
    


    So was the issue with your Windows 10 client (firewall?), the 651 error?

    Please post so that others may know.

    Regards

    Warwick

    Hong Kong

  • Ered
    Ered Posts: 14  Freshman Member
    edited April 2020

    Hi warwickt! Thanks.

    Zyxel USG Settings


    L2TP_Gateway_rincom

    IKE policy: L2TP_Gateway_rincom
     IKD_ID: 2
     negotiation mode: main
     proposal: 1
       encryption: 3des
       authentication: sha
     proposal: 2
       encryption: des
       authentication: sha
     proposal: 3
       encryption: 3des
       authentication: md5
     SA lifetime: 86400
     key group: group2
     NAT traversal: yes
     dead peer detection: yes
     my address: BKS
       type: interface
     secure gateway address: 1
       address: 0.0.0.0
     secure gateway address: 2
       address: 0.0.0.0
     fall back: deactivate
     fall back check interval: 300
     authentication method: pre-share
     pre-shared key: 123456789
     certificate: default
     local ID: 0.0.0.0
       type: ip
     peer ID:
       type: any
     user ID:
     type:
     X-Auth: no
       type: server
       method: default
       allowed user:
       username:
       password:
     EAP-Auth: no
       type:
       aaa method:
       allowed user:
       allowed auth method: mschapv2
       username:
       auth method: mschapv2
       password:
     VPN connection: test2
     vcp reference count: 0
     IKE_version: IKEv1
     active: yes
    


    Connection Configuration:
    cryptography mapping: test2
     VPN gateway: L2TP_Gateway_rincom
     Gateway IP Version: IPv4
     encapsulation: transport
     active protocol: esp
     transform set: 1
       encryption: 3des
       authentication: sha
     transform set: 2
       encryption: des
       authentication: sha
     transform set: 3
       encryption: 3des
       authentication: md5
     SA lifetime: 86400
     PFS: none
     nail up: no
     scenario: remote-access-server
     l2tp: yes
     local policy: Wan1
     remote policy: any
     protocol type: any
     configuration provide:
       mode config: no
       configuration payload: no
       address pool:
       first dns:
       second dns:
       first wins:
       second wins:
     policy enforcement: no
     replay detection: no
     narrowed: no
     adjust mss: yes
     mss value: 0
     stop rekeying: no
     NetBIOS broadcast over IPSec: no
     outbound SNAT: no
       source:
       destination:
       target:
     inbound SNAT: no
       source:
       destination:
       target:
     inbound DNAT: no
     vcp reference count: 0
     active: yes
     VTI:
     VPN ID: 2
     connected: no
     connectivity check: no
       check method: none
       IP address: none
       period: none
       timeout: none
       fail tolerance: none
       port: none
       log: no
     rule type: 4in4
    
    L2TP config
    L2TP over IPSec:
     activate         : yes
     crypto           : test2
     address pool     : WIZ_L2TP_VPN_IP_ADDRESS_POOL
     authentication   : default
     certificate      : default
     user             : VPN_Users_rincom
     keepalive timer  : 60
     first dns server :
     second dns server :
     first wins server :
     second wins server:
    

    The problem is probably not in Windows 10. The firewall was completely disabled, as well as the antivirus, and the situation has not changed. Also, with different client equipment and different settings, the situation is the same ...

    I wrote to Zyxel support and sent them a configuration file. Waiting for an answer.


  • warwickt
    warwickt Posts: 111  Ally Member
    edited April 2020

    Hi Ered, hmm.... any chance you could catch the USG60 logs for this event and post them here (attachment?)

    You want the IKE and IPsec logs from the router.

    You can screen grab them from the web UI, however these are generally a pain to look at.

    Or BETTER, you can get the DEBUG and ALL event logs for IKE (and IPsec) events using these commands if you like.

    1) set detail logging for these events

    configure terminal 
    logging system-log category ike level all
    logging system-log category ipsec level all
    show logging debug entries category ike
    
    

    2) attempt your L2Tp Windows 10 client ...when it fails

    3) gather the USG60 router IKE and debug logs with these USG CLI commands

    Router#
    show logging entries category ike
    show logging debug entries category ike
    

    4) copy, redact/massage what you need and post them back here.

    I'm interested in the resolution!

    HTH

    Warwick

    Hong Kong

  • Ered
    Ered Posts: 14  Freshman Member

    Hi warwickt! I already solved the connection problem. Windows 10 was to blame. The problem was in the registry. Here is my post about it.

    Now another problem. Only a local user can connect. When connecting AD users, an "invalid login/password" error occurs. I familiarized myself with this topic and implemented the recommendations, with the same result. https://businessforum.zyxel.com/discussion/4105/ad-auth-with-built-in-windows-l2tp-client#latest

    Maybe you can advise me something?

    Here is the output of the command show logging entries category ike


    No.  Date/Time            Source -> Destination              Message
    ===============================================================================
    (every entry below has Priority info, Category ike, Note IKE_LOG; newest first)
    147  2020-04-05 22:13:22  ip_zyxel_wan:500 -> ip_client:500  ISAKMP SA [L2TP_Gateway_rincom] is disconnected
    148  2020-04-05 22:13:22  ip_client:500 -> ip_zyxel_wan:500  Received delete notification
    149  2020-04-05 22:13:22  ip_client:500 -> ip_zyxel_wan:500  Recv:[HASH][DEL] [count=2]
    154  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Dynamic Tunnel [L2TP_Gateway_rincom:test2:0xff215648] built successfully
    155  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  [ESP 3des-cbc|hmac-sha1-96][SPI 0x95b3fd59|0xff215648][Lifetime 3620]
    156  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  [Policy: ipv4(udp:1701,ip_zyxel_wan)-ipv4(udp:1701,ip_client)]
    157  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  [Responder:ip_zyxel_wan][Initiator:ip_client]
    158  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv:[HASH]
    159  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Send:[HASH][SA][NONCE][ID][ID]
    160  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv TSi: ipv4(udp:1701,ip_client), TSr: ipv4(udp:1701,ip_zyxel_wan).
    161  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, No ESN, AES CBC key len = 128, 3DES, DES, NULL; [1] protocol = AH (2), spi_len = 4, spi = 0x00000000, HMAC-SHA1-96, No ESN; ).
    162  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv:[HASH][SA][NONCE][ID][ID]
    163  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Phase 1 IKE SA process done
    164  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Send:[ID][HASH]
    165  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv:[ID][HASH]
    166  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Send:[KE][NONCE][PRV][PRV]
    167  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv:[KE][NONCE][PRV][PRV]
    168  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
    169  2020-04-05 22:13:15  ip_zyxel_wan:500 -> ip_client:500  The cookie pair is : 0x3e31077388b88097 / 0xda4031d1b91ad12d [count=10]
    170  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).
    171  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
    172  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  The cookie pair is : 0xda4031d1b91ad12d / 0x3e31077388b88097 [count=8]
    173  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  Recv Main Mode request from [ip_client]
    174  2020-04-05 22:13:15  ip_client:500 -> ip_zyxel_wan:500  The cookie pair is : 0x3e31077388b88097 / 0x0000000000000000
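Read bottom-up, the IKE log above tells a complete story: the Windows client offered AES-256/AES-128 with SHA-1 and ECP-384/ECP-256/2048-bit MODP as well as 3DES with 1024-bit MODP, the gateway (configured only with 3des/des proposals and key group 2) finished phase 1, and the phase 2 SA was installed as 3des-cbc/hmac-sha1-96 on a udp/1701 transport-mode selector. The script below is an added example, not from the thread: it extracts those facts from the Message column of `show logging entries category ike` and flags the negotiation landing on 3DES when AES was on offer. The sample messages are constructed from the lines quoted above (ip_zyxel_wan and ip_client are the poster's placeholders); the regular expressions are my assumptions about the ZyWALL log wording and not a documented Zyxel interface.

```powershell
# Added example (not from the original thread): summarise what a Windows client
# offered and what the USG actually installed, from the Message lines of
# "show logging entries category ike". The sample below is constructed from the
# messages quoted in the thread (ip_zyxel_wan / ip_client are placeholders);
# the regexes are my assumptions about the ZyWALL log wording, not a Zyxel API.

$SampleIkeMessages = @'
The cookie pair is : 0x3e31077388b88097 / 0x0000000000000000
Recv Main Mode request from [ip_client]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).
Phase 1 IKE SA process done
Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, No ESN, AES CBC key len = 128, 3DES, DES, NULL; [1] protocol = AH (2), spi_len = 4, spi = 0x00000000, HMAC-SHA1-96, No ESN; ).
[Policy: ipv4(udp:1701,ip_zyxel_wan)-ipv4(udp:1701,ip_client)]
[ESP 3des-cbc|hmac-sha1-96][SPI 0x95b3fd59|0xff215648][Lifetime 3620]
Dynamic Tunnel [L2TP_Gateway_rincom:test2:0xff215648] built successfully
'@ -split "`r?`n"

function Get-IkeNegotiationSummary {
    param([Parameter(Mandatory)][string[]]$Messages)

    $s = [ordered]@{
        ClientIkeOffer  = $null   # every phase-1 transform the client proposed
        ClientEspOffer  = $null   # every phase-2 ESP transform the client proposed
        SelectedEsp     = $null   # the transform the gateway installed
        TrafficSelector = $null   # should be udp/1701 both ends for L2TP transport mode
        Spi             = $null
        LifetimeSeconds = $null
        TunnelBuilt     = $false
        Weak            = @()
    }

    foreach ($raw in $Messages) {
        $line = $raw.Trim()
        if ($line -match '^Recv IKE sa: SA\(\[0\] protocol = IKE \(1\), (?<t>.+?); \)') {
            $s.ClientIkeOffer = $Matches.t
        }
        elseif ($line -match '^Recv IPSec sa: SA\(\[0\] protocol = ESP \(3\), spi_len = \d+, spi = 0x[0-9a-fA-F]+, (?<t>.+?); ') {
            $s.ClientEspOffer = $Matches.t
        }
        elseif ($line -match '^\[Policy: (?<pol>.+)\]$') {
            $s.TrafficSelector = $Matches.pol
        }
        elseif ($line -match '^\[ESP (?<enc>[^|\]]+)\|(?<auth>[^\]]+)\]\[SPI (?<spi>[^\]]+)\]\[Lifetime (?<life>\d+)\]') {
            $s.SelectedEsp     = "$($Matches.enc)/$($Matches.auth)"
            $s.Spi             = $Matches.spi
            $s.LifetimeSeconds = [int]$Matches.life
        }
        elseif ($line -match 'built successfully$') {
            $s.TunnelBuilt = $true
        }
    }

    # Downgrade check: the client offered AES (and 2048-bit DH) but the gateway
    # in this thread only configures 3des/des transform sets and key group 2,
    # so the SA is installed on 3DES. Anything below AES gets flagged.
    if ($s.SelectedEsp -match '^(3des|des)') {
        $s.Weak += "ESP installed with $($s.SelectedEsp)"
        if ($s.ClientEspOffer -match 'AES') {
            $s.Weak += 'client offered AES: add an aes128-sha1 (or aes256) transform set on the USG so it is selected'
        }
    }
    if ($s.ClientIkeOffer -match '2048 bit MODP') {
        $s.Weak += 'client offered 2048-bit MODP (DH14); a gateway limited to group2 settles on 1024-bit DH'
    }
    if ($s.TrafficSelector -and $s.TrafficSelector -notmatch 'udp:1701.*udp:1701') {
        $s.Weak += 'phase-2 selector is not udp/1701 on both ends; L2TP will not ride this SA'
    }
    [pscustomobject]$s
}

Get-IkeNegotiationSummary -Messages $SampleIkeMessages | Format-List
```

Order does not matter to the parser, so the newest-first output of the USG can be pasted in as-is after stripping the header columns. The useful security observation is the one the thread itself does not draw: the Windows client would happily have used AES and a 2048-bit group, and the only reason the tunnel runs on 3DES/DH2 is that the gateway's proposal list (built from the Zyxel PDF) contains nothing stronger.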
    


  • warwickt
    warwickt Posts: 111  Ally Member

    Hi Ered, excellent that you resolved it. Nice logs too mate! Your tunnel gets built. Nice one!

    Your authentication issue .. but first

    Firstly, you say "registry setting" in the Windows inbuilt VPN RasMan client?? I see what you had specified... strange, as we have never had to set this: "ProhibitIpSec"

    Here is what we always have set as a default for RasMan. We use PowerShell to customise the VPN connections so we don't need registry settings.

    FWIW here is our one:

    PS C:\Users\bsdmaint> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\

    AllowL2TPWeakCrypto    : 0
    AllowPPTPWeakCrypto    : 0
    KeepRasConnections     : 0
    Medias                 : {rastapi}
    ServiceDll             : C:\Windows\System32\rasmans.dll
    ServiceDllUnloadOnStop : 1
    MiniportsInstalled     : 65535
    NegotiateDH2048_AES256 : 0
    PSPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
    PSParentPath           : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
    PSChildName            : Parameters
    PSDrive                : HKLM
    PSProvider             : Microsoft.PowerShell.Core\Registry
    
    • What was this associated with .. NAT or encryption? For example in Windows (PowerShell)

    Would you specify for myself and others? For example

    Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
    
    # what is NegotiateDH2048_AES256 for example?
    

    or

    Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters\ 
    
    ## did you use AssumeUDPEncapsulationContextOnSendRule ? for behind a NAT
    

    2nd: The issue you have is an authentication one. It's straightforward to see what this is. Just collect the logs for L2TP.


     show logging entries category l2tp-over-ipsec

    The failure could be any one or more of this type of scenario:

    • wrong userid/account and/or password
    • the AD host can't be reached by the router
    • the password encryption method doesn't match / is wrong.

    For example I noticed previously your GATEWAY Phase 1 proposal contains:

    policy: L2TP_Gateway_rincom
    
    EAP-Auth: no
       type:
       aaa method:
       allowed user:
       allowed auth method: mschapv2
       username:
       auth method: mschapv2
       password:
    

    however your Windows VPN connection " " specifies PAP.

    Get-VpnConnection -name "Ered_Test" | Format-List -Property *
    
    AuthenticationMethod : {Pap}
    

    and your L2TP is : default ..

    L2TP over IPSec:
     activate         : yes
     crypto           : test2
     address pool     : WIZ_L2TP_VPN_IP_ADDRESS_POOL
     authentication   : default
     certificate      : default
     user             : VPN_Users_rincom
    

    Suggest you run the connection again and post the L2TP logs .. also the debug ones.

    show logging entries category l2tp-over-ipsec
    

    It should be easy to resolve?

    Warwick

    Hong Kong

  • Ered
    Ered Posts: 14  Freshman Member


    Hi warwickt!

    Here is our one:

    PS C:\Users\Ered> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\

    AllowL2TPWeakCrypto    : 0
    AllowPPTPWeakCrypto    : 0
    KeepRasConnections     : 0
    Medias                 : {rastapi}
    ServiceDll             : C:\WINDOWS\System32\rasmans.dll
    ServiceDllUnloadOnStop : 1
    MiniportsInstalled     : 65535
    ProhibitIpSec          : 0
    AllocatedLuids         : {}
    PSPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
    PSParentPath           : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
    PSChildName            : Parameters
    PSDrive                : HKLM
    PSProvider             : Microsoft.PowerShell.Core\Registry
    

    The problem was that "ProhibitIpSec" prohibited ipsec.

    2nd:

    Sorry, I did not provide updated data.

    L2TP

    L2TP over IPSec:
     activate     : yes
     crypto      : test2
     address pool   : VPN_Subnet_rincom
     authentication  : default
     certificate    : default
     user       : any
     keepalive timer  : 60
     first dns server : 192.168.0.21
     second dns server :
     first wins server :
     second wins server:
    

    aaa authentication default

    No. Method
    ===============================================================================
    0  VPNAD
    1  local
    # VPNAD = AD users
    

    VPN connection

    PS C:\Users\Ered> Get-VpnConnection -name "DA_Test" | Format-List -Property *
    
    
    EapConfigXmlStream       :
    VpnConfigurationXml      : #document
    IPSecCustomPolicy       :
    MachineCertificateIssuerFilter :
    MachineCertificateEKUFilter  :
    ConnectionStatus        : Disconnected
    DnsSuffix           :
    Guid              : {00226DC3-9B6F-46DB-9D56-8F8473189DE7}
    IdleDisconnectSeconds     : 0
    IsAutoTriggerEnabled      : False
    Name              : DA_Test
    ProfileType          : Inbox
    ProvisioningAuthority     :
    Proxy             :
    RememberCredential       : True
    Routes             : {}
    ServerAddress         : Ip_Zyxel_Wan
    ServerList           : {}
    SplitTunneling         : False
    VpnTrigger           : VpnConnectionTrigger
    AllUserConnection       : False
    AuthenticationMethod      : {MsChapv2}
    EncryptionLevel        : Optional
    L2tpIPsecAuth         : Psk
    NapState            : NotConnected
    TunnelType           : L2tp
    UseWinlogonCredential     : False
    PSComputerName         :
    CimClass            : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection
    CimInstanceProperties     : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...}
    CimSystemProperties      : Microsoft.Management.Infrastructure.CimSystemProperties
    

    L2TP logs

    show logging entries category l2tp-over-ipsec
    No. Date/Time      Source
                 Destination
       Priority      Category        Note
       Source Interface  Destination Interface Protocol
       Source Country                   Destination Country
       Source CountryCode Destination CountryCode
       Message
    ===============================================================================
    5  2020-04-06 12:16:35 Ip_Zyxel_Wan:1701
                Ip_Client:1701
       alert        l2tp-over-ipsec    L2TP_LOG
    
       User admin has been denied from L2TP service.(Incorrect Username or Password)
    

    Oh yes, aaa server user verification succeeds.


    I don't seem to have missed anything )

  • warwickt
    warwickt Posts: 111  Ally Member
    edited April 2020

    Hi Ered I think you're really close to solving this.

    Authentication Error ( = L2TP)

    As you point out AAA in the server validates user admin ... for example works great .. as below against an LDAP server...

    Router> test aaa server ldap host freebsdmax04.lab004.inhouse host freebsdmax04.lab004.remote port 389 base-dn "cn=users,dc=freebsdmax04,dc=lab004,dc=inhouse" login-name-attribute uid account "test_ldapuser"
    

    However, your L2TP authentication method needs to include an authentication method that has Active Directory (AD) in it too!

    L2TP over IPSec:
     activate : yes
     crypto : test2
     address pool : VPN_Subnet_rincom
     authentication : default      <<<<<<<<<<<<<<<<<<<<!! default !!!!     
     certificate : default
     user : any
     keepalive timer : 60
     first dns server : 192.168.0.21
     second dns server :
     first wins server :
     second wins server:
    
    


    For example issue this command in the cli or Console UI

    show auth-server status
    
    

    Steps to do this.

    1. Assuming the AAA server is already configured as AD with your details
    2. Create a NEW authentication method - example "ALL_of_us"
    3. Edit and add in this order:
       1. local
       2. group ad
    4. Change the L2TP authentication method to "ALL_of_us" -- see below.
    L2TP over IPSec:
     activate   : yes
     crypto   : test2
     address pool  : VPN_Subnet_rincom
     authentication : ALL_of_us
     certificate  : default
     user    : any
     keepalive timer : 60
     first dns server : 192.168.0.21
     second dns server :
     first wins server :
     second wins server:
    

    In this example that uses LDAP .. see how it looks.

    Router> show aaa authentication All_of_us
    No. Method
    ===============================================================================
    0  local
    1  ldap
    Router>
    

    Try the access again as an AD account.

    Post your results for us to see.

    HTH

    Warwick

    Hong Kong
