USG 60W VPN L2TP. Client(windows 10) error 651.

Ered

https://businessforum.zyxel.com/discussion/comment/13006#Comment_13006

warwickt, I set up the default method by including group advertising in it. I wrote about this in the last post, look, there is a conclusion from the team.

aaa authentication default

No. Method
===============================================================================
0  VPNAD
1  local
#vpnad = group ad

But if this is important, then I followed your instructions:

Router# show aaa authentication ALL_of_us
No. Method
===============================================================================
0  local
1  VPNAD

Router# show l2tp-over-ipsec

L2TP over IPSec:
 activate     : yes
 crypto      : test2
 address pool   : VPN_Subnet_rincom
 authentication  : ALL_of_us
 certificate    : default
 user       : any
 keepalive timer  : 60
 first dns server : 192.168.0.21
 second dns server :
 first wins server :
 second wins server:

Router# show logging entries category l2tp-over-ipsec

No. Date/Time      Source
             Destination
   Priority      Category        Note
   Source Interface  Destination Interface Protocol
   Source Country                   Destination Country
   Source CountryCode Destination CountryCode
   Message
===============================================================================
12  2020-04-06 16:24:21 ip_Zyxel_Wan:1701
            ip_client:1701
   alert        l2tp-over-ipsec    L2TP_LOG



   User admin has been denied from L2TP service.(Incorrect Username or Password)
Router#

warwickt

Hi Ered hmmm this is strange ..

oops missed the team post ....

The order of the Authentication Method for us is to look at local users first then got to the AD/LDAP... I don't suppose it matters.

Interesting only the basic L2TP log record. can you enable the debug .. see below.

It's clear that the L2TP authentication is failing you.

Just a thought:

• Can you try another local user account (one in the USG e.g "testuser01") then
• Try another account in ADactiev Directory that is not called admin?
• There might be a mess with admin@usg and admin@ad ...
• Fwiw we NEVER use admin .. create anther type of boss / wheel user loL!

very curious..

I'd like to help to resolve this...

Can you get the L2TP DEBUG logs for the event and host them here?

Router> configure terminal  
Router(config)# logging system-log category l2tp-over-ipsec level all
server category 'l2tp-over-ipsec' is : all 
Router(config)# exit

then gather the logs after you run your test>.... dump them in a file and attach them.

show logging entries category l2tp-over-ipsec 
## get the debugging entries for L2TP as well
show logging debug entries category l2tp-over-ipsec


Interested as always.

warwick

Hong Kong

Ered

https://businessforum.zyxel.com/discussion/comment/13011#Comment_13011

Hi warwickt.

Of course I tried using different users. Below I will attach the data that you requested. They are attended by admin (local) and testVPN (testVPN@rincom.com) (ad user).

And yes, I know that using an admin is a bad idea. I will change after installation is complete. Thanks)

debug - I used 2 different connections for admin-pop, for testvpn ms-chap v2. Erroneous.

debug2 - admin fna testVPN connected by ms-chap v2.

debug2.txt

debug.txt

log.txt

warwickt

Hi Ered , thanks for the followup. I have looked over the category "L2TP-over-ipsec" and debug logs.

Your situation appears to be simply that L2TP AD authentication is failing and L2TP Local authentication is working correctly.

From the logs (L2TP and debug) using logs "log.txt" and "debug.txt". to match the success and two failures .. thus:

(I removed superfluous logs entry data for brevity)

Diagnosis:

1) Local L2TP Authentication works correctly ✅: review bottom to top (37 to 22)

This clearly show that LOCAL account 'admin' was successfully authenticated using authentication method from 'local' finally at 2020-04-06 18:00:57.

The cat 'L2TP' event 88 below described a successful L2TP connection for account 'admin"..... and....

##########----> System-Log Category 'L2TP" event logs
##
88  2020-04-06 18:00:57 ip_zyxel_WAN:170
   info        l2tp-over-ipsec    L2TP_LOG
   User admin has been granted an L2TP over IPsec session.

From this and Of particular note, is debug log entry 23 that described the authentication_module (local) and the server_type=local. .. all very cool for admin@local.. .

• oh and notice the authentication was using PAP not mschap2... see later..

##########----> System-Log DEBUG Category "L2TP" logs
##
### L2TP Session Begins Completes for local account 'admin'
22  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     ext_group_names_size: 0
23  2020-04-06 18:00:57 ip_zyxel_WAN:1701
      auth_module: local(1), server_type:local , real_name: admin #<+++!!!!
24  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     PPP Authentication method: PAP      <<<<<<!!!!!!  PAP !!!!!!!!!!!
25  2020-04-06 18:00:57
     Remote tunnel ID  63 session ID   1
26  2020-04-06 18:00:57
     Local tunnel ID 19265 session ID 63181
27  2020-04-06 18:00:57
     Remote L2TP peer ip_client:1701
28  2020-04-06 18:00:57
     Local L2TP peer ip_zyxel_WAN:1701
29  2020-04-06 18:00:57
     L2TP [Responder, incoming-call] negotiation completed:
##...... snip snip 
33  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     Authentication OK
34  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     Looking up secret for 'admin', auth_type=2
35  2020-04-06 18:00:57
     peer requests authentication protocol PAP
36  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     L2TP peer IP: 192.168.9.1
37  2020-04-06 18:00:57 ip_zyxel_WAN:1701
### L2TP Session Begins Here for local account 'admin'

2) however.... AD (external) authentication is failing immediately: review DEBUG #94 to #85....

the L2TP authentication fails in the same manner for the two examples at times:

• 2020-04-06 18:00:19 - AD account 'testVPN'
• 2020-04-06 18:00:52 - AD account 'testVPN@rincom.com'

Here is the L2TP system-log event # 143 for AD account testVPN

#########----> System-log Category "L2TP" logs
143 2020-04-06 18:00:19 ip_zyxel_WAN:1701
 alert        l2tp-over-ipsec    L2TP_LOG
 User testVPN has been denied from L2TP service.(Incorrect Username or Password)

examining the L2TP debugging logs, around the time of the event above( thinned for brevity.... L2TP debug logs review #94 to #85 for L2TP failure event at 2020-04-06 18:00:19.....

#########----> System-log DEBUG "L2TP" logs . recent to oldest

85 2020-04-06 18:00:19 ip_zyxel_WAN:1701          ip_client:1701
Session terminated
86  2020-04-06 18:00:19
Session ID #26760 of tunnel ID #18827 has inserted to close list

87  2020-04-06 18:00:19 ip_zyxel_WAN:1701          ip_client:1701
Message: PPP failure: Reason: Authentication failed

88  2020-04-06 18:00:19
Remote tunnel ID  61 session ID   1

89  2020-04-06 18:00:19
Local tunnel ID 18827 session ID 26760

90  2020-04-06 18:00:19
Remote L2TP peer ip_client:1701

91  2020-04-06 18:00:19
 Local L2TP peer ip_zyxel_WAN:1701

92  2020-04-06 18:00:19
  L2TP [Responder, incoming-call] negotiation failed:

93  2020-04-06 18:00:18
   PPP AUTH Time Out
94  2020-04-06 18:00:16
   peer requests authentication protocol MS-CHAPv2    ##<<<<!!!! MS-CHAPv2??

It's not apparent why the AD authentication actually failed (detail however it is clear that the authentication never actually proceeded because there is no log records for it .. instead it immediately is failed - refer debug log record #87 above.

It's clear that there should be some debug record showing HOW it might have been authenticated .. ice authentication methid/machine.. for example..

 auth_module: ZyXELad(3), server_type:ad , real_name: testVPN

where authentication_module would be the authentication method group etc etc .

Its feels like the Ad method had nowhere to go ... so to speak..

Log #94 above .. I'm guessing the the AD authentication proposal is suddenly MS-CHAPv2 .. rather than the PAP that was specified in the WIN10 connection proposal ... perhaps some default ... any clues welcome!

So I'd propose to examine again the Authentication Method (groups) for the L2TP the local and the AD groups..

Suggestion to test the L2TP local AND AD groups:

1. Create an entirely new Authentication Method Group called "vpn_local_and_ad"
2. add in these defaults groups:
   1. local
   2. group ad
3. then change the L2TP Authentication Method to use the new "vpn_local_and_ad"
4. enable logging and test it

for example ....

##
## Configure a new Authentication Method for Local Admin and AD
##
Router> configure terminal 
#
# create the authentication group vpn_local_and_ad
#
Router(config)# aaa authentication vpn_local_and_ad local group ad

Router(config)# show aaa authentication vpn_local_and_ad
No. Method
===============================================================================
0 local
1 ad
Router(config)#

##
## now configure it as the L2TP authentication method
##
Router(config)# l2tp-over-ipsec authentication vpn_local_and_ad
Router(config)# write
Router(config)# exit

Summary:

It appears the AD authentication methods not being called for your L2TP.. Try a basic authentication method of your own with L2TP and see how you go.

Please post your results for us all to see.

HTH

Warwick

Hong Kong

Ered

https://businessforum.zyxel.com/discussion/comment/13043#Comment_13043

Hi warwickt, i will try to answer without repeating the same actions over and over.

1. PAP and MS-Chapv2

I have 2 client connections:

1) With saved local admin and PAP data

2) For ad-users and mschapv2 protocol

testVPN was checked through the second connection with mschapv2. But the admin I out of habit connected through the first(PAP).

• It is worth noting that the local admin also correctly connects using the mschapv2 protocol

2. Suggestion to test the L2TP local AND AD groups

I don’t think it makes sense to create another group of vpn_local_and_ad authentication methods. Indeed, before the last test, I created ALL_of_us (local. Group-ad) in the same way, and the data was collected under this group. These are the same actions.

Also from my experience: I tried to create and assign an authentication method only to group-ad - it did not help. I tried to create an ad user group and assign authentication to it - it did not help.

My thoughts:

It seems that he does not know where to look for the AD user. Perhaps it’s worth prescribing some additional route or something similar for this. But I do not know...

If you have any ideas then this will be great!

If you think that I am not right and it is necessary to do everything described earlier again, then tell me and I will.

Thanks.

warwickt

Hi Ered thanks for all your responses. Frankly I am out of ideas other than try and use a TEST for AD-authentication using PAP instead of MS-CHAP just for a test.

Probably Best push Zyxel technical support.

And as usual please post your resolution as Im interested in it.

Good Luck.

Regards

Warwick

Hong Kong

Ered

https://businessforum.zyxel.com/discussion/comment/13072#Comment_13072

Hi warwickt!

I also tried using PAP for TEST.

With technical support, we communicate slowly). If there is any result, I will definitely publish it here.

Thanks for participating!

P.s. There was a problem with the vpn session lifetime, I created a separate question. You may be interested.There was a problem with the vpn session lifetime, I created a separate question. You may be interested. https://businessforum.zyxel.com/discussion/comment/13067#Comment_13067

Zyxel_Charlie

@Ered

After checked the situation you described, it seems the USG cannot find the way to call AD user. As I checked it locally with external AD, it seems working without any issue. Therefore, can you private message the configuration to me for check further.

Ered

https://businessforum.zyxel.com/discussion/comment/13159#Comment_13159

Hello, @Zyxel_Charlie!

In the process of communicating with technical support, it was revealed that there is a problem with v4.35 firmware. I was recommended to upgrade it to version V4.35 (AAKZ.3) ITS-WK13-r92843. Which I did.

But this did not solve the problem. In support of provided packet capture and

updated configuration. Since Friday (10.0.2020) I am waiting for their answer.

I will send the configuration in a message.