Access an AD server for AD authentication when the AD server is in a tunnel

JeroenSoree Posts: 9
First Comment
edited April 2021 in Security


We have a USG 110 working great with a tunnel form the office to our Datacenter. No problem there. Now we want AD authentication on SSL VPN via AD but our USG is not able to see the domain contollers in our DC. Ping from the USG to the DC also does not work, Tracaroute goes onto the internet. Our DC's are in the datacenter and I would like to set up ad as an AAA Server. From a client in the office the DC's are reachable.

Lost a bit. Any idea's?


All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment
    edited April 2020

    AD domain host can not see the USG?

    Do you enable MSchap V2 on AD? Try to disable it.

  • JeroenSoree


    Tried it with and without. Problem is the USG does not see the DC when the DC is on the other side of our tunnel to the Datacenter. The USG in in our office, the Datacenter is miles away via a tunnel.

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer


    I think that's the old problem of ZyWALL routing of policy based IPSec VPN.

    Since policy based IPSec without an interface bind with the tunnel.

    Which interface IP address will be to connect to the remote services ?

    So the right solution is using route based IPSec VPN with VTI interface.

    Or a very trick way if you keep using the policy based IPSec VPN,

    For example,

    The remote server IP address is

    The local policy of the IPSec VPN is the lan1 network.

    And you want ZyWALL to connect to with lan1 interface ip address

    Add a static route,

    Destination:, next-hop: interface lan1

    Then ZyWALL will using lan1 interface IP address as the source IP to connect to the remote services.

Security Highlight