USG 60W VPN L2TP. Client(windows 10) error 651.

Hi Ered hmmm this is strange ..

oops missed the team post ....

The order of the Authentication Method for us is to look at local users first then got to the AD/LDAP... I don't suppose it matters.

Interesting only the basic L2TP log record. can you enable the debug .. see below.

It's clear that the L2TP authentication is failing you.

Just a thought:

• Can you try another local user account (one in the USG e.g "testuser01") then
• Try another account in ADactiev Directory that is not called admin?
• There might be a mess with admin@usg and admin@ad ...
• Fwiw we NEVER use admin .. create anther type of boss / wheel user loL!

very curious..

I'd like to help to resolve this...

Can you get the L2TP DEBUG logs for the event and host them here?

Router> configure terminal  
Router(config)# logging system-log category l2tp-over-ipsec level all
server category 'l2tp-over-ipsec' is : all 
Router(config)# exit

then gather the logs after you run your test>.... dump them in a file and attach them.

show logging entries category l2tp-over-ipsec 
## get the debugging entries for L2TP as well
show logging debug entries category l2tp-over-ipsec


Interested as always.

warwick

Hong Kong

Hi Ered , thanks for the followup. I have looked over the category "L2TP-over-ipsec" and debug logs.

Your situation appears to be simply that L2TP AD authentication is failing and L2TP Local authentication is working correctly.

From the logs (L2TP and debug) using logs "log.txt" and "debug.txt". to match the success and two failures .. thus:

(I removed superfluous logs entry data for brevity)

Diagnosis:

1) Local L2TP Authentication works correctly ✅: review bottom to top (37 to 22)

This clearly show that LOCAL account 'admin' was successfully authenticated using authentication method from 'local' finally at 2020-04-06 18:00:57.

The cat 'L2TP' event 88 below described a successful L2TP connection for account 'admin"..... and....

##########----> System-Log Category 'L2TP" event logs
##
88  2020-04-06 18:00:57 ip_zyxel_WAN:170
   info        l2tp-over-ipsec    L2TP_LOG
   User admin has been granted an L2TP over IPsec session.

From this and Of particular note, is debug log entry 23 that described the authentication_module (local) and the server_type=local. .. all very cool for admin@local.. .

• oh and notice the authentication was using PAP not mschap2... see later..

##########----> System-Log DEBUG Category "L2TP" logs
##
### L2TP Session Begins Completes for local account 'admin'
22  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     ext_group_names_size: 0
23  2020-04-06 18:00:57 ip_zyxel_WAN:1701
      auth_module: local(1), server_type:local , real_name: admin #<+++!!!!
24  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     PPP Authentication method: PAP      <<<<<<!!!!!!  PAP !!!!!!!!!!!
25  2020-04-06 18:00:57
     Remote tunnel ID  63 session ID   1
26  2020-04-06 18:00:57
     Local tunnel ID 19265 session ID 63181
27  2020-04-06 18:00:57
     Remote L2TP peer ip_client:1701
28  2020-04-06 18:00:57
     Local L2TP peer ip_zyxel_WAN:1701
29  2020-04-06 18:00:57
     L2TP [Responder, incoming-call] negotiation completed:
##...... snip snip 
33  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     Authentication OK
34  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     Looking up secret for 'admin', auth_type=2
35  2020-04-06 18:00:57
     peer requests authentication protocol PAP
36  2020-04-06 18:00:57 ip_zyxel_WAN:1701
     L2TP peer IP: 192.168.9.1
37  2020-04-06 18:00:57 ip_zyxel_WAN:1701
### L2TP Session Begins Here for local account 'admin'

2) however.... AD (external) authentication is failing immediately: review DEBUG #94 to #85....

the L2TP authentication fails in the same manner for the two examples at times:

• 2020-04-06 18:00:19 - AD account 'testVPN'
• 2020-04-06 18:00:52 - AD account 'testVPN@rincom.com'

Here is the L2TP system-log event # 143 for AD account testVPN

#########----> System-log Category "L2TP" logs
143 2020-04-06 18:00:19 ip_zyxel_WAN:1701
 alert        l2tp-over-ipsec    L2TP_LOG
 User testVPN has been denied from L2TP service.(Incorrect Username or Password)

examining the L2TP debugging logs, around the time of the event above( thinned for brevity.... L2TP debug logs review #94 to #85 for L2TP failure event at 2020-04-06 18:00:19.....

#########----> System-log DEBUG "L2TP" logs . recent to oldest

85 2020-04-06 18:00:19 ip_zyxel_WAN:1701          ip_client:1701
Session terminated
86  2020-04-06 18:00:19
Session ID #26760 of tunnel ID #18827 has inserted to close list

87  2020-04-06 18:00:19 ip_zyxel_WAN:1701          ip_client:1701
Message: PPP failure: Reason: Authentication failed

88  2020-04-06 18:00:19
Remote tunnel ID  61 session ID   1

89  2020-04-06 18:00:19
Local tunnel ID 18827 session ID 26760

90  2020-04-06 18:00:19
Remote L2TP peer ip_client:1701

91  2020-04-06 18:00:19
 Local L2TP peer ip_zyxel_WAN:1701

92  2020-04-06 18:00:19
  L2TP [Responder, incoming-call] negotiation failed:

93  2020-04-06 18:00:18
   PPP AUTH Time Out
94  2020-04-06 18:00:16
   peer requests authentication protocol MS-CHAPv2    ##<<<<!!!! MS-CHAPv2??

It's not apparent why the AD authentication actually failed (detail however it is clear that the authentication never actually proceeded because there is no log records for it .. instead it immediately is failed - refer debug log record #87 above.

It's clear that there should be some debug record showing HOW it might have been authenticated .. ice authentication methid/machine.. for example..

 auth_module: ZyXELad(3), server_type:ad , real_name: testVPN

where authentication_module would be the authentication method group etc etc .

Its feels like the Ad method had nowhere to go ... so to speak..

Log #94 above .. I'm guessing the the AD authentication proposal is suddenly MS-CHAPv2 .. rather than the PAP that was specified in the WIN10 connection proposal ... perhaps some default ... any clues welcome!

So I'd propose to examine again the Authentication Method (groups) for the L2TP the local and the AD groups..

Suggestion to test the L2TP local AND AD groups:

1. Create an entirely new Authentication Method Group called "vpn_local_and_ad"
2. add in these defaults groups:
   1. local
   2. group ad
3. then change the L2TP Authentication Method to use the new "vpn_local_and_ad"
4. enable logging and test it

for example ....

##
## Configure a new Authentication Method for Local Admin and AD
##
Router> configure terminal 
#
# create the authentication group vpn_local_and_ad
#
Router(config)# aaa authentication vpn_local_and_ad local group ad

Router(config)# show aaa authentication vpn_local_and_ad
No. Method
===============================================================================
0 local
1 ad
Router(config)#

##
## now configure it as the L2TP authentication method
##
Router(config)# l2tp-over-ipsec authentication vpn_local_and_ad
Router(config)# write
Router(config)# exit

Summary:

It appears the AD authentication methods not being called for your L2TP.. Try a basic authentication method of your own with L2TP and see how you go.

Please post your results for us all to see.

HTH

Warwick

Hong Kong

Hi Ered thanks for all your responses. Frankly I am out of ideas other than try and use a TEST for AD-authentication using PAP instead of MS-CHAP just for a test.

Probably Best push Zyxel technical support.

And as usual please post your resolution as Im interested in it.

Good Luck.

Regards

Warwick

Hong Kong