CR35iNG running v10.6.6 MR-5
Goal is to set up L2TP/IPSec client VPN using Windows 10 native client, using domain credentials with the "Automatically use my Windows logon name and password" option in the client, and auth via cert, not PSK.
The justification for using L2TP & native client is the administrative ease with which the clients can be set up with Group Policy, and that users don't need to furnish credentials. Cyberoam's SSL VPN client requires manual setup, and use is clumsy for the end user. We're trying to duplicate the simplicity (for admins and users) that we currently enjoy with SSTP. With AD CS certs, can only use with domain members, but will use SSL VPN for the few non-domain machines.
AD auth & CTAS are working. Users and groups are imported to the firewall. Can log on to the firewall console with domain creds. Can log on to CR SSL VPN with domain creds.
In Identity/Authentication, L2TP/PPTP/IPSec auth is set to use the domain 1st, local 2nd (same with all of the auth settings) and L2TP SSO is enabled.
AD CS certs are installed on router and PCs, but for simplicity during testing, using a PSK on both.
I have found the following:
- I can log on to the VPN if I use credentials created locally on the router, but I can't use domain creds, whether I type them or use the "Automatically use my Windows logon name and password" checkbox.
- I am not able to log on to the VPN if I am also logged on to it from a different computer with a different WAN IP using a different (and local) VPN account.
In researching this, I ran across this blog--
https://workendtech.com/2012/03/22/set-l2tp-vpn-cyberoam-2/
The blog mentions the exact same problems...in 2012. Ummm, that would be 8 years and who-knows-how-many CROS updates ago!
These problems are both deal-killers for L2TP. Before I waste any more time on this, particularly with phone support--
- Are these known issues?
- Does Sophos XG have the same problems?
- If there's a solution for multiple users and domain creds, are certificates known to work?