
Multiple L2TP client VPN problems

CR35iNG running v10.6.6 MR-5

Goal is to set up L2TP/IPSec client VPN using Windows 10 native client, using domain credentials with the "Automatically use my Windows logon name and password" option in the client, and auth via cert, not PSK.

The justification for using L2TP & the native client is the administrative ease with which the clients can be set up with Group Policy, and that users don't need to furnish credentials. Cyberoam's SSL VPN client requires manual setup, and use is clumsy for the end user. We're trying to duplicate the simplicity (for admins and users) that we currently enjoy with SSTP. With AD CS certs, this can only be used with domain members, but we'll use SSL VPN for the few non-domain machines.

AD auth & CTAS are working. Users and groups are imported to the firewall. Can log on to the firewall console with domain creds. Can log on to CR SSL VPN with domain creds.

In Identity/Authentication, L2TP/PPTP/IPSec auth is set to use the domain 1st, local 2nd (same with all of the auth settings) and L2TP SSO is enabled.

AD CS certs are installed on the router and the PCs, but for simplicity during testing, we're using a PSK on both.

I have found the following:

  1. I can log on to the VPN if I use credentials created locally on the router, but I can't use domain creds, whether I type them or use the "Automatically use my Windows logon name and password" checkbox.
  2. I am not able to log on to the VPN if I am also logged on to it from a different computer with a different WAN IP using a different (and local) VPN account.

In researching this, ran across this blog--

https://workendtech.com/2012/03/22/set-l2tp-vpn-cyberoam-2/

The blog mentions the exact same problems...in 2012. Ummm, that would be 8 years and who-knows-how-many CROS updates ago!

These problems are both deal-killers for L2TP. Before I waste any more time on this, particularly with phone support--

  1. Are these known issues?
  2. Does Sophos XG have the same problems?
  3. If there's a solution for multiple users and domain creds, are certificates known to work?


  • Hi,

    Thank you for the detailed post.

    1. Only a single L2TP/IPsec SA can be connected from one remote WAN IP, so if multiple users behind the same WAN IP try to connect to the L2TP VPN, only one of them will be able to connect. For multiple connections, the WAN IP each user is connecting from has to be different.

    2. For AD authentication, only the PAP authentication protocol is supported in L2TP VPN.

    3. XG has the same behaviour for L2TP VPN.

    4. For the L2TP configuration, you may refer to this article, which is written for XG but can be used for Cyberoam as well: https://community.sophos.com/kb/en-us/132253

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
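The following PowerShell is an added example and is not from the original post, from Sophos/Cyberoam, or from the linked KB article. It provisions the Windows 10 native L2TP/IPsec connection the original post describes (machine certificate for IKE, "Automatically use my Windows logon name and password" for PPP) as an all-users connection so a Group Policy computer startup script can deploy it, and then reports what the profile will actually negotiate, so the PAP-only limitation from the reply above is visible on the client side. The server name vpn.example.com, the connection name, and the assumption that the machine already holds an AD CS computer certificate are placeholders, not details from the thread.

```powershell
# Added example, not from the thread or from Sophos/Cyberoam.
# Creates the L2TP/IPsec profile from the original post as a machine-wide
# (-AllUserConnection) connection, which is what a GPO startup script needs,
# then reports the negotiated settings so the PAP limitation is visible.
#
# Assumptions (placeholders, not taken from the thread):
#   - the firewall answers on vpn.example.com
#   - the machine already holds an AD CS computer certificate for IKE
#   - the script runs elevated (Add-VpnConnection -AllUserConnection needs it)

$ConnectionName = 'Corp-L2TP'
$VpnServer      = 'vpn.example.com'

function New-CorpL2tpConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        # Use this switch only to reproduce what the firewall accepts for AD
        # users: the password then crosses the PPP link in clear text and is
        # protected solely by the IPsec tunnel around it.
        [switch] $UsePap
    )

    # Replace any stale profile of the same name so reruns are idempotent.
    if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -AllUserConnection -Force
    }

    $params = @{
        Name              = $Name
        ServerAddress     = $Server
        TunnelType        = 'L2tp'
        EncryptionLevel   = 'Required'
        AllUserConnection = $true
        Force             = $true
    }

    # -L2tpPsk is deliberately omitted: without it Windows authenticates the
    # IPsec SA with the machine certificate, the "auth via cert, not PSK" goal.
    if ($UsePap) {
        $params.AuthenticationMethod = 'Pap'
    } else {
        # MSChapv2 is the method -UseWinlogonCredential is documented to rely on
        # (the "Automatically use my Windows logon name and password" checkbox).
        $params.AuthenticationMethod  = 'MSChapv2'
        $params.UseWinlogonCredential = $true
    }

    Add-VpnConnection @params
}

function Test-CorpL2tpConnection {
    param([Parameter(Mandatory)] [string] $Name)

    $c = Get-VpnConnection -Name $Name -AllUserConnection
    $methods = @($c.AuthenticationMethod)

    [pscustomobject]@{
        Name        = $c.Name
        Tunnel      = $c.TunnelType
        IpsecAuth   = $c.L2tpIPsecAuth          # 'Certificate' when no PSK is set
        PppAuth     = ($methods -join ',')
        WinlogonSso = [bool]$c.UseWinlogonCredential
        # True means domain passwords leave the client unhashed over PPP.
        PapInUse    = [bool]($methods -contains 'Pap')
    }
}

New-CorpL2tpConnection -Name $ConnectionName -Server $VpnServer
Test-CorpL2tpConnection -Name $ConnectionName | Format-List
```

With the default (MSChapv2 plus Winlogon credential) profile, a client behind the firewall described in the thread will fail PPP authentication for domain users, matching finding 1 in the original post; rerunning with -UsePap is the only way to make domain credentials work against it, and the Winlogon SSO checkbox is unavailable in that mode, so users would have to type their password. All-users profiles are written to C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk, so the same Group Policy that runs this script can also verify or replace that file.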

  • Thanks for your reply, Keyur.

    I was using a different WAN IP for each of the 2 simultaneous connections, as stated in the original post.

    PAP? In 2020?! That's another deal-breaker. RAS has long supported MSCHAPv2 with L2TP, so it's possible...just apparently not for Cyberoam/Sophos.

    Clearly I need to give up trying to use L2TP and the Windows native VPN client when using Cyberoam or Sophos firewalls. That's a major disappointment.

    Can the XG SSL VPN client be installed and configured via Group Policy, even if it's just a script? Or is it like the Cyberoam SSL VPN client, which requires manual install, and manually importing the config file?

    Thanks.
