
L2TP with Certificate and RADIUS

Hi everyone,

I have the following scenario.

UTM with firmware 9.502-4, Windows Server 2012 R2 with the Network Policy role, and a Windows 10 client.

At first I generated a certificate under Remote Access -> Certificate Management with the name vpn.

I configured an L2TP over IPsec configuration with X.509 certificate check, selected the certificate vpn, and selected RADIUS for my users. Then I downloaded the certificate vpn and installed it on the Windows 10 client. But in the configuration tab of the VPN connection, I can't select the certificate. Is this correct? Do I have to distribute only this certificate to my users? Or does everyone have their own certificate?

If I start the connection, the client tries for a while, but then I get the error message that there was a failure during the security exchange with the remote computer. At the NPS I see the request, but the username is absolutely wrong (Domain\admin) and the NAS-Type is wrong. I have configured l2tp, but I saw webadmin.

In the UTM logfile i found:

[..]
2017:08:04-10:40:12 vpn pluto[5409]: | certificate is valid
2017:08:04-10:40:12 vpn pluto[5409]: | authcert list locked by 'verify_x509cert'
2017:08:04-10:40:12 vpn pluto[5409]: | issuer cacert found
[..]

2017:08:04-10:40:12 vpn pluto[5409]: | certificate signature is valid
2017:08:04-10:40:12 vpn pluto[5409]: | authcert list unlocked by 'verify_x509cert'
2017:08:04-10:40:12 vpn pluto[5409]: | reached self-signed root ca with a path length of 0
2017:08:04-10:40:12 vpn pluto[5409]: | Public key validated
2017:08:04-10:40:12 vpn pluto[5409]: | Notify Message Type: AUTHENTICATION_FAILED
2017:08:04-10:40:12 vpn pluto[5409]: | removing 12 bytes of padding
2017:08:04-10:40:12 vpn pluto[5409]: "L_for admin"[11] 80.187.102.188:2710 #8: ignoring informational payload, type AUTHENTICATION_FAILED

[..]

Am I thinking wrongly? Or what is my mistake?

Best regards and thank you very much,

Stefan



  • Configure the VPN connection in the Network and Sharing Center instead, using "Set up a new connection or network".

    1. Choose "Connect to a workspace"
    2. Select my internet connection (VPN)
    3. Input the utm public hostname or ip
    4. Also select "Allow other people to use this connection" if you want to connect the VPN at windows logon screen
    5. Now go to network adapters and find your newly created connection
    6. Select preferences
    7. On the Security tab select type of VPN = L2TP/IPsec. Data encryption = Maximum strength if you desire. For authentication select "Microsoft CHAP Version 2 (MS-CHAP v2)" under Allow these protocols. You can also choose to automatically use your Windows credentials.
    8. On the same tab select "Advanced Settings" button and there select "Use certificate for authentication".

    Download the VPN signing CA from the UTM and import it on the client as a trusted root cert for the computer.

    Download your client cert from the UTM and import it as a personal cert for the user.

    BR

    /Erik

  • Hi Erik,

    thank you for your answer. With MS-CHAPv2 it works. I read this article https://community.sophos.com/kb/en-us/116144 and thought that I could use Microsoft: Protected EAP (PEAP) for more security. Do I have the opportunity to use it?

    Best regards,

    Stefan

  • According to what I have read in a Sophos PDF, UTM is only supporting MS-CHAP for L2TP over IPsec. But that could have been changed?

    Another issue for L2TP over IPsec is that you cannot configure which networks should use the tunnel. Only routes for the UTM local networks are transferred to the client.
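The same client-side setup that Erik describes through the Network and Sharing Center (L2TP/IPsec, MS-CHAP v2, certificate instead of pre-shared key, CA trusted machine-wide, client cert imported for the user) can be scripted with the built-in VpnClient and PKI cmdlets. This is an added example written for this thread; it is neither Erik's nor Sophos's code. The hostname, file paths and connection name are placeholders, and the certificate store locations follow Erik's post.

```powershell
# Added example: script the L2TP/IPsec client setup from Erik's steps 1-8.
# Placeholders: replace the hostname and file paths with your own values.

$VpnName     = 'UTM L2TP'
$UtmHost     = 'vpn.example.com'                 # UTM public hostname or IP (placeholder)
$CaCertPath  = 'C:\vpn\utm-vpn-signing-ca.cer'   # VPN signing CA downloaded from the UTM (placeholder)
$UserPfxPath = 'C:\vpn\client.p12'               # client certificate downloaded from the UTM (placeholder)

# Step "trusted root cert for the computer": trust the UTM VPN signing CA machine-wide.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step "personal cert for the user": import the client certificate (PKCS#12) into the
# user's Personal store. If the connection must work on the Windows logon screen
# (before any user is logged on), the certificate has to be available to the machine
# as well, i.e. also import it into Cert:\LocalMachine\My.
$PfxPassword = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
Import-PfxCertificate -FilePath $UserPfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword | Out-Null

# Steps 7-8: create the connection.
#   -TunnelType L2tp without -L2tpPsk  -> IPsec is authenticated with a certificate, not a PSK
#   -EncryptionLevel Maximum           -> "Maximum strength encryption"
#   -AuthenticationMethod MSChapv2     -> the only method the thread reports working with the UTM
#   -AllUserConnection                 -> "Allow other people to use this connection"
#   -UseWinlogonCredential             -> "automatically use my Windows logon name and password"
Add-VpnConnection -Name $VpnName -ServerAddress $UtmHost -TunnelType L2tp `
    -EncryptionLevel Maximum -AuthenticationMethod MSChapv2 `
    -AllUserConnection -UseWinlogonCredential -Force

# Verify the result; L2tpIPsecAuth should read "Certificate", not "Psk".
Get-VpnConnection -Name $VpnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod, L2tpIPsecAuth
```

Run it from an elevated PowerShell session, since importing into Cert:\LocalMachine\Root and creating an all-user connection both require administrator rights. Connecting afterwards is `rasdial 'UTM L2TP'` or the normal network flyout; the UTM-side log lines in the original post (pluto reporting the certificate chain as valid and then AUTHENTICATION_FAILED) are what to compare against when the IPsec phase succeeds but the RADIUS/MS-CHAP v2 phase is rejected.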