L2TP Pool too small / Allow leasing IP addresses from RADIUS

Hello Community,

we have many L2TP-VPN users and the /24 IP scope is too small for all our VPN users. If I read the documentation right, it is not possible to use a larger pool than /24. For us, a /23 pool would fit. Actually, we use a mix of SSLVPN and L2TP-VPN. Soon we will disable the SSLVPN.

Now I’m experimenting with the option that the IP address is assigned by RADIUS/DHCP server. In the background we have a Microsoft NPS server which authenticates the users via RADIUS. If the firewall assigns the IP addresses from the configured L2TP pool, it works as expected.
My setup is the following:

  • On firewall in L2TP global settings “Allow leasing IP address from RADIUS server for L2TP, PPTP and IPsec remote access” is checked.
  • On firewall the RADIUS authentication server is configured with NAS identifier “firewall name” and NAS Port Type is “(5) virtual”
  • On firewall I created a new VLAN 1788 on LAN Interface and enabled DHCP for this VLAN
  • On NPS server I added the following settings for the (working, if firewall assigns IPs) Network Policy:
    • Tunnel-Medium-Type: 802
    • Tunnel-Pvt-Group-ID: 1788
    • Tunnel-Type: Virtual LANs (VLAN)

With these settings the RADIUS authentication works; if I check it with tcpdump I get an “Access-Accept” back from the NPS server. But the VPN client gives an error message that the authentication has failed. I checked on the firewall for DHCP requests, but I did not see any DHCP requests for my VLAN 1788.

My firewall runs on SFOS 19.5. Has anybody a working setup for this scenario?

Thanks,

Ben



  • Hello,

    Thank you for reaching out to the community. As per the documentation for the L2TP settings:

    > It clearly states - enter a private IP address range with at least a 24-bit netmask. Sophos Firewall will lease IP addresses to L2TP clients from this range.
    > IP address ranges for L2TP and PPTP must not overlap with the SSL VPN range.
    > If you use the RADIUS server option, the firewall uses the IP addresses provided by the RADIUS server.
    > If the RADIUS server doesn't provide an address, the firewall assigns the static address configured for the user or leases an address from the specified range.
    > You can validate the Radius server authentication parameter here - Configure RADIUS authentication for PPTP and L2TP VPN
    > On the NPS server it requires the following: 
    i) NAS Identifier - The Firewall
    ii) NAS IPv4 Address - <IP ADDRESS>
    iii) Client Friendly name - The Firewall
    iv) NAS Port type - Virtual (VPN) 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek,

    > It clearly states - enter a private IP address range with at least a 24-bit netmask. Sophos Firewall will lease IP addresses to L2TP clients from this range.

    This is an error in the documentation. The /24 scope is the largest subnet that is possible to configure: 

    Ben


  • Hey,

    Thank you for the update. I have informed our internal team to rectify this error in the documentation!

    Meanwhile, have you gone through the rest of the information shared?

    Thanks & Regards,

  • Hi Vivek,

    yes, the RADIUS authentication itself works. If the firewall assigns the IPs from the configured pool, I get an IP address. The problem is that the /24 pool is too small, so I tried to get an IP address from a DHCP server via the RADIUS server. I found a Microsoft document which describes the settings on the NPS server:

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754422(v=ws.10)?redirectedfrom=MSDN

    If I configure the Tunnel parameter on NPS Server, the RADIUS request is answered with the VLAN ID 1788:

    10:14:41.461933 Port1.10, IN: IP (tos 0x0, ttl 128, id 20758, offset 0, flags [none], proto UDP (17), length 320)
    RADIUS-Server.1812 > FIREWALL.51592: [udp sum ok] RADIUS, length: 292
    Access-Accept (2), id: 0x00, Authenticator: dbcc34edcea7196cf0b042d39d6efec7
    Framed-IP-Address Attribute (8), length: 6, Value: User Selected
    0x0000: ffff ffff
    Framed-MTU Attribute (12), length: 6, Value: 1300
    0x0000: 0000 0514
    Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
    0x0000: 0000 0006
    Tunnel-Private-Group-ID Attribute (81), length: 6, Value: 1788
    0x0000: 3137 3838
    Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
    0x0000: 0000 000d
    Class Attribute (25), length: 46, Value: ....
    0x0000: 8efe 07f3 0000 0137 0001 0200 0a31 01c9
    0x0010: 0000 0000 72a9 11c6 1d19 cca3 01d9 1640
    0x0020: 1d58 588c 0000 0000 0003 147b
    Vendor-Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
    ...



    But I did not see any DHCP request from the client or firewall.

    Ben

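To see what the Access-Accept in the capture above actually tells the firewall (the NAS), here is an added decoder, not code from the thread or from Sophos, that rebuilds the same attributes as a constructed byte string and interprets them per RFC 2865 (Framed-IP-Address, Framed-MTU) and RFC 2868 (tagged Tunnel-* attributes). The attribute names and the "User Selected" / "NAS Select" wording follow those RFCs and tcpdump; the payload is constructed from the hex shown in the post, not captured live.

```python
import struct
from ipaddress import IPv4Address

# RADIUS attribute types seen in the capture (RFC 2865 / RFC 2868)
ATTR_NAMES = {8: "Framed-IP-Address", 12: "Framed-MTU", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
TUNNEL_TYPES = {13: "VLAN"}        # RFC 2868 Tunnel-Type 13 = VLAN
TUNNEL_MEDIA = {6: "IEEE-802"}     # RFC 2868 Tunnel-Medium-Type 6 = 802

def attr(atype, value):
    """Encode one RADIUS attribute TLV: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

# Constructed payload mirroring the Access-Accept attributes quoted in the post
SAMPLE = (attr(8, bytes.fromhex("ffffffff"))      # Framed-IP-Address: ffff ffff
          + attr(12, struct.pack("!I", 1300))       # Framed-MTU: 0000 0514
          + attr(65, struct.pack("!I", 6))          # Tunnel-Medium-Type: tag 0, 802
          + attr(81, b"1788")                       # Tunnel-Private-Group-ID: "1788"
          + attr(64, struct.pack("!I", 13)))        # Tunnel-Type: tag 0, VLAN

def decode_attributes(payload):
    """Walk the TLVs and return {name: decoded value}; unknown types keep raw bytes."""
    out, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        val, i = payload[i + 2:i + alen], i + alen
        name = ATTR_NAMES.get(atype, atype)
        if atype == 8:   # RFC 2865 5.8: all-ones and all-ones-minus-one are special
            ip = IPv4Address(val)
            out[name] = {IPv4Address("255.255.255.255"): "User Selected",
                         IPv4Address("255.255.255.254"): "NAS Select"}.get(ip, str(ip))
        elif atype == 12:
            out[name] = struct.unpack("!I", val)[0]
        elif atype in (64, 65):   # RFC 2868: 1 tag byte followed by a 3-byte integer
            code = int.from_bytes(val[1:], "big")
            out[name] = (TUNNEL_TYPES if atype == 64 else TUNNEL_MEDIA).get(code, code)
        elif atype == 81:         # string; a leading byte <= 0x1F is a tag, not data
            out[name] = (val[1:] if val and val[0] <= 0x1F else val).decode()
        else:
            out[name] = val
    return out

def explain(attrs):
    """Summarise what the reply tells the NAS about the client's address."""
    fip = attrs.get("Framed-IP-Address")
    if fip == "User Selected":
        addr = "no address from RADIUS; NAS must let the client propose one"
    elif fip == "NAS Select":
        addr = "no address from RADIUS; NAS must pick one itself"
    else:
        addr = "RADIUS supplies %s" % fip
    vlan = attrs.get("Tunnel-Private-Group-ID")
    return addr + ("; VLAN hint %s" % vlan if vlan else "")
```

Run against the sample, `explain()` shows that the reply carries only a VLAN hint and no concrete Framed-IP-Address, which is a useful thing to confirm before looking for DHCP traffic.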

  • Can you share a screenshot of the DHCP server configured for VLAN ID 1788?
    And create and download a packet capture for ports 67 & 68:
    https://support.sophos.com/support/s/article/KB-000037007?language=en_US

    Thanks & Regards,

  • Hi Vivek,

    here is a screenshot of my DHCP settings:



    All other options are empty.

    I also made a tcpdump for ports 67 and 68 on the firewall console, but I did not see any DHCP packets from my MAC address. I will send you the tcpdump via PM.

    Thanks,

    Ben


  • Then, any logs in /var/dhcpd.log for this DHCP server?

    Thanks & Regards,

  • Hi Vivek,

    I did not see any entries in the dhcpd.log when the client connects to the L2TP-VPN. In the l2tpd.log I see these entries for the client:

    xl2tpd[10184]: Connection established to <Client-IP>, 1701. Local: 28932, Remote: 2 (ref=0/0). LNS session is 'default'
    xl2tpd[10184]: check_control: Received out of order control packet on tunnel 2 (got 3, expected 2)
    xl2tpd[10184]: handle_packet: bad control packet!
    xl2tpd[10184]: start_pppd: I'm running:
    xl2tpd[10184]: "/bin/pppd"
    xl2tpd[10184]: "/dev/pts/2"
    xl2tpd[10184]: "ipparam"
    xl2tpd[10184]: "l2tp#<Client-IP>"
    xl2tpd[10184]: "passive"
    xl2tpd[10184]: "nodetach"
    xl2tpd[10184]: "<Firewall-IP>:0.0.0.0"
    xl2tpd[10184]: "auth"
    xl2tpd[10184]: "name"
    xl2tpd[10184]: "cyberoamserver"
    xl2tpd[10184]: "debug"
    xl2tpd[10184]: "file"
    xl2tpd[10184]: "/cfs/options.l2tpd"
    xl2tpd[10184]: Call established with <Client-IP>, PID: 6695, Local: 40832, Remote: 1, Serial: 0
    xl2tpd[10184]: control_finish: Connection closed to <Client-IP>, serial 0 ()
    xl2tpd[10184]: Terminating pppd: sending TERM signal to pid 6695
    xl2tpd[10184]: control_finish: Connection closed to <Client-IP>, port 1701 (), Local: 28932, Remote: 2

    BR,

    Ben


  • Based on the logs there might be a possibility of packet loss over the ISP. Besides, what is the authentication method set for L2TP?
    console> set vpn l2tp authentication

    ANY CHAP MS_CHAPv2 PAP

    Try setting the authentication method to "ANY" and check!

    Thanks & Regards,

  • Hi Vivek,

    "Any" was already enabled for L2TP authentication:

    console> show vpn configuration
    PPTP not configured.
    L2TP
    AUTHENTICATION ANY
    MTU 1410

    BR,

    Ben
