L2TP radius authentication failing XG210 (SFOS 16.01.1)

Hi, hoping someone can help with getting our L2TP VPN working with our RADIUS server.

Running an XG210 on SFOS 16.01.1

Experiencing the same issue as this thread: https://community.sophos.com/products/xg-firewall/f/vpn/77206/pptp-l2tp-radius-authentication-failing

- Local user authentication works fine for L2TP

- RADIUS server is set up. Using "Test Connection" is successful with the user I'm trying to VPN in as.

- Able to log in to the admin portal using RADIUS with the same user.

- RADIUS server selected as the L2TP authentication method

- Using a preshared key for L2TP

- RADIUS server is running on our AD server, using AD as the authentication backend

- Network policy rules set up for LAN/VPN, VPN/LAN and VPN/WAN

Currently the only client I have access to is my iPhone 6 running iOS 9.3.3

Logs (newest first):

2016-10-26 09:23:12  L2TP   SUCCESSFUL   -  LCP : Negotiation Closed for 166.xxx.xx.45  [17990]
2016-10-26 09:23:06  IPsec  SUCCESSFUL   -  "GavantL2TP" SA-MGT: Deleting connection instance with peer 166.xxx.xx.45, isakmp=0, ipsec=0  [17881]
2016-10-26 09:23:06  IPsec  SUCCESSFUL   -  GavantL2TP SA-MGT: Peer requested to delete Phase-1 SA. Deleting ISAKMP state 154  [17878]
2016-10-26 09:23:06  IPsec  TERMINATED   -  IPSec Connection GavantL2TP between 208.xxx.xxx.146 and 166.xxx.xx.45 terminated.  [17802]
2016-10-26 09:23:06  IPsec  SUCCESSFUL   -  GavantL2TP SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 155  [17879]
2016-10-26 09:23:06  L2TP   FAILED       -  LCP : Negotiation Closing for 166.xxx.xx.45 : Authentication failed  [17991]
2016-10-26 09:23:06  L2TP   FAILED       -  IPCP : Taking IPCP down for 166.xxx.xx.45 : LCP down  [17991]
2016-10-26 09:23:06  L2TP   FAILED       -  CHAP : Authentication Failed for User chostetter  [17986]
2016-10-26 09:23:06  L2TP   SUCCESSFUL   -  CHAP : Starting Authentication  [17984]
2016-10-26 09:23:06  L2TP   SUCCESSFUL   -  LCP : Link Established for 166.xxx.xx.45  [17983]
2016-10-26 09:23:06  L2TP   SUCCESSFUL   -  LCP : Negotiation Opening for 166.xxx.xx.45  [17982]
2016-10-26 09:23:04  IPsec  SUCCESSFUL   -  "GavantL2TP" DPD: Dead peer detection enabled  [17892]
2016-10-26 09:23:04  IPsec  ESTABLISHED  -  IPSec Connection GavantL2TP between 208.xxx.xxx.146 and 166.xxx.xx.45 established.  [17801]
2016-10-26 09:23:04  IPsec  SUCCESSFUL   -  GavantL2TP EST-P2: Responding to a Phase-2 establishment request with message id a895ecb1  [17867]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  "GavantL2TP" DPD: Dead peer detection enabled  [17892]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  "GavantL2TP" SA-MGT: Deleting connection instance with peer 166.xxx.xx.45, isakmp=0, ipsec=0  [17881]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  GavantL2TP EST-P1: Switched the connection from GavantL2TP to GavantL2TP. As GavantL2TP configuration matches the reqest better  [17852]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  GavantL2TP EST-P1-MM peer id is ID_IPV4_ADDR: '10.xx.xx.62'  [17848]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  EST-P1: Peer did not accept any proposal sent  [17853]
2016-10-26 09:23:03  IPsec  SUCCESSFUL   -  NAT-T: Remote Server is behind NAT device  [17876]

Any help or troubleshooting tips would be super appreciated. Thanks!



  • Hi Curt, 

    As the settings seem to be correct, could you check whether the user exists under Users on the XG appliance, and also check whether L2TP is enabled for that user. As you are using a RADIUS server as the authentication server, you may need to use PAP instead of MS-CHAP.

    Let me know if it works out for you 

    Thanks and regards

    Aditya Patel 

    The user does not exist as a local user; that is the point of using RADIUS connected with AD. However, if you log in to the appliance portal with a RADIUS user, it does cause a user to be automatically created in the local user list, and L2TP is initially disabled for that new user. Upon enabling it, we are still unable to establish a VPN with that user.

    I reduced the RADIUS server down to PAP and it still fails. Note that testing still shows that the iPhone is attempting to connect with CHAP by default.

    2016-10-26 10:52:08  L2TP  FAILED  -  LCP : Negotiation Closing for 70.209.143.57 : Authentication failed  [17991]
    2016-10-26 10:52:08  L2TP  FAILED  -  IPCP : Taking IPCP down for 70.209.143.57 : LCP down  [17991]
    2016-10-26 10:52:08  L2TP  FAILED  -  CHAP : Authentication Failed for User jkloptosky  [17986]
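The PAP-versus-CHAP point raised in this thread can be made concrete in code. The block below is an added example by the editor, not code from the post, from Sophos, or from any RADIUS server; the password, CHAP challenge and RADIUS shared secret in it are made up. It computes a CHAP-MD5 response the way a PPP client does (RFC 1994: Response = MD5(Identifier || Secret || Challenge)) and shows that the authenticating side can only check it by recomputing that MD5 over the cleartext password, so a RADIUS server whose backend holds only password hashes cannot verify CHAP at all (Microsoft NPS backed by AD is in that position unless the accounts store passwords with reversible encryption). It then shows the RFC 2865 section 5.2 User-Password hiding that PAP uses, which the RADIUS server reverses with the shared secret to recover the cleartext it can check against AD.

```python
"""CHAP-MD5 (RFC 1994) versus RADIUS PAP User-Password hiding (RFC 2865 s5.2).

Added example, not code from the forum post or from Sophos. All passwords,
challenges and shared secrets below are made-up test values.
"""
import hashlib
import hmac
import os


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response the PPP client sends: MD5(Identifier || Secret || Challenge).

    `secret` is the user's cleartext password; nothing in CHAP-MD5 lets the
    verifier work from a hash of it instead."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_cleartext: bytes, challenge: bytes, response: bytes) -> bool:
    """What the authenticating side (here the RADIUS server) must do: recompute
    the response from the cleartext it holds and compare in constant time."""
    expected = chap_md5_response(identifier, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def chap_password_attribute(identifier: int, response: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (type 3): CHAP Ident + 16-byte
    response. The challenge travels in CHAP-Challenge (type 60) or, if that is
    absent, in the 16-byte Request Authenticator."""
    if len(response) != 16:
        raise ValueError("CHAP-MD5 response must be 16 bytes")
    return bytes([identifier]) + response


def radius_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret || previous block), the first 'previous block' being the
    Request Authenticator. This is an MD5 keystream, not real encryption."""
    if not 0 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, padded_len, 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """The reverse, as the RADIUS server does it. Trailing NUL padding is
    stripped, so the scheme cannot carry a password that ends in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Walk both paths with made-up values and report what each side can do."""
    password = b"Winter2016!"                 # made-up user password
    shared_secret = b"made-up-radius-secret"  # made-up NAS/RADIUS shared secret
    challenge = os.urandom(16)               # CHAP challenge picked by the authenticator
    ident = 0x2A

    # CHAP: the client proves knowledge of the password. The server can only
    # check the proof if it also holds the cleartext.
    response = chap_md5_response(ident, password, challenge)
    chap_ok_with_cleartext = chap_verify(ident, password, challenge, response)
    # A hash-only backend has nothing usable to feed chap_verify(); the hash
    # stands in here for whatever such a store holds instead of the password.
    only_a_hash = hashlib.sha256(password).digest()
    chap_ok_with_hash = chap_verify(ident, only_a_hash, challenge, response)

    # PAP: the NAS ships the password itself, hidden under the shared secret,
    # and the server unhides it and validates it against AD by any means.
    req_auth = os.urandom(16)
    hidden = radius_hide_password(password, shared_secret, req_auth)
    recovered = radius_reveal_password(hidden, shared_secret, req_auth)

    return {
        "chap_ok_with_cleartext": chap_ok_with_cleartext,
        "chap_ok_with_hash": chap_ok_with_hash,
        "pap_server_recovers_password": recovered == password,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats follow from this. First, the User-Password hiding is an MD5 keystream keyed by the shared secret, so with PAP the firewall-to-RADIUS leg should be on a trusted network or inside a tunnel and the shared secret should be long and random. Second, in PPP the authenticator names the authentication protocol (PAP or CHAP) in its LCP Configure-Request (RFC 1661), so the CHAP in the log reflects what the L2TP server side asked the phone for; what the XG's L2TP service offers, and whether it can be changed, is not something this thread shows.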

  • Hi Curt,

    In addition to Sachin's response, the reason you would need to enable VPN on the user: if the user is authenticated via the captive portal or any other authentication method, the user should be registered with the XG. Then open that user's profile and enable L2TP VPN.

    Thanks and Regards

    Aditya Patel