L2TP over IPsec with Radius

I am trying to configure an L2TP over IPsec VPN using RADIUS servers, but I'm having some problems.

1. The server is authenticating properly; the figure with the authentication test follows.
2. I did the settings by following the information shown by the Snowplow, but without success.
3. The access log reports a CHAP connection error and error message 691.



2013:03:19-12:01:06 secg97 pluto[8037]: packet from 201.49.22.163:500: ignoring Vendor ID payload [IKE CGA version 1]

2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[99] 201.49.22.163 #99: responding to Main Mode from unknown peer 201.49.22.163
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[99] 201.49.22.163 #99: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[99] 201.49.22.163 #99: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[99] 201.49.22.163 #99: NAT-Traversal: Result using RFC 3947: peer is NATed
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[99] 201.49.22.163 #99: Peer ID is ID_IPV4_ADDR: '192.168.31.101'
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163 #99: deleting connection "S_for admin"[99] instance with peer 201.49.22.163 {isakmp=#0/ipsec=#0}
2013:03:19-12:01:06 secg97 pluto[8037]: | NAT-T: new mapping 201.49.22.163:500/4500)
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500 #99: sent MR3, ISAKMP SA established
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[50] 201.49.22.163:4500 #100: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[50] 201.49.22.163:4500 #100: responding to Quick Mode
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Plugin radius.so loaded.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: RADIUS plugin initialized.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Plugin radattr.so loaded.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: RADATTR plugin initialized.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Plugin ippool.so loaded.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Plugin pppol2tp.so loaded.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: pppd 2.4.5 started by (unknown), uid 0
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Using interface ppp0
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Connect: ppp0 
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Overriding mtu 1500 to 1380
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Overriding mru 1500 to mtu value 1380
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Overriding mtu 1400 to 1380
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[50] 201.49.22.163:4500 #100: IPsec SA established {ESP=>0x2d7aa888
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: RADIUS: wrong service type 6 for daniel.gurgel
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Peer daniel.gurgel failed CHAP authentication

2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Overriding mtu 1500 to 1380
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Overriding mru 1500 to mtu value 1380
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Connection terminated.
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Exit.
2013:03:19-12:01:07 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500 #99: received Delete SA(0x2d7aa888) payload: deleting IPSEC State #100
2013:03:19-12:01:07 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500 #99: deleting connection "S_for admin"[50] instance with peer 201.49.22.163 {isakmp=#0/ipsec=#0}
2013:03:19-12:01:07 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500 #99: received Delete SA payload: deleting ISAKMP State #99
2013:03:19-12:01:07 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500: deleting connection "S_for admin"[100] instance with peer 201.49.22.163 {isakmp=#0/ipsec=#0}


Anyone with a similar problem? UTM 9,005-16.
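The log above shows two separate layers: pluto brings up the ISAKMP and IPsec SAs successfully, and only afterwards pppd-l2tp rejects the user with "RADIUS: wrong service type 6" followed by "failed CHAP authentication". Service-Type 6 is Administrative-User in RFC 2865, while pppd's radius plugin only accepts Framed-User (2) on an Access-Accept (a missing Service-Type attribute is tolerated). The following triage script is an added example, not code from the thread or from Sophos; it parses the log lines copied from this post (embedded as sample input) and separates an IPsec failure from a RADIUS/PPP failure, so the admin knows which policy to look at. Names such as `triage`, `diagnose` and `Verdict` are my own.

```python
"""Triage an L2TP-over-IPsec login from Sophos UTM / Astaro pluto and pppd-l2tp log lines."""
import re
from dataclasses import dataclass, field

# RADIUS Service-Type attribute values (RFC 2865, section 5.6).
SERVICE_TYPE = {
    1: "Login-User", 2: "Framed-User", 3: "Callback-Login-User",
    4: "Callback-Framed-User", 5: "Outbound-User", 6: "Administrative-User",
    7: "NAS-Prompt-User", 8: "Authenticate-Only", 9: "Callback-NAS-Prompt",
    10: "Call-Check", 11: "Callback-Administrative",
}

# pppd's radius plugin rejects the peer when an Access-Accept carries a
# Service-Type other than Framed-User (2); an absent attribute is accepted.
ACCEPTED_SERVICE_TYPE = 2

# "<timestamp> <host> <process>[<pid>]: <message>" as written by the UTM syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SERVICE_RE = re.compile(r"RADIUS: wrong service type (?P<code>\d+) for (?P<user>\S+)")
CHAP_RE = re.compile(r"Peer (?P<user>\S+) failed CHAP authentication")


@dataclass
class Verdict:
    ipsec_sa_established: bool = False
    ppp_started: bool = False
    chap_failed_users: list = field(default_factory=list)
    # user -> (Service-Type code, RFC 2865 name)
    wrong_service_type: dict = field(default_factory=dict)


def triage(lines):
    """Walk the log once and record what each daemon reported."""
    v = Verdict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, truncated or non-syslog line
        proc, msg = m.group("proc"), m.group("msg")
        if proc == "pluto" and "IPsec SA established" in msg:
            v.ipsec_sa_established = True
        elif proc == "pppd-l2tp":
            if msg.startswith("pppd ") and " started by " in msg:
                v.ppp_started = True
            elif (s := SERVICE_RE.search(msg)):
                code = int(s.group("code"))
                v.wrong_service_type[s.group("user")] = (code, SERVICE_TYPE.get(code, "unknown"))
            elif (c := CHAP_RE.search(msg)):
                v.chap_failed_users.append(c.group("user"))
    return v


def diagnose(v):
    """Point the admin at the layer that actually failed."""
    if not v.ipsec_sa_established:
        return ("IPsec SA never established: fix the IKE/IPsec side (PSK, certificate, "
                "NAT-T) before looking at RADIUS.")
    if v.wrong_service_type:
        user, (code, name) = next(iter(v.wrong_service_type.items()))
        return (f"IPsec is fine; RADIUS accepted {user} but returned Service-Type {code} "
                f"({name}). pppd only accepts {ACCEPTED_SERVICE_TYPE} "
                f"({SERVICE_TYPE[ACCEPTED_SERVICE_TYPE]}): change the RADIUS policy so it "
                "sends Framed-User or omits Service-Type.")
    if v.chap_failed_users:
        return ("IPsec is fine; RADIUS rejected CHAP for " + ", ".join(v.chap_failed_users)
                + ": check the password, the authentication methods the policy allows, "
                "and the NAS-Identifier condition.")
    return "No failure recognised in the supplied lines."


# Sample input: lines copied from the log in this thread (the fused pluto/pppd line split).
SAMPLE_LOG = """
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[100] 201.49.22.163:4500 #99: sent MR3, ISAKMP SA established
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: pppd 2.4.5 started by (unknown), uid 0
2013:03:19-12:01:06 secg97 pluto[8037]: "S_for admin"[50] 201.49.22.163:4500 #100: IPsec SA established {ESP=>0x2d7aa888
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: RADIUS: wrong service type 6 for daniel.gurgel
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Peer daniel.gurgel failed CHAP authentication
2013:03:19-12:01:06 secg97 pppd-l2tp[25140]: Connection terminated.
"""

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG.splitlines())))
```

Run against the lines above it reports that IPsec succeeded and that the RADIUS server's Access-Accept carried Service-Type 6 (Administrative-User), which is why pppd logged a CHAP failure even though the RADIUS test in WebAdmin passed: the test only checks that the server accepts the credentials, not which attributes the policy returns.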


This thread was automatically locked due to age.
  • What does the Remote Access Policy show?  Maybe you misspelled "l2tp"?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I did the same configuration as below, but without success ...
    Would Sophos/Astaro have some tutorial on how to set this up?

    http://www.astaro.org/gateway-products/vpn-site-site-remote-access/30951-pptp-radius-windows-2008-server-failing.html

    SOLUTION:

    1. Open NPS MMC on 2008 R2 RADIUS server
    2. Browse to Connection Request Policies
    2.1. Server Manager/Roles/Network Policy and Access Services/NPS (Local)/Policies/Connection Request Policies:
    3. Edit Virtual Private Network (VPN) Connections (Or whatever you named it)
    3.1. I renamed mine to ASG L2TP VPN Connections
    4. Browse to Overview tab
    5. Change Type of network access server from Remote Access Server (VPN-Dial up) to Unspecified
    6. Browse to Conditions tab
    7. Remove Condition NAS Port Type = Virtual (VPN)
    8. Add Condition NAS Identifier = l2tp 
    9. Add Condition client IPv4 Address =  (For Added Security)
    10. Apply and close policy
    11. Browse to Network Policies
    11.1. Server Manager/Roles/Network Policy and Access Services/NPS (Local)/Policies/Network Policies:
    12. Edit Virtual Private Network (VPN) Connections (Or whatever you named it)
    12.1. I renamed mine to ASG L2TP VPN Connections
    13. Browse to Overview tab
    14. Change Type of network access server from Remote Access Server (VPN-Dial up) to Unspecified
    15. Browse to Conditions tab
    16. Remove Condition NAS Port Type = Virtual (VPN)
    17. Add Condition NAS Identifier = l2tp
    18. Add (if absent) Windows Groups = Active Directory group that allows users to VPN
    19. Apply and close policy
    20. Test


    unsuccessfully! [:(]