Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 2278 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Win7 & multiple L2TP/IPSec VPNs

utmfan
So I'm trying to configure multiple VPNs on a Windows 7 machine using L2TP, and it would appear that you cannot use more than one "Personal Certificate" to identify the user, as Windows doesn't have any way of selecting the correct user certificate. Having multiple trusted root authorities is not a problem, though. 

With that in mind, I was wondering if it would be possible to replicate the user certificate across multiple UTMs? I have tried downloading and uploading the certificates through "Certificate Management" in web admin, but so far without any success. Can anyone give me some pointers?


This thread was automatically locked due to age.
  • 0
    Hi, utmfan - I think this is possible. In another UTM, change your User object's X509 selection to a different one. Now, delete the certificate, import the PKCS#12 from your UTM and change the selection to it in the User object. Any luck with that?

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi Bob, been busy so I didn't get back to trying this until now.

    It doesn't seem to work. The Windows VPN fails with error 789 (which seems to be a certificate problem, based on previous experience).

    I will try creating some new users and see if that helps, but it didn't work on an existing one.
  • 0
    I wonder if you don't also need to use the same "Local X509 Cert" in the L2TP/IPsec definitions.  That would require importing the cert+CA from your first unit into the others with a different name and then selecting it in L2TP/IPsec.

    Did that do it?

    Cheers - Bob
    PS Hopefully, d12fk or one of the other VPN ninjas will come here and comment.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    I wonder if you don't also need to use the same "Local X509 Cert" in the L2TP/IPsec definitions.  That would require importing the cert+CA from your first unit into the others with a different name and then selecting it in L2TP/IPsec.

    Did that do it?

    Cheers - Bob
    PS Hopefully, d12fk or one of the other VPN ninjas will come here and comment.


    Got around to trying this: no go either.  I suspect because the Local X509 has a different FQDN that it isn't going to be happy importing a certificate from another UTM.  I just get the same 789 error from Windows.  

    This is really annoying.  Why wouldn't you want to use multiple certificates in your VPN profiles?  It seems like a silly oversight on Microsoft's part.  Or perhaps I'm missing a configuration step somewhere that lets you specify which certificate to use...
  • 0
    Please show the lines from the IPsec log for a connection attempt.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    I wonder if you don't also need to use the same "Local X509 Cert" in the L2TP/IPsec definitions.  That would require importing the cert+CA from your first unit into the others with a different name and then selecting it in L2TP/IPsec.

    Did that do it?

    Cheers - Bob
    PS Hopefully, d12fk or one of the other VPN ninjas will come here and comment.


    Hey Bob,

    You're a legend.  Yes, using the same "Local X509 Cert" on both UTMs and the same user certificate works.  It didn't work the first time I tried it due to firewall rules (silly oversight on my part).  

    Now all I need to do is decide which UTM is easier to re-issue certificates to all the users.  [8-)]
  • 0
    That's good to hear.  Hopefully one of the SUM gurus will let us know if it's possible to accomplish this with SUM or what feature should be suggested for it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML