Can't authenticate IPsec VPN iOS client using AD group. AD users work fine.

As above. I'm using AD authentication with STAS. I have SSL-VPN and L2TP VPN working just fine to authenticate AD groups. But the Cisco IPsec VPN just won't work.

If I put individual AD users in the User and Groups list, it works just fine. But if I try with an AD group, or with a local group whose membership is synchronized with an AD group, I get the following in the IPsec VPN log:

2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: we have a cert and are sending it
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: Dead Peer Detection (RFC 3706) enabled
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sent MR3, ISAKMP SA established
2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sending XAUTH request
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: parsing XAUTH reply
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: extended authentication failed
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sending XAUTH status
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: parsing XAUTH ack
2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930: deleting connection "D_for VPN Users to LAN (Network)-1"[10] instance with peer 166.176.187.113 {isakmp=#0/ipsec=#0}
2016:04:20-15:19:36 home pluto[6724]: packet from 166.176.187.113:53930: Informational Exchange is for an unknown (expired?) SA

What's up with this?
Matthew
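An added example, not code from the post or from Sophos: a small Python parser for the pluto log format quoted above. It groups lines by peer and ISAKMP SA number and reports whether phase 1 completed and XAUTH then failed, the pattern in Matthew's excerpt where IKE succeeds and only the user-credential step rejects the client. The sample lines are adapted from the post's own excerpt, and the function and field names are the example's own.

```python
import re
from collections import Counter

# Pluto (the IPsec daemon on Sophos UTM) log layout as seen in the excerpt above:
# <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer>:<port> #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)

# Constructed sample, adapted from the log lines quoted in the post (not live data).
SAMPLE_LOG = [
    '2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sent MR3, ISAKMP SA established',
    '2016:04:20-15:19:22 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: sending XAUTH request',
    '2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: parsing XAUTH reply',
    '2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930 #67: extended authentication failed',
    '2016:04:20-15:19:36 home pluto[6724]: "D_for VPN Users to LAN (Network)-1"[10] 166.176.187.113:53930: deleting connection "D_for VPN Users to LAN (Network)-1"[10] instance with peer 166.176.187.113 {isakmp=#0/ipsec=#0}',
    '2016:04:20-15:19:36 home pluto[6724]: packet from 166.176.187.113:53930: Informational Exchange is for an unknown (expired?) SA',
]

def parse_pluto_line(line):
    """Parse one connection-scoped pluto line into a dict; None for lines without a connection context."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["inst"], rec["port"] = int(rec["inst"]), int(rec["port"])
    rec["sa"] = int(rec["sa"]) if rec["sa"] is not None else None  # absent on "deleting connection" lines
    return rec

def xauth_outcomes(lines):
    """Per (peer, ISAKMP SA number): did phase 1 complete, and did XAUTH then fail?

    isakmp_established=True together with xauth_failed=True means IKE (PSK/certificate)
    succeeded and the user-credential step is what rejected the client.
    """
    outcomes = {}
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None or rec["sa"] is None:
            continue
        key = (rec["peer"], rec["sa"])
        o = outcomes.setdefault(key, {"conn": rec["conn"], "isakmp_established": False, "xauth_failed": False})
        if rec["msg"].endswith("ISAKMP SA established"):
            o["isakmp_established"] = True
        elif rec["msg"] == "extended authentication failed":
            o["xauth_failed"] = True
    return outcomes

def failed_xauth_peers(lines):
    """Count XAUTH failures per peer address, e.g. to alert on repeated rejections from one client."""
    return dict(Counter(peer for (peer, _), o in xauth_outcomes(lines).items() if o["xauth_failed"]))
```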

