IPsec Problems

**WebFooL** · 02-12-2016, 04:07 AM

Hi,

We have a issue with IPsec.

It works well when we use "Local Catalog"
But when we switch over to Radius it stops working Xauth still works but we would like to push out a GPO and just run the native windows vpn client.

When we run the radius test in untangle it successfully authenticates users.

Here is a logg snippet from a connection attempt:

Code:

Feb 12 11:52:02 ut xl2tpd[1086]: control_finish: Connection closed to 94.234.170.45, port 1701 (), Local: 1108, Remote: 7Feb 12 11:52:02 ut xl2tpd[1086]: Terminating pppd: sending TERM signal to pid 7123
Feb 12 11:52:02 ut xl2tpd[1086]: control_finish: Connection closed to 94.234.170.45, serial 0 ()
Feb 12 11:52:02 ut xl2tpd[1086]: call_close: Call 7543 to 94.234.170.45 disconnected
Feb 12 11:52:02 ut xl2tpd[1086]: child_handler : pppd exited for call 1 with code 11
Feb 12 11:52:01 ut xl2tpd[1086]: Call established with 94.234.170.45, Local: 7543, Remote: 1, Serial: 0
Feb 12 11:52:01 ut xl2tpd[1086]: "/dev/pts/1" 
Feb 12 11:52:01 ut xl2tpd[1086]: "/etc/ppp/options.xl2tpd" 
Feb 12 11:52:01 ut xl2tpd[1086]: "file" 
Feb 12 11:52:01 ut xl2tpd[1086]: "untangle-l2tp" 
Feb 12 11:52:01 ut xl2tpd[1086]: "name" 
Feb 12 11:52:01 ut xl2tpd[1086]: "auth" 
Feb 12 11:52:01 ut xl2tpd[1086]: "172.20.200.1:172.20.200.2" 
Feb 12 11:52:01 ut xl2tpd[1086]: "nodetach" 
Feb 12 11:52:01 ut xl2tpd[1086]: "passive" 
Feb 12 11:52:01 ut xl2tpd[1086]: "/usr/sbin/pppd" 
Feb 12 11:52:01 ut xl2tpd[1086]: start_pppd: I'm running: 
Feb 12 11:52:01 ut xl2tpd[1086]: handle_packet: bad control packet!
Feb 12 11:52:01 ut xl2tpd[1086]: check_control: Received out of order control packet on tunnel 7 (got 3, expected 2)
Feb 12 11:52:01 ut xl2tpd[1086]: Connection established to 94.234.170.45, 1701.  Local: 1108, Remote: 7 (ref=0/0).  LNS session is 'default'

The Client reports Error: 691

We have followed this guide to add the tunnel:
https://support.untangle.com/hc/en-u...PN-to-L2TP-VPN

Any help or suggestion would be appreciated :-)

**jcoffin** · 02-12-2016, 08:53 AM

Thanks Björn, I will look into it today.

**WebFooL** · 02-12-2016, 10:42 AM

Let me know if you need more info.

And if you like my UID to the box.

**jcoffin** · 02-12-2016, 02:49 PM

It is working for me. What type of RADIUS server are you using? Also verify the password encryption matches the accepted types of your RADIUS server.

**WebFooL** · 02-12-2016, 11:44 PM

We are using Microsoft NPS.
I bet thet there is a radius issue but the test in untangle get success.

I can post the radius config on Monday.

**dmorris** · 02-13-2016, 12:21 AM

The test uses the java radius connector, but I think the "xauth" daemon does radius directly.
so unfortunately i don't think the test suceeded passing implies that the xauth daemon can do it.

It doesn't support plugins so we had to use the integrated radius implementation. It cant call ours.
So we just configure it with the same settings, but I would not at all be surprised if it has a different compatibility list.

**jcoffin** · 02-13-2016, 08:17 AM

Originally Posted by WebFooL

We are using Microsoft NPS.
I bet thet there is a radius issue but the test in untangle get success.

I was afraid of that. We did have a previous bug which was fixed on 6/22/15 in Directory Connector that required MS-CHAP v2 if RADIUS is being provided by an Active Directory server. With Xauth using it's own RADIUS connector, I bet that MS-CHAP v2 is either not configured or not an option with Xauth.

**WebFooL** · 02-14-2016, 12:02 PM

Radiustest.PNG
Test goes OK in Untangles WebUI
Policy Configuration:
Policy.PNG
NetworkPolicy.PNG
Windows 10 VPN error MSG
Error MSG.PNG

I bet that there is a Radius configuration.

**WebFooL** · 02-14-2016, 12:11 PM

Ahh Now I remember..

We hade an issue with that the new rule matched with our WiFi so we disabled "MS-CHAP-v2" and testet to run with just PAP.

So the more correct question here is has anyone gotten NPS configured so that "Contitions" works correctly.
We have tested to add contion access client ip/mask untangle so that only questions from Untangle matches the policy.
But still our wifi (Aruba) hits it.

O well I can just build another Radius server until we figure it out.

**mahotz** · 03-09-2016, 04:18 PM

I may have found a fix if you have some free time and want to make some manual tweaks and test.

On Untangle, after you have everything configured and running, manually modify the /etc/ipsec.conf in the VPN-XAUTH-n section(s):

CHANGE: rightauth2=xauth-radius
BECOMES: rightauth2=xauth-eap

Then use /etc/init.d/ipsec restart so the daemon picks up the change.

On your Windows AD/RADIUS server, modify the Authentication Methods section of the appropriate NPS Network Policy, and in the list of EAP Types add "Microsoft: Secured Password (EAP-MSCHAP v2)" and "Microsoft: Protected EAP (PEAP)". You should be able to disable all the other "Less secure authentication methods" boxes.

The crazy thing is... when I first started playing with this, it only worked if I added the second one (PEAP) but after more playing around it now only seems to work when I add the first one (EAP-MSCHAP v2).

Once the changes are made, try connecting an Xauth client and see if you have any luck. I tested here with a Windows 2008 server and an old iPhone 4 running iOS 7.1.2

Thread: IPsec Problems

LinkBack

Thread Tools

IPsec Problems

Posting Permissions