USG 60W VPN L2TP. Client(windows 10) error 651.
Ered
Member Posts: 14
Hello!
Sorry for my google translator.
There is a device zyxel usg 60w V4.35(AAKZ.3). I configure vpn server according to the instructions: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
But when you try to connect the user, error 651 occurs. There is no connection with IOS either.
Имя журнала: Application
Источник: RasClient
Дата: 02.04.2020 14:53:27
Код события: 20227
Категория задачи:Отсутствует
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер:
Описание:
CoID={B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}: Пользователь установил удаленное подключение VPN-подключение, которое завершилось сбоем. Возвращен код ошибки 651.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="RasClient" />
<EventID Qualifiers="0">20227</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-04-02T11:53:27.209308100Z" />
<EventRecordID>2770</EventRecordID>
<Channel>Application</Channel>
<Computer></Computer>
<Security />
</System>
<EventData>
<Data>{B6CF3F7D-7A35-4635-80DF-7BCD55E136C5}</Data>
<Data></Data>
<Data>VPN-подключение</Data>
<Data>651</Data>
</EventData>
</Event>
What to do? How to configure the server?
Thanks.
Accepted Solution
-
Ered
Posts: 14
warwickt, i solved this problem!
The registry key is to blame:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters "ProhibitIpSec"=dword:00000001
Deleted it and was able to establish a connection!
Unfortunately that's not all. Now I need to organize authentication for domain users and provide access to local resources. But that is another story.
Thanks for participating!
All Replies
Hi Ered no worries. This looks like a "vpn proposal" issue with your:
Looks ok so far .
Your Windows 10 Built In Default client:
I'm not a Windows/OS user however following recent a flood of client headaches with this OS platform I have gained some small knowledge that might help.
The Racslient 651 error might indicate some error in your windows 10 client set up / configuration.
would you check your USG60 logs to see if the Windows client actual connects to your USG router?
Would you be able to post your Windows 10 Vpn connection details by issuing the command in the Windows 10 powershell.exe.?
Here's an example for a win10 VPN Connection called "Ered_Test"
Get-VpnConnection -name "Ered_Test" | Format-List -Property *
PS C:\Users\lab04> Get-VpnConnection -name "Ered_Test" | Format-List -Property * EapConfigXmlStream : VpnConfigurationXml : #document IPSecCustomPolicy : MachineCertificateIssuerFilter : MachineCertificateEKUFilter : ConnectionStatus : Disconnected DnsSuffix : Guid : {4515CC62-CACB-4314-A0D6-D0F9B68B0CCF} IdleDisconnectSeconds : 0 IsAutoTriggerEnabled : False Name : Ered_Test ProfileType : Inbox ProvisioningAuthority : Proxy : RememberCredential : False Routes : {} ServerAddress : ereds.vpnserver.ru ServerList : {} SplitTunneling : False VpnTrigger : VpnConnectionTrigger AllUserConnection : False AuthenticationMethod : {MsChapv2} EncryptionLevel : Required L2tpIPsecAuth : Psk NapState : NotConnected TunnelType : L2tp UseWinlogonCredential : False PSComputerName : CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...} CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemPropertiesFWIW - working L2TP over IPSEC (Ikev1)
This USG configuration works for L2TP/ over IPSEC for Windows10 Built In, MAcOS VPN , iOS and Android USG VPN that works.
assumptions:
Zyxel USG Settings
VPN GATEWAY CONFIGURATION:
allows proposal 1 : 3des-sha, DH group = 2
Connection Configuration:
Allows Phase 2 proposals: aes128-sha1 , 3des-sha1, pfs=none
L2TP:
Post your Windows 10 VPN config from Powershelgl. change the names for your account/server etc.
HTH
warwick
Hong kong
Hi warwickt!
Embedded client. I tried to connect from different devices located in different networks and knowledge with direct access to the Internet. The same mistake.
The client connects, since there were blocking entries in the firewall before the ports were resolved
Get-VpnConnection -name "Ered_Test" | Format-List -Property * EapConfigXmlStream : VpnConfigurationXml : #document IPSecCustomPolicy : MachineCertificateIssuerFilter : MachineCertificateEKUFilter : ConnectionStatus : Disconnected DnsSuffix : Guid : {8779F410-44DB-448D-9232-46A66F363D94} IdleDisconnectSeconds : 0 IsAutoTriggerEnabled : False Name : Ered_Test ProfileType : Inbox ProvisioningAuthority : Proxy : RememberCredential : False Routes : {} ServerAddress : 'Static ip' ServerList : {} SplitTunneling : False VpnTrigger : VpnConnectionTrigger AllUserConnection : False AuthenticationMethod : {Pap} EncryptionLevel : Optional L2tpIPsecAuth : Psk NapState : NotConnected TunnelType : L2tp UseWinlogonCredential : False PSComputerName : CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...} CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemPropertiesSorry, is there any command in the web console to display the settings for vpn, gateway, l2tp?
Hi Ered interesting .... the Zyxel USG Command your can use for the above ssh or "web console" from the cli using your initial example are:
display the IPSEC Gateway details for your "L2TP_GAteway_rincom":
display the IPSEC Connection detail for "test2":
display the L2TP config detail:
SO was the issue wi your Windows 10 client? (Firewall?) 651 error?
Please post so that there may know.
Regards
Warwick
Hong Kong
Hi warwickt! Thanks.
Zyxel USG Settings
L2TP_Gateway_rincom
Connection Configuration:
L2TP config
The problem is probably not in Windows 10. The firewall was completely disabled, as well as the antivirus, the situation has not changed. Also, different client equipment and different settings, the situation is the same ...
I wrote in support of Zyxel. And sent them a configuration file. Waiting for an answer.
Hi Ered . hmm.... any chance you could catch the USG60 logs for this event and post them here (attachment?)
You want the IKE and IPSEC logs from the router .
You can screen grab them from the WEB UI however these are generally a pain to look at .
or BETTER, You can get the DEBUG and ALL event logs of are IKE (and IPSEC) EVENT using these commands if you like.
1) set detail logging for these events
2) attempt your L2Tp Windows 10 client ...when it fails
3) gather the USG60 router IKE and DEBUG logs with this USG ZYOS command
4) copy, redact/massage what you need and post them back here.
I'm interested in the resolution!
HTH
Warwick
Hong Kong
Hi warwickt! I already solved the connection problem. Windows 10 was to blame. The problem was in the registry. Here is my post about it.
Now another problem. Only a local user can connect. When connecting AD users, an “invalid log / password” error occurs. I familiarized myself with this topic and implemented the recommendations, the result is the same. https://businessforum.zyxel.com/discussion/4105/ad-auth-with-built-in-windows-l2tp-client#latest
Maybe you can advise me something?
Here is the output of the command show logging entries category ike
Hi Ered excellent that you resolved it. Nice logs too mate! Your tunnel gets built. nice one!
Your authentication issue .. but first
Firstly you say "registry setting" in Windows inbuilt VPN Rasman client?? I see the what you had specified... strange as we have never had to set this. "ProhibitIpSec"
Here is what we always have set as a default for Rasman. we use powershell to customise the VPN connections so we don't need registry settings.
FWIW here is our one:
PS C:\Users\bsdmaint> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\Windows\System32\rasmans.dll ServiceDllUnloadOnStop : 1 MiniportsInstalled : 65535 NegotiateDH2048_AES256 : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\RegistryWould you specify for myself and others? For example
or
2nd: The issue you have is an authentication . It's straight worfrwrd to see what this is . Just collect the logs for L2TP .
show logging entries category l2tp-over-ipsec
The failure could be anu=y or more of this type of scenario:
For example I noticed previously your GATEWAY Phase 1 proposal contains:
however your Windows VPN connection " " specifies PAP.
Get-VpnConnection -name "Ered_Test" | Format-List -Property * AuthenticationMethod : {Pap}and your L2TP is : default ..
Suggest you run the connection again and post the L2TP logs .. also the debug ones.
It should be easy to resolve?
Warwick
Hong Kong
Hi warwickt!
Here is our one:
PS C:\Users\Ered> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\WINDOWS\System32\rasmans.dll ServiceDllUnloadOnStop : 1 MiniportsInstalled : 65535 ProhibitIpSec : 0 AllocatedLuids : {} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n\Parameters\ PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\RegistryThe problem was that "ProhibitIpSec" prohibited ipsec.
2nd:
Sorry, I did not provide updated data.
L2TP
aaa authentication default
VPN connection
PS C:\Users\Ered> Get-VpnConnection -name "DA_Test" | Format-List -Property * EapConfigXmlStream : VpnConfigurationXml : #document IPSecCustomPolicy : MachineCertificateIssuerFilter : MachineCertificateEKUFilter : ConnectionStatus : Disconnected DnsSuffix : Guid : {00226DC3-9B6F-46DB-9D56-8F8473189DE7} IdleDisconnectSeconds : 0 IsAutoTriggerEnabled : False Name : DA_Test ProfileType : Inbox ProvisioningAuthority : Proxy : RememberCredential : True Routes : {} ServerAddress : Ip_Zyxel_Wan ServerList : {} SplitTunneling : False VpnTrigger : VpnConnectionTrigger AllUserConnection : False AuthenticationMethod : {MsChapv2} EncryptionLevel : Optional L2tpIPsecAuth : Psk NapState : NotConnected TunnelType : L2tp UseWinlogonCredential : False PSComputerName : CimClass : root/Microsoft/Windows/RemoteAccess/Client:VpnConnection CimInstanceProperties : {ConnectionStatus, DnsSuffix, Guid, IdleDisconnectSeconds...} CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemPropertiesL2TP logs
Oh yes, aaa server user verification succeeds.
Seems to have missed nothing )
Hi Ered I think you're really close to solving this.
Authentication Error ( = L2TP)
As you point out AAA in the server validates user admin ... for example works great .. as below against an LDAP server...
However your L2TP Authentication Method needs to include an authentication method that has Active Directory. (AD) in it too!
For example issue this command in the cli or Console UI
Steps to do this.
In this example that uses LDAP .. see how it looks.
Try the access again as an AD account.
Post your results for us to see.
HTH
Warwick
Hong Kong