Access an AD server for AD authentication when the AD server is in a tunnel

JeroenSoree
JeroenSoree Posts: 9
edited April 2021 in Security

Hi,

We have a USG 110 working great with a tunnel from the office to our Datacenter. No problem there. Now we want AD authentication on SSL VPN via AD, but our USG is not able to see the domain controllers in our DC. Ping from the USG to the DC also does not work; traceroute goes onto the internet. Our DCs are in the datacenter and I would like to set up AD as an AAA server. From a client in the office the DCs are reachable.

Lost a bit. Any ideas?

Jeroen

All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    edited April 2020

    AD domain host cannot see the USG?

    Do you enable MSchap V2 on AD? Try to disable it.

  • Hi,

    Tried it with and without. Problem is the USG does not see the DC when the DC is on the other side of our tunnel to the Datacenter. The USG is in our office, the Datacenter is miles away via a tunnel.

  • zyman2008
    zyman2008 Posts: 199  Master Member

    Hi,

    I think that's the old problem of ZyWALL routing with policy-based IPSec VPN.

    Since policy-based IPSec has no interface bound to the tunnel,

    which interface IP address will be used to connect to the remote services?

    So the right solution is using route-based IPSec VPN with a VTI interface.


    Or a very tricky way if you keep using the policy-based IPSec VPN.

    For example,

    The remote server IP address is 10.10.10.1.

    The local policy of the IPSec VPN is the lan1 network.

    And you want ZyWALL to connect to 10.10.10.1 with the lan1 interface IP address.

    Add a static route:

    Destination: 10.10.10.1/32, next-hop: interface lan1


    Then ZyWALL will use the lan1 interface IP address as the source IP to connect to the remote services.
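The routing behaviour behind this workaround, as an added illustration that is not code from the thread or from Zyxel: a small Python model of how a firewall picks the source address for self-generated traffic (longest-prefix route lookup) and how a policy-based IPsec selector then decides whether that traffic is tunnelled. The interface addresses (203.0.113.2 on wan1, 192.168.1.1 on lan1), the local policy 192.168.1.0/24 and the remote policy 10.10.10.0/24 are constructed assumptions; only 10.10.10.1 comes from the reply above.

```python
import ipaddress

# Constructed topology of the office firewall (hypothetical addresses).
INTERFACES = {
    "wan1": ipaddress.ip_interface("203.0.113.2/30"),   # default route egress
    "lan1": ipaddress.ip_interface("192.168.1.1/24"),   # office LAN
}

# Policy-based IPsec selectors: local = lan1 network, remote = DC network (assumed).
VPN_LOCAL_POLICY = ipaddress.ip_network("192.168.1.0/24")
VPN_REMOTE_POLICY = ipaddress.ip_network("10.10.10.0/24")


def pick_egress(dst: str, routes):
    """Longest-prefix match over (prefix, interface) pairs; returns the egress interface."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def path_for(dst: str, routes):
    """Return (source_ip, 'tunnel' | 'internet') for traffic the firewall itself originates.

    The source address is the address of the egress interface chosen by the route lookup.
    Only a (source, destination) pair matching both IPsec selectors enters the tunnel;
    anything else follows the plain route, which is why the AAA lookup leaks to the internet.
    """
    iface = pick_egress(dst, routes)
    src = INTERFACES[iface].ip
    dst_ip = ipaddress.ip_address(dst)
    in_tunnel = src in VPN_LOCAL_POLICY and dst_ip in VPN_REMOTE_POLICY
    return str(src), ("tunnel" if in_tunnel else "internet")


# Routing table before the workaround: DC prefix is only covered by the default route.
DEFAULT_ROUTES = [("0.0.0.0/0", "wan1"), ("192.168.1.0/24", "lan1")]
# After adding the /32 static route via lan1, as suggested in the reply.
FIXED_ROUTES = DEFAULT_ROUTES + [("10.10.10.1/32", "lan1")]

if __name__ == "__main__":
    print("before:", path_for("10.10.10.1", DEFAULT_ROUTES))
    print("after: ", path_for("10.10.10.1", FIXED_ROUTES))
```

The model shows why the AD probe took the internet path with the default table and why pinning the DC address to lan1 makes the firewall source traffic from an address inside the local selector.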
