SSL VPN / L2TP / AD Authentication: connection fail when VTI active

Alexander_Morozov
edited April 2021 in Security

Briefly:

When we add VTI into our configuration of Zywall 310, SSL VPN (SecuExtender) and L2TP clients cannot connect using AD authentication, while local authentication (on Zywall itself) works fine.

We supposed, that our new VTI does not let Zywall to get to DC.

We used "Configuration validation" in Object/AAA Server/Active Directory section to check this idea.

Everithing is "ok" there.

Also we captured LDAP interchange between Zywall and DC and found, that bind is sucsessfull, Zywall authenticates user in AD with a password as well (for SSL VPN)

And bind is successfull / authentication fail (for L2TP/PAP)

Simple things, like: disable firewall, update firmware, etc., etc. is already done.

So, we caught a complicated bug.

When we disable VTI, SSL VPN client and L2TP client connects well.

We need a remote assistance of an expert, ready to share the configuration and debug logs.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @Alexander_Morozov,

    Here is the test result in our lab.

    Model: ZyWALL 310, USG110

    FW: 4.35

    VTI interfaces and VTI trunk are created on both devices.

    VPN tunnels are established.

    L2TP VPN and SSL VPN can be connected to ZyWALL 310 using the AD user account.


    Since the issue is not able to be reproduced in our lab, could you share startup-config.conf with us to check the symptom?

    I will contact you in private message for more information.

  • Hello, Emily!

    I sent you conf. in a private message.

Security Highlight