DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2830 L2TP with RADIUS - can you force IPSec?

  • dansorion
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
05 Mar 2018 10:58 #90940 by dansorion
I've got a Vigor 2830 configured with L2TP and IPsec services enabled, and a pre-shared key configured for IPsec, and using RADIUS for user authentication. Have successfully got Windows 7 and Windows 10 clients using built-in VPN working with L2TP + IPsec, however there doesn't seem to be a way in the Vigor to require IPsec with L2TP when using RADIUS - if a pre-shared isn't entered then the Windows client will still connect, and in the router logs it shows the connection up entry as [H2L][UP][L2TP] rather than [H2L][UP][L2TP/IPsec]. There are settings for L2TP with IPsec Policy Must for user accounts configured in the Vigor itself, but we'd prefer to use RADIUS for user account management in our active directory system and to keep passwords sync'd, plus we manage which users are allowed to use the VPN by having allow user groups defined in the Windows Network Policy Services that are used for the RADIUS checks.

If it's not possible to enforce this in the 2830, is there another similar router model that does have this capability?

Dan

Please Log in or Create an account to join the conversation.

More
06 Mar 2018 16:46 #90965 by hornbyp
In "VPN and Remote Access >> IPsec General Setup" do you have "[ ] Medium (AH)" enabled? When I was setting up my Lan-to-lan VPN, I kept getting an unencrypted connection until I cleared that.

Please Log in or Create an account to join the conversation.

  • dansorion
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
08 Mar 2018 07:46 #90997 by dansorion
Nope, that setting does not prevent the Windows 10 client from connecting to via L2TP without IPsec. I've also tried turning off the L2TP service and having just IPsec enabled, but that's no go too as it just prevents the clients connecting at all.

What is odd is that the Windows 1703 automatic VPN settings don't work with our configuration, and require setting L2TP with IPsec PSK before it will connect. It's the current Windows 1709 that is working in automatic mode without having to define the PSK, it just requires the VPN IP address and a RADIUS user account and connects without any issues. The intention with the PSK requirement was to prevent employees from using their own PCs to connect to the VPN, as our IT department sets up the VPN on the company supplied laptops with the PSK. We only found out about this PSK bypass due to one of our new laptops leaving the building without the VPN being configured and the employee added the VPN themselves, just entering the host name and their name and password and it was in without any additional settings.

I've found in the 2960 firmware update notes that this router has a "Force IPsec with L2TP" option in [VPN and Remote Access] > [PPP General Setup] so there's at least one Vigor that has this capability, so we're currently looking at whether upgrading our 2830's is feasible - we'd need to make sure that all of our current configuration settings would work the same in the 2960, so it looks like I'm going to be digging through the manual and seeing how it compares. Would be handy to know if any other models have this same option, so I might have to download all of the manuals for the current range and compare them bit by bit.

Please Log in or Create an account to join the conversation.

More
17 Sep 2018 13:28 #92926 by ben.hall
I recognise this is an old thread, but can you give any pointers on how you configured the Remote Dial-in User to allow RADIUS authentication for the L2TP/IPSec VPN.

Documentation is not great and I'm banging my head on the desk....

Please Log in or Create an account to join the conversation.

  • dansorion
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
17 Sep 2018 13:49 #92927 by dansorion

ben.hall wrote: I recognise this is an old thread, but can you give any pointers on how you configured the Remote Dial-in User to allow RADIUS authentication for the L2TP/IPSec VPN.

Documentation is not great and I'm banging my head on the desk....



It took us a while too :)


Go to Applications on the left, then the RADIUS menu. Tick the Enable box, add in the Server IP Address, port, and Shared Secret for your RADIUS server. The Vigor will then send user credentials on login to this server if the username doesn't exist in the Remote Dial-in User list. That's the key thing - don't set up the same usernames as you have in RADIUS in the Vigor user list itself, otherwise it won't use RADIUS. This is also why we can't use the "L2TP with IPSec Policy: Must" setting in the Remote Dial-in User settings - that only applies to internal users in the Vigor system, not to RADIUS users.

We used to use PPP so also have the RADIUS setting ticked in the PPP Authentication Methods under the PPP General Setup screen. Shouldn't apply to L2TP, but just in case try enabling that too. We also have the LAN IP assignments set here, so it appears that some of these settings might apply to the L2TP service even though there is no mention of L2TP on that settings page.

We're using Windows 2008 R2 Network Policy Server with our Vigors, and so you have to ensure that you set up the RADIUS server correctly to allow the Vigor to connect to it, but from the Vigor side you should only have to configure the RADIUS server settings.

Dan

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami