
L2TP/IPsec with certificate on USG working fine but ...

Hello. I have configured L2TP/IPsec with certificate authentication on a USG.
When I connect from Android I have to attach the CA certificate and the client certificate, and also enter a user name and password. Once that is done the phone can connect to the VPN; without the certificate it cannot. That is correct and what I expected from the configuration.

But today I discovered that if I make an L2TP/IPsec VPN connection from Windows 7 or 10 using PAP, without any certificate and just entering the login and password, then I can connect as well. That is not what I want.

So my goal is to allow L2TP/IPsec connections only from devices that have a certificate (or certificate + login/password) and to reject any connection without a certificate. My configuration is below. Where is my mistake? (Note that rule 3 on WAN_LOCAL accepts UDP 1701 from anywhere, so I also want to confirm whether the Windows session is actually inside an IPsec SA rather than plain L2TP, and whether Windows is silently using a machine certificate from the same CA.)

}
	"firewall": {
		"group": {
			"network-group": {
				"remote_user_vpn_network": {
					"description": "remote_user_vpn_network",
					"network": [
						"192.168.1.0/24"
					]
				}
			}
		},
		"name": {
			"WAN_LOCAL": {
				"rule": {
					"3": {
						"action": "accept",
						"description": "Allow L2TP",
						"destination": {
							"port": "500,1701,4500"
						},
						"protocol": "udp"
					},
					"4": {
						"action": "accept",
						"description": "Allow ESP",
						"protocol": "esp"
					}
				}
			}
		}
	},
	"vpn": {
		"ipsec": {
			"auto-firewall-nat-exclude": "disable",
			"esp-group": {
				"android": {
					"compression": "disable",
					"lifetime": "3600",
					"mode": "tunnel",
					"pfs": "enable",
					"proposal": {
						"1": {
							"encryption": "aes256",
							"hash": "sha1"
						}
					}
				}
			},
			"ike-group": {
				"android": {
					"key-exchange": "ikev1",
					"lifetime": "28800",
					"proposal": {
						"1": {
							"dh-group": "2",
							"encryption": "aes256",
							"hash": "sha256"
						}
					}
				}
			},
			"ipsec-interfaces": {
				"interface": [
					"eth0"
				]
			},
			"nat-networks": {
				"allowed-network": {
					"0.0.0.0/0": "''"
				}
			},
			"nat-traversal": "enable"
		},
		"l2tp": {
			"remote-access": {
				"authentication": {
					"local-users": {
						"username": {
							"test1": {
								"password": "test1"
							},
							"test2": {
								"password": "test2"
							}
						}
					},
					"mode": "local"
				},
				"client-ip-pool": {
					"start": "192.168.0.200",
					"stop": "192.168.0.210"
				},
				"dhcp-interface": "eth0",
				"dns-servers": {
					"server-1": "192.168.0.1",
					"server-2": "8.8.8.8"
				},
				"ipsec-settings": {
					"authentication": {
						"mode": "x509",
						"x509": {
							"ca-cert-file": "/config/auth/cacer.pem",
							"server-cert-file": "/config/auth/svrcer.pem",
							"server-key-file": "/config/auth/svrkey.key",
							"server-key-password": "************"
						}
					},
					"ike-lifetime": "3600"
				},
				"mtu": "1412"
			}
		}



	}

}


 
 
