L2TP connection probably interferes with access to Active Directory server

Widi2021
Posts: 1
Joined: Thu Sep 23, 2021 7:51 am

L2TP connection probably interferes with access to Active Directory server

Post by Widi2021 » Tue Oct 26, 2021 9:34 am

Hello community,
we have a problem with workstations that are included in a corporate network (Active Directory).
There is a working SoftEther VPN server (v4.38 Build 9760) with a few Virtual Hubs and a few users. There are a few external devices that successfully connect to the VPN networks via OpenVPN.
Now we are going to connect our workstations (Windows 10) to these networks. The first attempts with connections via OpenVPN or L2TP seem to work.
However, we have now noticed that access to our login server (Active Directory) seems to be disrupted as long as the L2TP connection is active.

Our settings:
  1. VPN connection settings on Windows 10 workstation:
    • VPN type: L2TP/IPsec
    • with pre-shared key
    • Auth protocol: MS-CHAP v2
    • Default gateway disabled for IPv4 and IPv6
  2. Virtual Hub settings on VPN server
    • SecureNAT: 192.168.150.1/24
    • DHCP: 192.168.150.100-149
    • Static routes: 192.168.152.0/255.255.248.0/192.168.150.254
  3. Layer 3 Switch on VPN server
    • 192.168.150.254 connects to the virtual hubs to which the external devices are connected.
      These are distributed among the subnets 192.168.152.0/21.
Now I can establish the L2TP connection on our Windows workstations and access our external devices through it.


$ ipconfig /all
PPP-Adapter fwidmann@softether.myhost.tld:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : fwidmann@softether.myhost.tld
   Physische Adresse . . . . . . . . :
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.150.100(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . :
   NetBIOS über TCP/IP . . . . . . . : Deaktiviert

$ route print
   <excerpt of the whole list>
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
      <myHost IP>  255.255.255.255    192.168.72.11    192.168.74.94     26
    192.168.150.0    255.255.255.0          1.0.0.1  192.168.150.100     26
  192.168.150.100  255.255.255.255   Auf Verbindung   192.168.150.100    281
    192.168.152.0    255.255.248.0   Auf Verbindung   192.168.150.100     26
  192.168.159.255  255.255.255.255   Auf Verbindung   192.168.150.100    281
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.150.100    281
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.150.100    281
  
$ tracert 192.168.153.1
Routenverfolgung zu 192.168.153.1 über maximal 30 Hops
  1     8 ms     8 ms     8 ms  192.168.150.254
  2   103 ms    57 ms    56 ms  192.168.153.1
Ablaufverfolgung beendet.

$ ping 192.168.153.1
Ping wird ausgeführt für 192.168.153.1 mit 32 Bytes Daten:
Antwort von 192.168.153.1: Bytes=32 Zeit=54ms TTL=63
Antwort von 192.168.153.1: Bytes=32 Zeit=50ms TTL=63
Antwort von 192.168.153.1: Bytes=32 Zeit=68ms TTL=63
Antwort von 192.168.153.1: Bytes=32 Zeit=60ms TTL=63
So far, everything still looks good.

But now: When we try to start a program on our Windows workstation that needs login data from our login server, we get the following error message:
error01.png
This program starts without problems as soon as the L2TP connection is closed.

Can anyone explain this? What is the error?

If you need more information, please contact me.

Regards
Friedbert

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: L2TP connection probably interferes with access to Active Directory server

Post by nobody12 » Thu Nov 04, 2021 6:39 pm

I think you forgot to set up the parameters of the VPN so that the PCs which connect to the VPN see the network as the domain home network. Only then will Windows SSO work.
Try to give the clients the DNS servers which are used by your AD domain. And add the search path for the local domain to the DHCP parameters. It also will not hurt to add the subnet used by the clients to Active Directory Sites and Services.
In addition, better disable the SecureNAT function (but keep the Layer 3 virtual switch). With the SecureNAT function enabled, the devices in the network behind the VPN server are not reachable by your domain controller because they are behind a NAT firewall, and are therefore not manageable. Also, problems might arise because all clients behind the SecureNAT appear under the IP of the VPN server. And, because of the nature of NAT, after a TCP or UDP timeout a connection to your file server might be closed even if it should stay alive.

I was successful with this kind of setup using OpenVPN; you can simply add the needed parameters to the client's .ovpn file if it is not possible to send them via DHCP. I have not tried L2TP with Windows native. A problem here might be that Windows prefers the DNS servers supplied by the DHCP server of the internet connection, so those are used first.
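The first thing to settle in a case like this, before touching DNS or SecureNAT, is whether the workstation's traffic to the domain controller is being pulled into the tunnel at all. The following script is an added example (not code from the original post or from the SoftEther project); it parses the `route print` excerpt from the first post, performs the longest-prefix lookup Windows does, and reports which interface would carry traffic to a given address. The default route via 192.168.72.11 on interface 192.168.74.94 is constructed from the `<myHost IP>` line of the post (the real excerpt omitted it), and the domain controller address 192.168.72.10 is a constructed placeholder, since the thread never names the DC. The parser ignores the header line and the "Auf Verbindung" / "On-link" gateway text, so it works on English and German output alike.

```python
import ipaddress
import re

# Excerpt of "route print" from the post (German headers, "Auf Verbindung" = on-link),
# plus one CONSTRUCTED default route through the LAN gateway 192.168.72.11 on the LAN
# interface 192.168.74.94 (those two addresses appear on the post's <myHost IP> line).
ROUTE_PRINT = """\
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.72.11    192.168.74.94     25
    192.168.150.0    255.255.255.0          1.0.0.1  192.168.150.100     26
  192.168.150.100  255.255.255.255   Auf Verbindung   192.168.150.100    281
    192.168.152.0    255.255.248.0   Auf Verbindung   192.168.150.100     26
  192.168.159.255  255.255.255.255   Auf Verbindung   192.168.150.100    281
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.150.100    281
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.150.100    281
"""

VPN_INTERFACE = "192.168.150.100"  # PPP adapter address from "ipconfig /all" in the post
DC_ADDRESS = "192.168.72.10"       # CONSTRUCTED placeholder: the thread never names the DC

# destination, netmask, gateway (IPv4 or on-link text), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.+?)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Turn the IPv4 section of 'route print' into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a route row
        dest, mask, gateway, iface, metric = m.groups()
        try:
            gateway = str(ipaddress.IPv4Address(gateway))
        except ipaddress.AddressValueError:
            gateway = None  # "Auf Verbindung" / "On-link": directly attached
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def best_route(routes, destination):
    """Longest-prefix match, ties broken by the lowest metric (Windows behaviour)."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def goes_through_vpn(routes, destination, vpn_interface=VPN_INTERFACE):
    """True if traffic to 'destination' leaves via the VPN adapter."""
    route = best_route(routes, destination)
    return route is not None and route["interface"] == vpn_interface


def describe(routes, destination):
    route = best_route(routes, destination)
    if route is None:
        return f"{destination}: no route"
    via = route["gateway"] or "on-link"
    where = "VPN tunnel" if route["interface"] == VPN_INTERFACE else "LAN"
    return (f"{destination}: {route['network']} via {via} on {route['interface']} "
            f"(metric {route['metric']}) -> {where}")


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for target in (DC_ADDRESS, "192.168.153.1", "192.168.150.254"):
        print(describe(table, target))
```

With the post's table the external device 192.168.153.1 and the Layer 3 switch address 192.168.150.254 resolve to the VPN adapter, while the placeholder DC address falls through to the LAN default route. If a real domain controller comes out as "VPN tunnel" here, the static routes pushed by the hub overlap the corporate subnet and that is the fault; if it comes out as "LAN", routing is not the culprit and the DNS-ordering problem described in the reply above is the next thing to check.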
