topic Re: VPN Identity Awareness in SASE and Remote Access

VPN Identity Awareness

Christopher_To — Thu, 04 Apr 2019 17:58:33 GMT

Hi all,

I'm trying to setup VPN for a remote site utilizing Identity Awareness. The remote site doesn't have any local domain controllers, but it is connected via site2site tunnel with another site that has the domain controllers.

When trying to connect via the End Point client the status hangs at 47% and then fails.

Here is the gateway's AD Query Status

Can anyone assist?

Thanks!

Re: VPN Identity Awareness

PhoneBoy — Thu, 04 Apr 2019 23:07:12 GMT

Hi, a few questions here:

What version of gateway(s) involved here?
What version/flavor of VPN client?
Does the client encryption domain include the AD servers on the remote site?
Can the same client connect to other gateways ok?

Re: VPN Identity Awareness

Christopher_To — Fri, 05 Apr 2019 14:45:09 GMT

What version of gateway(s) involved here? Both gateways are on R77.30
What version/flavor of VPN client?

Does the client encryption domain include the AD servers on the remote site? So the AD servers sit on a 10.1.1.x/24 network. That network is defined in the encryption domain of the other gateway but not the encryption domain of the gateway I'm trying to connect to. Do I need to add that network to the encryption domain of the gateway I am connecting to?
Can the same client connect to other gateways ok? Yes, I can connect to other gateways with the same client.

Re: VPN Identity Awareness

PhoneBoy — Mon, 08 Apr 2019 20:11:08 GMT

The gateway you're connecting to shouldn't have the remote AD server's network as part of it's encryption domain.
That said, I think both gateways need to be part of the same RemoteAccess community.
Is that the case here or not?

Re: VPN Identity Awareness

Christopher_To — Wed, 10 Apr 2019 01:31:43 GMT

The gateway that I am connecting to does not have the AD server network in its encryption domain, and both gateways are part of the same RemoteAccess Community.