L2TP Phase 2 proposal mismatch


I have problems setting up an L2TP over IPSec VPN on my ZyWALL310 VPN.

I both used the Quick Setup to configure the VPN and configured it manually from scratch, always with the same result. It seems that Phase 1 of the negotiation works fine, but the log ends with:

[Default_L2TP_VPN_Connection] Phase 2 proposal mismatch

[SA] No proposal chosen.

I've attached some pics of my config. Any ideas?

Thanks for your help!

VPN Gateway:

VPN Connection:

L2TP Config:

Screenshot of log:

All Replies

  • Zyxel_Charlie (Moderator, Zyxel Official Agent)


    The log message "Phase 2 proposal mismatch" could be an algorithm mismatch on the VPN connection.

    Double-check that the Encryption and Authentication on the USG match the VPN client's.

  • PeterUK (Guru Member)
  • Hi Peter, hi Charlie!

    Thanks for your suggestions! In fact, it was a mixture of wrong proposals and user management. I had great help yesterday from Zyxel support, who found out that my proposals were slightly wrong.

    Today, the tunnel is working perfectly. I am now trying to find out how to assign different User Groups to different Security Policies.

    In the L2TP Config, I've set "Allowed Users" to L2TP-Group, which is my preconfigured group of allowed Users.

    In the 2 Security Policies ("IPSec Outgoing to Any" and "IPSec to Device"), I've done the same: I've limited it to the L2TP-Group Users. But that causes trouble. The VPN is only set up when I set the Users to "any".

    I now 'only' need to figure out how to configure that part.



  • Jeremylin (Ally Member)

    Just curious why you want to configure it

    ("IPSec Outgoing to Any" and "IPSec to Device")
