L2TP 2nd try

bavaria
bavaria Posts: 27  Freshman Member
edited April 2021 in Security
Hi all,

I have a USG110.
And I have problems connecting from my Android to the USG.
I followed this instruction https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015514.

I have a "short" connection in phase 1:
Enclosed is the log:

2020-11-25 14:31:30,194.230.147.29:28885  ,77.58.xxx.xxx:500     ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     Recv Main Mode request from [194.230.147.29]
2020-11-25 14:31:30,194.230.147.29:28885  ,77.58.xxx.xxx:500     ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     The cookie pair is : 0x7279c6b27a7d5860 / 0x8dd1b16585edd57d
2020-11-25 14:31:30,194.230.147.29:28885  ,77.58.xxx.xxx:500     ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     Recv:[SA][VID][VID][VID][VID][VID][VID]
2020-11-25 14:31:30,194.230.147.29:28885  ,77.58.xxx.xxx:500     ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA384 PRF, HMAC-SHA384-192, 1024 bit MODP, HMAC-SHA256 PRF, HMAC-SHA256-128, HMAC-SHA512 PRF, HMAC-SHA512-256, HMAC-SHA1 PRF, HMAC-SHA1-96, HMAC-MD5 PRF, HMAC-MD5-96, AES CBC key len = 1
2020-11-25 14:31:30,77.58.xxx.xxx:500      ,194.230.147.29:28885 ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     The cookie pair is : 0x8dd1b16585edd57d / 0x7279c6b27a7d5860
2020-11-25 14:31:30,77.58.xxx.xxx:500      ,194.230.147.29:28885 ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
2020-11-25 14:31:30,                      ,                     ,     debug              ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,       Remote IKE peer 194.230.147.29:28885 ID (null)
2020-11-25 14:32:30,77.58.xxx.xxx:500      ,194.230.147.29:28885 ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     The cookie pair is : 0x8dd1b16585edd57d / 0x7279c6b27a7d5860
2020-11-25 14:32:30,77.58.xxx.xxx:500      ,194.230.147.29:28885 ,     info               ,ike                   ,IKE_LOG              ,                        ,                      ,                     ,     ISAKMP SA [] is disconnected

Any ideas what is wrong?

Accepted Solution

  • bavaria
    bavaria Posts: 27  Freshman Member
    Answer ✓
    Here is the answer for those who have the same problem.
    The USG cannot distinguish between IPsec VPN and L2TP (over IPsec) VPN when listening on the same FQDN.

All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    There is NO_PROPOSAL_CHOSEN in the log message. It could be a Phase 1 algorithm mismatch.
    From my side it is working with this scenario.
    Did you use quick setup to create VPN profile?
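To triage logs like the one bavaria posted, here is a small parser (an added example written for this thread, not Zyxel's code) that groups the USG's IKE_LOG lines by cookie pair and lists the Phase 1 attempts the USG answered with NO_PROPOSAL_CHOSEN, together with what the peer offered. The log sample, addresses and cookie values below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the USG's CSV log layout quoted in the thread
# (time, source, destination, priority, category, event, 3 empty columns, message).
# Addresses are documentation ranges and the cookies are made-up values.
SAMPLE_LOG = """\
2020-11-25 14:31:30,198.51.100.7:28885 ,203.0.113.9:500 , info ,ike ,IKE_LOG , , , , Recv Main Mode request from [198.51.100.7]
2020-11-25 14:31:30,198.51.100.7:28885 ,203.0.113.9:500 , info ,ike ,IKE_LOG , , , , The cookie pair is : 0x1111aaaa2222bbbb / 0x3333cccc4444dddd
2020-11-25 14:31:30,198.51.100.7:28885 ,203.0.113.9:500 , info ,ike ,IKE_LOG , , , , Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA384 PRF, HMAC-SHA384-192, 1024 bit MODP
2020-11-25 14:31:30,203.0.113.9:500 ,198.51.100.7:28885 , info ,ike ,IKE_LOG , , , , The cookie pair is : 0x3333cccc4444dddd / 0x1111aaaa2222bbbb
2020-11-25 14:31:30,203.0.113.9:500 ,198.51.100.7:28885 , info ,ike ,IKE_LOG , , , , Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
2020-11-25 14:32:30,203.0.113.9:500 ,198.51.100.7:28885 , info ,ike ,IKE_LOG , , , , ISAKMP SA [] is disconnected
"""

COOKIE_RE = re.compile(r"cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")
PEER_RE = re.compile(r"Recv Main Mode request from \[([\d.]+)\]")
PROPOSAL_RE = re.compile(r"Recv IKE sa: SA\((.*)$")
NOTIFY_RE = re.compile(r"Send:\[NOTIFY:([A-Z_]+)\]")


def parse_ike_log(text):
    """Group IKE_LOG lines into Phase 1 attempts keyed by the order-independent cookie pair."""
    attempts = defaultdict(lambda: {"peer": None, "proposal": None, "notifies": []})
    pending_peer = None   # 'Recv Main Mode request' is logged before its cookie pair
    current = None
    for line in text.splitlines():
        parts = line.split(",", 9)            # the message column itself contains commas
        if len(parts) < 10 or parts[4].strip() != "ike":
            continue
        msg = parts[9].strip()
        if m := PEER_RE.search(msg):
            pending_peer = m.group(1)
        elif m := COOKIE_RE.search(msg):
            current = tuple(sorted(m.groups()))   # the USG swaps the pair when it is the sender
            if pending_peer:
                attempts[current]["peer"], pending_peer = pending_peer, None
        elif current and (m := PROPOSAL_RE.search(msg)):
            attempts[current]["proposal"] = m.group(1)
        elif current and (m := NOTIFY_RE.search(msg)):
            attempts[current]["notifies"].append(m.group(1))
    return dict(attempts)


def phase1_failures(text):
    """Return (peer, proposal) for each attempt the USG answered with NO_PROPOSAL_CHOSEN."""
    return [(a["peer"], a["proposal"]) for a in parse_ike_log(text).values()
            if "NO_PROPOSAL_CHOSEN" in a["notifies"]]


if __name__ == "__main__":
    for peer, proposal in phase1_failures(SAMPLE_LOG):
        print(f"Phase 1 rejected for {peer}; peer offered: {proposal}")
```

Comparing the listed proposal against the Phase 1 settings of every VPN gateway bound to the same WAN address or FQDN shows which gateway the USG actually matched the request against.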
  • bavaria
    bavaria Posts: 27  Freshman Member
    As I mentioned, it is my second try.
    So I removed all settings from the first try and then I started with the quick setup.

    I compared the settings with this ATP800 Lab
    https://support.zyxel.eu/hc/en-us/articles/360008700039-Virtual-Lab-End-to-Site-VPN-L2TP-
    and I can't see any differences. (one difference, I have a local user).

    I have no clue why Phase 1 can't find a proposal.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited November 2020
    @bavaria
    Can you private message me the remote access, since I would like to establish a VPN from my side to check further.