ZyWall 110 Tunnel [L2TP_VPN] Phase 2 Local policy mismatch

Vyacheslav Member Posts: 17  Freshman Member

info  IKE  ISAKMP SA [L2TP_VPN_GW] is disconnected
info  IKE  Received delete notification
info  IKE  Recv:[HASH][DEL]
info  IKE  Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
info  IKE  [SA] : No proposal chosen
info  IKE  [ID] : Tunnel [L2TP_VPN] Phase 2 Local policy mismatch
info  IKE  Recv:[HASH][SA][NONCE][ID][ID]
info  IKE  Phase 1 IKE SA process done


Phase 1 and Phase 2 Proposal settings are the same.

Answers

  • Zyxel_Stanley Zyxel Official Agent Posts: 586  mod
    Hi @Vyacheslav
    VPN phase 2 is configured in the VPN Connection.
    Please check that your configuration is correct.

  • Vyacheslav Member Posts: 17  Freshman Member
    edited May 16, 2019 2:34PM
    Thanks for the answer, but my settings are the same as yours except for 3DES, which is missing for me on the ZyWall 110 (firmware 4.33).
  • Vyacheslav Member Posts: 17  Freshman Member
    edited May 16, 2019 4:18PM
    Maybe downgrade the firmware to 4.25?
  • Vyacheslav Member Posts: 17  Freshman Member
    From the 4.33 release:

    IPSec VPN
    1. [SPR: 070814168]
    [Symptom]
    VPN tunnel could not be established when:
    a. a non ZyWALL/USG peer gateway reboot and
    b. ZyWALL/USG has a previous established Phase 1 with peer gateway, and the Phase 1 has not expired yet. Under those conditions, ZyWALL/USG will continue to use the previous phase 1 SA to negotiate the Phase 2 SA. It would result in phase 2 negotiation to fail.
    [Workaround]
    User could disable and re-enable phase 1 rule in ZyWALL/USG or turn on DPD function to resolve problem.

    It's my situation, but that doesn't help me.
  • Vyacheslav Member Posts: 17  Freshman Member
  • Zyxel_Stanley Zyxel Official Agent Posts: 586  mod

    Hi @Vyacheslav

    Can you check the L2TP connection settings on your PC?



  • Vyacheslav Member Posts: 17  Freshman Member
    Thank you all! The problem was that I used a home computer with Windows 10 as the test computer, and the VPN started working after "regedit" ==> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" ==> parameter "AssumeUDPEncapsulationContextOnSendRule", where "Value Data" was changed from "2" to "1". I express special thanks to the user "[Zyxel] jonatan" for actively participating in solving my problem.
  • Zyxel_Stanley Zyxel Official Agent Posts: 586  mod

    Hi @Vyacheslav

    The registry key 2 you mentioned is for establishing the VPN when both the USG and the client are behind a NAT router. In your scenario, the USG should not be behind NAT, so the value 1 is enough.

    It’s good to hear you resolved the issue. :+1:
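
The registry setting discussed in the two posts above can be audited, and optionally changed, from an elevated PowerShell prompt. This script is an added example, not part of the original thread or Zyxel's own tooling; the `-Desired` parameter is a name chosen here, and the value meanings in the table follow Microsoft's documentation for this setting.

```powershell
# Added example: audit (and optionally set) the Windows IPsec NAT-T value
# AssumeUDPEncapsulationContextOnSendRule named in this thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter: value to enforce. Omit it to audit only.
    [ValidateRange(0, 2)]
    [int]$Desired
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meanings per Microsoft's documentation (assumption: not stated in full on this page).
$meaning = @{
    0 = 'no security associations with servers behind NAT (Windows default)'
    1 = 'security associations allowed when the VPN server is behind NAT'
    2 = 'security associations allowed when both server and client are behind NAT'
}

# A missing value behaves like 0, so report that case explicitly.
$item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
$present = $null -ne $item
$current = if ($present) { [int]$item.$name } else { 0 }
$state   = if ($present) { 'set' } else { 'not set' }
Write-Output "$name is $state; effective value $current = $($meaning[$current])"

# Change the value only when one was requested and it differs from the current one.
if ($PSBoundParameters.ContainsKey('Desired') -and (-not $present -or $Desired -ne $current)) {
    if ($PSCmdlet.ShouldProcess("$path\$name", "set DWORD to $Desired")) {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value $Desired -Force | Out-Null
        Write-Output "Written $Desired = $($meaning[$Desired])"
        Write-Output 'Restart Windows for the new value to take effect.'
    }
}
```

Run it with no arguments to report the current value, or with `-Desired 1 -WhatIf` to preview the change before writing it.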

  • Zyxel_Stanley Zyxel Official Agent Posts: 586  mod

    Hi @adi_dragnic

    Please make sure the USG configuration is correct.

    (1)   Configuration > Cloud CNM > SecuReporter


    (2)   Enable “Collect Statistics” in all of the UTM functions.

    Monitor > UTM Statistics > APP Patrol/ Content Filter/ IDP/ Anti-Virus/ Anti-Spam/ SSL-Inspection > Enable “Collect Statistics”

            