Phase 1 authentication method mismatch - No proposal chosen

Hi,

We have a Zywall VPN 300 between the internet router and the main switch. Please find diagram to understand the IP addresses and connections.

We are trying to connect a laptop with Windows 10 via VPN end-to-site to be able to communicate with a workstation in the internal network which has the address 10.0.0.2.

We have tried with the VPN setup wizards to create a "Zyxel VPN Client (SecuExtender IPSec)" and an "L2TP over IPSec Client (iOS, Windows, Android)"

With L2TP, the connection fails, and I am not able to capture any packet sent to the router public IP address. There is no log entry about that in the Zywall VPN 300.

With SecuExtender, I am able to capture the packets to the router, but the connection fails and there are log entries about it in the Zywall VPN 300. Two of them are
- Phase 1 authentication method mismatch
- No proposal chosen

Please find also screenshots of the current port configuration in the Zywall, zones, and Security policies.




Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    Answer ✓

    Hi @some_IT_person  

    Your device is behind NAT router. So you may make sure “My address” is configured as “0.0.0.0”.

    If configured as interface IP address, then will caused negotiation fail due to IP mismatch.

    Since your interface IP is 192.168.0.21(private IP) but doesn’t  match to public IP address.


All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    This won't solve the issue with your IPSec configuration but ge2 and ge6 should not share the same address space.
  • I have successfully established an L2TP/IPsec connection from a Gnu/Linux client.

    The windows 10 client still shows the same errors.
  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    edited July 2021
    Did you changed the proposed cyphers into the IPSec Gateway of L2TP?
  • No, I left the default values.

    I was able to establish a connection with a macbook and with another W10 laptop.
    So, the initial W10 laptop was defect.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    Answer ✓

    Hi @some_IT_person  

    Your device is behind NAT router. So you may make sure “My address” is configured as “0.0.0.0”.

    If configured as interface IP address, then will caused negotiation fail due to IP mismatch.

    Since your interface IP is 192.168.0.21(private IP) but doesn’t  match to public IP address.



  • Thanks, that was the problem. :)

    P.D.: Sorry for the duplicated comments. I was not able to see my new posted comment and I got no feedback of something going right or wrong. Not sure if the problem was on my side or the comments went through moderation from your side. If that is the case I can suggest you to inform the person about comment pending of moderation.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    edited July 2021
    Hi @some_IT_person
    It's good to know your configuration is correct. :+1:
    We have removed duplicate response in this thread, and thanks for your suggestion for better user experience. :)

Security Highlight