Problem with incoming VPN connections

CDS
edited April 2021 in Security
Hi Folks,
I have the following issue, which leaves me kind of clueless now:

USG210 on the latest firmware.
Configured two VPNs:
VPN1: IPsec site-to-site connection with a static peer, using Gateway GATE_1 and Connection CON_1, both sites addressed via DNS
VPN2: L2TP over IPsec, for mobile devices, using L2TP_Gate and L2TP_Connection.

VPN1 is up and runs just fine - absolutely no problem.

When a client tries to connect via L2TP, this fails. The USG correctly uses L2TP_Gate for Phase 1, but CON_1 for Phase 2, which obviously is wrong and fails.

The config shows that the correct gateways and connections are linked to each other.

Any hints how to solve this?

Regards

Carsten

All Replies

  • Zyxel_Charlie (Zyxel Employee)
    @CDS
    Can you screenshot the log message when the issue occurs?
    Go to Monitor > Log > select IKE as the category (please screenshot the message).

    Also, I want to check your configuration as well, please share it.
    Charlie
  • CDS
    The Log:

    L2TP_Gate is the correct gateway, but the corresponding connection is L2TP_Connection.

    No.  Date/Time           Source                 Destination      Message
    1    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  The cookie pair is : 0x9b7d21976a5a4f83 / 0x0000000000000000
    2    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  Recv Main Mode request from [MobileClient_IP]
    3    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
    4    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  Recv:[SA][VID][VID][VID][VID][VID][VID]
    5    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA384 PRF, HMAC-SHA384-192, 1024 bit MODP, HMAC-SHA256 PRF, HMAC-SHA256-128, HMAC-SHA512 PRF, HMAC-SHA512-256, HMAC-SHA1 PRF, HMAC-SHA1-96, HMAC-MD5 PRF, HMAC-MD5-96, AES CBC key len = 1
    6    2019-01-10 19:27:38 Server_IP:500      MobileClient_IP:3169 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    7    2019-01-10 19:27:38 Server_IP:500      MobileClient_IP:3169 Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
    8    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
    9    2019-01-10 19:27:38 MobileClient_IP:3169     Server_IP:500  Recv:[KE][NONCE][PRV][PRV]
    10   2019-01-10 19:27:38 Server_IP:500      MobileClient_IP:3169 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    11   2019-01-10 19:27:38 Server_IP:500      MobileClient_IP:3169 Send:[KE][NONCE][PRV][PRV]
    12   2019-01-10 19:27:39 MobileClient_IP:4500     Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
    13   2019-01-10 19:27:39 MobileClient_IP:4500     Server_IP:4500 Recv:[ID][HASH]
    14   2019-01-10 19:27:39 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    15   2019-01-10 19:27:39 Server_IP:4500     MobileClient_IP:4500 Send:[ID][HASH]
    16   2019-01-10 19:27:39 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    17   2019-01-10 19:27:39 Server_IP:4500     MobileClient_IP:4500 Phase 1 IKE SA process done
    18   2019-01-10 19:27:39 MobileClient_IP:4500     Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
    19   2019-01-10 19:27:39 MobileClient_IP:4500     Server_IP:4500 Recv:[HASH][NOTIFY:INITIAL_CONTACT]
    20   2019-01-10 19:27:40 MobileClient_IP:4500     Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
    21   2019-01-10 19:27:40 MobileClient_IP:4500     Server_IP:4500 Recv:[HASH][SA][NONCE][ID][ID]
    22   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    23   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 [SA] : Tunnel [SCHAUDELNET_Fedderwardersiel] Phase 2 proposal mismatch
    24   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    25   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 [SA] : No proposal chosen
    26   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    27   2019-01-10 19:27:40 Server_IP:4500     MobileClient_IP:4500 Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
    33   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    34   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 Send:[HASH][DEL]
    35   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    36   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 Send:[HASH][DEL]
    37   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    38   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 Send:[HASH][DEL]
    39   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    40   2019-01-10 19:28:08 Server_IP:4500     MobileClient_IP:4500 ISAKMP SA [L2TP_Gate] is disconnected
    41   2019-01-10 19:28:08 Server_IP:500      MobileClient_IP:28941 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
    42   2019-01-10 19:28:08 Server_IP:500      MobileClient_IP:28941 [COOKIE] Invalid cookie, no sa found
    43   2019-01-10 19:28:10 MobileClient_IP:4642     Server_IP:1701  Match default rule, DROP
    44   2019-01-10 19:28:10 MobileClient_IP:4642     Server_IP:1701  Match default rule, DROP
    End of Logs


    Config:

  • Zyxel_Charlie (Zyxel Employee)
    @CDS
    According to the log message, the Phase 2 proposal mismatches.
    Modify the proposal as below and check it again.

    Charlie
  • CDS
    If this is the only reason, why does the log state in line 23 "Tunnel [SCHAUDELNET_Fedderwardersiel] Phase 2 proposal mismatch"? THIS is VPN1 from my original description, the connection which is NOT supposed to be used for L2TP connections.
    Both of these VPNs intentionally use different local policies.
  • CDS
    AH, THANKS!
    Changing the local policy did it.
    Strange how this error is shown in the log...
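Added example, not from the thread or from Zyxel: a small Python script that reads the log excerpt posted above and models why the Quick Mode exchange can land on the site-to-site connection although Phase 1 ran on L2TP_Gate. The log excerpt is constructed from the message column of the posted lines; the gateway-to-connection bindings follow the opening post; the local-policy subnets (203.0.113.0/24, 203.0.113.10/32, 192.168.10.0/24) are assumed, as is the selection rule that the responder takes the first connection whose local policy covers the received ID payload, which is consistent with the fix reported above.

```python
"""Added example: reading the IKE log above and modelling why Phase 2
can land on the wrong VPN connection.  Not Zyxel code; the policy
subnets below are assumptions, the log excerpt is constructed from the
lines in the thread."""
import re
from ipaddress import ip_network

# Constructed excerpt: message column of the log posted above, in order.
LOG = """\
Recv Main Mode request from [MobileClient_IP]
Phase 1 IKE SA process done
Recv:[HASH][NOTIFY:INITIAL_CONTACT]
Recv:[HASH][SA][NONCE][ID][ID]
[SA] : Tunnel [SCHAUDELNET_Fedderwardersiel] Phase 2 proposal mismatch
[SA] : No proposal chosen
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
ISAKMP SA [L2TP_Gate] is disconnected
"""

# Gateway each VPN connection is bound to, as described in the opening post
# (the site-to-site tunnel name is the one that appears in the log).
CONNECTIONS = {
    "SCHAUDELNET_Fedderwardersiel": "GATE_1",
    "L2TP_Connection": "L2TP_Gate",
}

TUNNEL_RE = re.compile(r"Tunnel \[([^\]]+)\] Phase 2")
GATEWAY_RE = re.compile(r"ISAKMP SA \[([^\]]+)\] is disconnected")


def diagnose(log, bindings):
    """Pull the Phase 1 gateway and the connection that handled Phase 2
    out of the log and report whether they belong together."""
    tunnel = gateway = None
    for line in log.splitlines():
        if m := TUNNEL_RE.search(line):
            tunnel = m.group(1)
        if m := GATEWAY_RE.search(line):
            gateway = m.group(1)
    bound = bindings.get(tunnel)
    return {
        "phase1_gateway": gateway,
        "phase2_connection": tunnel,
        "bound_gateway": bound,
        "mismatch": None not in (gateway, bound) and gateway != bound,
    }


# Assumed local policies (the thread does not show the real ones), chosen so
# that the site-to-site policy also covers the L2TP server address.
POLICIES = {
    "SCHAUDELNET_Fedderwardersiel": {"gateway": "GATE_1", "local": "203.0.113.0/24"},
    "L2TP_Connection": {"gateway": "L2TP_Gate", "local": "203.0.113.10/32"},
}

# Same table after the fix from the thread: a local policy that no longer
# overlaps the L2TP server address (value assumed).
FIXED_POLICIES = {
    "SCHAUDELNET_Fedderwardersiel": {"gateway": "GATE_1", "local": "192.168.10.0/24"},
    "L2TP_Connection": POLICIES["L2TP_Connection"],
}


def select_connection(policies, phase1_gateway, id_local, by_gateway=False):
    """Pick the connection for a Quick Mode exchange from its local ID payload.

    Assumption: the responder takes the first connection whose local policy
    covers the ID, which is consistent with the log above.  With
    by_gateway=True only connections bound to the Phase 1 gateway are
    candidates, so overlapping policies can no longer cross tunnels."""
    want = ip_network(id_local)
    for name, pol in policies.items():
        if by_gateway and pol["gateway"] != phase1_gateway:
            continue
        if want.subnet_of(ip_network(pol["local"])):
            return name
    return None


if __name__ == "__main__":
    print(diagnose(LOG, CONNECTIONS))
    # An L2TP client negotiates Phase 2 for the server address itself.
    for pols, by_gw in ((POLICIES, False), (POLICIES, True), (FIXED_POLICIES, False)):
        print(select_connection(pols, "L2TP_Gate", "203.0.113.10/32", by_gw))
```

Running it reports the mismatch visible in the log (Phase 1 on L2TP_Gate, Phase 2 on a tunnel bound to GATE_1) and shows the two ways out: narrowing the site-to-site local policy so it no longer covers the L2TP endpoint, which is what the thread did, or restricting candidate connections to the gateway the ISAKMP SA was built on.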
