USG60 - IPSEC VPN failing at Phase 1, even though proposal seems to match?

Jon_C

Good morning All.

I had an IPsec/L2TP VPN set up on my USG60; this was working correctly with Windows 10 clients. When it was not required last year it was disabled in the GUI. Now it does not want to work when re-enabled, and I can't see exactly why.

I have attempted to remove and recreate the various parts, but this did not improve anything.

I see the following in the logs:

[SA] : No proposal chosen

[SA] : Tunnel [###_IPSEC_VPN_CONN] Phase 1 proposal mismatch

Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; )."

And from Wireshark, 5 proposal transforms are seen from the client:

AES 256
SHA
384 bit ECP (DH Group 20)

AES 128
SHA
256 bit ECP - (DH Group 19)

AES 256
SHA
2048 bit MODP (DH Group 14)

3DES
SHA
2048 bit MODP (DH Group 14)

3DES
SHA
Alternate 1024-bit MODP (DH Group 2)

I have the USG60 set up with:

3DES SHA1
AES256 SHA1

Key Group: DH14

So, two proposals look like they should match but don't. What would be my best steps to troubleshoot further?
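As an added worked example (not from the original post or from Zyxel), the small checker below encodes the five client transforms listed above and the posted USG60 Phase 1 settings, then applies the IKEv1 responder rule that a transform is accepted only when encryption, hash and DH group all equal one configured proposal. The match rule is an assumption of this example (authentication method, IKE mode and lifetimes are not modelled), and the gateway's single Key Group setting is assumed to apply to both algorithm pairs. The second configuration, a single 3DES/SHA1/DH2 proposal, is included only for comparison. If the checker says a transform should be accepted but the gateway still logs "No proposal chosen", the mismatch lies in something outside the three fields compared here.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKEv1 Phase 1 transform (client side) or configured proposal (gateway side)."""
    enc: str        # "AES256", "AES128" or "3DES"
    hash: str       # integrity/PRF hash, e.g. "SHA1"
    dh_group: int   # IKE Diffie-Hellman group number (2, 14, 19, 20, ...)


# Constructed from the Wireshark list in the post: the five transforms the
# Windows client offers, in the order it sends them.
CLIENT_TRANSFORMS: List[Proposal] = [
    Proposal("AES256", "SHA1", 20),   # 384-bit ECP
    Proposal("AES128", "SHA1", 19),   # 256-bit ECP
    Proposal("AES256", "SHA1", 14),   # 2048-bit MODP
    Proposal("3DES", "SHA1", 14),     # 2048-bit MODP
    Proposal("3DES", "SHA1", 2),      # 1024-bit MODP
]

# The gateway configuration as posted: two algorithm pairs, Key Group DH14.
# Assumption: the single Key Group setting applies to both pairs.
USG60_PROPOSALS: List[Proposal] = [
    Proposal("3DES", "SHA1", 14),
    Proposal("AES256", "SHA1", 14),
]

# Comparison configuration: a single 3DES/SHA1/DH2 proposal.
WINDOWS_DEFAULT_ONLY: List[Proposal] = [Proposal("3DES", "SHA1", 2)]


def accepted_transforms(client: List[Proposal], gateway: List[Proposal]) -> List[int]:
    """1-based indexes of the client transforms a responder with this configuration
    would accept. Assumed rule: encryption, hash and DH group must all equal one
    configured proposal."""
    accepted = []
    for i, t in enumerate(client, start=1):
        if any((t.enc, t.hash, t.dh_group) == (g.enc, g.hash, g.dh_group) for g in gateway):
            accepted.append(i)
    return accepted


def dh_group_near_misses(client: List[Proposal], gateway: List[Proposal]) -> List[Tuple[int, int, int]]:
    """(index, client DH group, gateway DH group) for transforms that agree on cipher
    and hash with a configured proposal but are rejected on DH group alone."""
    accepted = set(accepted_transforms(client, gateway))
    misses = []
    for i, t in enumerate(client, start=1):
        if i in accepted:
            continue
        for g in gateway:
            if (t.enc, t.hash) == (g.enc, g.hash):
                misses.append((i, t.dh_group, g.dh_group))
    return misses


def report(client: List[Proposal], gateway: List[Proposal]) -> str:
    """Human-readable summary of which transforms match and which fail only on DH group."""
    ok = accepted_transforms(client, gateway)
    lines = []
    if ok:
        lines.append("Accepted client transforms: " + ", ".join(
            f"#{i} ({client[i - 1].enc}/{client[i - 1].hash}/DH{client[i - 1].dh_group})" for i in ok))
    else:
        lines.append("No client transform accepted: responder would answer NO_PROPOSAL_CHOSEN")
    for i, cg, gg in dh_group_near_misses(client, gateway):
        lines.append(f"  transform #{i} differs only in DH group (client DH{cg}, gateway DH{gg})")
    return "\n".join(lines)


if __name__ == "__main__":
    print("USG60 configuration as posted:")
    print(report(CLIENT_TRANSFORMS, USG60_PROPOSALS))
    print("\nSingle 3DES/SHA1/DH2 proposal for comparison:")
    print(report(CLIENT_TRANSFORMS, WINDOWS_DEFAULT_ONLY))
```

For the posted configuration the checker reports transforms #3 (AES256/SHA1/DH14) and #4 (3DES/SHA1/DH14) as acceptable and flags #1 and #5 as DH-group-only mismatches; with the single 3DES/SHA1/DH2 proposal only transform #5 matches. Either way, an acceptable transform exists, so a persistent "Phase 1 proposal mismatch" points at a field this comparison does not cover rather than at the algorithm lists themselves.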

All Replies

  • PeterUK (edited April 2)

    For the Windows L2TP/IPsec client, the defaults (last I checked) are:

    Phase 1 3DES/SHA1 DH2

    Phase 2 AES256/SHA1 PFS none

    However, this can be increased.

  • Jon_C

    Thanks very much for the comment. I have just tried reverting to the suggested config (which should match proposal 5), but that showed exactly the same in the logs.

    I did find out how to enable debug logging, but it didn't show anything useful (apart from a mysterious line after the proposal failure line that just said, in its entirety, "Reason:"...).

    configure terminal
    logging system-log category ike level all
    logging system-log category ipsec level all

    So, I deleted everything and ran the Quick Setup Wizard. It has made a VPN configuration that I can successfully connect to! Although I can't access any LAN resources (HTTP/HTTPS/SMB), oddly ICMP works fine from the remote client to things on the LAN, and from things on the LAN to the remote client.

    I will start tracing and see where that gets me.
