USG60 - IPSEC VPN failing at Phase 1, even though proposal seems to match?

Options
Jon_C
Jon_C Posts: 2
First Anniversary First Comment

Good morning All.

I had a IPSEC/L2TP VPN set up on my USG60, this was working correctly with Windows 10 clients. When it was not required last year it was disabled in the GUI. Now it does not want to work when re-enabled, and I can't see exactly why.

I have attempted to remove and recreate the various parts, but this did not improve anything.

I see the following in the logs:

[SA] : No proposal chosen

[SA] : Tunnel [###_IPSEC_VPN_CONN] Phase 1 proposal mismatch

Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; )."

And from Wireshark, 5 proposal transforms are seen from the client:

AES 256
SHA
384 bit ECP (DH Group 20)

AES 128
SHA
256 bit ECP - (DH Group 19)

AES 256
SHA
2048 bit MODP (DH Group 14)

3DES
SHA
2048 bit MODP (DH Group 14)

3DES
SHA
Alternate 1024-bit MODP (DH Group 2)

I have the USG60 set up with:

3DES SHA1
AES256 SHA1

Key Group: DH14

So, two proposals look like they should match but don't. What would be my best steps to troubleshoot further?

All Replies

  • PeterUK
    PeterUK Posts: 2,878  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2
    Options

    for windows default are

    For the windows client L2TP/IPsec last I checked was

    Phase 1 3DES/SHA1 DH2

    Phase 2 AES256/SHA1 PFS none

    however this can be increased 

  • Jon_C
    Jon_C Posts: 2
    First Anniversary First Comment
    Options

    Thanks very much for the comment. I have just tried reverting to the suggested config (which should match proposal 5), but that showed exactly the same in the logs.

    I did find out how to enable Debug Logging, but it didn't show anything useful (apart from a mysterious line after the proposal failure line that just said in its entirety "Reason:"….

    configure terminal 
    logging system-log category ike level all
    logging system-log category ipsec level all
    

    So, I deleted everything and ran the Quick Setup Wizard. It has made a VPN configuration that I can sucessfuly connect to! Although I can't access any LAN resources (HTTP/HTTPS/SMB), oddly ICMP works fine from the remote client to things on the LAN, and things on the LAN to the remote client.

    I will start tracing and see where that gets me.

Security Highlight