USG60 - IPSEC VPN failing at Phase 1, even though proposal seems to match?
Good morning All.
I had an IPSEC/L2TP VPN set up on my USG60, and this was working correctly with Windows 10 clients. When it was not required last year it was disabled in the GUI. Now it does not want to work when re-enabled, and I can't see exactly why.
I have attempted to remove and recreate the various parts, but this did not improve anything.
I see the following in the logs:
[SA] : No proposal chosen
[SA] : Tunnel [###_IPSEC_VPN_CONN] Phase 1 proposal mismatch
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; )."
And from Wireshark, 5 proposal transforms are seen from the client:
1. AES 256 / SHA / 384-bit ECP (DH Group 20)
2. AES 128 / SHA / 256-bit ECP (DH Group 19)
3. AES 256 / SHA / 2048-bit MODP (DH Group 14)
4. 3DES / SHA / 2048-bit MODP (DH Group 14)
5. 3DES / SHA / alternate 1024-bit MODP (DH Group 2)
I have the USG60 set up with:
- 3DES SHA1
- AES256 SHA1
- Key Group: DH14
So, two proposals look like they should match but don't. What would be my best steps to troubleshoot further?
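One way to check the log against the capture mechanically, as an added example (my own Python, not from the post or from Zyxel): it transcribes the five client transforms and the gateway settings given in the post, parses the attribute list the USG prints in its "Recv IKE sa" line, confirms that the log and the capture describe the same offer, and lists which client transforms the configured set should accept. Two caveats: the USG line flattens the offer into one de-duplicated attribute list, so it cannot show which combinations were offered (only the capture can), and an IKEv1 Phase 1 transform also carries an authentication method and SA lifetime that this line does not print, so agreement here rules out a cipher/hash/DH mismatch but not those attributes. The DH group names and the mapping of the log wording onto them are my own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    enc: str    # encryption algorithm, e.g. "AES256", "AES128", "3DES"
    integ: str  # integrity / PRF hash, e.g. "SHA1"
    dh: int     # Diffie-Hellman group number


# Client offer, transcribed from the Wireshark transform list in the post.
CLIENT_OFFER = [
    Proposal("AES256", "SHA1", 20),
    Proposal("AES128", "SHA1", 19),
    Proposal("AES256", "SHA1", 14),
    Proposal("3DES", "SHA1", 14),
    Proposal("3DES", "SHA1", 2),
]

# Gateway side from the post: 3DES SHA1 and AES256 SHA1, key group DH14.
GATEWAY_CONFIG = [
    Proposal("3DES", "SHA1", 14),
    Proposal("AES256", "SHA1", 14),
]

# The "Recv IKE sa" line quoted in the post, verbatim.
USG_LOG_LINE = (
    "Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, "
    "HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, "
    "3DES, 1024 bit MODP; )."
)

# How the USG log words each attribute, mapped onto the names used above
# (assumed mapping; DH group numbers per RFC 3526 for MODP and RFC 5903 for ECP).
LOG_ATTRIBUTE_NAMES = {
    "AES CBC key len = 256": "AES256",
    "AES CBC key len = 128": "AES128",
    "3DES": "3DES",
    "HMAC-SHA1 PRF": "SHA1",
    "HMAC-SHA1-96": "SHA1",
    "2048 bit MODP": "DH14",
    "1024 bit MODP": "DH2",
    "256 bit ECP": "DH19",
    "384 bit ECP": "DH20",
}


def parse_usg_sa_log(line):
    """Return the set of attribute names inside SA(...) of a USG 'Recv IKE sa' line.

    The USG flattens the whole offer into one de-duplicated list, so the grouping
    into transforms is lost here; only the capture shows which combinations exist.
    """
    m = re.search(r"SA\((.*)\)", line)  # greedy: the SA(...) body itself contains "(1)"
    if not m:
        raise ValueError("no SA(...) section in log line")
    items = [s.strip(" ;") for s in m.group(1).split(",")]
    # items[0] is the "[0] protocol = IKE (1)" header, not an attribute
    return {LOG_ATTRIBUTE_NAMES.get(item, item) for item in items[1:] if item}


def offer_attribute_set(offer):
    """Flatten a structured offer the same way the USG log does, for comparison."""
    attrs = set()
    for p in offer:
        attrs.update({p.enc, p.integ, f"DH{p.dh}"})
    return attrs


def matching_proposals(offer, accepted):
    """Client transforms the gateway should accept, numbered as the client sent them.

    An IKEv1 responder picks the first offered transform it accepts, so order matters.
    """
    accepted_set = set(accepted)
    return [(i + 1, p) for i, p in enumerate(offer) if p in accepted_set]


def diagnose(offer, accepted, log_line):
    """Cross-check capture against log and list the transforms that ought to match."""
    log_attrs = parse_usg_sa_log(log_line)
    cap_attrs = offer_attribute_set(offer)
    return {
        "log_matches_capture": log_attrs == cap_attrs,
        "only_in_log": sorted(log_attrs - cap_attrs),
        "only_in_capture": sorted(cap_attrs - log_attrs),
        "expected_matches": matching_proposals(offer, accepted),
    }


if __name__ == "__main__":
    report = diagnose(CLIENT_OFFER, GATEWAY_CONFIG, USG_LOG_LINE)
    print("log and capture describe the same offer:", report["log_matches_capture"])
    for n, p in report["expected_matches"]:
        print(f"client transform {n} ({p.enc}/{p.integ}/DH{p.dh}) should be accepted")
    if report["expected_matches"]:
        print("cipher, hash and DH group agree; check the attributes the log does not "
              "print (authentication method, lifetime) and the debug log")
```

Run as-is it reports that transforms 3 and 4 should be accepted by the configured set, i.e. the visible attributes are not where the mismatch is; swapping GATEWAY_CONFIG for another set (for instance the 3DES/SHA1/DH2 default suggested in the replies) shows which client transform would then be chosen.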
All Replies
For the Windows client L2TP/IPsec, the defaults last I checked were:
Phase 1: 3DES/SHA1 DH2
Phase 2: AES256/SHA1 PFS none
However, this can be increased.
Thanks very much for the comment. I have just tried reverting to the suggested config (which should match proposal 5), but that showed exactly the same in the logs.
I did find out how to enable debug logging, but it didn't show anything useful (apart from a mysterious line after the proposal failure line that just said, in its entirety, "Reason:").
configure terminal
logging system-log category ike level all
logging system-log category ipsec level all
So, I deleted everything and ran the Quick Setup Wizard. It has made a VPN configuration that I can successfully connect to! Although I can't access any LAN resources (HTTP/HTTPS/SMB), oddly ICMP works fine from the remote client to things on the LAN, and from things on the LAN to the remote client.
I will start tracing and see where that gets me.