ZyWall 110 Tunnel [L2TP_VPN] Phase 2 Local policy mismatch

Vyacheslav
Vyacheslav Posts: 17  Freshman Member
First Comment
edited April 2021 in Security

info  IKE  ISAKMP SA [L2TP_VPN_GW] is disconnected
info  IKE  Received delete notification
info  IKE  Recv:[HASH][DEL]
info  IKE  Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
info  IKE  [SA] : No proposal chosen
info  IKE  [ID] : Tunnel [L2TP_VPN] Phase 2 Local policy mismatch
info  IKE  Recv:[HASH][SA][NONCE][ID][ID]
info  IKE  Phase 1 IKE SA process done

Phase 1 and Phase 2 Proposal settings are the same.

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Vyacheslav
    The VPN phase 2 is the configuration of the VPN Connection.
    You can check whether your configuration is correct.

  • Vyacheslav
    Vyacheslav Posts: 17  Freshman Member
    First Comment
    edited May 2019
    Thanks for the answer, but my settings are the same as yours except 3DES, which is missing on my ZyWall 110 (firmware 4.33).
  • Vyacheslav
    Vyacheslav Posts: 17  Freshman Member
    First Comment
    edited May 2019
    Maybe downgrade the firmware to 4.25?
  • Vyacheslav
    Vyacheslav Posts: 17  Freshman Member
    First Comment
    From the 4.33 release:

    IPSec VPN
    1. [SPR: 070814168]
    [Symptom]
    VPN tunnel could not be established when:
    a. a non-ZyWALL/USG peer gateway reboots, and
    b. ZyWALL/USG has a previously established Phase 1 with the peer gateway, and the Phase 1 has not expired yet. Under those conditions, ZyWALL/USG will continue to use the previous phase 1 SA to negotiate the Phase 2 SA. This causes the phase 2 negotiation to fail.
    [Workaround]
    The user could disable and re-enable the phase 1 rule in ZyWALL/USG or turn on the DPD function to resolve the problem.

    It's my situation, but that doesn't help me.
  • Vyacheslav
    Vyacheslav Posts: 17  Freshman Member
    First Comment

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @Vyacheslav  

    Can you check the L2TP connection settings on your PC?



  • Vyacheslav
    Vyacheslav Posts: 17  Freshman Member
    First Comment
    Thank you all! The problem was that as a test computer I used a home one with Windows 10, and the VPN started working after, in "regedit" ==> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" ==> parameter "AssumeUDPEncapsulationContextOnSendRule", the "Value Data" was changed from "2" to "1". I express special thanks to the user "[Zyxel] jonatan" for actively participating in solving my problem.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @Vyacheslav

    The registry value 2 you mentioned is for establishing the VPN when both the USG and the client are behind a NAT router. In your scenario, the USG should not be behind NAT, so the value 1 is enough.

    It's good to hear you resolved the issue. :+1:
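The check below is an added example and is not code from the thread or from Zyxel. It reads the Windows client's AssumeUDPEncapsulationContextOnSendRule value from the registry path named in the thread, reports what it means, and optionally sets it. The value meanings (0 default, 1 server behind NAT, 2 both behind NAT) follow Microsoft's documentation for this setting, which matches Zyxel_Stanley's explanation; the script assumes a Windows 10 host and an elevated shell for the write.

```powershell
# Added example (not from the thread or Zyxel): inspect and optionally set the
# IPsec NAT-T rule that decided the outcome of this thread.
# Path and value name come from the thread; meanings follow Microsoft's
# documentation for the setting (assumed to apply to this Windows 10 host).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'

$meaning = @{
    0 = 'default: no IPsec SA to a VPN server that sits behind NAT'
    1 = 'VPN server may be behind NAT (enough when the client is not)'
    2 = 'both client and VPN server may be behind NAT'
}

function Get-NatTSetting {
    # A missing value behaves like 0, so report 0 in that case.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Set-NatTSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )
    # REG_DWORD as in the thread; needs an elevated shell.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    # The IPsec Policy Agent reads the value at startup; Microsoft's guidance
    # is to reboot for the change to take effect.
    Write-Warning "Set $valueName to $Value; reboot the client to apply."
}

$current = Get-NatTSetting
'{0} = {1} ({2})' -f $valueName, $current, $meaning[$current]

# Usage (elevated), following the thread's resolution: a USG that is not
# behind NAT only needs 1; reserve 2 for a client that is itself behind NAT.
# Set-NatTSetting -Value 1
```

Run it once before changing anything so the current value is on record; the thread's lesson is that a value of 2 on a client whose gateway is not behind NAT makes Windows send NAT-T encapsulated traffic the ZyWALL will not accept, which surfaces on the gateway side as the Phase 2 "Local policy mismatch" seen in the original log.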
