USG 20 L2TP VPN for Android / iOS - Phase 2 proposal mismatch
Hi,
I am trying to set up remote access for mobile clients (Android and iOS) utilizing L2TP VPN on our USG 20 device.
USG 20 is on the latest 3.30 firmware and there is already an established site-to-site IPsec tunnel between this device and a remote pfSense box. We have a public IPv4, but it is not configured on the USG 20 itself. This public IP is configured on our ISP's edge router and then it is 1:1 NATed to the IP that is assigned to the USG 20 WAN interface.
I've followed the tutorial for setting up L2TP remote access, which is described in the ZyWALL USG20-2000 User's Guide, but it is not working. I can see in the log that the client is trying to connect; it successfully passes phase 1, but in phase 2 it ends with "Phase 2 proposal mismatch".
My setup:
VPN Gateway:
Interface: wan1
Using pre-shared key
Local ID Type: IP, 0.0.0.0
Peer ID Type: Any
SA lifetime: 28800
Negotiation mode: Main
Proposal: AES-256, SHA-256
Key Group: DH2
NAT Traversal: true
Dead Peer Detection: true
Enable extended authentication: false
VPN Connection:
VPN Gateway: Remote Access (Server role), selected previously created VPN gateway
Local policy: IP address of the WAN interface (the internal one, not the public one)
SA lifetime: 28800
Active protocol: ESP
Encapsulation: Transport
Proposal: AES-256, SHA-256, but I've tried a lot of things here
Perfect forward secrecy: none
Zone: IPSec_VPN
In the log, I can see following entries:
Recv Main Mode request from [37.48.3.109]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv:[KE][NONCE][PRV][PRV]
Send:[KE][NONCE][PRV][PRV]
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
Send:[ID][HASH]
Phase 1 IKE SA process done
Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]
[SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 2 proposal mismatch
[SA] : No proposal chosen
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
Recv:[HASH][DEL]
Received delete notification
ISAKMP SA [Default_L2TP_VPN_GW] is disconnected
I would appreciate any help on this. I've found several topics here and on other forums; they all recommend altering the VPN Connection Proposal settings or the Local policy settings, but none of them helped me.
Thanks in advance.
Jiri
All Replies
Hi @Gregorij
The log shows there is a Phase 2 proposal mismatch:
[SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 2 proposal mismatch.
Because we don't know what the Authentication and Encryption settings of the mobile are.
You can try different kinds of Encryption and Authentication in the proposal to test which ones match the mobile's settings.
Hi @Zyxel_Jerry ,
thank you for your answer, but I've already tried to alter these settings in many different ways.
In the meantime, I've enabled debug logs on the USG 20 and also tried to capture the traffic and browse it in Wireshark. I am not a pro at investigating network communication, but if I understand the dumps correctly, there is no issue with the encryption and authentication algorithms. The proposals from the clients seem to match the settings I have in the VPN setup. But in the debug log, I can see these records:
Message: No proposal chosen (14)
Reason:
Local Traffic Selector mismatch
Algorithm did not match policy
[NULL(#0)]IPsec SA negotiations: 1136 done, 32 successful, 1104 failed
Should the issue be with the NAT? It seems to me that the client sends the device its public IP address, but in the Local policy settings I have the IP address of the WAN interface. In some tutorials I saw that the local policy settings can hold the public IP, but the USG 20 doesn't allow me to make such a setting.
Thanks.
Did you resolve the issue? I have exactly the same problem. The USG20 is behind an ISP router/gateway. I can get an L2TP VPN from the local network that the USG20's outside interface is connected to. That should tell me the encryption settings are good, right?
Hello @l2tpvpn and welcome to the forum!
When the L2TP server is behind a NAT router, you have to use the public internet IP as the local policy on the USG! The router in front has to forward the required services.
Have a look here:
When using a Windows client, you might have to import a registry key for IPsec behind NAT:
Or evaluate (maybe with the provider) if the router can be set into bridge mode, so that the public WAN IP will be assigned to the USG's WAN interface; then you can simply follow this guide:
But be aware (and this info is also interesting for @Gregorij) that the old ZyWALL USG series (Firmware 3.xx) is not capable of L2TP behind NAT.
So @l2tpvpn, when you use a next generation USG20W-VPN (firmware 4.xx) for example, you can use the guide for L2TP behind NAT.
But it is obviously easier to set the router in front in bridge mode if possible.
Hope this helps!
Best regards
Lukas
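The thread narrows the failure down in two steps: the posted log shows phase 1 completing and phase 2 being refused with NO_PROPOSAL_CHOSEN, and the debug log plus Lukas's reply point at the traffic selector rather than the transforms, because behind 1:1 NAT the client dials the public IP while the local policy holds the private WAN address. The script below is an added example written for this thread (it is not code from the posters or from Zyxel). It classifies log lines of the kind quoted in the first post and then models, in simplified form, the responder's IKEv1 quick-mode check of the client's IDcr selector (UDP/1701 to the dialled address) against a configured local policy. The peer address comes from the posted log; the public address 203.0.113.10 and WAN address 192.168.1.2 are constructed sample values, and the `Selector`, `classify_ike_log`, `quick_mode_selectors_match` and `l2tp_behind_nat` names are the example's own. Whether a given firmware can actually hold the public IP as local policy is a product question the script does not answer; it only shows why the private address cannot match.

```python
"""Added example, not code from the thread or from Zyxel. Two small
checks that reproduce the reasoning of this thread on sample input.

1. classify_ike_log() walks IKEv1 log lines like the ones the USG 20
   prints and reports how far the exchange got.
2. quick_mode_selectors_match() models the responder side of the
   IKEv1 quick-mode identity check for an L2TP/IPsec transport-mode SA.
   The client sends IDcr = the address it dialled, UDP/1701; the
   responder accepts only if that equals its configured local policy.
   Behind 1:1 NAT the dialled address is the public IP, so a local
   policy holding the private WAN address never matches.

All IP addresses below except the peer from the posted log are
constructed sample values.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Log lines quoted from the first post of the thread (VID payloads shortened).
SAMPLE_LOG = [
    "Recv Main Mode request from [37.48.3.109]",
    "Recv:[SA][VID][VID][VID]",
    "Send:[SA][VID][VID]",
    "Recv:[KE][NONCE][PRV][PRV]",
    "Send:[KE][NONCE][PRV][PRV]",
    "Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]",
    "Send:[ID][HASH]",
    "Phase 1 IKE SA process done",
    "Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]",
    "[SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 2 proposal mismatch",
    "[SA] : No proposal chosen",
    "Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]",
    "Recv:[HASH][DEL]",
]

PEER_RE = re.compile(r"Recv Main Mode request from \[([0-9.]+)\]")
NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")


def classify_ike_log(lines):
    """Return where an IKEv1 exchange stopped and what to look at next."""
    info = {"peer": None, "phase1_done": False,
            "phase2_rejected": False, "sent_notify": None}
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            info["peer"] = m.group(1)
        if "Phase 1 IKE SA process done" in line:
            info["phase1_done"] = True
        if "Phase 2 proposal mismatch" in line:
            info["phase2_rejected"] = True
        m = NOTIFY_RE.search(line)
        if m and line.startswith("Send:"):
            info["sent_notify"] = m.group(1)
    if info["phase1_done"] and info["phase2_rejected"]:
        # PSK, phase 1 proposal and DH group were already agreed; the
        # remaining suspects are the phase 2 transforms and selectors.
        info["next_check"] = "phase2_transforms_and_traffic_selectors"
    elif not info["phase1_done"]:
        info["next_check"] = "phase1_psk_proposal_dh_group"
    else:
        info["next_check"] = "none"
    return info


UDP = 17
L2TP_PORT = 1701


@dataclass(frozen=True)
class Selector:
    """One IKEv1 quick-mode ID payload: address, protocol, port."""
    address: str
    protocol: int
    port: int


def quick_mode_selectors_match(idcr: Selector, local_policy_ip: str) -> bool:
    """Simplified responder check of the client's IDcr against the local policy.

    A real stack also compares the transform set; the thread showed that
    part already matched, so only the selector is modelled here.
    """
    return (ip_address(idcr.address) == ip_address(local_policy_ip)
            and idcr.protocol == UDP
            and idcr.port == L2TP_PORT)


def l2tp_behind_nat(public_ip: str, local_policy_ip: str) -> bool:
    """True if a client dialling public_ip is accepted by this local policy."""
    return quick_mode_selectors_match(Selector(public_ip, UDP, L2TP_PORT),
                                      local_policy_ip)


if __name__ == "__main__":
    print(classify_ike_log(SAMPLE_LOG))
    # Constructed addresses: public 203.0.113.10 is 1:1 NATed to WAN 192.168.1.2.
    print("local policy = private WAN IP:",
          l2tp_behind_nat("203.0.113.10", "192.168.1.2"))   # False
    print("local policy = public IP:",
          l2tp_behind_nat("203.0.113.10", "203.0.113.10"))  # True
```

Run against a real USG log export, the classifier separates "phase 1 never completed" (PSK or phase 1 proposal problems) from "phase 1 fine, phase 2 refused" so that the proposal table is not changed blindly; the selector model then shows that with the private WAN address as local policy the quick-mode ID check fails regardless of which AES/SHA combination is configured.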