L2TP Phase 2 proposal mismatch

Christian78 Posts: 8
First Anniversary Friend Collector First Comment
edited April 2021 in Security


I have problems to set up a L2TP over IPSec VPN on my ZyWALL310 VPN.

I used both the Quick Setup to configure the VPN and I configured it manually from scratch. Always with the same result. It seems that Phase 1 of the negotiation works fine, but the log ends with:

[Default_L2TP_VPN_Connection] Phase 2 proposal mismatch

[SA] No proposal chosen.

I've attached some pics of my config. Any ideas?

Thanks for your help!

VPN Gateway:

VPN Connection:

L2TP Config:

Screenshot of log:

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment


    For the log message: "Phase 2 proposal mismatch" which could be the Algorithm on VPN connection mismatch.

    Double check the Encryption and Authentication on the USG are match with VPN client's.

  • PeterUK
    PeterUK Posts: 2,732  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Try changing your proposal  to the following


  • Christian78

    Hi Peter, hi Charlie!

    Thanks for your suggestions! In fact, is was a mixture of wrong proposals and user management. I had great help yesterday from Zyxel support, who found out that my proposals were slightly wrong.

    Today, the tunnel is working perfectly. I am now trying to find out how to assign different User Groups to different Security Policies.

    In the L2TP Config, I've set "Allowed Users" to L2TP-Group, which is my preconfigured group of allowed Users.

    In the 2 Security Policies ("IPSec Outgoing to Any" and "IPSec to Device"), I've done the same: I've limited it to the L2TP-Group Users. But that causes trouble. The VPN is only set up when I set the Users to "any".

    I now 'only' need to figure out how to configure that part.



  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment

    Just curious that why you want to configure it

    ("IPSec Outgoing to Any" and "IPSec to Device")

Security Highlight