USG 110 wrong VPN Connection chosen
Hello,
We have 2 VPN connections set up:
1 L2TP over IPsec, client (dynamic 0.0.0.0) to site (our USG 110)
1 IPsec site (our USG 110) to site (home D-Link, which was working with our old USG100), fixed IPs on both sides
The L2TP VPN works fine.
The external router tries to connect the VPN to the USG, but unfortunately, according to the logs, the USG takes the wrong VPN rule to connect the external router. It takes the L2TP VPN rule instead of the site-to-site IPsec rule, and of course we receive a "wrong proposal chosen".
The Local ID type for the VPN Gateway policy of the site-to-site VPN is the IP address.
Best Answers
Hi DUU, the most efficient way to resolve the proposal mismatch and the crypto details is to:
- gather the debug logs for the failure from each USG110
- compare the PH1 and PH2 settings, in list format, for each USG110
- review the Local and Peer Identities and types.
The logs/debug logs will give you sufficient information to resolve this.
FWIW, if the Gateway proposal is selecting the wrong connection, it's possible the LOCAL POLICY is misconfigured on one of the Site-to-Site
local ID: type: peer ID: type:
Post the error logs from one of the USG110 appliances; as always, I'm curious what the solution would be.
HTH
warwick
Hong Kong
Hello,
Thank you for your message.
You are completely right. I removed all policies on both sides and reconfigured them using the Wizard. Everything is working well now. I also figured out that at first I set the local ID as the WAN IP, but the WAN IP wasn't the public IP, because the router was behind another one; that is why the ID didn't match.
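An added illustration of the failure mode resolved above (not Zyxel's code, and not the USG's real gateway-selection logic): a simplified IKE responder that only picks a static site-to-site gateway when the peer address and both identities match, and otherwise falls back to the dynamic 0.0.0.0 gateway, so a local ID set to the private WAN IP behind an upstream NAT router lands the D-Link on the L2TP gateway and its proposals. Policy names, addresses and proposal labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayPolicy:
    name: str
    peer_address: str      # "0.0.0.0" means dynamic peer (the L2TP gateway)
    local_id: str          # IP-type local identity this side presents
    peer_id: str           # IP-type identity expected from the remote peer
    proposals: frozenset   # PH1 proposal labels (constructed, not real names)


@dataclass(frozen=True)
class IkeRequest:
    source_ip: str         # address the IKE packet actually arrives from
    id_i: str              # identity the initiator claims
    id_r: str              # identity the initiator expects from the responder
    proposals: frozenset


def select_policy(policies, req):
    """Static policies win only when address and both identities match;
    otherwise the dynamic (0.0.0.0) policy catches the connection."""
    for p in policies:
        if (p.peer_address == req.source_ip and p.peer_id == req.id_i
                and p.local_id == req.id_r):
            return p
    return next((p for p in policies if p.peer_address == "0.0.0.0"), None)


def negotiate(policies, req):
    """Return (result, chosen policy name) for one PH1 attempt."""
    p = select_policy(policies, req)
    if p is None:
        return ("no matching gateway", None)
    if p.proposals & req.proposals:
        return ("ok", p.name)
    return ("wrong proposal chosen", p.name)


# Constructed addresses: 203.0.113.10 is the public IP on the upstream router,
# 192.168.1.2 the USG's private WAN IP behind it, 198.51.100.20 the D-Link.
L2TP = GatewayPolicy("L2TP-dynamic", "0.0.0.0", "203.0.113.10", "", frozenset({"3des-sha1-g2"}))
S2S_OK = GatewayPolicy("Site-to-Site", "198.51.100.20", "203.0.113.10", "198.51.100.20",
                       frozenset({"aes256-sha256-g14"}))
# The misconfiguration from the thread: local ID set to the private WAN IP.
S2S_BAD = GatewayPolicy("Site-to-Site", "198.51.100.20", "192.168.1.2", "198.51.100.20",
                        frozenset({"aes256-sha256-g14"}))
DLINK = IkeRequest("198.51.100.20", "198.51.100.20", "203.0.113.10", frozenset({"aes256-sha256-g14"}))


def demo():
    """Misconfigured local ID first, corrected local ID second."""
    return (negotiate([L2TP, S2S_BAD], DLINK), negotiate([L2TP, S2S_OK], DLINK))


if __name__ == "__main__":
    for label, result in zip(("private WAN IP as local ID", "public IP as local ID"), demo()):
        print(f"{label}: {result}")
```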