NCP to USG20W VPN Connection

Bernhard · January 2018

I try to establish a connection from the NCP client 10.04 to Zyxel USG20W FW: 3.30(BDR.9)
Always get the error in Phase1 Ike: XMIT_MSG1_MAIN - XXX,vpngw=91.111.111.11:500

1    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     notice              firewall               ACCESS FORWARD
     priority:15, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT
2    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     The cookie pair is : 0x85d45d1ccf0f9fad / 0x0000000000000000
3    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     Recv Main Mode request from [62.46.64.61]
4    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     The cookie pair is : 0x0bd0cdf5f0de19ac / 0x85d45d1ccf0f9fad
5    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
6    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     The cookie pair is : 0x85d45d1ccf0f9fad / 0x0bd0cdf5f0de19ac [count=3]
7    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     [SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 1 proposal mismatch
8    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     [SA] : No proposal chosen
9    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
10   2018-01-06 20:31:55 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     The cookie pair is : 0x0bd0cdf5f0de19ac / 0x85d45d1ccf0f9fad
11   2018-01-06 20:31:55 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     Recv:[DEL]

The log of the NCP says:
06.01.2018 19:45:19 - IPSec: Start building connection
06.01.2018 19:45:19 - IpsDial: connection time interface choice,LocIpa=192.168.30.30,AdapterIndex=200
06.01.2018 19:45:19 - Ike: Outgoing connect request MAIN mode - gateway=91.113.113.82 : XXX
06.01.2018 19:45:19 - Ike: XMIT_MSG1_MAIN - XXX,vpngw=91.113.113.82:500
06.01.2018 19:45:19 - Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:23 - Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:23 - Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:27 - Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:27 - Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:31 - Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:31 - Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:35 - ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2 > - XXX.
06.01.2018 19:45:35 - Ike: phase1:name(XXX) - ERROR - retry timeout - max retries
06.01.2018 19:45:35 - IPSec: Disconnected from XXX on channel 1.

Would be great if anybody can help!

#Biz_Security_January

Jeremylin · January 2018

As the log message,
I just curious that do you establish the L2TP VPN connection or IPsec VPN connection?
On USG's log, it appear "[Default_L2TP_VPN_Connection] Phase 1 proposal mismatch"
On NCP's log, 06.01.2018 19:45:35 - IPSec: Disconnected from XXX on channel 1.

NCP to USG20W VPN Connection

Comments

Categories

Security Help Center