USG 20 L2TP VPN for Android / iOS - Phase 2 proposal mismatch
I am trying to set up remote access for mobile clients (Android and iOS) utilizing L2TP VPN on our USG 20 device.
The USG 20 is on the latest 3.30 firmware and there is already an established site-to-site IPsec tunnel between this device and a remote pfSense box. We have a public IPv4 address, but it is not configured on the USG 20 itself. This public IP is configured on our ISP's edge router and then 1:1 NATed to the IP that is assigned to the USG 20 WAN interface.
I've followed the tutorial for setting up L2TP remote access described in the ZyWALL USG20-2000 User's Guide, but it is not working. I can see in the log that the client is trying to connect; it successfully passes phase 1, but phase 2 ends with "Phase 2 proposal mismatch".
Using pre-shared key
Local ID Type: IP, 0.0.0.0
Peer ID Type: Any
SA lifetime: 28800
Negotiation mode: Main
Proposal: AES-256, SHA-256
Key Group: DH2
NAT Traversal: true
Dead Peer Detection: true
Enable extended authentication: false
VPN Gateway: Remote Access (Server role), selected previously created VPN gateway
Local policy: IP address of the WAN interface (the internal one, not the public one)
SA lifetime: 28800
Active protocol: ESP
Proposal: AES-256, SHA-256, but I've tried a lot of things here
Perfect forward secrecy: none
In the log, I can see the following entries:
Recv Main Mode request from [22.214.171.124]
Phase 1 IKE SA process done
[SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 2 proposal mismatch
[SA] : No proposal chosen
Received delete notification
ISAKMP SA [Default_L2TP_VPN_GW] is disconnected
I would appreciate any help on this. I've found several topics here and on other forums; they all recommend altering the VPN Connection proposal settings or the local policy settings, but none of these helped me.
Thanks in advance.
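As an added illustration (not part of the original post or of the ZyWALL firmware), the following Python models the checks an IKEv1 responder makes before answering "No proposal chosen" for a Phase 2 offer. The USG-side policy mirrors the post's settings (AES-256, SHA-256, PFS none, transport mode for L2TP/IPsec); the WAN address 192.0.2.10, the NATed public address 203.0.113.5, and the mobile client's offer list (SHA1-only transforms) are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str   # e.g. "AES-256"
    integrity: str    # e.g. "SHA-256" or "SHA1"
    pfs_group: str    # "none", "DH2", "DH14", ...
    mode: str         # "transport" for L2TP/IPsec, "tunnel" for site-to-site
    local_id: str     # gateway-side address carried in the quick-mode ID payload


def phase2_mismatches(server, offers):
    """For every client offer, list the attributes that differ from the gateway's
    Phase 2 policy. An empty list means that offer would be accepted; any non-empty
    list is one reason for a 'Phase 2 proposal mismatch' log entry."""
    reasons = []
    for offer in offers:
        why = []
        if offer.encryption != server.encryption:
            why.append(f"encryption {offer.encryption} != {server.encryption}")
        if offer.integrity != server.integrity:
            why.append(f"integrity {offer.integrity} != {server.integrity}")
        if offer.pfs_group != server.pfs_group:
            why.append(f"PFS {offer.pfs_group} != {server.pfs_group}")
        if offer.mode != server.mode:
            why.append(f"mode {offer.mode} != {server.mode}")
        if offer.local_id != server.local_id:
            # Local policy must match the address the client addresses the gateway by;
            # behind 1:1 NAT that is the public address, not the WAN interface address.
            why.append(f"local policy {server.local_id} != peer's view {offer.local_id}")
        reasons.append(why)
    return reasons


def first_acceptable(server, offers):
    """Return the first offer the gateway would accept, or None (= 'No proposal chosen')."""
    for offer, why in zip(offers, phase2_mismatches(server, offers)):
        if not why:
            return offer
    return None


# Constructed sample data (assumptions, see the lead-in).
USG_POLICY = Phase2Proposal("AES-256", "SHA-256", "none", "transport", "192.0.2.10")
CLIENT_OFFERS = (
    Phase2Proposal("AES-256", "SHA1", "none", "transport", "203.0.113.5"),
    Phase2Proposal("AES-128", "SHA1", "none", "transport", "203.0.113.5"),
    Phase2Proposal("3DES", "SHA1", "none", "transport", "203.0.113.5"),
)

if __name__ == "__main__":
    for offer, why in zip(CLIENT_OFFERS, phase2_mismatches(USG_POLICY, CLIENT_OFFERS)):
        print(offer.encryption, "/", offer.integrity, "->", why or "ACCEPTED")
    print("chosen:", first_acceptable(USG_POLICY, CLIENT_OFFERS))
```

Running it shows that, against this assumed offer list, every offer fails on two independent attributes (integrity and local policy), so changing only the cipher/hash proposal or only the local policy still leaves one mismatch.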