L2TP Phase 2 proposal mismatch

Christian78 · March 2020

Hi!

I have problems to set up a L2TP over IPSec VPN on my ZyWALL310 VPN.

I used both the Quick Setup to configure the VPN and I configured it manually from scratch. Always with the same result. It seems that Phase 1 of the negotiation works fine, but the log ends with:

[Default_L2TP_VPN_Connection] Phase 2 proposal mismatch

[SA] No proposal chosen.

I've attached some pics of my config. Any ideas?

Thanks for your help!

VPN Gateway:

VPN Connection:

L2TP Config:

Screenshot of log:

Zyxel_Charlie · April 2020

@Christian78

For the log message: "Phase 2 proposal mismatch" which could be the Algorithm on VPN connection mismatch.

Double check the Encryption and Authentication on the USG are match with VPN client's.

PeterUK · April 2020

Try changing your proposal to the following

https://businessforum.zyxel.com/discussion/comment/10293#Comment_10293

Christian78 · April 2020

Hi Peter, hi Charlie!

Thanks for your suggestions! In fact, is was a mixture of wrong proposals and user management. I had great help yesterday from Zyxel support, who found out that my proposals were slightly wrong.

Today, the tunnel is working perfectly. I am now trying to find out how to assign different User Groups to different Security Policies.

In the L2TP Config, I've set "Allowed Users" to L2TP-Group, which is my preconfigured group of allowed Users.

In the 2 Security Policies ("IPSec Outgoing to Any" and "IPSec to Device"), I've done the same: I've limited it to the L2TP-Group Users. But that causes trouble. The VPN is only set up when I set the Users to "any".

I now 'only' need to figure out how to configure that part.

Cheers,

Christian