NCP to USG20W VPN Connection

Bernhard Posts: 1  Freshman Member
edited April 2021 in Security
I am trying to establish a connection from the NCP client 10.04 to a Zyxel USG20W, FW: 3.30(BDR.9).
I always get this error in Phase 1: Ike: XMIT_MSG1_MAIN - XXX,vpngw=91.111.111.11:500

1    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500    
     notice              firewall               ACCESS FORWARD                                 
     priority:15, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT
2    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     The cookie pair is : 0x85d45d1ccf0f9fad / 0x0000000000000000
3    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     Recv Main Mode request from [62.46.64.61]
4    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     The cookie pair is : 0x0bd0cdf5f0de19ac / 0x85d45d1ccf0f9fad
5    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
6    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952    
     info                ike                    IKE_LOG                                        
     The cookie pair is : 0x85d45d1ccf0f9fad / 0x0bd0cdf5f0de19ac [count=3]
7    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952    
     info                ike                    IKE_LOG                                        
     [SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 1 proposal mismatch
8    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952    
     info                ike                    IKE_LOG                                        
     [SA] : No proposal chosen
9    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952    
     info                ike                    IKE_LOG                                        
     Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
10   2018-01-06 20:31:55 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     The cookie pair is : 0x0bd0cdf5f0de19ac / 0x85d45d1ccf0f9fad
11   2018-01-06 20:31:55 62.46.64.61:10952      91.113.113.82:500    
     info                ike                    IKE_LOG                                        
     Recv:[DEL]
     
The log of the NCP says:
06.01.2018 19:45:19  -  IPSec: Start building connection
06.01.2018 19:45:19  -  IpsDial: connection time interface choice,LocIpa=192.168.30.30,AdapterIndex=200
06.01.2018 19:45:19  -  Ike: Outgoing connect request MAIN mode - gateway=91.113.113.82 : XXX
06.01.2018 19:45:19  -  Ike: XMIT_MSG1_MAIN - XXX,vpngw=91.113.113.82:500
06.01.2018 19:45:19  -  Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:23  -  Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:23  -  Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:27  -  Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:27  -  Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:31  -  Ike: ConRef=14, retry timeout, resend to=91.113.113.82:500
06.01.2018 19:45:31  -  Ike: NOTIFY : XXX: RECEIVED : NO_PROPOSAL_CHOSEN : 14
06.01.2018 19:45:35  -  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2 > - XXX.
06.01.2018 19:45:35  -  Ike: phase1:name(XXX) - ERROR - retry timeout - max retries
06.01.2018 19:45:35  -  IPSec: Disconnected from XXX on channel 1.

Would be great if anybody can help!


Comments

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    Looking at the log messages,
    I am just curious: are you establishing an L2TP VPN connection or an IPsec VPN connection?
    The USG's log shows "[Default_L2TP_VPN_Connection] Phase 1 proposal mismatch".
    The NCP's log shows: 06.01.2018 19:45:35  -  IPSec: Disconnected from XXX on channel 1.
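
The comment above turns on which tunnel policy the USG tried to match before it answered NO_PROPOSAL_CHOSEN. The following is an added example, not part of the thread and not Zyxel or NCP code: it parses the three-line record layout of the USG log quoted in the post and reports, per remote peer, the tunnel names rejected in Phase 1. The function names are hypothetical, and it assumes the gateway logs its own replies with the peer as destination, as in the excerpt.

```python
import re
from collections import defaultdict

# Excerpt of the USG log quoted in the post above (records 5, 7 and 9).
SAMPLE = """\
5    2018-01-06 20:31:40 62.46.64.61:10952      91.113.113.82:500
     info                ike                    IKE_LOG
     Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
7    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     [SA] : Tunnel [Default_L2TP_VPN_Connection] Phase 1 proposal mismatch
9    2018-01-06 20:31:40 91.113.113.82:500      62.46.64.61:10952
     info                ike                    IKE_LOG
     Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
"""

HEADER = re.compile(
    r"^(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")
MISMATCH = re.compile(r"Tunnel \[([^\]]+)\] Phase 1 proposal mismatch")

def parse_records(text):
    """Yield one dict per record: header line, severity/category line, message line."""
    lines = [l for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 2 < len(lines):
            severity, category = lines[i + 1].split()[:2]
            yield {"time": m[2], "src": m[3], "dst": m[5], "severity": severity,
                   "category": category, "msg": lines[i + 2].strip()}
            i += 3
        else:
            i += 1  # not a record header: skip and resynchronise

def phase1_mismatches(text):
    """Map each remote peer to the tunnels rejected in Phase 1 and the notify sent."""
    peers = defaultdict(lambda: {"tunnels": set(), "no_proposal_sent": False})
    for rec in parse_records(text):
        if rec["category"] != "ike":
            continue
        m = MISMATCH.search(rec["msg"])
        if m:  # assumption: gateway replies are logged with the peer as destination
            peers[rec["dst"]]["tunnels"].add(m[1])
        elif rec["msg"].startswith("Send:") and "NOTIFY:NO_PROPOSAL_CHOSEN" in rec["msg"]:
            peers[rec["dst"]]["no_proposal_sent"] = True
    return dict(peers)

if __name__ == "__main__":
    print(phase1_mismatches(SAMPLE))
```
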
