Problem with incoming VPN connections
Hi Folks,
I got the following issue which leaves me kind of clueless now:
USG210 on latest FW.
Configured two VPN:
VPN1: IPSEC site-to-site connection with static peer, using Gateway GATE_1 and Connection CON_1, both sites addressed via DNS
VPN2: L2TPoverIPSec, for mobile devices, using L2TP_Gate and L2TP_Connection.
VPN1 is up and runs just fine - absolutely no problem.
When a client tries to connect via L2TP this fails. The USG correctly uses L2TP_Gate for Phase 1, but CON_1 for Phase 2, which obviously is wrong and fails.
The config shows that the correct Gates and Connections are connected to each other.
Any hints how to solve this?
Regards
Carsten
0
Accepted Solution
-
@CDS,
L2TP over IPSec is an L2TP tunnel run inside a transport-mode IPSec tunnel.
That means the IPSec is a point-to-point tunnel, not a network-to-network tunnel.
So the local policy of Phase 2 is an IP address that can include the WAN interface IP address.
Please change it to the WAN IP address or any (0.0.0.0).
6
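To make the accepted answer's reasoning concrete, here is an added example (not code from the thread or from Zyxel) that models, in simplified form, how a Quick Mode responder matches an initiator's Phase 2 selectors against configured connections. It assumes constructed RFC 5737 addresses for the WAN interface and the mobile client, an assumed "before" local policy of the LAN subnet for L2TP_Connection, and a first-match selection rule, which is not necessarily the USG's real algorithm.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed example addresses (RFC 5737 documentation ranges), not the poster's real IPs.
WAN_IP = "203.0.113.10"          # USG WAN interface
MOBILE_CLIENT = "198.51.100.7"   # roaming L2TP client's public address

@dataclass(frozen=True)
class Connection:
    name: str
    local_policy: str     # CIDR; "0.0.0.0/0" stands for the GUI's "any"
    remote_policy: str
    transport_mode: bool  # True for the L2TP/IPsec connection

def covers(policy: str, proposed: str) -> bool:
    """True when the proposed Phase 2 selector lies inside the configured policy."""
    return ip_network(proposed).subnet_of(ip_network(policy))

def choose_connection(conns, proposed_local: str, proposed_remote: str):
    """Simplified Quick Mode responder (assumed first-match rule): return the first
    connection whose local and remote policies both cover the initiator's selectors,
    else None, which is the situation the USG logs as 'No proposal chosen'."""
    for c in conns:
        if covers(c.local_policy, proposed_local) and covers(c.remote_policy, proposed_remote):
            return c.name
    return None

def l2tp_local_policy_ok(conn: Connection, wan_ip: str) -> bool:
    """The fix from the thread: a transport-mode L2TP connection's local policy
    must contain the WAN interface address (the WAN IP itself or any/0.0.0.0)."""
    return conn.transport_mode and covers(conn.local_policy, f"{wan_ip}/32")

SITE_TO_SITE = Connection("CON_1", "192.168.1.0/24", "192.168.2.0/24", False)
# Assumed "before": the L2TP connection used the LAN subnet as its local policy.
L2TP_BROKEN = Connection("L2TP_Connection", "192.168.1.0/24", "0.0.0.0/0", True)
# "After": local policy is the WAN IP (0.0.0.0/0 would also work).
L2TP_FIXED = Connection("L2TP_Connection", f"{WAN_IP}/32", "0.0.0.0/0", True)

# Transport mode is host-to-host, so the client proposes single addresses:
# local = the USG's WAN IP, remote = the client's own public IP.
L2TP_PROPOSAL = (f"{WAN_IP}/32", f"{MOBILE_CLIENT}/32")

if __name__ == "__main__":
    print(choose_connection([SITE_TO_SITE, L2TP_BROKEN], *L2TP_PROPOSAL))  # None
    print(choose_connection([SITE_TO_SITE, L2TP_FIXED], *L2TP_PROPOSAL))   # L2TP_Connection
```

The site-to-site proposal (LAN subnet to remote subnet) keeps matching CON_1 in both configurations, so the fix does not disturb VPN1.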
All Replies
-
@CDS
Can you screenshot the log message when the issue occurs?
Go to Monitor > Log > select IKE in Category (please screenshot the message).
Also, I want to check your configuration as well, please share it.
Charlie
0
-
The Log: L2TP_Gate is the correct gateway, but the corresponding connection is L2TP_Connection.
No. Date/Time Source Destination Message
1 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x0000000000000000
2 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 Recv Main Mode request from [MobileClient_IP]
3 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
4 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 Recv:[SA][VID][VID][VID][VID][VID][VID]
5 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA384 PRF, HMAC-SHA384-192, 1024 bit MODP, HMAC-SHA256 PRF, HMAC-SHA256-128, HMAC-SHA512 PRF, HMAC-SHA512-256, HMAC-SHA1 PRF, HMAC-SHA1-96, HMAC-MD5 PRF, HMAC-MD5-96, AES CBC key len = 1
6 2019-01-10 19:27:38 Server_IP:500 MobileClient_IP:3169 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
7 2019-01-10 19:27:38 Server_IP:500 MobileClient_IP:3169 Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
8 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
9 2019-01-10 19:27:38 MobileClient_IP:3169 Server_IP:500 Recv:[KE][NONCE][PRV][PRV]
10 2019-01-10 19:27:38 Server_IP:500 MobileClient_IP:3169 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
11 2019-01-10 19:27:38 Server_IP:500 MobileClient_IP:3169 Send:[KE][NONCE][PRV][PRV]
12 2019-01-10 19:27:39 MobileClient_IP:4500 Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
13 2019-01-10 19:27:39 MobileClient_IP:4500 Server_IP:4500 Recv:[ID][HASH]
14 2019-01-10 19:27:39 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
15 2019-01-10 19:27:39 Server_IP:4500 MobileClient_IP:4500 Send:[ID][HASH]
16 2019-01-10 19:27:39 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
17 2019-01-10 19:27:39 Server_IP:4500 MobileClient_IP:4500 Phase 1 IKE SA process done
18 2019-01-10 19:27:39 MobileClient_IP:4500 Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
19 2019-01-10 19:27:39 MobileClient_IP:4500 Server_IP:4500 Recv:[HASH][NOTIFY:INITIAL_CONTACT]
20 2019-01-10 19:27:40 MobileClient_IP:4500 Server_IP:4500 The cookie pair is : 0x373516f32396dc30 / 0x9b7d21976a5a4f83
21 2019-01-10 19:27:40 MobileClient_IP:4500 Server_IP:4500 Recv:[HASH][SA][NONCE][ID][ID]
22 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
23 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 [SA] : Tunnel [SCHAUDELNET_Fedderwardersiel] Phase 2 proposal mismatch
24 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
25 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 [SA] : No proposal chosen
26 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
27 2019-01-10 19:27:40 Server_IP:4500 MobileClient_IP:4500 Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
33 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
34 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 Send:[HASH][DEL]
35 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
36 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 Send:[HASH][DEL]
37 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
38 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 Send:[HASH][DEL]
39 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
40 2019-01-10 19:28:08 Server_IP:4500 MobileClient_IP:4500 ISAKMP SA [L2TP_Gate] is disconnected
41 2019-01-10 19:28:08 Server_IP:500 MobileClient_IP:28941 The cookie pair is : 0x9b7d21976a5a4f83 / 0x373516f32396dc30
42 2019-01-10 19:28:08 Server_IP:500 MobileClient_IP:28941 [COOKIE] Invalid cookie, no sa found
43 2019-01-10 19:28:10 MobileClient_IP:4642 Server_IP:1701 Match default rule, DROP
44 2019-01-10 19:28:10 MobileClient_IP:4642 Server_IP:1701 Match default rule, DROP
End of Logs
Config:
0 -
@CDS
According to the log message, the Phase 2 proposal mismatches.
Modify the proposal as below and check it again.
Charlie
0
-
If this is the only reason, why does the log state in line 23 "Tunnel [SCHAUDELNET_Fedderwardersiel] Phase 2 proposal mismatch"? THIS is VPN1 in my original description, and the connection which is NOT supposed to be used for L2TP connections.
Both VPNs are intentionally using different local policies.
0
-
AH THANKS! Changing the local policy did it. Strange how this error is shown in the log...
0