"No proposal chosen" VPN IPSEC L2TP Connection between Zyxel USG50 flex and MacOS Sonoma

moe5k
moe5k Posts: 11  Freshman Member

Hi,

Because the SSL_VPN Client 1.2.6 for macOS is EOL, we are trying to switch from SSL_VPN to L2TP IPsec VPN. I configured everything as in the description, including the encryption setting AES256/SHA256, which seems to be necessary for Sonoma.

But I only get this when I try to connect:

My config for the gateway is:

What's wrong?

best, moe

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,631  Zyxel Employee

    Hi @moe5k ,

    Please try using these proposals and check if the issue is resolved.

    Judy


  • moe5k
    moe5k Posts: 11  Freshman Member

    Hi Zyxel_Judy,

    Thanks for your reply.
    Meanwhile I managed to establish the connection in Phase 1 (at least with IKEv1) and even Phase 2 (at least with macOS, not yet with Win10). But now I am struggling with the routing
    inside the VPN connection. I can only reach the internal networks when I enable the client option that all traffic should go via the VPN. Is it possible to tell the (macOS/Win) client to use the VPN only if network XYZ is used?

    best, moe

  • moe5k
    moe5k Posts: 11  Freshman Member
    edited September 25

    Sorry, my request was maybe a bit confusing.
    What I mean is:
    I need to send all traffic through the tunnel, otherwise the routing to the remote network does not work.
    Any suggestions?

    thx moe

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Unless the VPN client can send traffic outside the VPN, by default the VPN client sends all traffic down the tunnel.

    Have you set up a policy rule to allow traffic from the VPN zone to the given LAN?

  • moe5k
    moe5k Posts: 11  Freshman Member
    edited September 25

    Thanks for your answer.
    Yes, the VPN zone can send traffic to the LAN behind the ZyWALL. But everything is only fine as long as I force ALL traffic into the tunnel. When I disable the option "send all traffic through VPN connection", macOS tries to reach the remote LAN via its normal interface, which of course does not work.
    We use the macOS integrated VPN client, not the IPsec client from Zyxel. Does this maybe make the difference?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited September 25

    So in Windows you can do this by PowerShell, with "use default gateway on remote network" disabled in the VPN TCP/IP settings:

    add-vpnconnectionroute -connectionname "VPN name" -destination "192.168.138.0/28" -passthru

    or

    add-vpnconnectionroute -connectionname "VPN name" -DestinationPrefix "192.168.138.0/28" -passthru

    Not sure about macOS.

    (1) Split Tunneling - L2TP & IPSec SecuExtender – Zyxel Support Campus EMEA
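    The following is an added PowerShell example (not code from the thread, from PeterUK or from Zyxel) that puts the two steps of that answer together for a Windows client: create the L2TP/IPsec profile with split tunneling (the PowerShell equivalent of unchecking "use default gateway on remote network"), then pin only the remote LAN prefix to the tunnel. The connection name "VPN name" and the prefix 192.168.138.0/28 are taken from the thread; the server address and pre-shared key are placeholders. Because Add-VpnConnectionRoute stores the route in the connection profile, it is applied on every connect, so users do not have to add it by hand each time. The policy rule from the VPN zone to the LAN on the USG side is still required.

```powershell
# Added example (not from the thread or from Zyxel): create a split-tunnel L2TP/IPsec
# connection in Windows and route only the remote LAN prefix through it.
# Assumed values: the connection name and the 192.168.138.0/28 prefix come from the
# thread; the server address and pre-shared key are placeholders to replace.
$ConnectionName = "VPN name"
$ServerAddress  = "vpn.example.invalid"      # placeholder: USG FLEX WAN address or DNS name
$Psk            = "REPLACE-WITH-YOUR-PSK"    # placeholder: the L2TP/IPsec pre-shared key
$RemotePrefixes = @("192.168.138.0/28")      # only the LAN(s) that should use the tunnel

# -SplitTunneling clears "Use default gateway on remote network", so ordinary Internet
# traffic stays on the local interface and only the routes added below use the tunnel.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential `
    -Force

# Routes are stored in the connection profile, so they are applied on every connect;
# keep the list to the prefixes that actually need the tunnel.
foreach ($prefix in $RemotePrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Verify: the profile should show SplitTunneling = True and exactly the prefixes above.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling, TunnelType
Get-VpnConnectionRoute -ConnectionName $ConnectionName | Select-Object DestinationPrefix, RouteMetric
```

    For a profile that already exists, `Set-VpnConnection -Name "VPN name" -SplitTunneling $true` switches it to split tunneling without recreating it, and the same Add-VpnConnectionRoute call adds the prefix. Run the script in an elevated session if the profile is meant for all users (add `-AllUserConnection` to the three cmdlets).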

  • moe5k
    moe5k Posts: 11  Freshman Member
    edited September 26

    Yes, I think it is possible to set the routes for that in macOS too.
    But I don't want to force my users to do that.

    I thought maybe there is an option to set routes for remote networks automatically after the VPN connection is established?
