L2TP VPN without certificates between Windows XP and ZyWALL USG 200

ipsec, l2tp, windows-xp, zywall

I'm trying to configure a ZyWALL USG 200 firewall to let Windows XP remote clients (dynamic IP address) connect to the workplace network with an L2TP VPN.
I don't want to use certificates; a common username and password will be enough (and certificate management would be too much).

I'm not an L2TP expert, let alone an IPsec one, so please bear with me if I ask trivial questions or make blatant mistakes.

I've configured what I think should be an L2TP VPN on the USG200; however, I get the following error in its log when I try to connect from the WinXP client:

1 2015-09-25 11:03:33 info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
2 2015-09-25 11:03:33 info IKE [SA] : No proposal chosen 192.168.0.1:500 84.223.99.164:500 IKE_LOG
3 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0xa212f247eeebfb4b [count=2] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
4 2015-09-25 11:03:33 info IKE Recv:[SA][VID][VID][VID][VID] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
5 2015-09-25 11:03:33 info IKE The cookie pair is : 0xa212f247eeebfb4b / 0x214b5575aaa53052 84.223.99.164:500 192.168.0.1:500 IKE_LOG
6 2015-09-25 11:03:33 info IKE Recv Main Mode request from [84.223.99.164] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
7 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0x0000000000000000 84.223.99.164:500 192.168.0.1:500 IKE_LOG

(please note that the USG200 shows the most recent log entries first). From a Google search I got that the error "No proposal chosen" might be caused by a mismatch between client and server in the IKE Phase 1 proposal configuration. From this document I assume that the following USG200 configuration should work, but it doesn't:

[screenshot: USG200 VPN configuration]

I obviously configured the VPN connection and the L2TP VPN too, but I guess those configurations are not relevant, at least not for the time being. Unfortunately I can't tell why it's not working, or whether it's the firewall or the client to blame. I can't seem to be able to get any relevant log to diagnose the problem from Windows, so here is how I configured the connection:

[screenshot: Windows XP VPN connection settings]

Can you please help me understand what I'm doing wrong?

Best Answer

The problem is not the IKE Phase 1 configuration, but the Local Policy in the connection settings (not shown in my question). The Local Policy must be the public interface IP in my case, and it wasn't. The log message is misleading, but the USG was actually warning me about that problem; however, I decided that fixing that warning was a second step and that the IKE Phase 1 problem was the first to be solved.

This page helped me understand.
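To read the USG200 IKE log from the question (newest entry first) in chronological order and pull out the Phase 1 outcome per remote peer, here is an added Python example; it is not part of the original question or answer. The seven log lines are the ones posted above, embedded as constructed input, and the gateway address 192.168.0.1 is taken from them.

```python
import re

# Constructed sample: the seven lines from the question, exactly as the USG200
# prints them (newest entry first).
USG_LOG = """\
1 2015-09-25 11:03:33 info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
2 2015-09-25 11:03:33 info IKE [SA] : No proposal chosen 192.168.0.1:500 84.223.99.164:500 IKE_LOG
3 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0xa212f247eeebfb4b [count=2] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
4 2015-09-25 11:03:33 info IKE Recv:[SA][VID][VID][VID][VID] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
5 2015-09-25 11:03:33 info IKE The cookie pair is : 0xa212f247eeebfb4b / 0x214b5575aaa53052 84.223.99.164:500 192.168.0.1:500 IKE_LOG
6 2015-09-25 11:03:33 info IKE Recv Main Mode request from [84.223.99.164] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
7 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0x0000000000000000 84.223.99.164:500 192.168.0.1:500 IKE_LOG
"""

IP_PORT = r"\d{1,3}(?:\.\d{1,3}){3}:\d+"
LINE_RE = re.compile(
    rf"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<level>\w+)\s+IKE\s+"
    rf"(?P<msg>.*?)\s+(?P<src>{IP_PORT})\s+(?P<dst>{IP_PORT})\s+IKE_LOG$"
)

def parse_usg_ike_log(text):
    """Parse USG200 IKE log lines and return them oldest-first
    (the USG numbers the newest entry 1, so sort by sequence descending)."""
    entries = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return sorted(entries, key=lambda e: int(e["seq"]), reverse=True)

def summarize_phase1(entries, gateway_ip):
    """Per remote peer: whether a Main Mode request arrived, which payloads the
    peer's first message carried, and how Phase 1 ended on the gateway side."""
    peers = {}
    for e in entries:
        src_ip, dst_ip = e["src"].rsplit(":", 1)[0], e["dst"].rsplit(":", 1)[0]
        peer = dst_ip if src_ip == gateway_ip else src_ip
        s = peers.setdefault(peer, {"main_mode": False, "payloads": [], "result": "incomplete"})
        msg = e["msg"]
        if msg.startswith("Recv Main Mode request"):
            s["main_mode"] = True
        elif msg.startswith("Recv:["):
            s["payloads"] = re.findall(r"\[(\w+)\]", msg)  # e.g. SA plus vendor IDs
        elif "NO_PROPOSAL_CHOSEN" in msg and src_ip == gateway_ip:
            # The gateway accepted none of the proposals in the peer's SA payload.
            # Besides a cipher/hash/DH mismatch, the accepted answer found this
            # also occurs when the gateway's Local Policy is not its public IP.
            s["result"] = "NO_PROPOSAL_CHOSEN"
    return peers
```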