Hi, We have an established L2TP VPN tunnel that has been working for years. Local authentication on the firewall.
The firewall is XG ver 19.01 MR-1 Build 365, and a couple of days ago the VPN just stopped working.
Around the same time we imported the Domain and DNS into Cloudflare - I'm not sure if that has anything to do with it or not.
I have other clients with the same XG / Cloudflare setup that are working fine.
I have tried deleting and re-creating the L2TP tunnel, and I have changed the PSK. Nothing seems to work.
I have had various error messages, from none at all (just hangs on auth) to the current one, which is:
"The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer". This error is from a Win 11 PC. My iPhone just times out when I try to connect the VPN from there.
What should I try next?
Hello Anthony Dunne, thank you for reaching out to the community. Are you facing this issue ("security layer could not negotiate compatible parameters with the remote computer") on all the client machines or one in particular? Have you tried connecting with another machine? Was Windows recently updated, or were some new security updates applied on the client machine?
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Thanks for your reply. All client computers and users are seeing the same problem. Clients can also connect to other VPN endpoints, only this one shows the error.
Can you share your L2TP settings configured on the XG ?
The provided links are not accessible from our end; can you simply drag and drop / copy-paste the screenshots?
Can you also share the L2TP global settings. On the CLI, select option 5. Device Management, then option 3. Advanced Shell, and share the strongswan.log and charon.log while connecting the client!!
To check the live logs while connecting you can type the following:
1.) tail -f /log/strongswan.log
2.) tail -f /log/charon.log
To enable the debug service for strongSwan: service strongswan:debug -ds nosync
Also take a tcpdump on port 1701 while you connect the client!!
# tcpdump -nei any port 1701
Nothing appeared in the tcpdump while I was trying to connect. Tried 3 times.
Hey Anthony Dunne, thank you for the update. As we can see in the logs, it says "No proposal found", so please check the parameters like the pre-shared key and try changing the policy used!!
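The two replies above describe capturing charon.log during a failed connection and then spotting "No proposal found" in it. The script below is an added example, not code from the thread or from Sophos: it triages a charon.log captured with tail -f offline, counts the negotiations that ended with no acceptable proposal, and lists the IKE proposals the peer offered next to those the firewall's policy allows, so a policy mismatch can be confirmed before the policy is changed. The two log files it reads are constructed samples written in strongSwan's charon message format (the "received proposals" / "configured proposals" / "no proposal found" lines); the connection name l2tp-vpn, the timestamps and the addresses are made up, and the message wording is assumed to match what the firewall writes.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): offline triage of a
# charon.log captured with "tail -f /log/charon.log" while an L2TP client fails
# to connect. Both log files below are CONSTRUCTED samples in charon's format;
# the peer/firewall addresses are documentation ranges (203.0.113.5, 198.51.100.1).

FAIL_LOG="${TMPDIR:-/tmp}/charon_fail.$$"   # negotiation that fails on policy
OK_LOG="${TMPDIR:-/tmp}/charon_ok.$$"       # negotiation that agrees on a proposal

cat > "$FAIL_LOG" <<'EOF'
Jan 10 09:12:01 05[NET] <l2tp-vpn|7> received packet: from 203.0.113.5[500] to 198.51.100.1[500] (408 bytes)
Jan 10 09:12:01 05[CFG] <l2tp-vpn|7> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 10 09:12:01 05[CFG] <l2tp-vpn|7> configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Jan 10 09:12:01 05[IKE] <l2tp-vpn|7> no proposal found
Jan 10 09:12:01 05[ENC] <l2tp-vpn|7> generating INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
EOF

cat > "$OK_LOG" <<'EOF'
Jan 10 09:20:44 06[CFG] <l2tp-vpn|8> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 10 09:20:44 06[CFG] <l2tp-vpn|8> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 10 09:20:44 06[CFG] <l2tp-vpn|8> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
EOF

# Number of IKE negotiations in the log that ended with no acceptable proposal.
# "|| true" keeps a zero count from being treated as a failure under set -e.
count_no_proposal() {
    grep -c 'no proposal found' "$1" || true
}

# Print the proposals of one kind ("received" = what the peer offered,
# "configured" = what the firewall policy allows), one per line.
list_proposals() {
    _kind="$2"
    sed -n "s/.*${_kind} proposals: //p" "$1" | tr ',' '\n' | sed 's/^ *//'
}

# Return 0 if at least one proposal the peer offered is also in the configured
# set, 1 if the two sets are disjoint (the peer and the policy cannot agree).
proposals_overlap() {
    list_proposals "$1" received | while IFS= read -r p; do
        if list_proposals "$1" configured | grep -qxF "$p"; then
            echo "$p"
        fi
    done | grep -q .
}

# Human-readable summary. Exit status 1 means "policy mismatch confirmed".
diagnose() {
    n=$(count_no_proposal "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: no 'no proposal found' events"
        return 0
    fi
    echo "$1: $n negotiation(s) failed with 'no proposal found'"
    echo "  peer offered:";    list_proposals "$1" received   | sed 's/^/    /'
    echo "  policy allows:";   list_proposals "$1" configured | sed 's/^/    /'
    if proposals_overlap "$1"; then
        echo "  a common IKE proposal exists; look elsewhere (PSK, phase 2 settings)"
        return 0
    fi
    echo "  no common IKE proposal: the policy on one side must change"
    return 1
}

diagnose "$FAIL_LOG" || echo "  (exit status 1)"
diagnose "$OK_LOG"
```

The temp files are left in place so the functions can be reused; point diagnose at a real copy of /log/charon.log pulled off the firewall to get the same comparison for a live case. Only the IKE (phase 1) proposal lines are compared here; a phase 2 (ESP) mismatch logs a similar message and would need the same check on the "ESP:" proposals.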
Thanks, I managed to get it working by changing the policy.
Any idea why it would suddenly stop working with the original policy?
It could be due to various reasons, so it depends. As per the logs shared, we can see that the proposal was not found and the peer, for whatever reason, was not providing a readable response...