Main Mode OK, Quick Mode not OK between ASG and ZyWALL5

Hello all,

I have 2 VPN connections between my ASG and two ZyXEL ZyWALL5 at different locations. All works fine.

Now I have a third ZyWALL5 at a third location, configured in the same way as the running connections. All parameters for main mode and for quick mode are the same and the firmware of the ZyWALL5 is the same, but phase 2 cannot be established and I have no idea why this is happening.

Following is the output of the VPN status to compare a running connection "S_SaraDE-SaraCH_0" to a failed one:

000 "S_SaraDE-SaraCH_0": 192.168.0.0/24===217.92.94.29...213.221.231.246===192.168.10.0/24; erouted; eroute owner: #86
000 "S_SaraDE-SaraCH_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_SaraDE-SaraCH_0":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_SaraDE-SaraCH_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp1; 
000 "S_SaraDE-SaraCH_0":   newest ISAKMP SA: #85; newest IPsec SA: #86; 
000 "S_SaraDE-SaraCH_0":   IKE algorithms wanted: 7_128-2-2, flags=-strict
000 "S_SaraDE-SaraCH_0":   IKE algorithms found:  7_128-2_160-2, 
000 "S_SaraDE-SaraCH_0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "S_SaraDE-SaraCH_0":   ESP algorithms wanted: 12_128-2, flags=-strict
000 "S_SaraDE-SaraCH_0":   ESP algorithms loaded: 12_128-2, flags=-strict
000 "S_SaraDE-SaraCH_0":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=
000 "S_SaraDE-SaraDK_0": 192.168.0.0/24===87.139.71.212...87.64.19.214===192.168.28.0/24; unrouted; eroute owner: #0
000 "S_SaraDE-SaraDK_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_SaraDE-SaraDK_0":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_SaraDE-SaraDK_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0; 
000 "S_SaraDE-SaraDK_0":   newest ISAKMP SA: #90; newest IPsec SA: #0; 
000 "S_SaraDE-SaraDK_0":   IKE algorithms wanted: 7_128-2-2, flags=-strict
000 "S_SaraDE-SaraDK_0":   IKE algorithms found:  7_128-2_160-2, 
000 "S_SaraDE-SaraDK_0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "S_SaraDE-SaraDK_0":   ESP algorithms wanted: 12_128-2, flags=-strict
000 "S_SaraDE-SaraDK_0":   ESP algorithms loaded: 12_128-2, flags=-strict

In the detailed IPSec log I can find the following entries that do not seem OK to me:

2007:02:13-11:56:09 (none) pluto[25443]: | peer and cookies match on #2659, provided msgid 00000000 vs e18496bf
2007:02:13-11:56:09 (none) pluto[25443]: | peer and cookies match on #2658, provided msgid 00000000 vs 00000000
2007:02:13-11:56:09 (none) pluto[25443]: | state object #2658 found, in STATE_MAIN_I4
2007:02:13-11:56:09 (none) pluto[25443]: | processing connection S_SaraDE-SaraDK_0
2007:02:13-11:56:09 (none) pluto[25443]: "S_SaraDE-SaraDK_0" #2658: received Delete SA payload: deleting ISAKMP State #2658
2007:02:13-11:56:09 (none) pluto[25443]: | deleting state #2658
2007:02:13-11:56:09 (none) pluto[25443]: | processing connection S_SaraDE-SaraDK_0

Does anybody have a good idea to solve the problem?
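
Added example, not part of the original post: a Python sketch that parses pluto status lines like those quoted above and lists every field that differs between the working and the failing connection. The sample input is a trimmed copy of the post's output; the function and field names (`parse_status`, `diff_connections`, `local_ip`, `route_state` and so on) are hypothetical.

```python
import re

# Trimmed copy of the status output quoted in the post (srcup/ike_life/IKE lines omitted).
STATUS = '''\
000 "S_SaraDE-SaraCH_0": 192.168.0.0/24===217.92.94.29...213.221.231.246===192.168.10.0/24; erouted; eroute owner: #86
000 "S_SaraDE-SaraCH_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp1;
000 "S_SaraDE-SaraCH_0":   newest ISAKMP SA: #85; newest IPsec SA: #86;
000 "S_SaraDE-SaraCH_0":   ESP algorithms wanted: 12_128-2, flags=-strict
000 "S_SaraDE-SaraCH_0":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=
000 "S_SaraDE-SaraDK_0": 192.168.0.0/24===87.139.71.212...87.64.19.214===192.168.28.0/24; unrouted; eroute owner: #0
000 "S_SaraDE-SaraDK_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
000 "S_SaraDE-SaraDK_0":   newest ISAKMP SA: #90; newest IPsec SA: #0;
000 "S_SaraDE-SaraDK_0":   ESP algorithms wanted: 12_128-2, flags=-strict
'''

LINE = re.compile(r'^000 "([^"]+)":\s*(.*)$')
TOPOLOGY = re.compile(r'^(\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)$')
TOPOLOGY_KEYS = ("local_net", "local_ip", "peer_ip", "peer_net")


def parse_status(text):
    """Return {connection name: {field: value}} from pluto status lines."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        fields = conns.setdefault(m.group(1), {})
        for part in (p.strip() for p in m.group(2).split(";")):
            topo = TOPOLOGY.match(part)
            if topo:
                fields.update(zip(TOPOLOGY_KEYS, topo.groups()))
            elif ":" in part or "=" in part:
                # "key: value" wins over "key=value" so "flags=-strict" stays in the value
                key, _, value = part.partition(":" if ":" in part else "=")
                fields[key.strip()] = value.strip()
            elif part:
                fields["route_state"] = part  # bare token: "erouted" / "unrouted"
    return conns


def diff_connections(conns, good, bad):
    """Map each field that differs (or is missing on one side) to (good, bad)."""
    a, b = conns[good], conns[bad]
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    result = diff_connections(parse_status(STATUS), "S_SaraDE-SaraCH_0", "S_SaraDE-SaraDK_0")
    for field, (good, bad) in result.items():
        print(f"{field:22} working={good!r:22} failing={bad!r}")
```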

