Why the VPN connection cannot be established?

If you are having trouble establishing a VPN tunnel, here are some common causes.

VPN Client and Server cannot reach each other

To check whether the VPN client and server can reach each other, we can simply PING the VPN server from the VPN client side. Please remember that, by default, Vigor Routers do not respond to PING from the Internet, so we first need to untick the "Disable PING from the Internet" option on the Vigor Router via System Maintenance >> Management.


Then we can run 'cmd' on the computer and enter ping with the remote router's WAN IP (e.g., ping 1.169.168.172) to see if we get a reply from the remote site. If you get "Request Timeout" instead, please check the accessibility between the two VPN routers.


Note: For security reasons, it is recommended to tick the "Disable PING from the Internet" option again after checking the connectivity between the VPN server and VPN client.

The ports for VPN Service are not opened

On a NAT device like a Vigor Router, the ports that the VPN service requires must be open for the VPN tunnel to be established. On Vigor Routers, enabling the VPN service via VPN and Remote Access >> Remote Access Control Setup opens the required ports automatically. Please also make sure that the required ports are not redirected (port-forwarded) or opened for LAN clients.


If the VPN server is behind another NAT device, we need to ensure that the NAT device forwards the VPN service ports to the VPN server. (See How to set Vigor Router to pass-through VPN tunnel?)

To check whether this is the reason the VPN cannot be established, we can check the VPN Syslog. If the Vigor VPN server shows logs like the ones below in both the "==>" and "<==" directions, the Vigor VPN service ports are not blocked.

PPTP:

  • 141 2015-01-28 16:08:28 Jan 28 08:08:29 Vigor PPP Start ()
  • 141 2015-01-28 16:08:28 Jan 28 08:08:29 Vigor PPTP (VPN-1) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
  • 141 2015-01-28 16:08:28 Jan 28 08:08:29 Vigor PPTP (VPN-1) <== Protocol:LCP(c021) ConfReq Identifier:0x00 MRU: 1400 Magic Number: 0x3ff12cbe Protocol Field Compression

IPsec:

  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor Responding to Main Mode from 220.132.88.33
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor NAT-Traversal: Using RFC 3947, peer is NATed
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0

If we only see logs with direction "==>" on the VPN client router and no logs with direction "<==" on the VPN server router, the VPN server is not receiving the VPN packets from the client; the probable reason for the failure is that a VPN service port is blocked on either the server or the client router.

PPTP VPN Authentication Failed

If we see "Incoming Call Failed : No Such Entry for xxx" in the VPN Syslog, a client is trying to establish a VPN tunnel with username "xxx", but the Vigor VPN server has no PPTP VPN profile with user name xxx. On the other hand, if we see "CHAP Login Failed ()", the PPTP dial-in user is using the wrong password. If you are getting these logs, please:

  1. Check that the VPN server does have a VPN profile with the user account.
  2. Check both the VPN Remote Dial-In and VPN LAN-to-LAN profiles to see if there is more than one VPN profile with the same user account. If so, please delete the additional profile and re-type the password in the VPN profiles on both the VPN client router and the VPN server router.
  3. Input the password again in the VPN profiles on both the VPN client router and the VPN server router.

IPsec VPN has incorrect Pre-Shared Key

For VPN clients, the Pre-Shared Key can be configured by clicking the IKE Pre-Shared Key button in the Dial-Out Settings of the VPN profile.


For VPN servers, the Pre-Shared Key is set up in VPN and Remote Access >> IPsec General Setup.


If the VPN profile on the VPN server has Specify Remote VPN IP or Peer ID set, the Pre-Shared Key should be configured by clicking the IKE Pre-Shared Key button in the Dial-In Settings of that VPN profile.


In the Syslog, if we see that the VPN server sends an "ISAKMP_NEXT_KE" message but does not receive "ISAKMP_NEXT_ID", the key that the VPN client sends is probably wrong. Below is an example log when the VPN client sends the wrong Pre-Shared Key.

  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor Responding to Main Mode from 220.132.88.33
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor NAT-Traversal: Using RFC 3947, peer is NATed
  • 141 2015-01-28 16:11:06 Jan 28 08:11:07 Vigor IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0

If you are getting these logs, please re-enter the Pre-Shared Key in the VPN profiles on both the VPN client and the VPN server.

Mismatched Network setting

To establish a VPN tunnel, the Network settings in the VPN profiles on the VPN client and the VPN server have to match. For example, if the Network setting on the VPN server is as follows:


Then the Network Settings on the VPN client should be as follows:


We can also check the VPN Syslog; if we see the following message,

  • 141 2015-01-29 16:26:17 Jan 29 08:26:20 Vigor [IPsec dial-in] Client subnet c0a8c200/ffffff00 match failed.

it means the client's subnet configuration does not match what the VPN server has in its VPN profile. When we see such logs, please double-check the TCP/IP Network Settings in the VPN profiles on both Vigor routers.
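As an added example (not from the DrayTek article or its firmware), the following Python script applies the syslog symptoms this article describes, the "==>"/"<==" direction check, the PPTP "No Such Entry"/"CHAP Login Failed" messages, a sent ISAKMP_NEXT_KE with no received ISAKMP_NEXT_ID, and the "Client subnet ... match failed" line, to constructed log text modelled on the excerpts above; the user name and the sample lines are constructed, and the finding codes are my own naming.

```python
import re

# Constructed sample syslog text modelled on this article's excerpts (not from a real router).
SERVER_LOG = """\
Vigor Responding to Main Mode from 220.132.88.33
Vigor IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Vigor IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Vigor NAT-Traversal: Using RFC 3947, peer is NATed
Vigor IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Vigor [IPsec dial-in] Client subnet c0a8c200/ffffff00 match failed.
"""
PPTP_LOG = """\
Vigor PPP Start ()
Vigor PPTP (VPN-1) ==> Protocol:LCP(c021) ConfReq Identifier:0x00
Vigor PPTP (VPN-1) <== Protocol:LCP(c021) ConfReq Identifier:0x00 MRU: 1400
Vigor Incoming Call Failed : No Such Entry for branch01
"""

def hex_to_dotted(h):
    """Convert the 8-hex-digit subnet form used in the log (c0a8c200) to a dotted quad."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))

def triage(log_text):
    """Map the syslog symptoms described in this article to (code, detail) findings."""
    lines = log_text.splitlines()
    sent = [ln for ln in lines if "==>" in ln]      # packets the router sent
    received = [ln for ln in lines if "<==" in ln]  # packets the router received
    findings = []
    # Traffic goes out but nothing ever comes back: a VPN service port is blocked somewhere.
    if sent and not received:
        findings.append(("PORT_BLOCKED", "'==>' seen but no '<==': check VPN service ports/NAT"))
    for ln in lines:
        m = re.search(r"No Such Entry for (\S+)", ln)
        if m:  # PPTP: no Remote Dial-In / LAN-to-LAN profile carries this user name
            findings.append(("PPTP_NO_PROFILE", f"no VPN profile for user {m.group(1)!r}"))
        if "CHAP Login Failed" in ln:  # PPTP: profile exists, but the password differs
            findings.append(("PPTP_BAD_PASSWORD", "CHAP rejected the password"))
        m = re.search(r"Client subnet ([0-9a-f]{8})/([0-9a-f]{8}) match failed", ln)
        if m:  # IPsec dial-in: client's TCP/IP network does not match the profile
            findings.append(("SUBNET_MISMATCH",
                             f"client offered {hex_to_dotted(m.group(1))}/{hex_to_dotted(m.group(2))}"))
    # IKE Main Mode stalls: our KE payload went out but the peer's ID payload never arrived.
    if any("ISAKMP_NEXT_KE" in ln for ln in sent) and not any("ISAKMP_NEXT_ID" in ln for ln in received):
        findings.append(("IPSEC_PSK_MISMATCH", "KE sent but no ID received: Pre-Shared Key probably wrong"))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SERVER_LOG) + triage(PPTP_LOG):
        print(f"{code:<20} {detail}")
```

Feed it the text of a saved Syslog export; each finding points at the section of this article to follow.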


Email to Support

If none of the above solves the issue, please send the information below to DrayTek Support ([email protected]) for further analysis:

  1. Remote access to both Vigor Routers. Please enable Allow management from the Internet via System Maintenance >> Management and provide both Vigor Routers' WAN IP, HTTP port and login password to DrayTek support so they can log in to your routers and check the configuration on them.


  2. The Syslog on both Vigor Routers. See How to collect router's syslog? for detailed instructions.
