
How to analyze Vigor3900's IPsec logs?

VPN logs are the network administrator's main tool for troubleshooting VPN connection problems. This document explains how to read the common IPsec VPN log messages produced on the Vigor2960 and Vigor3900, with examples.

The process of IPsec VPN establishment

Let's begin with how an IPsec VPN is established. IKEv1 negotiation has two phases: phase 1 creates the IKE SA (Main Mode on these routers) and phase 2 creates the IPsec SA (Quick Mode). Phase 1 in Main Mode consists of six messages:

  • 1,2: MAIN_I1 / MAIN_R1: negotiate the phase 1 security policy. The initiator sends its list of phase 1 proposals (MAIN_I1); if the responder supports any one of them, it replies with the chosen proposal (MAIN_R1). A proposal covers the authentication method (pre-shared key or certificate), the hash algorithm (MD5 or SHA), the encryption algorithm (DES, 3DES or AES), the Diffie-Hellman group and the SA lifetime in seconds;
  • 3,4: MAIN_I2 / MAIN_R2: exchange Diffie-Hellman public values and nonces, from which both sides derive the session keys;
  • 5,6: MAIN_I3 / MAIN_R3: two encrypted messages carrying each side's identity and authentication payload, so that the peers authenticate each other;

As a rule of thumb: if MAIN_I1 is sent but no MAIN_R1 comes back, the peer probably accepts none of our phase 1 proposals (or has no profile for us at all). If MAIN_I2 is sent but no MAIN_R2 comes back, the responder could not complete the key exchange, typically because it has no pre-shared key configured for this peer. If MAIN_I3 is sent but no MAIN_R3 comes back, the responder could not decrypt or verify our identity message: either the pre-shared key values differ (MAIN_I3 is encrypted with a key derived from the PSK, so the responder sees only garbage) or the identity, such as the WAN IP used as ID, does not match its profile.

Phase 2 (Quick Mode, which creates the IPsec SA) is a three-message exchange, although pluto names four states for it (QUICK_I1, QUICK_R1, QUICK_I2, QUICK_R2):

  • 1&2: QUICK_I1 / QUICK_R1: negotiate the IPsec protocol (ESP or AH), the IPsec mode (tunnel or transport), the encryption and hash algorithms (for example AES or 3DES with MD5 or SHA), optionally a PFS group, and the traffic selectors, i.e. the local and remote networks the SA will protect;
  • 3: QUICK_I2: the initiator's confirming hash; the responder enters the QUICK_R2 state once it has verified it and installed the SA. No fourth packet is sent.

If QUICK_I1 is sent but no QUICK_R1 comes back, either the phase 2 proposal is not accepted by the peer or the local/remote network settings (traffic selectors) do not match the peer's profile.

Below are the common log messages seen when VPN establishment fails, and the fix for each.

No_PROPOSAL_CHOSEN

Log lines that contain “NO_PROPOSAL_CHOSEN” mean that the phase 1 proposal settings on the VPN client and the VPN server do not match. For example:

  • <141>Dec 30 09:25:42 Vigor: pluto[5737]: "toVPN_KD5" #33: initiating Main Mode
  • <141>Dec 30 09:25:42 Vigor: pluto[5737]: packet from 111.222.111.222:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Here “toVPN_KD5” is the name of the LAN-to-LAN VPN profile and “initiating Main Mode” shows that the Vigor3900 is the initiator. The “<141>” prefix is the syslog priority (facility local1, severity notice) and “pluto[5737]” is the IKE daemon that writes these lines. The log means the Vigor3900 sent MAIN_I1 for profile “toVPN_KD5”, and the VPN server at 111.222.111.222 answered with a NO_PROPOSAL_CHOSEN notification because none of the offered phase 1 proposals matched its configuration.

Solution: Reconfigure the phase 1 proposal to one that the VPN server accepts, via VPN profiles >> IPsec >> Proposal tab.

Probable Authentication Failure

Log lines that contain “probable authentication failure” mean that the pre-shared key (PSK) does not match. For example:

  • <141>Dec 30 13:34:27 Vigor: pluto[12687]: "VivianTest" #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet

Here “VivianTest” is the LAN-to-LAN VPN profile name. The Vigor3900 is the responder: it received the encrypted MAIN_I3 message, could not decrypt it (hence “malformed payload”), and concludes that the PSK the VPN client used does not match the PSK in profile “VivianTest”.

Solution: Re-enter the pre-shared key via VPN profiles >> IPsec >> Basic tab; it must be identical on both ends.

No Connection Has Been Authorized

Log lines that contain “no connection has been authorized” mean that the VPN server has no VPN profile matching the initial Main Mode message it received. This happens when the remote peer's IP is not the Remote Host IP of any LAN-to-LAN profile and the WAN interface that received the message has no IPsec General Setup pre-shared key enabled. For example:

  • <141>Dec 31 11:14:16 Vigor: pluto[5737]: packet from 172.16.2.198:500: initial Main Mode message received on 172.16.2.194:500 but no connection has been authorized

The log means that WAN IP 172.16.2.194 received an initial Main Mode message from 172.16.2.198, but the VPN server (172.16.2.194) could not find a VPN profile to accept the connection.

Solution: Create a VPN profile that accepts IPsec connections from remote host IP 172.16.2.198; or, if the profile's remote host IP is set to 0.0.0.0 (any), check that the receiving WAN is selected in the IPsec General Setup page.

No Acceptable Proposal in IPsec SA

Log lines that contain “no acceptable Proposal in IPsec SA” mean that the phase 2 (IPsec) proposal the VPN client sent matches none of the proposals configured in the VPN router's profile. For example:

  • <141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: {VivianTest}:receive unaccepted ESP Transform ESP_AES_128-HMAC_MD5
  • <141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: no acceptable Proposal in IPsec SA
  • <141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.16.2.194:500
  • <141>Jan 5 11:32:29 Vigor: pluto[10237]: "VivianTest" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4168941 (perhaps this is a duplicated packet)

Here “VivianTest” is the LAN-to-LAN profile name, and “receive unaccepted ESP Transform ESP_AES_128-HMAC_MD5” names the phase 2 transform the client offered (ESP with AES-128 encryption and HMAC-MD5 integrity), which the profile does not enable. The Vigor3900 acted as responder, rejected the Quick Mode I1 message with an encrypted NO_PROPOSAL_CHOSEN notification, and 30 seconds later logged the client's retransmission of the same Quick Mode I1 (same Message ID) as a duplicate. That last line is a consequence of the rejection, not a separate fault.

Solution: Enable the phase 2 proposal the client uses (or select all proposals) via VPN profiles >> IPsec >> Proposal tab.

No Acceptable Response to our first Quick Mode message: Perhaps peer likes no proposal

When we see “No acceptable response to our first Quick Mode message”, the phase 2 proposal the Vigor3900 sent was not accepted by the peer VPN server. The Vigor3900 is the initiator here (state STATE_QUICK_I1) and gave up after retransmitting QUICK_I1. For example:

  • <141>Jan 5 11:33:09 Vigor: pluto[5737]: "Louis" #108: max number of retransmissions (2) try (1) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Solution: Enable a phase 2 proposal the peer accepts (or select all proposals) via VPN profiles >> IPsec >> Proposal tab.

Cannot Respond to IPsec SA Request because no connection is known for

Log lines that contain “cannot respond to IPsec SA request because no connection is known for” mean that the VPN server has no VPN profile whose local and remote network settings match the traffic selectors the peer proposed in Quick Mode. For example:

  • <141>Jan 5 11:59:06 Vigor: pluto[10237]: "VivianTest" #3: cannot respond to IPsec SA request because no connection is known for 192.168.30.0/24===172.16.2.198:500[S?C]...172.16.2.194:500[S?C]===192.168.239.0/24

pluto prints the rejected selectors as <peer's network>===<peer IP>...<our IP>===<network behind us>. So the peer 172.16.2.198 asked the responding Vigor3900 (172.16.2.194) to protect traffic between 192.168.30.0/24 (the peer's local network) and 192.168.239.0/24 (the network it expects behind the Vigor3900), but profile “VivianTest” for this peer is configured with a different Remote Network and/or Local Network, so no matching connection exists.

Solution: Reconfigure the Remote IP / Subnet Mask on the VPN server so that it equals the Local IP / Subnet Mask on the VPN client, and make sure the server's Local IP / Subnet Mask equals the client's Remote IP / Subnet Mask.
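The rules in this article can be turned into a small triage script. The following is an added example (not DrayTek firmware code and not part of the original article): it parses the pluto log format shown on this page, maps each of the six messages discussed above to the IKE phase, the role the Vigor played (initiator or responder), the cause and the fix, and for the “no connection is known for” case parses the selector string and compares it with a profile to say which side is wrong. SAMPLE_LOG is assembled from the log lines quoted in this article; the RULES table, the PROFILES table (a hypothetical Local/Remote Network for “VivianTest”) and the helper names are this example's own assumptions.

```python
"""Added example, not DrayTek firmware code: triage pluto IPsec log lines from a
Vigor2960/3900 the way the article does by hand. RULES/PROFILES are assumptions."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

# <PRI>Mon dd hh:mm:ss host: pluto[pid]: ["conn" #n: | packet from a.b.c.d:500: ] message
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): |packet from (?P<peer>[\d.]+):\d+: )?'
    r'(?P<msg>.*)$')
# pluto prints rejected Quick Mode selectors as
#   <peer subnet>===<peer IP>:500[flags]...<our IP>:500[flags]===<our subnet>
SELECTOR_RE = re.compile(
    r'(?P<peer_net>[\d.]+/\d+)===(?P<peer>[\d.]+):\d+(?:\[[^\]]*\])?'
    r'\.\.\.(?P<me>[\d.]+):\d+(?:\[[^\]]*\])?===(?P<my_net>[\d.]+/\d+)')

TAB = 'VPN profiles >> IPsec >> Proposal tab'
# (message pattern, IKE phase, role this router played, cause, fix); first match wins
RULES = [
    (r'ignoring informational payload, type NO_PROPOSAL_CHOSEN', 1, 'initiator',
     'peer rejected every phase 1 proposal we offered', 'match the peer phase 1 proposal in ' + TAB),
    (r'probable authentication failure', 1, 'responder',
     'MAIN_I3 could not be decrypted: pre-shared key mismatch', 're-enter the PSK (IPsec >> Basic tab)'),
    (r'no connection has been authorized', 1, 'responder',
     'no profile for this peer IP and no IPsec General Setup PSK on the receiving WAN',
     'create a profile for the peer or select the WAN in IPsec General Setup'),
    (r'receive unaccepted ESP Transform (?P<transform>\S+)', 2, 'responder',
     'peer offered phase 2 transform {transform}, which the profile does not enable', 'enable it in ' + TAB),
    (r'no acceptable Proposal in IPsec SA', 2, 'responder',
     'peer phase 2 proposal is not enabled in the profile', 'enable it in ' + TAB),
    (r'previously used Message ID', 2, 'responder',
     'peer retransmitted a Quick Mode I1 we already rejected (duplicate, not a new fault)',
     'none; fix the NO_PROPOSAL_CHOSEN logged just before'),
    (r'No acceptable response to our first Quick Mode message', 2, 'initiator',
     'peer rejected our phase 2 proposal', 'enable a phase 2 proposal the peer accepts in ' + TAB),
    (r'no connection is known for (?P<sel>\S+)', 2, 'responder',
     'Quick Mode traffic selectors match no profile',
     'our Remote Network must equal the peer Local Network, and vice versa'),
]

@dataclass
class Diagnosis:
    conn: Optional[str]   # profile name; None for "packet from" lines (no SA yet)
    state: Optional[str]  # pluto SA number (#n)
    phase: int
    role: str
    cause: str
    fix: str
    severity: int = 5     # syslog severity from the PRI
    details: dict = field(default_factory=dict)

    def key(self):
        return (self.conn, self.state, self.phase, self.role)

def decode_pri(pri: int):
    """Split a syslog PRI into (facility, severity): 141 -> (17, 5), i.e. local1.notice."""
    return pri >> 3, pri & 7

def selector_mismatch(sel_text, my_net=None, remote_net=None):
    """Parse pluto's selector string; given a profile's Local/Remote Network, say which side differs."""
    s = SELECTOR_RE.search(sel_text)
    if not s:
        return {'error': 'unparsed selector: ' + sel_text}
    out = {'peer': s['peer'], 'peer_net': s['peer_net'], 'my_net': s['my_net'], 'mismatch': []}
    if remote_net and ip_network(s['peer_net'], strict=False) != ip_network(remote_net, strict=False):
        out['mismatch'].append(f'remote network: peer sent {s["peer_net"]}, profile has {remote_net}')
    if my_net and ip_network(s['my_net'], strict=False) != ip_network(my_net, strict=False):
        out['mismatch'].append(f'local network: peer wants {s["my_net"]}, profile has {my_net}')
    return out

def analyze(lines, profiles=None):
    """One Diagnosis per failing SA attempt; profiles maps profile name -> (local net, remote net)."""
    profiles, found = profiles or {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for pat, phase, role, cause, fix in RULES:
            r = re.search(pat, m['msg'])
            if not r:
                continue
            d = Diagnosis(m['conn'], m['state'], phase, role, cause.format(**r.groupdict()), fix,
                          severity=decode_pri(int(m['pri']))[1])
            if m['peer']:
                d.details['peer'] = m['peer']
            if 'sel' in r.groupdict():
                d.details.update(selector_mismatch(r['sel'], *profiles.get(m['conn'], ())))
            if not (found and found[-1].key() == d.key()):  # collapse the lines of one SA attempt
                found.append(d)
            break
    return found

# Log lines reproduced from the examples in this article
SAMPLE_LOG = """\
<141>Dec 30 09:25:42 Vigor: pluto[5737]: "toVPN_KD5" #33: initiating Main Mode
<141>Dec 30 09:25:42 Vigor: pluto[5737]: packet from 111.222.111.222:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
<141>Dec 30 13:34:27 Vigor: pluto[12687]: "VivianTest" #6: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
<141>Dec 31 11:14:16 Vigor: pluto[5737]: packet from 172.16.2.198:500: initial Main Mode message received on 172.16.2.194:500 but no connection has been authorized
<141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: {VivianTest}:receive unaccepted ESP Transform ESP_AES_128-HMAC_MD5
<141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: no acceptable Proposal in IPsec SA
<141>Jan 5 11:31:59 Vigor: pluto[10237]: "VivianTest" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.16.2.194:500
<141>Jan 5 11:32:29 Vigor: pluto[10237]: "VivianTest" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4168941 (perhaps this is a duplicated packet)
<141>Jan 5 11:33:09 Vigor: pluto[5737]: "Louis" #108: max number of retransmissions (2) try (1) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
<141>Jan 5 11:59:06 Vigor: pluto[10237]: "VivianTest" #3: cannot respond to IPsec SA request because no connection is known for 192.168.30.0/24===172.16.2.198:500[S?C]...172.16.2.194:500[S?C]===192.168.239.0/24
""".splitlines()
# Hypothetical profile settings (Local Network, Remote Network) for the profile named in the log
PROFILES = {'VivianTest': ('192.168.239.0/24', '192.168.10.0/24')}

if __name__ == '__main__':
    for d in analyze(SAMPLE_LOG, PROFILES):
        print(f"[{d.conn or d.details.get('peer')}] phase {d.phase} as {d.role}: {d.cause}; fix: {d.fix}")
        for why in d.details.get('mismatch', []):
            print('    ' + why)
```

Lines for one SA attempt (same profile name and “#n” number) are collapsed into a single diagnosis, so the three lines of the rejected Quick Mode I1 become one entry that names the offered ESP transform, while the later retransmission (a different SA number) is reported separately as a duplicate rather than a new fault. Feed it the syslog output of both routers: the initiator-side and responder-side messages for the same failure name the same fix from opposite ends.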


E-mail to Support

If you still cannot establish an IPsec VPN on the Vigor2960 or Vigor3900, please do not hesitate to contact us, and remember to include the VPN logs from both VPN routers for our analysis.
