This article provides troubleshooting tips for VPN not connecting. Here's are some messages you might see in Syslog when VPN cannot establish and their cause.
Vigor-xxx ==>but no
It means the VPN peer does not get the VPN request at all. You should check the accessibility between the two VPN routers first by testing if they can ping each other. Then, make sure the routers are listening to the VPN request by enabling the service on Remote Access >> Remote Access Control Setup page.
Incoming Call Failed : No Such Entry for xxx
The PPTP VPN client is trying to establish a VPN tunnel with username xxx, but the router doesn't have the PPTP VPN Profile with username xxx
‑CHAP Login Failed ()
The PPTP VPN client is dialing the VPN with a wrong password. Also check if the VPN server has more than one VPN profile with duplicate username, if it does, delete one of them.
The IPsec VPN client is dialing the VPN with a mismatched Pre-Shared Key. If the VPN profile has a specified Remote VPN IP or Peer ID, the Pre-Shared Key is the value of IKE Pre-Shared Key in that VPN profile. If not, it is using the General Pre-Shared Key set at VPN and Remote Access >> IPsec General Setup.
Client subnet xxxxxxxx/ffffff00 match failed
The Local IP and Mask that the client sent does not match the Remote IP and Mask configured at TCP/IP Network Settings.
If none of the above solve your issue of VPN connecting, feel free to contact DrayTek Support. Please provide the following information to the support team for further investigation: 1. Internet Access to both routers, 2. Syslog collected on both routers
The IKE Phase1 Proposal or Authentication that the router sends was not accepted by the VPN peer.
Probable authentication failure
The Pre-Shared Key (PSK) settings did not match the settings of VPN peer.
No connection has been authorized
The router does not have any VPN profile of which the Remote Host settings match the IP address of VPN peer. Or the IPsec General Setup did not include the WAN interface where the VPN request is coming.
No acceptable Proposal in IPsec SA
The Accepted Proposal settings did not include the proposals sent by VPN peer.
No acceptable response to our first Quick Mode message
The IKE Phase2 Proposal or Authentication that the router sends was not accepted by the VPN peer.
Cannot respond to IPsec SA request because no connection is known for ...
The local IP/subnet sent from the VPN peer does not match the Remote IP / Subnet Mask settings in the VPN profile.
Published On: Jan 22, 2016
Was this helpful?
Thank you for your feedback :)
Sorry about that. Contact Support if you need further assistance, or leave us some comments below to help us improve.