Troubleshoot VPN Not Connecting

This article provides troubleshooting tips for VPN not connecting. Here's are some messages you might see in Syslog when VPN cannot establish and their cause.

Only Vigor-xxx ==>  but no Vigor-xxx <==

It means the VPN peer does not get the VPN request at all. You should check the accessibility between the two VPN routers first by testing if they can ping each other. Then, make sure the routers are listening to the VPN request by enabling the service on Remote Access >> Remote Access Control Setup page.

a screenshot of DrayOS Remote Access Control Setup
Incoming Call Failed : No Such Entry for xxx

The PPTP VPN client is trying to establish a VPN tunnel with username xxx, but the router doesn't have the PPTP VPN Profile with username xxx

a screenshot of DrayOS PPTP VPN profile
‑CHAP Login Failed ()

The PPTP VPN client is dialing the VPN with a wrong password. Also check if the VPN server has more than one VPN profile with duplicate username, if it does, delete one of them. a screenshot of DrayOS PPTP VPN profile

Only ISAKMP_NEXT_KE but no ISAKMP_NEXT_ID

The IPsec VPN client is dialing the VPN with a mismatched Pre-Shared Key. If the VPN profile has a specified Remote VPN IP or Peer ID, the Pre-Shared Key is the value of IKE Pre-Shared Key in that VPN profile. If not, it is using the General Pre-Shared Key set at VPN and Remote Access >> IPsec General Setup.

a screenshot of DrayOS IPsec VPN profile
Client subnet xxxxxxxx/ffffff00 match failed

The Local IP and Mask that the client sent does not match the Remote IP and Mask configured at TCP/IP Network Settings. 

a screenshot of DrayOS LAN-to-LAN VPN profile

Contact Support

If none of the above solve your issue of VPN connecting, feel free to contact DrayTek Support. Please provide the following information to the support team for further investigation: 1. Internet Access to both routers, 2. Syslog collected on both routers

No_PROPOSAL_CHOSEN
The IKE Phase1 Proposal or Authentication that the router sends was not accepted by the VPN peer.

Probable authentication failure
The Pre-Shared Key (PSK) settings did not match the settings of VPN peer.

No connection has been authorized
The router does not have any VPN profile of which the Remote Host settings match the IP address of VPN peer. Or the IPsec General Setup did not include the WAN interface where the VPN request is coming.

No acceptable Proposal in IPsec SA
The Accepted Proposal settings did not include the proposals sent by VPN peer.

No acceptable response to our first Quick Mode message
The IKE Phase2 Proposal or Authentication that the router sends was not accepted by the VPN peer.

Cannot respond to IPsec SA request because no connection is known for ...
The local IP/subnet sent from the VPN peer does not match the Remote IP / Subnet Mask settings in the VPN profile.

Published On: 2016-01-22 

Was this helpful?   

book icon

Related Articles