DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Cannot connect to Vigor via VPN
- cosmarchy
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 33
- Thank you received: 0
26 Jul 2022 20:19 #101471
by cosmarchy
Cannot connect to Vigor via VPN was created by cosmarchy
Hi,
I have a Vigor 2766AC in a remote location which I am trying to connect to via the built in VPN server.
On the Vigor, I have the following settings:
VPN and Remote Access >> IPsec General Setup
VPN and Remote Access >> Remote Dial-in User
On my windows 10 laptop, I have setup a VPN connection with the following settings:
but when I try to connect, I get the following error:
Does anyone have any suggestions as to what is going on here and why I cannot connect?
Thanks
I have a Vigor 2766AC in a remote location which I am trying to connect to via the built in VPN server.
On the Vigor, I have the following settings:
VPN and Remote Access >> IPsec General Setup
VPN and Remote Access >> Remote Dial-in User
On my windows 10 laptop, I have setup a VPN connection with the following settings:
but when I try to connect, I get the following error:
Does anyone have any suggestions as to what is going on here and why I cannot connect?
Thanks
Please Log in or Create an account to join the conversation.
- cosmarchy
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 33
- Thank you received: 0
26 Jul 2022 21:44 #101472
by cosmarchy
Replied by cosmarchy on topic Re: Cannot connect to Vigor via VPN
I've tried a number of Windows 10 computers and the Draytek VPN client and I still cannot connect...
Sounds like the Vigor configuration perhaps?
Sounds like the Vigor configuration perhaps?
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
27 Jul 2022 00:54 #101473
by hornbyp
Replied by hornbyp on topic Re: Cannot connect to Vigor via VPN
I just did a compare-and-contrast, with the settings on one of my Windows 10 laptops (which can successfully connect to my ancient 2860n). The only difference I noted, is that that you have assigned a static IP to the client - easy enough to change that as an experiment (I don't know what happens, if for example the two ends don't match).
I found a
web site
that claims to walk through fixing the error message you received - but it's the usual collection of "magic spells" (i.e. reset everything in site).
The 2766's SYSLOG output should reveal how far through the connection process it fails - but I appreciate accessing it remotely (in real-time) is not straightforward! ( I've always found the syslog entries in the web gui to be undecipherable - much easier to interpret in Draytek's
SYSLOGrd
I found a
The 2766's SYSLOG output should reveal how far through the connection process it fails - but I appreciate accessing it remotely (in real-time) is not straightforward! ( I've always found the syslog entries in the web gui to be undecipherable - much easier to interpret in Draytek's
Please Log in or Create an account to join the conversation.
- cosmarchy
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 33
- Thank you received: 0
27 Jul 2022 20:54 #101475
by cosmarchy
Just tried this without the assign static IP address set and there is no difference.
Had a look at this and followed through. KB5009543 was nowhere to be found so must assume it is not installed.
CHAP Was already turned on as was LCP extensions.
I had already tried restarting IKE and AuthIP IPSec Keying Modules and IPSec Policy Agent services out of desperation.
I also uninstalled the L2TP network adaptor and let it reinstall after a reboot.
Nothing here unfortunately fixed the problem:o
I managed to get a SYSLOG of the VPN login although I have no idea what it means
Replied by cosmarchy on topic Re: Cannot connect to Vigor via VPN
hornbyp wrote:
I just did a compare-and-contrast, with the settings on one of my Windows 10 laptops (which can successfully connect to my ancient 2860n). The only difference I noted, is that that you have assigned a static IP to the client - easy enough to change that as an experiment (I don't know what happens, if for example the two ends don't match).
Just tried this without the assign static IP address set and there is no difference.
hornbyp wrote:
I found aweb site that claims to walk through fixing the error message you received - but it's the usual collection of "magic spells" (i.e. reset everything in site).
Had a look at this and followed through. KB5009543 was nowhere to be found so must assume it is not installed.
CHAP Was already turned on as was LCP extensions.
I had already tried restarting IKE and AuthIP IPSec Keying Modules and IPSec Policy Agent services out of desperation.
I also uninstalled the L2TP network adaptor and let it reinstall after a reboot.
Nothing here unfortunately fixed the problem
hornbyp wrote:
The 2766's SYSLOG output should reveal how far through the connection process it fails - but I appreciate accessing it remotely (in real-time) is not straightforward! ( I've always found the syslog entries in the web gui to be undecipherable - much easier to interpret in Draytek'sSYSLOGrd
I managed to get a SYSLOG of the VPN login although I have no idea what it means
Time Message
2022-07-27 19:52:14 OpenVPN (VPN-0) Negotiation timeout
2022-07-27 19:52:04 OpenVPN (VPN-0, 139.19.117.195) HARD RESET V2, start negotiation
2022-07-27 19:51:45 [IPSEC/IKE][Local][34:-][@xxx.xxx.xxx.xxx] state transition fail: STATE_MAIN_R0
2022-07-27 19:51:45 IPsec Security Level[High]: Ignore Phase1 SA proposals of DES/3DES/MD5/SHA1/DH G1 G2 G5/
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Responding to Main Mode from xxx.xxx.xxx.xxx
2022-07-27 19:51:45 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2022-07-27 19:51:42 [IPSEC/IKE][Local][34:-][@xxx.xxx.xxx.xxx] state transition fail: STATE_MAIN_R0
2022-07-27 19:51:42 IPsec Security Level[High]: Ignore Phase1 SA proposals of DES/3DES/MD5/SHA1/DH G1 G2 G5/
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
28 Jul 2022 00:33 #101477
by hornbyp
The logs for a successful session make perfect sense
Yours seem to show that it fell at the first hurdle - negotiating the SA (IPsec Security Association). I wonder if it is as simple as a mismatching "key"? (though you'd hope it would say so). It looks to have tried OpenVPN instead- which is not going to work with the Windows client.
Perhaps try disabling everything except L2TP/IPsec? and double-check that Shared Key. (SSL is probably safe to leave in place).
Just a thought ... you are using a different internet connection on the Windows Client, to the one the 2766 is connected to, aren't you? - The Vigors don't seem to like 'hairpinning' (if that's the right term).
The log should show :-
Not much of that appears to have taken place
Replied by hornbyp on topic Re: Cannot connect to Vigor via VPN
cosmarchy wrote:
I managed to get a SYSLOG of the VPN login although I have no idea what it means
The logs for a successful
Yours seem to show that it fell at the first hurdle - negotiating the SA (IPsec Security Association). I wonder if it is as simple as a mismatching "key"? (though you'd hope it would say so). It looks to have tried OpenVPN instead- which is not going to work with the Windows client.
Perhaps try disabling everything except L2TP/IPsec? and double-check that Shared Key. (SSL is probably safe to leave in place).
Just a thought ... you are using a different internet connection on the Windows Client, to the one the 2766 is connected to, aren't you? - The Vigors don't seem to like 'hairpinning' (if that's the right term).
The log should show :-
Code:
ISAKMP SA established
IPSEC SA established
Phase 1 proposals being accepted
L2TP options being negotiated
PPP Starting
L2TP tunnel being established
CHAP login
IP addresses being offered and accepted.
Not much of that appears to have taken place
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek