DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Cannot connect to Vigor via VPN

26 Jul 2022 20:19 #101471 by cosmarchy
Cannot connect to Vigor via VPN was created by cosmarchy
Hi,
I have a Vigor 2766AC in a remote location which I am trying to connect to via the built-in VPN server.

On the Vigor, I have the following settings:
VPN and Remote Access >> IPsec General Setup


VPN and Remote Access >> Remote Dial-in User


On my Windows 10 laptop, I have set up a VPN connection with the following settings:




but when I try to connect, I get the following error:


Does anyone have any suggestions as to what is going on here and why I cannot connect?

Thanks


26 Jul 2022 21:44 #101472 by cosmarchy
Replied by cosmarchy on topic Re: Cannot connect to Vigor via VPN
I've tried a number of Windows 10 computers and the DrayTek VPN client and I still cannot connect...

Sounds like the Vigor configuration perhaps?

27 Jul 2022 00:54 #101473 by hornbyp
Replied by hornbyp on topic Re: Cannot connect to Vigor via VPN
I just did a compare-and-contrast, with the settings on one of my Windows 10 laptops (which can successfully connect to my ancient 2860n). The only difference I noted, is that you have assigned a static IP to the client - easy enough to change that as an experiment (I don't know what happens, if for example the two ends don't match).

I found a web site that claims to walk through fixing the error message you received - but it's the usual collection of "magic spells" (i.e. reset everything in sight).

The 2766's SYSLOG output should reveal how far through the connection process it fails - but I appreciate accessing it remotely (in real-time) is not straightforward! (I've always found the syslog entries in the web GUI to be undecipherable - much easier to interpret in DrayTek's SYSLOGrd.)

27 Jul 2022 20:54 #101475 by cosmarchy
Replied by cosmarchy on topic Re: Cannot connect to Vigor via VPN

hornbyp wrote:
I just did a compare-and-contrast, with the settings on one of my Windows 10 laptops (which can successfully connect to my ancient 2860n). The only difference I noted, is that you have assigned a static IP to the client - easy enough to change that as an experiment (I don't know what happens, if for example the two ends don't match).


Just tried this without the assign static IP address set and there is no difference.

hornbyp wrote:
I found a web site that claims to walk through fixing the error message you received - but it's the usual collection of "magic spells" (i.e. reset everything in sight).



Had a look at this and followed through. KB5009543 was nowhere to be found so must assume it is not installed.
CHAP was already turned on as was LCP extensions.
I had already tried restarting IKE and AuthIP IPSec Keying Modules and IPSec Policy Agent services out of desperation.
I also uninstalled the L2TP network adaptor and let it reinstall after a reboot.

Nothing here unfortunately fixed the problem :o

hornbyp wrote:
The 2766's SYSLOG output should reveal how far through the connection process it fails - but I appreciate accessing it remotely (in real-time) is not straightforward! (I've always found the syslog entries in the web GUI to be undecipherable - much easier to interpret in DrayTek's SYSLOGrd.)



I managed to get a SYSLOG of the VPN login although I have no idea what it means :roll:

Time Message
2022-07-27 19:52:14 OpenVPN (VPN-0) Negotiation timeout
2022-07-27 19:52:04 OpenVPN (VPN-0, 139.19.117.195) HARD RESET V2, start negotiation
2022-07-27 19:51:45 [IPSEC/IKE][Local][34:-][@xxx.xxx.xxx.xxx] state transition fail: STATE_MAIN_R0
2022-07-27 19:51:45 IPsec Security Level[High]: Ignore Phase1 SA proposals of DES/3DES/MD5/SHA1/DH G1 G2 G5/
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Responding to Main Mode from xxx.xxx.xxx.xxx
2022-07-27 19:51:45 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2022-07-27 19:51:42 [IPSEC/IKE][Local][34:-][@xxx.xxx.xxx.xxx] state transition fail: STATE_MAIN_R0
2022-07-27 19:51:42 IPsec Security Level[High]: Ignore Phase1 SA proposals of DES/3DES/MD5/SHA1/DH G1 G2 G5/


28 Jul 2022 00:33 #101477 by hornbyp
Replied by hornbyp on topic Re: Cannot connect to Vigor via VPN

cosmarchy wrote:
I managed to get a SYSLOG of the VPN login although I have no idea what it means :roll:


The logs for a successful session make perfect sense :D

Yours seem to show that it fell at the first hurdle - negotiating the SA (IPsec Security Association). I wonder if it is as simple as a mismatching "key"? (though you'd hope it would say so). It looks to have tried OpenVPN instead - which is not going to work with the Windows client.

Perhaps try disabling everything except L2TP/IPsec? and double-check that Shared Key. (SSL is probably safe to leave in place).
Just a thought ... you are using a different internet connection on the Windows Client, to the one the 2766 is connected to, aren't you? - The Vigors don't seem to like 'hairpinning' (if that's the right term).

The log should show :-

Code:
ISAKMP SA established
IPSEC SA established
Phase 1 proposals being accepted
L2TP options being negotiated
PPP Starting
L2TP tunnel being established
CHAP login
IP addresses being offered and accepted.


Not much of that appears to have taken place :(
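
An added example, not part of any post in this thread: a small Python triage of the syslog lines posted above. It extracts the router's stated security level, the Phase 1 algorithms it says it ignores and the failing IKE state, then checks a client proposal against that list. The client proposals in the demo are constructed, and treating a proposal as dropped when any one of its components is listed is an assumption about the router's behaviour.

```python
import re

# Lines copied from the syslog posted in the thread (addresses masked by the poster).
SAMPLE = """\
2022-07-27 19:51:45 [IPSEC/IKE][Local][34:-][@xxx.xxx.xxx.xxx] state transition fail: STATE_MAIN_R0
2022-07-27 19:51:45 IPsec Security Level[High]: Ignore Phase1 SA proposals of DES/3DES/MD5/SHA1/DH G1 G2 G5/
2022-07-27 19:51:45 Matching General Setup key for dynamic ip client...
2022-07-27 19:51:45 Responding to Main Mode from xxx.xxx.xxx.xxx
"""

IGNORED = re.compile(r"IPsec Security Level\[(\w+)\]: Ignore Phase1 SA proposals of (.+)$")
FAIL = re.compile(r"state transition fail: (STATE_\w+)")
# Milestones named in the reply above; matching them as substrings is an assumption.
MILESTONES = ("ISAKMP SA established", "IPSEC SA established")


def parse_ignored(field):
    """Turn 'DES/3DES/MD5/SHA1/DH G1 G2 G5/' into a set of algorithm names."""
    names = set()
    for part in filter(None, (p.strip() for p in field.split("/"))):
        if part.startswith("DH "):
            names.update(part.split()[1:])      # G1, G2, G5
        else:
            names.add(part)
    return names


def triage(log_text):
    """Summarise one IKE attempt: policy level, ignored algorithms, failures."""
    out = {"level": None, "ignored": set(), "failed": [], "reached": []}
    for line in log_text.splitlines():
        if m := IGNORED.search(line):
            out["level"], out["ignored"] = m.group(1), parse_ignored(m.group(2))
        if m := FAIL.search(line):
            out["failed"].append(m.group(1))
        out["reached"] += [s for s in MILESTONES if s.lower() in line.lower()]
    return out


def is_ignored(proposal, ignored):
    """Assumption: a Phase 1 proposal is dropped if any component is listed."""
    return bool(set(proposal) & ignored)


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report)
    # Constructed client proposals (cipher, hash, DH group) for illustration.
    for p in [("3DES", "SHA1", "G2"), ("AES256", "SHA256", "G14")]:
        print(p, "ignored" if is_ignored(p, report["ignored"]) else "considered")
```

An empty `reached` list together with a `STATE_MAIN_R0` failure corresponds to the "fell at the first hurdle" reading in the reply above.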


Moderators: ChrisSami