This article provides troubleshooting tips for VPNs not connecting. Here are some messages you might see in the Syslog and what to do about them.

DrayOS Routers

Only Vigor-xxx ==>  but no Vigor-xxx <==

This means that the VPN peer is not getting the VPN request. First check that the two VPN routers can see each other by testing if they respond to a ping in both directions. Then, make sure the routers are listening for the VPN request by enabling the service in Remote Access >> Remote Access Control Setup page.

Incoming Call Failed : No Such Entry for xxx

This means that a PPTP VPN client is trying to establish a VPN tunnel with username xxx, but the router doesn’t have a PPTP VPN Profile with that username.

‑CHAP Login Failed ()

The usual cause for this message is that the PPTP VPN client is attempting to connect using an incorrect password. Another possibility is that the VPN server has more than one VPN profile with the same username. If it does, delete one of them.

See also Password requirements for DrayTek devices to ensure the password being used does not exceed the maximum length or is using invalid characters.

 

Only ISAKMP_NEXT_KE but no ISAKMP_NEXT_ID

The IPsec VPN client is attempting to connect using a mismatched Pre-Shared Key. If the VPN profile has a specified Remote VPN IP or Peer ID, the Pre-Shared Key is the value of IKE Pre-Shared Key in that VPN profile. If not, it is using the General Pre-Shared Key set at VPN and Remote Access >> IPsec General Setup.

See also Password requirements for DrayTek devices to ensure the Pre-Shared Key being used does not exceed the maximum length or is using invalid characters.

 

Client subnet xxxxxxxx/ffffff00 match failed

The Local IP and Mask set in the client profile does not match the Remote IP and Mask configured in the TCP/IP Network Settings.

Linux Routers

No_PROPOSAL_CHOSEN

The IKE Phase1 Proposal or Authentication by the sending router was not accepted by the VPN peer.

 

Probable authentication failure

The Pre-Shared Key (PSK) settings did not match the settings of VPN peer.

 

No connection has been authorized

The Remote Host settings in the VPN profile on the server router does not match the IP address of VPN peer, or the IPsec General Setup does not include the WAN interface from where the VPN request is coming.

 

No acceptable Proposal in IPsec SA

The Accepted Proposal settings did not include the proposals sent by VPN peer.

 

No acceptable response to our first Quick Mode message

The IKE Phase2 Proposal or Authentication that the router sent was not accepted by the VPN peer.

 

Cannot respond to IPsec SA request because no connection is known for …

The local IP/subnet sent from the VPN peer does not match the Remote IP / Subnet Mask settings in the VPN profile.

Contact Support

If none of the above solves your issue, feel free to contact DrayTek Support. Please also include Syslogs from both routers for further investigation.