
Troubleshooting VPN Connections


When troubleshooting a VPN connection it is always a good idea to watch /var/log/vpn.log for information. The same log is accessible from the web configuration interface in the Log > VPN menu.

When using the web interface to look at the log you can choose to watch only the messages related to a certain connection by filtering on the tunnel name. Log messages for a successful connection will look like this (the Main Mode lines show the ISAKMP SA being set up, the Quick Mode lines the IPsec SA):

Oct 7 17:49:11 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1330: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX:4500
Oct 7 17:49:11 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1330: NATTraversal:Result using RFC 3947: peer is NATed
Oct 7 17:49:11 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1330: Peer ID is ID_DER_ASN1_DN: 'C=XX, ST=Xxxxx, L=Xxxxxx, O=Xxxxxx, OU=XXX, CN=XXXXXXX, E=XXXX@XXXXX.XX'
Oct 7 17:49:11 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1330: we have a cert and are sending it
Oct 7 17:49:11 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1330: sent MR3, ISAKMP SA established
Oct 7 18:19:13 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1335: responding to Quick Mode
Oct 7 18:19:13 gw pluto[4069]: "tunnel_Name"[1] XXX.XXX.XXX.XXX:4500 #1335: IPsec SA established {ESP=>0x2476fe41 <0xa8215ae3 NATOA=0.0.0.0}

 

Every tunnel defined on the web interface will have either a Red, Green or Yellow status button that will show the tunnel’s state:

  • Red – tunnel is not initiated
  • Yellow – tunnel is partially established (ISAKMP SA established, but no IPSec SA established)
  • Green – tunnel is established (IPSec SA established)
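The following script is an added example, not part of this knowledge base article or of the Syneto product: it parses pluto log lines in the format shown above, filters them by tunnel name the way the web interface does, and derives the same Red/Yellow/Green state from the "ISAKMP SA established" and "IPsec SA established" messages. The tunnel names, addresses and the sample log text are constructed for the example.

```python
import re

# Constructed sample log in the pluto format shown above; tunnel names,
# addresses and SA numbers are placeholders, not taken from a real system.
SAMPLE_LOG = """\
Oct 7 17:49:11 gw pluto[4069]: "tunnel_A"[1] 198.51.100.7:4500 #1330: responding to Main Mode from unknown peer 198.51.100.7:4500
Oct 7 17:49:11 gw pluto[4069]: "tunnel_A"[1] 198.51.100.7:4500 #1330: NATTraversal:Result using RFC 3947: peer is NATed
Oct 7 17:49:11 gw pluto[4069]: "tunnel_A"[1] 198.51.100.7:4500 #1330: sent MR3, ISAKMP SA established
Oct 7 18:19:13 gw pluto[4069]: "tunnel_A"[1] 198.51.100.7:4500 #1335: responding to Quick Mode
Oct 7 18:19:13 gw pluto[4069]: "tunnel_A"[1] 198.51.100.7:4500 #1335: IPsec SA established {ESP=>0x2476fe41 <0xa8215ae3 NATOA=0.0.0.0}
Oct 7 18:20:02 gw pluto[4069]: "tunnel_B"[1] 203.0.113.9:500 #1340: responding to Main Mode from unknown peer 203.0.113.9:500
Oct 7 18:20:02 gw pluto[4069]: "tunnel_B"[1] 203.0.113.9:500 #1340: sent MR3, ISAKMP SA established
Oct 7 18:21:00 gw pluto[4069]: "tunnel_B"[1] 203.0.113.9:500 #1341: responding to Quick Mode
"""

# One pluto line: syslog timestamp, host, pluto[pid], quoted tunnel name with an
# optional instance index, peer address:port, "#<state number>:" and the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<tunnel>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_line(line):
    """Return a dict of the fields in one pluto log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["sa"] = int(rec["sa"])
    return rec


def parsed(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def filter_tunnel(log_text, tunnel):
    """Same effect as filtering the web log view on a tunnel name."""
    return [r for r in parsed(log_text) if r["tunnel"] == tunnel]


def tunnel_states(log_text, configured=()):
    """Map each tunnel to red/yellow/green using the rules of the status button:
    IPsec SA established -> green, only ISAKMP SA established -> yellow,
    neither (but listed in `configured`) -> red."""
    isakmp, ipsec = set(), set()
    for r in parsed(log_text):
        if "ISAKMP SA established" in r["msg"]:
            isakmp.add(r["tunnel"])
        if "IPsec SA established" in r["msg"]:
            ipsec.add(r["tunnel"])
    return {t: "green" if t in ipsec else "yellow" if t in isakmp else "red"
            for t in set(configured) | isakmp | ipsec}


def peer_is_nated(log_text, tunnel):
    """True when NAT traversal detected a NAT in front of the peer."""
    return any("peer is NATed" in r["msg"] for r in filter_tunnel(log_text, tunnel))


def esp_spis(log_text, tunnel):
    """(outbound, inbound) ESP SPIs from the IPsec SA line, or None if not established."""
    for r in filter_tunnel(log_text, tunnel):
        m = re.search(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)", r["msg"])
        if m:
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    for name, state in sorted(tunnel_states(SAMPLE_LOG, ["tunnel_A", "tunnel_B", "tunnel_C"]).items()):
        print(f"{name}: {state}  NATed={peer_is_nated(SAMPLE_LOG, name)}  ESP={esp_spis(SAMPLE_LOG, name)}")
```

The script only looks for the "established" messages, so on a long-running log it reports a tunnel as green even if the SA was later deleted or re-keyed; treat the status button in the web interface as authoritative and use the script to find at which step (Main Mode or Quick Mode) a failing tunnel stops.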

 

When tunnel status is red, one of the following is usually misconfigured on one or both ends of the tunnel:

  • Remote IP is misconfigured: one of the gateways tries to connect to an IP address other than the intended one; solution: check the configured remote IP addresses on both machines. Also check the configuration of any NAT devices between the two endpoints.
  • The tunnel on one of the endpoints is not active; solution: check the tunnel status on both machines.
  • Authentication methods or encryption schemes are not the same on both machines; solution: verify the authentication and encryption parameters. If problems persist, temporarily set 3DES/MD5 on both endpoints to rule out an algorithm mismatch. 3DES and MD5 are weak algorithms, so once the tunnel comes up switch both ends back to the strongest suite both endpoints support rather than leaving the diagnostic setting in place.
  • There is a large time skew between the two tunnel endpoints; solution: configure NTP on both machines.
  • The Syneto acting as CA might have a time skew; solution: configure NTP on both machines and on the CA.
  • Certificates are not valid or have expired; solution: issue new X.509 certificates.
  • Preshared keys (passwords) do not match; solution: reset the passwords on both machines by editing the tunnel definitions.
  • The tunnel connection is attempted towards a machine behind a source NAT, which cannot be reached from the outside; solution: have the machine behind the NAT initiate the connection and configure the machine with the public IP address to respond to it (on the public side the log then shows "responding to Main Mode from unknown peer" and "peer is NATed").
  • Review the compatibility issues and try to determine whether any of them apply to your configuration.

 

When tunnel status is yellow, the ISAKMP SA is established: the initial connection between the machines has been made and the encryption and authentication parameters have been exchanged and agreed. Remaining problems concern the networking parameters negotiated in Quick Mode:

  • Remote Network or Local Network are misconfigured on one or both machines; make sure one machine’s Local Network is the other machine’s Remote Network and the other way around.
  • Review compatibility issues and try to determine if any is applicable to your configuration.
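As an added example that is not part of the original article, the check below compares the Local Network / Remote Network settings of two endpoints and reports where they fail to mirror each other. The endpoint definitions are constructed; the field names "local" and "remote" are the example's own, not the product's configuration keys.

```python
import ipaddress


def _net(cidr):
    # strict=False accepts a host address written with a mask (e.g. "10.0.1.5/24")
    # and normalises it to its network, which is how a pasted address often looks.
    return ipaddress.ip_network(cidr, strict=False)


def check_network_mirror(end_a, end_b):
    """end_a and end_b are dicts with 'local' and 'remote' CIDR strings as
    configured on each endpoint. Returns a list of findings; an empty list
    means A.local == B.remote, A.remote == B.local and nothing overlaps."""
    a_local, a_remote = _net(end_a["local"]), _net(end_a["remote"])
    b_local, b_remote = _net(end_b["local"]), _net(end_b["remote"])
    findings = []
    if a_local != b_remote:
        findings.append(f"A Local Network {a_local} differs from B Remote Network {b_remote}")
    if a_remote != b_local:
        findings.append(f"A Remote Network {a_remote} differs from B Local Network {b_local}")
    # A local network that overlaps the remote one cannot be routed through the tunnel.
    if a_local.overlaps(a_remote):
        findings.append(f"A Local Network {a_local} overlaps A Remote Network {a_remote}")
    if b_local.overlaps(b_remote):
        findings.append(f"B Local Network {b_local} overlaps B Remote Network {b_remote}")
    return findings


# Constructed endpoint definitions for the example.
HQ = {"local": "10.0.1.0/24", "remote": "10.0.2.0/24"}
BRANCH_OK = {"local": "10.0.2.0/24", "remote": "10.0.1.0/24"}
BRANCH_WRONG_MASK = {"local": "10.0.2.0/25", "remote": "10.0.1.0/24"}   # /25 instead of /24
BRANCH_HOST_FORM = {"local": "10.0.2.7/24", "remote": "10.0.1.1/24"}    # host addresses, same networks

if __name__ == "__main__":
    for name, branch in [("ok", BRANCH_OK), ("wrong mask", BRANCH_WRONG_MASK), ("host form", BRANCH_HOST_FORM)]:
        print(name, check_network_mirror(HQ, branch) or "mirrored")
```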

 

When tunnel status is green but no traffic passes, verify that:

  • The packet filtering rules allow traffic to pass from one network to the other, in both directions.
  • SNAT rules are not rewriting packets that should leave through the VPN tunnel; a SNAT rule applied to all interfaces also rewrites the source address of tunnel-bound packets, so they no longer match the tunnel's Local Network and are sent unencrypted or dropped.
  • SNAT rules do rewrite packets where that is intended (for a Host to Any connection, where the source address must be translated to the tunnel's host address).
  • Review the compatibility issues and try to determine whether any of them apply to your configuration.