Just set up your VPN connection and struggling to connect? This could be for a number of reasons. Don't sweat it! Our troubleshooting guide takes you through some of the most common VPN errors, as well as how to resolve them and get connected to VPN.
VPN connection timed out
This error means that VPN Tracker timed out while waiting for a response from the VPN gateway:
If your gateway is slow, it may help to increase the connection timeout so VPN Tracker has more time to establish a connection. You can do this under Advanced Settings > Connection Timeout:
VPN gateway not responding (Phase 1)
This error means that VPN Tracker cannot reach the VPN gateway:
Gateway errors can have a number of causes, for example:
There is a problem with the device
The VPN gateway is turned off and VPN Tracker is unable to reach it.
Wrong IP address
The device's IP address has been entered incorrectly into VPN Tracker during configuration.
Dynamic DNS needs updating
If you are using dynamic DNS (e.g. DynDNS, NoIP, DynU, FreeDNS) and tried to connect via hostname, you should double check your service has been updated with your current IP address.
If it's not up to date, you may need to reconfigure dynamic DNS on your VPN gateway. Refer to your device handbook for more information.
Conflicting VPN settings / No proposal chosen (Phase 1)
This message in VPN Tracker means that the VPN gateway isn't willing to accept any of the proposals that VPN Tracker has offered:
In most cases, this means the VPN settings on your gateway do not match up with the settings configured in VPN Tracker. This can occur if the connection was configured incorrectly in VPN Tracker, or if the VPN settings were changed on the gateway at a later date.
Please double check which values are currently set on the VPN gateway and compare these to the values saved in VPN Tracker. You need to offer at least the same values in VPN Tracker for Phase 1.
Phase 1 proposals include:
- Exchange mode (main/aggressive)
- Encryption (3DES, AES-128, etc.)
- Hashing (SHA-1, SHA-256, etc.)
- Diffie-Hellman Group (Group 2, Group 5, etc.)
Once you've found the discrepancy, you can update the connection in VPN Tracker under Configure > Advanced settings and try connecting again.
Almost all VPN connections require at least one form of authentication which shows the gateway you are authorised to connect to the VPN. If these are entered incorrectly, you will see an error in VPN Tracker.
You may encounter a XAUTH error when connecting to the VPN. This means the user login and password entered into VPN Tracker does not match the user account on the gateway:
If you didn't set up the VPN yourself, reach out to your admin for the correct login details. Tip: In larger organisations, this will often be your internal company login.
Pre-shared Key errors
Many configurations require a Pre-shared Key (also known as PSK or Shared Secret) as a type of secure connection password. If the PSK you entered into VPN Tracker isn't an exact match to what is configured on your gateway, you will also receive a connection error, known as a Hash Mismatch:
If you're sure the Pre-shared Key entered into VPN Tracker matches your gateway, check that it doesn't contain any special characters. VPN Tracker may encode non alphanumeric characters in a different way than your gateway, causing a mismatch.
If this is the case, try reconfiguring the PSK on your gateway using only letters and numbers.
By default, traffic to the remote network cannot be sent through the VPN tunnel if it is using the same network as the local network. When remote and local networks overlap, this is known as a network conflict.
Instead, please use a local address that is outside all remote networks. For example, if your remote network is 192.168.10.0/24, do not use a local address starting with 192.168.10.:
Check out this guide for possible network conflict resolutions.
VPN protocol problems
Some networks have compatibility issues with certain VPN protocols which will cause your connection to fail. For example, if your IPsec VPN uses NAT-Traversal and this is disabled on the router, you will not be able to connect.
The best way to identify protocol issues is by using the Connection Checker in VPN Tracker whenever you are in a new network environment. Connection Checker will test the compatibility of VPN protocols and alert you of any compatibility issues:
The VPN says I am connected but I can't access internal services
If you are using a host name to connect to services (e.g. intranet.greenhaven.net), please try once using its IP address instead. If that works, the problem is most likely DNS resolution.
Tip: Not sure of the IP address? Use VPN Tracker's DNS Lookup tool to perform a reverse search:
In this case, please ensure DNS is enabled for the VPN connection and that it has been correctly configured.