
Portal:VPN/YaST VPN Module Troubleshoot


Common gateway troubleshoot check-list

Should you encounter VPN connectivity problems, please work through the following check-list:

  1. If the VPN gateway should offer access to networks outside the VPN subnets (such as Internet access), open the YaST Network Settings module and set "Enable IPv4 Forwarding" and/or "Enable IPv6 Forwarding" for the involved network interfaces.
  2. If you do not use SuSEfirewall, check your custom firewall on the VPN gateway. Consider temporarily disabling the firewall and allowing all traffic to rule out the firewall as the cause of failure. Make sure that IP protocols AH and ESP, as well as UDP ports 500 and 4500, can pass freely through the firewall. Refer to /etc/YaST2/vpn_firewall_rules for the complete firewall setup.
  3. Check the firewall at the hosting provider of the VPN gateway. Some hosting providers (very few) block IPSec traffic.
  4. If your hosting provider sets up another firewall for your network traffic (such as an EC2 Security Group), make sure that IP protocols AH and ESP, as well as UDP ports 500 and 4500, can pass freely through that firewall.
  5. Make sure IPv4 forwarding is enabled. These lines should be present in /etc/sysctl.conf: "net.ipv4.ip_forward = 1", "net.ipv4.conf.all.forwarding = 1", "net.ipv4.conf.default.forwarding = 1"
  6. If the VPN client has trouble accessing only certain web sites/email servers, try enabling the "Reduce TCP MSS" option in the YaST VPN module.
  7. Feel free to file a bug report against the YaST VPN module if you still cannot troubleshoot the problem. Please attach to your bug report: the content of the file /etc/YaST2/vpn_firewall_rules, the journal of "strongswan", and the output of "iptables -L -v -n" and "iptables -t nat -L -v -n".
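
Item 5 can be checked mechanically. The following is an added example, not part of the original wiki page or of YaST: it reports which of the three forwarding keys are missing from a sysctl.conf-style file or are set to something other than 1. The function name `check_forwarding` is hypothetical.

```shell
#!/bin/sh
# Added example: verify the forwarding keys from check-list item 5.
# check_forwarding is a hypothetical helper name, not part of YaST.

REQUIRED_KEYS="net.ipv4.ip_forward net.ipv4.conf.all.forwarding net.ipv4.conf.default.forwarding"

# Usage: check_forwarding [FILE]   (defaults to /etc/sysctl.conf)
# Prints one line per problem key. Returns 0 only if every key is set to 1,
# 1 if a key is missing or wrong, 2 if the file cannot be read.
check_forwarding() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    awk -v keys="$REQUIRED_KEYS" '
        BEGIN { n = split(keys, want, " ") }
        /^[ \t]*[#;]/ { next }               # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                # not a key = value line
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/[ \t\r]/, "", v)
            gsub(/\//, ".", k)               # sysctl also accepts net/ipv4/...
            seen[k] = v                      # a later assignment overrides an earlier one
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen))        { print "MISSING " k; bad = 1 }
                else if (seen[k] != "1") { print "WRONG " k " = " seen[k]; bad = 1 }
            }
            exit bad
        }' "$conf"
}
```

Called without an argument on the gateway, it checks /etc/sysctl.conf. It only inspects the file, so settings changed at runtime or in other configuration files are not covered.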

Client troubleshoot

Android/Apple troubleshoot check-list

Please follow the common gateway troubleshoot check-list, and then double-check the server address, IPSec pre-shared key, and username/password combination in the client connection setup.

For Android users, please make sure that the VPN type is "IPSec Xauth PSK" and that the field "IPSec identifier" is left blank.

Windows/Blackberry troubleshoot check-list

Please follow the common gateway troubleshoot check-list, and then double-check the server address and username/password combination in the client connection setup.

For Windows users, please carefully read the Client Setup section in the usage guide and make sure to properly set up certificate trust and Windows registry.