T40 Branch Office VPN won't connect, driving me CRAZZYYYYY

Hi all, spent ages on this today. Gave up eventually after it ruined my day, and installed the Mobile Client on each PC instead. Not ideal and I could really use your help fixing.

We've a T40 at the main HQ (, and at the minute, site 1 ( dials in perfectly via a Draytek Lan To Lan.

I just cannot get site 2 ( to connect, and I'm pretty sure I've mirrored all the settings, as they're both similar draytek models.

Please see attached pictures of the various tunnels and what-not. Hopefully I'm just being a dumb arse and have missed a simple setting.

I've tried various reboots and different firmwares too.

Thanks in advance.


  • Options
    edited December 2023

    Not that this is likely the issue - but it is recommended to not use DPD and IKE keep-alive on the same tunnel.
    DPD is preferred if it is supported by the other end.

    If there is nothing to help understand this in your firewall logs/Traffic Monitor, you can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    Set the slider to Information or higher

    In the Web UI: System -> Diagnostic Log -> VPN -> IKE
    Click the down arrow and select Information or Debug

  • Options
    edited December 2023

    Thanks for the prompt reply. I have disabled Keep-Alive on this tunnel, and have amended the log settings. Where can one download the log files?

    If I can't get this working, can I set up an SSL VPN Tunnel temporarily to test?

  • Options

    I get these errors now...

  • Options

    Look in Traffic Monitor for the current logs.
    In the Web UI it is under Dashboard.

    For historical logs, you need to set up a log server, such as WG Dimension, or a syslog server, and then set up logging to it.

    About Firebox Logging and Notification

    There are free syslog servers which run on Windows and other OSes.
    Dimension runs on a VM and requires a current support license for Dimension to accept logs from a firewall.
    I run my Dimension on VMware Workstation which while not officially supported by WG, works fine for a small site.

    Set Up & Administer Dimension

  • Options

    SSLVPN client connections from behind 1 firewall to a WG firewall should work.

  • Options

    Invalid main mode ID - check the settings on the Gateway setup for this tunnel.

  • Options

    OK so this morning I deleted the tunnel and gateway, and added them from scratch. Still no joy :(

    As time is against me now, I quickly set up a PPTP test tunnel from both Drayteks, and it has connected instantly.

    Far from ideal, but at least I have a tunnel for Monday and it buys me a bit of time though.

  • Options

    Check your Traffic Monitor logs when you try to get this tunnel going

  • Options
    james.carson Moderator, WatchGuard Representative

    Check your ISP equipment to see if there is any ESP or IKE ALG enabled. The logs suggest the main mode (tunnel ID) is incorrect, which is a thing ESP-ALGs will try to change.

    -James Carson
    WatchGuard Customer Support
