UniFi – Fixing VPN problems for Windows 10

We have a UniFi USG at the office and we keep running into problems with Windows 10 clients that after a while keep getting denied a VPN connection with the error:

Can’t connect to <VPN Name>
The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connection. Please contact your Administrator or your service provider to determine which device may be causing the problem.

We tried the registry hack edit for NAT traversal but that didn’t help, and although we verified the security/authentication settings, since these connections were previously working they were already correct.

Finally, after way too much troubleshooting and confirmations from the community that there are a lot of bugs in this area, and Ubiquiti saying that the problem strongSwan instead, we have a fix. Not a permanent one, but at least if someone has a problem, we know how to correct it now.

First, if you are in a pinch, rebooting the USG should fix things automatically.

  1. To fix this, first get the remote user’s IP address
  2. Next, SSH into the USG
  3. Run the command: sudo swanctl --list-sas
  4. You’ll get a bunch of stuff and you can try to grep for things but you might be limited to what is installed on the USG. The output will look like
remote-access: #1148, ESTABLISHED, IKEv1, cd08d4e086959e6e:1ae4be5c327a85a1
local '10.10.10.10' @ 10.10.10.10
remote '192.168.1.9' @ 256.256.256.256
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 4227401s ago
remote-access: #359, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 4227401 ago
in cc7b6f1d, 40061060 bytes, 55005 packets, 4227182s ago
out 21b4f550, 49388184 bytes, 52190 packets, 4227182s ago
local 10.10.10.10/32[udp/l2f]
remote 256.256.256.256/32[udp/l2f]
  1. You are looking for the part that says “remote” and the user’s IP (the last item in my previous example). When you find that entry, take notice above it for the least-indented item says remote-access: # and then a number. In the previous example it is 1148 on the first row.
  2. Run the command sudo swanctl --terminate --ike-id 2650 to kill the connection.
  3. NOTE: There is usually multiple levels of indentation, and these appear to be nested. You might be able to just kill the child elements, however we’ve only ever killed the highest level.
  4. Re-run the command from step #3 and make sure that IP is no longer listed.
  5. Have the user try to connect again