If the tunnel is not coming up at all, start here.
Common causes:
- Mismatched encryption/authentication settings (e.g., AES vs 3DES, SHA1 vs SHA256)
- Incorrect PSK (Pre-Shared Key)
- Mismatch in IKE version (v1 vs v2)
- Wrong local/remote gateway IP
- MTU set too high (try lowering it)
What to look for:
- Logs showing “no proposal chosen” → crypto mismatch (encryption, integrity, or DH group proposals do not overlap)
- “authentication failed” → PSK mismatch
- No response → routing or ISP blocking UDP 500/4500
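As an added example (not part of the original checklist), a small Python triage script that applies the three “what to look for” rules above to IKE log output. The log lines, their format, and the peer address 203.0.113.10 are constructed for illustration only.

```python
import re
from collections import Counter

# Constructed sample log (not from any real device or vendor format).
# It contains both failure phrases the checklist tells you to look for.
SAMPLE_LOG = """\
2024-01-01T10:00:01 IKE: sending IKE_SA_INIT request to 203.0.113.10[500]
2024-01-01T10:00:01 IKE: received IKE_SA_INIT response from 203.0.113.10[500]
2024-01-01T10:00:02 IKE: received NO_PROPOSAL_CHOSEN notify error
2024-01-01T10:00:05 IKE: sending IKE_SA_INIT request to 203.0.113.10[500]
2024-01-01T10:00:05 IKE: received IKE_SA_INIT response from 203.0.113.10[500]
2024-01-01T10:00:06 IKE: authentication failed for peer 203.0.113.10
"""

CAUSE_CRYPTO = "crypto mismatch (check encryption/integrity/DH proposals and IKE version)"
CAUSE_PSK = "PSK mismatch"
CAUSE_NO_RESPONSE = "no response (check routing and whether UDP 500/4500 is blocked)"

# Phrase -> likely cause. Case-insensitive; tolerates "no_proposal_chosen"
# as well as "no proposal chosen".
PATTERNS = [
    (re.compile(r"no[ _]proposal[ _]chosen", re.I), CAUSE_CRYPTO),
    (re.compile(r"authentication[ _]failed", re.I), CAUSE_PSK),
]


def triage(log_text: str) -> dict:
    """Count suspected causes in the log. 'No response' is inferred from
    absence: outbound IKE messages were sent but nothing was ever received."""
    findings = Counter()
    sent = received = 0
    for line in log_text.splitlines():
        if re.search(r"\bsending\b", line, re.I):
            sent += 1
        if re.search(r"\breceived\b", line, re.I):
            received += 1
        for pattern, cause in PATTERNS:
            if pattern.search(line):
                findings[cause] += 1
    if sent and not received:
        findings[CAUSE_NO_RESPONSE] = sent
    return dict(findings)


if __name__ == "__main__":
    for cause, count in triage(SAMPLE_LOG).items():
        print(f"{count}x {cause}")
```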
Recommended MTU:
| Scenario | Recommended MTU |
|---|---|
| Standard IPsec (no NAT-T) | ~1420–1460 |
| IPsec with NAT-T (most common) | ~1380–1420 |
| Unstable / unknown networks | 1400 (safe default) |
| Cloud environments (AWS/Azure VPN) | ~1350–1400 |