I'm having issues with my VPN. As per the provider (it's Norton, actually), one thing to try was to open UDP ports 500 and 4500. So I tried that (even though it actually worked before opening them), but the problem wasn't solved, and now it rarely works.
I added the following to /etc/config/firewall:
config rule
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Norton VPN'
	option dest 'lan'
	option dest_port '500 4500'
There is a rule to allow UDP port 500 but not 4500.
They are forwarded, and showing as such in LuCI. The wiki says that when the target (but not the source) port or IP is specified, the rule works as a forward.
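To check what a rule like the one above actually covers, here is a small added script (not from the thread or from OpenWrt) that parses UCI firewall text and reports, for each WAN-to-LAN ACCEPT rule, whether it is UDP, which of 500/4500 it misses, and whether it is scoped to a single host. The second rule in the sample is a constructed variant with a dest_ip for comparison; in fw3 a zone-to-zone rule with no dest_ip accepts forwarding to every host in the destination zone.

```python
"""Audit OpenWrt UCI firewall rules for IPsec UDP 500/4500 coverage."""
import re

# Constructed sample: the rule posted above plus a host-scoped variant.
SAMPLE_CONFIG = """
config rule
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Norton VPN'
	option dest 'lan'
	option dest_port '500 4500'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'
	option name 'IPsec NAT-T to one host'
"""

LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Return a list of sections: dicts with '_type' plus option/list values."""
    sections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"_type": key})
        elif kind == "option":
            sections[-1][key] = value
        else:  # 'list' keys may repeat, so accumulate them
            sections[-1].setdefault(key, []).append(value)
    return sections

def ports(rule):
    """Expand a dest_port value such as '500 4500' or '500-510' to a set of ints."""
    out = set()
    for tok in rule.get("dest_port", "").split():
        lo, _, hi = tok.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(text, needed=(500, 4500)):
    """Report every wan->lan ACCEPT rule: UDP or not, missing ports, host scope."""
    findings = []
    for r in parse_uci(text):
        if r.get("_type") != "rule" or r.get("target") != "ACCEPT":
            continue
        if r.get("src") != "wan" or r.get("dest") != "lan":
            continue
        proto = r.get("proto", [])
        proto = proto if isinstance(proto, list) else [proto]
        findings.append({
            "name": r.get("name", "<unnamed>"),
            "udp": "udp" in proto,
            "missing": sorted(set(needed) - ports(r)),
            "any_host": "dest_ip" not in r,  # no dest_ip: applies to all LAN hosts
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```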
@vgaetera It just rarely works on my Android phone and almost never works on my Windows PC, although they both worked for a few days in the beginning. The clients are installed on the client devices (it's part of the Norton 360 service and software and not a dedicated VPN solution, so there's not much room for tinkering around).
The Norton documentation says UDP ports 500 and 4500, and I have those open on the router. Though, when I try online tools for checking the ports, they say the ports are closed. So I'm not sure if the rule isn't working, or if the ISP is blocking them, which they deny.
It looks like IPsec, and the instruction seems to be here.
Unfortunately, I have no experience with IPsec.
Try to follow @mikma's advice.
And make sure to open ports on the destination host if possible.
Checking UDP ports is typically more problematic than TCP and should be performed differently and separately from usual TCP scans.
A UDP port check may not be supported by most online port check services.
Moreover, you need to open the destination, forward it on the router and run the software that listens on that port.
Something like that, though I'm not sure if 4500/UDP needs to be opened explicitly or not.
Perhaps it depends on the specific IPsec implementation.
It is not clear if the ports must be opened inbound or outbound. Judging by the fact that it worked before opening the ports on the firewall I'll guess it is for outbound.
Are you supposed to connect more than one device to the VPN at the same time?
To add more details and mystery:
My setup is a BTHH5A as modem and main router, and a C7 V2 as a WDS client, both running 19.07. The BTHH5A is the DHCP server, and has DNS of 1.1.1.1 and 8.8.8.8 configured for the WAN interface. When I experienced the issue, I assigned different SSIDs to the APs so I could easily know which device I was connected to. No matter what I tried, establishing a VPN connection on the mobile often took a long time, and sometimes failed; and it didn't work on the PC.
Then yesterday I happened to restart the C7. Today, I tried the VPN on the mobile and it took no time. I then tried it on the PC and it worked!
I can't think of how the C7 would affect the VPN if I'm connected to the other router, or how restarting the C7 would solve the problem. It could be a coincidence after all, but I'll keep an eye on it and report if I come to a conclusion.
The VPN had been working flawlessly on both PC and mobile; today it stopped working again. There was no issue with VDSL or any change in my setup that could be related. I tried restarting the C7 and also turning off the WDS AP on the BTHH5A, plus restarting the BTHH5A itself, but still no VPN on the PC, and it takes a long time on the phone to establish a VPN connection.
So the mystery remains... probably something from the ISP side.
Sounds like something that should be troubleshot with Norton VPN support.
Do they "see" your connection attempts?
Is there any error in their logs?
If you can traceroute to the Norton endpoint address, I would rule out a fault on your side, since it works fine for a week and then it doesn't.