[GH-ISSUE #132] couldn't connect from android 8 #118

Closed
opened 2026-03-02 07:27:53 +03:00 by kerem · 1 comment
Owner

Originally created by @monkeycatdog on GitHub (Mar 29, 2019).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/132

Hello!
I have a Huawei P20 Lite device with Android 8 and I cannot connect to the VPN (failure).

Logs:

admin@admin:~$ docker exec -it ipsec-vpn-server ipsec status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.17.0.3@4500
000 interface eth0/eth0 172.17.0.3@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.27, pluto_vendorid=OE-Libreswan-3.27
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 172.17.0.3[212.237.32.41]:17/1701---172.17.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk": our auth:secret, their auth:secret
000 "l2tp-psk": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk": labeled_ipsec:no;
000 "l2tp-psk": policy_label:unset;
000 "l2tp-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk": policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk": our idtype: ID_IPV4_ADDR; our id=212.237.32.41; their idtype: %none; their id=(none)
000 "l2tp-psk": dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "l2tp-psk"[3]: 172.17.0.3[212.237.32.41]:17/1701---172.17.0.1...216.218.206.102:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk"[3]: oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk"[3]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk"[3]: our auth:secret, their auth:secret
000 "l2tp-psk"[3]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk"[3]: labeled_ipsec:no;
000 "l2tp-psk"[3]: policy_label:unset;
000 "l2tp-psk"[3]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk"[3]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk"[3]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk"[3]: policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk"[3]: conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk"[3]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk"[3]: our idtype: ID_IPV4_ADDR; our id=212.237.32.41; their idtype: ID_IPV4_ADDR; their id=216.218.206.102
000 "l2tp-psk"[3]: dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk"[3]: newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk"[3]: IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk"[3]: ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===172.17.0.3[212.237.32.41,MS+XS+S=C]---172.17.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk": our auth:secret, their auth:secret
000 "xauth-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns:8.8.8.8 8.8.4.4, domains:unset, banner:unset, cat:unset;
000 "xauth-psk": labeled_ipsec:no;
000 "xauth-psk": policy_label:unset;
000 "xauth-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk": initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk": conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk": our idtype: ID_IPV4_ADDR; our id=212.237.32.41; their idtype: %none; their id=(none)
000 "xauth-psk": dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000
000 Total IPsec connections: loaded 3, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #3: "l2tp-psk"[3] 216.218.206.102:36409 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle;
000
000 Bare Shunt list:

I am trying to resolve the problem with your [tutorial](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above), but it is not helping me.

kerem closed this issue 2026-03-02 07:27:53 +03:00

@hwdsl2 commented on GitHub (Apr 11, 2019):

@iamruslanbakirov Hello! Some Huawei devices require the cipher `aes256-sha2_512` to be included [1] on the `phase2alg=` line of `/etc/ipsec.conf` on the VPN server.

This Docker image does include the above mentioned cipher [2]. However, it is missing from your `ipsec status` output above. One reason could be that you are using "CoreOS" which lacks support for this cipher. Or you may be using an outdated version of this Docker image.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/issues/330#issuecomment-374102703
[2] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/run.sh#L177
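The check the reply above asks the reporter to make by eye can be scripted: parse the `ESP algorithms:` lines that `ipsec status` prints for each connection, compare them against the `phase2alg=` entries the server is supposed to offer, and also surface any IKE SA that is stuck in a pre-authentication responder state (the reporter's output shows `#3` sitting in `STATE_MAIN_R0`, i.e. the phone's first message arrived but the exchange never progressed). This is an added example, not code from the issue, the Docker image or Libreswan. The sample status text is a constructed excerpt modelled on the output quoted above; the mapping from `phase2alg=` spelling to the names `ipsec status` prints is an assumption derived from the pattern visible in that output (`aes128-sha2_256` appears as `AES_CBC_128-HMAC_SHA2_256_128`), so `aes256-sha2_512` is assumed to appear as `AES_CBC_256-HMAC_SHA2_512_256`.

```python
import re
import sys

# Constructed excerpt of `ipsec status` output, modelled on the issue's log
# (trimmed to the lines this checker reads). Not real captured data.
SAMPLE_STATUS = """\
000 Connection list:
000
000 "l2tp-psk": 172.17.0.3[212.237.32.41]:17/1701---172.17.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "l2tp-psk"[3]: ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000
000 Total IPsec connections: loaded 3, active 0
000
000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #3: "l2tp-psk"[3] 216.218.206.102:36409 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle;
"""

# phase2alg= spelling (ipsec.conf) -> name printed by `ipsec status`.
# ASSUMPTION: derived from the pattern in the issue's output; the sha2_512
# entry follows that pattern and is not confirmed by the page itself.
PHASE2_TO_STATUS = {
    "aes128-sha1": "AES_CBC_128-HMAC_SHA1_96",
    "aes256-sha1": "AES_CBC_256-HMAC_SHA1_96",
    "aes128-sha2_256": "AES_CBC_128-HMAC_SHA2_256_128",
    "aes256-sha2_256": "AES_CBC_256-HMAC_SHA2_256_128",
    "aes256-sha2_512": "AES_CBC_256-HMAC_SHA2_512_256",
    "aes_gcm": "AES_GCM_16-NONE",
}

# IKEv1 responder states that precede a completed, authenticated exchange.
PRE_AUTH_STATES = {"STATE_MAIN_R0", "STATE_MAIN_R1", "STATE_MAIN_R2",
                   "STATE_AGGR_R0", "STATE_AGGR_R1"}

ESP_LINE = re.compile(r'^000 "(?P<conn>[^"]+)"(?:\[\d+\])?: ESP algorithms: (?P<algs>.*)$')
IKE_SA_LINE = re.compile(r'^000 IKE SAs: total\((\d+)\), half-open\((\d+)\)')
STATE_LINE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) (?P<state>STATE_\w+)')


def esp_algorithms(status_text):
    """Map each connection name to the set of ESP transforms it offers.
    Instance lines like "l2tp-psk"[3] are folded into their template."""
    offered = {}
    for line in status_text.splitlines():
        m = ESP_LINE.match(line)
        if m:
            algs = {a.strip() for a in m.group("algs").split(",") if a.strip()}
            offered.setdefault(m.group("conn"), set()).update(algs)
    return offered


def missing_phase2_algs(status_text, required):
    """Per connection, list the required phase2alg entries the server does not offer."""
    missing = {}
    for conn, algs in esp_algorithms(status_text).items():
        gaps = [r for r in required if PHASE2_TO_STATUS[r] not in algs]
        if gaps:
            missing[conn] = gaps
    return missing


def ike_sa_counts(status_text):
    """Return (total, half_open) from the 'IKE SAs:' summary line, or None."""
    for line in status_text.splitlines():
        m = IKE_SA_LINE.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def stuck_ike_sas(status_text):
    """Return (conn, peer, state) for IKE SAs still in a pre-authentication state."""
    stuck = []
    for line in status_text.splitlines():
        m = STATE_LINE.match(line)
        if m and m.group("state") in PRE_AUTH_STATES:
            stuck.append((m.group("conn"), m.group("peer"), m.group("state")))
    return stuck


if __name__ == "__main__":
    # Usage: docker exec ipsec-vpn-server ipsec status | python3 check_status.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for conn, gaps in missing_phase2_algs(text, ["aes256-sha2_512"]).items():
        print(f'{conn}: missing phase2alg entries {gaps}')
    counts = ike_sa_counts(text)
    if counts:
        print(f"IKE SAs: total={counts[0]} half-open={counts[1]}")
    for conn, peer, state in stuck_ike_sas(text):
        print(f"{conn}: peer {peer} stuck in {state}")
```

Run against the constructed sample, the checker reports that neither connection offers the `aes256-sha2_512` transform and that the SA from the phone is stuck in `STATE_MAIN_R0`, which is exactly the combination the reply above describes. Pipe real `ipsec status` output into it to repeat the check on a server.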
