[GH-ISSUE #157] Android 9 connects to server via IPSec/XAuth, but doesn't have any traffic. #141

Closed
opened 2026-03-02 07:28:03 +03:00 by kerem · 6 comments

Originally created by @shaomeng on GitHub (Aug 6, 2019).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/157

Summary:
I set up the VPN server on a Raspberry Pi [using docker](https://github.com/hwdsl2/docker-ipsec-vpn-server). Android 9 shows the VPN is successfully connected in IPSec/XAuth mode, but the phone fails to open any website or perform any Google Search.

Hardware and software:

- Raspberry Pi 3B running Raspbian 10 Buster; Linux kernel 4.19.58-v7+.
- Pixel 2 cell phone with Android 9.
- Docker was installed from the [Docker official site](https://blog.docker.com/2019/03/happy-pi-day-docker-raspberry-pi/).
- The server image was built from source following the [tutorial](https://github.com/hwdsl2/docker-ipsec-vpn-server), and also applied the change to `/etc/ipsec.conf` following [steps](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above). Note that Android 9 does NOT have a `Backward compatible mode` as the screenshot shows.
- LibreSwan logs are enabled following steps [here](https://github.com/hwdsl2/docker-ipsec-vpn-server#enable-libreswan-logs).

The logs from LibreSwan are attached.

I'm thinking this issue might be related to [issue 595](https://github.com/hwdsl2/setup-ipsec-vpn/issues/595) and [584](https://github.com/hwdsl2/setup-ipsec-vpn/issues/595) on the other repo.

Appreciate any help!

[xauth.log.gz](https://github.com/hwdsl2/docker-ipsec-vpn-server/files/3470578/xauth.log.gz)
kerem closed this issue 2026-03-02 07:28:03 +03:00

@shaomeng commented on GitHub (Aug 6, 2019):

An update, the VPN actually works well if my phone is connected to wifi, and the problem described above only occurs when it connects to LTE network. My phone is on TMobile network...


@hwdsl2 commented on GitHub (Aug 8, 2019):

@shaomeng Hello! As your T-Mobile LTE IPv4 address is from the subnet `192.0.0.0/24`, try adding it to the `virtual-private` line in `/etc/ipsec.conf`, like so:

```
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.0.0.0/24,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
```

To make this change to `/etc/ipsec.conf`, you may need to rebuild the Docker image from source and re-create the Docker container. Alternatively, start a Bash shell in the container and edit this file, then comment out the relevant parts of `/opt/src/run.sh` to avoid overwriting your changes after container restart.

Let us know if this works. More background info can be found under the "virtual-private" keyword in this manual [1].

[1] https://libreswan.org/man/ipsec.conf.5.html
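
The check that the `virtual-private` line expresses, as an added example that is not part of the original thread or of Libreswan's code. It assumes a simplified model (an address is accepted if it falls in a listed network and in no `!`-excluded one); the function names are hypothetical, and the "before" value is the line above with `192.0.0.0/24` removed.

```python
import ipaddress

# "Before" value: the line from the comment above without 192.0.0.0/24 (constructed).
BEFORE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
          "%v4:!192.168.42.0/24,%v4:!192.168.43.0/24")
# "After" value: the line exactly as suggested in the comment above.
AFTER = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.0.0.0/24,"
         "%v4:!192.168.42.0/24,%v4:!192.168.43.0/24")


def parse_virtual_private(value):
    """Split a virtual-private value into (included, excluded) network lists."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, _, net = entry.partition(":")
        if family not in ("%v4", "%v6") or not net:
            raise ValueError(f"malformed entry: {entry!r}")
        negated = net.startswith("!")
        # strict=True rejects entries with host bits set, e.g. 192.0.0.4/24
        network = ipaddress.ip_network(net.lstrip("!"), strict=True)
        if network.version != (4 if family == "%v4" else 6):
            raise ValueError(f"address family mismatch: {entry!r}")
        (excluded if negated else included).append(network)
    return included, excluded


def is_allowed(value, client_ip):
    """Simplified model: inside an included net and outside every excluded net."""
    included, excluded = parse_virtual_private(value)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


if __name__ == "__main__":
    # 192.0.0.4 is the client address reported from the logs later in this thread.
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, "192.0.0.4 allowed:", is_allowed(value, "192.0.0.4"))
    # Addresses from the server's own XAuth pool stay excluded.
    print("after 192.168.43.10 allowed:", is_allowed(AFTER, "192.168.43.10"))
```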


@shaomeng commented on GitHub (Aug 9, 2019):

Hi @hwdsl2, I made the changes you suggested to `/etc/ipsec.conf`, and also modified `/opt/src/run.sh` to be like:

```
config setup
  #virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.0.0.0/24,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
...
sha2-truncbug=no
```

Then I executed `service ipsec restart` inside of the container. The problem remains.

Also, I wonder why you decide my TMobile IPV4 address is from the subnet of `192.0.0.0/24`, since when I type `what's my ip` on google, it clearly shows a non-192.168.x.x address...


@hwdsl2 commented on GitHub (Aug 9, 2019):

@shaomeng Thanks for the update. The logs you attached show the T-Mobile IP of 192.0.0.4. Your issue might be related to https://github.com/hwdsl2/setup-ipsec-vpn/issues/476 where the user is unable to connect from T-Mobile network due to the device having only an IPv6 address. I suggest that you ask the VPN experts on the Libreswan users mailing list.


@shaomeng commented on GitHub (Aug 9, 2019):

Hi @hwdsl2, really appreciate your help. I looked at the discussion on issue 476, and it's very similar to mine. Also, I should report that when I type `what's my ip` in Google on TMobile, it does return an IPV6 address on the Google page, and I only know my IPV4 address from one of the 3rd party sites. In this case, I think we could conclude that LibreSwan or this server setup doesn't support IPV6 very well...

Thanks again for the very easy to use docker image!


@hwdsl2 commented on GitHub (Aug 9, 2019):

@shaomeng You’re welcome. Based on our discussion, I think this is a known issue with Libreswan and IPv6 only networks such as T-Mobile. Closing this issue and FYI @letoams.
