[GH-ISSUE #195] Can login to VPN but cannot access internet #182

Closed
opened 2026-03-02 07:44:32 +03:00 by kerem · 10 comments
Owner

Originally created by @jsdnhk-devops on GitHub (May 27, 2020).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/195

Message from `ipsec status` inside the container:
Help with thanks.

000 using kernel interface: netkey
000 interface lo/lo [::1]:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.88.90.208:4500
000 interface eth0/eth0 10.88.90.208:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.32, pluto_vendorid=OE-Libreswan-3.32, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 10.88.90.208[210.6.114.113]:17/1701---10.88.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk":   policy_label:unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===10.88.90.208[210.6.114.113,MS+XS+S=C]---10.88.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:208.67.222.222 208.67.220.220, domains:unset, banner:unset, cat:unset;
000 "xauth-psk":   policy_label:unset;
000 "xauth-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[2]: 0.0.0.0/0===10.88.90.208[210.6.114.113,MS+XS+S=C]---10.88.0.1...182.239.88.245[10.128.38.69,+MC+XC+S=C]===192.168.43.10/32; erouted; eroute owner: #2
000 "xauth-psk"[2]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk"[2]:   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk"[2]:   our auth:secret, their auth:secret
000 "xauth-psk"[2]:   modecfg info: us:server, them:client, modecfg policy:pull, dns:208.67.222.222, domains:unset, banner:unset, cat:unset;
000 "xauth-psk"[2]:   policy_label:unset;
000 "xauth-psk"[2]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk"[2]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk"[2]:   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk"[2]:   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[2]:   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk"[2]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk"[2]:   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: ID_IPV4_ADDR; their id=10.128.38.69
000 "xauth-psk"[2]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "xauth-psk"[2]:   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk"[2]:   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "xauth-psk"[2]:   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[2]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "xauth-psk"[2] 182.239.88.245:39402 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28620s; newest ISAKMP; lastdpd=28s(seq in:904 out:0); idle;
000 #2: "xauth-psk"[2] 182.239.88.245:39402 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28620s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "xauth-psk"[2] 182.239.88.245 esp.ed0fec6@182.239.88.245 esp.26820ea@10.88.90.208 tun.0@182.239.88.245 tun.0@10.88.90.208 ref=0 refhim=0 Traffic: ESPin=66KB ESPout=16KB! ESPmax=4194303B username=vpnuser
000
000 Bare Shunt list:
000
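An added diagnostic example, not code from the reporter or from the docker-ipsec-vpn-server project: a small Python parser for the Libreswan `ipsec status` output quoted above. It extracts the per-connection policy flags, the SA states and the ESP traffic counters, then applies a heuristic a defender uses when a client authenticates but gets no internet: an established IPsec SA whose ESPin counter far exceeds ESPout means packets enter the tunnel but few replies go back, which points at forwarding, NAT or MTU/MSS handling on the server rather than at IKE or authentication. The same parser lets you confirm that the `SHA2_TRUNCBUG` policy flag is actually present after `vpn.env` is changed and the container recreated. The sample lines are constructed from the output in this thread; the `ratio` threshold, the `has_flag` helper and the finding texts are this example's own choices.

```python
import re

# Constructed sample: a handful of lines modelled on the `ipsec status`
# output quoted in this issue (addresses, SPIs and counters copied from the
# report; this is not the full dump).
SAMPLE_STATUS = """\
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 Total IPsec connections: loaded 3, active 1
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #1: "xauth-psk"[2] 182.239.88.245:39402 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28620s; newest ISAKMP; lastdpd=28s(seq in:904 out:0); idle;
000 #2: "xauth-psk"[2] 182.239.88.245:39402 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28620s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "xauth-psk"[2] 182.239.88.245 esp.ed0fec6@182.239.88.245 esp.26820ea@10.88.90.208 tun.0@182.239.88.245 tun.0@10.88.90.208 ref=0 refhim=0 Traffic: ESPin=66KB ESPout=16KB! ESPmax=4194303B username=vpnuser
"""

# Constructed sample of the l2tp-psk policy line after VPN_SHA2_TRUNCBUG=yes
# has taken effect (the SHA2_TRUNCBUG flag is what the later dump in this
# thread shows once the container was recreated).
SAMPLE_AFTER_TRUNCBUG = (
    '000 "l2tp-psk":   policy: PSK+ENCRYPT+SHA2_TRUNCBUG+DONT_REKEY'
    '+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;\n'
)

# The three kinds of status line this example reads.
_POLICY_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"(?P<inst>\[\d+\])?:\s+policy: (?P<flags>[A-Z0-9_+]+);')
_STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+):\d+ '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
_TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): .*Traffic: ESPin=(?P<esp_in>\d+[KMG]?B) ESPout=(?P<esp_out>\d+[KMG]?B)')
_SIZE_RE = re.compile(r'^(\d+)([KMG]?)B$')
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

NO_SA_MSG = "no IPsec SA established; the fault is in IKE/authentication, not routing"


def parse_size(text):
    """Turn a counter such as '66KB' or '4194303B' into a byte count."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_status(text):
    """Reduce `ipsec status` output to policies, SA states and traffic counters."""
    report = {"policies": {}, "states": {}, "traffic": {}}
    for line in text.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            key = m.group("conn") + (m.group("inst") or "")
            report["policies"][key] = set(m.group("flags").split("+"))
            continue
        m = _STATE_RE.match(line)
        if m:
            report["states"][int(m.group("num"))] = {
                "conn": m.group("conn"), "peer": m.group("peer"),
                "state": m.group("state"), "desc": m.group("desc"),
            }
            continue
        m = _TRAFFIC_RE.match(line)
        if m:
            report["traffic"][int(m.group("num"))] = (
                parse_size(m.group("esp_in")), parse_size(m.group("esp_out")))
    return report


def has_flag(report, conn, flag):
    """True if the named connection's policy line carries the flag (e.g. SHA2_TRUNCBUG)."""
    return flag in report["policies"].get(conn, set())


def diagnose(report, ratio=4):
    """Heuristic triage for 'connected but no internet' (this example's own rule).

    STATE_QUICK_R2 is Libreswan's 'IPsec SA established' state. If such an SA
    exists but ESPin is at least `ratio` times ESPout, client packets reach the
    tunnel and few replies return: look at IP forwarding, NAT and MTU/MSS on
    the server side rather than at the IKE exchange.
    """
    findings = []
    established = [n for n, s in report["states"].items() if s["state"] == "STATE_QUICK_R2"]
    if not established:
        return [NO_SA_MSG]
    for n in established:
        esp_in, esp_out = report["traffic"].get(n, (0, 0))
        if esp_in > 0 and esp_in >= ratio * esp_out:
            findings.append(
                "SA #%d: ESPin=%dB vs ESPout=%dB; packets arrive from the client but few "
                "replies go back, so check forwarding/NAT/MTU on the server, not authentication"
                % (n, esp_in, esp_out))
    return findings


if __name__ == "__main__":
    before = parse_status(SAMPLE_STATUS)
    for finding in diagnose(before):
        print(finding)
    print("SHA2_TRUNCBUG before:", has_flag(before, "l2tp-psk", "SHA2_TRUNCBUG"))
    print("SHA2_TRUNCBUG after: ", has_flag(parse_status(SAMPLE_AFTER_TRUNCBUG), "l2tp-psk", "SHA2_TRUNCBUG"))
```

Run it against a live dump with `ipsec status | python3 this_script.py`-style piping by replacing `SAMPLE_STATUS` with `sys.stdin.read()`; the parser only needs the policy, `#n:` state and `Traffic:` lines, so the long algorithm listings are ignored.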
kerem closed this issue 2026-03-02 07:44:33 +03:00
Author
Owner

@hwdsl2 commented on GitHub (May 27, 2020):

@jsdnhk-devops Are you using an Android device? Please try the instructions in the "important notes" section [1]. You must re-create the Docker container after modifying `vpn.env`. If not working, try also running these commands inside your Docker container [2]. Let us know if this works.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#important-notes
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-mtumss-issues

Author
Owner

@jsdnhk-devops commented on GitHub (May 30, 2020):

@hwdsl2 Yes, it's using Android mobiles to connect.
For point 1, I added the line `VPN_SHA2_TRUNCBUG=yes` into `vpn.env`, which is included in the `docker run` process.
For point 2, I run these commands before executing `/opt/src/run.sh` in `/etc/rc.local`, which is the file mounted as a volume and executed in the `docker run` command.
The modified settings are in effect in the container, but I can still log in to the VPN and still cannot access the internet.
Here is the `ipsec status` output from the container for reference.

000 using kernel interface: netkey
000 interface lo/lo [::1]:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.88.90.255:4500
000 interface eth0/eth0 10.88.90.255:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.32, pluto_vendorid=OE-Libreswan-3.32, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 10.88.90.255[210.6.114.113]:17/1701---10.88.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk":   policy_label:unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: PSK+ENCRYPT+SHA2_TRUNCBUG+DONT_REKEY+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===10.88.90.255[210.6.114.113,MS+XS+S=C]---10.88.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:208.67.222.222 208.67.220.220, domains:unset, banner:unset, cat:unset;
000 "xauth-psk":   policy_label:unset;
000 "xauth-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[4]: 0.0.0.0/0===10.88.90.255[210.6.114.113,MS+XS+S=C]---10.88.0.1...203.160.69.172[10.120.177.202,+MC+XC+S=C]===192.168.43.10/32; erouted; eroute owner: #4
000 "xauth-psk"[4]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk"[4]:   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk"[4]:   our auth:secret, their auth:secret
000 "xauth-psk"[4]:   modecfg info: us:server, them:client, modecfg policy:pull, dns:208.67.222.222, domains:unset, banner:unset, cat:unset;
000 "xauth-psk"[4]:   policy_label:unset;
000 "xauth-psk"[4]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk"[4]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk"[4]:   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk"[4]:   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[4]:   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk"[4]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk"[4]:   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: ID_IPV4_ADDR; their id=10.120.177.202
000 "xauth-psk"[4]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk"[4]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "xauth-psk"[4]:   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk"[4]:   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "xauth-psk"[4]:   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[4]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #3: "xauth-psk"[4] 203.160.69.172:13753 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28728s; newest ISAKMP; lastdpd=11s(seq in:10473 out:0); idle;
000 #4: "xauth-psk"[4] 203.160.69.172:13753 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28728s; newest IPSEC; eroute owner; isakmp#3; idle;
000 #4: "xauth-psk"[4] 203.160.69.172 esp.e927787@203.160.69.172 esp.e516f42c@10.88.90.255 tun.0@203.160.69.172 tun.0@10.88.90.255 ref=0 refhim=0 Traffic: ESPin=34KB ESPout=6KB! ESPmax=4194303B username=vpnuser
000
000 Bare Shunt list:
000

@hwdsl2 commented on GitHub (May 30, 2020):

@jsdnhk-devops Please try the latest version of the Docker image using these instructions [1]. I have added a new variable `VPN_ANDROID_MTU_FIX` [2] to automatically apply the Android MTU/MSS fix [3] inside the container. Add `VPN_ANDROID_MTU_FIX=yes` to your `env` file to enable it.

In the latest image, I also added the output line `Setting sha2-truncbug to yes in ipsec.conf...`, which you will see in `docker logs ipsec-vpn-server` if you put `VPN_SHA2_TRUNCBUG=yes` in your `env` file.

From your logs, it does seem related to the sha2-truncbug issue. Note that you must re-create the Docker container (refer to [1]) every time you modify your `env` file, otherwise the changes won't take effect. After updating to the latest Docker image, look for the output line above to confirm that `sha2-truncbug=yes` has been set correctly.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#update-docker-image
[2] a156117
[3] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-mtumss-issues
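Added example, not code from the hwdsl2 project or from either commenter: a small POSIX shell helper that performs the two checks the reply above asks for (the `Setting sha2-truncbug to yes` line in `docker logs`, and the `SHA2_TRUNCBUG` flag in the connection's `policy:` line of `ipsec status`) and also pulls out two things worth looking at in the status dump posted in this thread: the ESP traffic counters of the established SA and the DH group the phone negotiated. The function names are my own; the `docker logs` sample is constructed (only the sha2-truncbug line is quoted from the reply), and the status excerpt is copied from the `"xauth-psk"[4]` lines above.

```shell
#!/bin/sh
# Added example (not part of hwdsl2/docker-ipsec-vpn-server): checks to run
# over `docker logs` and `ipsec status` text after re-creating the container.
# Function names and the log sample are assumptions made for this example.

# Constructed sample of `docker logs ipsec-vpn-server`; only the
# "Setting sha2-truncbug" line is quoted from the maintainer's reply.
SAMPLE_LOGS='Trying to load IPsec modules...
Setting sha2-truncbug to yes in ipsec.conf...
Starting IPsec service...'

# Excerpt copied from the `ipsec status` dump posted earlier in this thread.
SAMPLE_STATUS='000 "xauth-psk"[4]:   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[4]:   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "xauth-psk"[4]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000 #4: "xauth-psk"[4] 203.160.69.172 esp.e927787@203.160.69.172 esp.e516f42c@10.88.90.255 tun.0@203.160.69.172 tun.0@10.88.90.255 ref=0 refhim=0 Traffic: ESPin=34KB ESPout=6KB! ESPmax=4194303B username=vpnuser'

# 0 if the container logged that sha2-truncbug was written to ipsec.conf.
truncbug_confirmed() {
    printf '%s\n' "$1" | grep -q 'Setting sha2-truncbug to yes in ipsec.conf'
}

# 0 if connection $1's policy line in status text $2 carries SHA2_TRUNCBUG.
policy_has_truncbug() {
    printf '%s\n' "$2" | grep "\"$1\"" | grep 'policy:' | grep -q 'SHA2_TRUNCBUG'
}

# Prints the DH group of the newest IKEv1 SA for connection $1 (e.g. MODP1024).
ike_dh_group() {
    printf '%s\n' "$2" | grep "\"$1\"" | grep 'IKEv1 algorithm newest:' \
        | sed -E 's/.*-(MODP[0-9]+|DH[0-9]+).*/\1/'
}

# 0 if the group is one Libreswan 3.x still accepts for IKEv1 but is below
# current guidance (1024-bit or smaller MODP).
weak_dh_group() {
    case "$1" in
        MODP768|MODP1024) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<ESPin> <ESPout>" as pluto formats them, e.g. "34KB 6KB".
esp_counters() {
    printf '%s\n' "$2" | grep "\"$1\"" | grep 'Traffic:' \
        | sed -E 's/.*ESPin=([0-9]+[KMG]?B) ESPout=([0-9]+[KMG]?B).*/\1 \2/'
}

# Converts pluto's B/KB/MB suffixes to a byte count.
to_bytes() {
    case "$1" in
        *MB) echo $(( ${1%MB} * 1048576 )) ;;
        *KB) echo $(( ${1%KB} * 1024 )) ;;
        *B)  echo "${1%B}" ;;
        *)   echo "$1" ;;
    esac
}

# Classifies the SA's traffic: "bidirectional", "inbound-only" or "idle".
traffic_verdict() {
    set -- $(esp_counters "$1" "$2")
    esp_in=$(to_bytes "${1:-0B}"); esp_out=$(to_bytes "${2:-0B}")
    if [ "$esp_in" -gt 0 ] && [ "$esp_out" -gt 0 ]; then
        echo bidirectional
    elif [ "$esp_in" -gt 0 ]; then
        echo inbound-only
    else
        echo idle
    fi
}

# Human-readable report for one connection.
report() {
    conn=$1; logs=$2; status=$3
    truncbug_confirmed "$logs" && echo "logs: sha2-truncbug applied" \
        || echo "logs: sha2-truncbug line missing (env file not picked up?)"
    policy_has_truncbug "$conn" "$status" && echo "status: policy has SHA2_TRUNCBUG" \
        || echo "status: policy lacks SHA2_TRUNCBUG"
    group=$(ike_dh_group "$conn" "$status")
    weak_dh_group "$group" && echo "ike: negotiated $group (weak group)" \
        || echo "ike: negotiated $group"
    echo "esp: counters $(esp_counters "$conn" "$status"), $(traffic_verdict "$conn" "$status")"
}

report xauth-psk "$SAMPLE_LOGS" "$SAMPLE_STATUS"
```

On the thread's numbers the helper reports `34KB` in and `6KB` out: the phone is pushing far more into the tunnel than it gets back, which is the shape a path-MTU black hole produces (small replies such as DNS get through, large TCP segments do not), so it is consistent with the MTU/MSS fix being the next thing to try rather than the PSK or XAuth step, both of which clearly succeeded. It also flags `MODP1024`: the phone settled on the weakest group in the server's IKE proposal list, which is unrelated to the connectivity problem but worth knowing. Against a live container, feed it `docker logs ipsec-vpn-server 2>&1` and `docker exec ipsec-vpn-server ipsec status` instead of the samples.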


@jsdnhk-devops commented on GitHub (May 31, 2020):

After setting `VPN_ANDROID_MTU_FIX=yes` and `VPN_SHA2_TRUNCBUG=yes` in the env file and re-creating the container,
then using an Android mobile to connect via IPSec Xauth PSK,
the condition stays the same and gives the following status report.

000 using kernel interface: netkey
000 interface lo/lo [::1]:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.88.91.12:4500
000 interface eth0/eth0 10.88.91.12:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.32, pluto_vendorid=OE-Libreswan-3.32, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 10.88.91.12[210.6.114.113]:17/1701---10.88.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk":   policy_label:unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: PSK+ENCRYPT+SHA2_TRUNCBUG+DONT_REKEY+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===10.88.91.12[210.6.114.113,MS+XS+S=C]---10.88.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:1.1.1.1 1.0.0.1, domains:unset, banner:unset, cat:unset;
000 "xauth-psk":   policy_label:unset;
000 "xauth-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[1]: 0.0.0.0/0===10.88.91.12[210.6.114.113,MS+XS+S=C]---10.88.0.1...203.160.69.172[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk"[1]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk"[1]:   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk"[1]:   our auth:secret, their auth:secret
000 "xauth-psk"[1]:   modecfg info: us:server, them:client, modecfg policy:pull, dns:1.1.1.1 1.0.0.1, domains:unset, banner:unset, cat:unset;
000 "xauth-psk"[1]:   policy_label:unset;
000 "xauth-psk"[1]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk"[1]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk"[1]:   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk"[1]:   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[1]:   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk"[1]:   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: ID_IPV4_ADDR; their id=203.160.69.172
000 "xauth-psk"[1]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk"[1]:   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk"[1]:   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[3]: 0.0.0.0/0===10.88.91.12[210.6.114.113,MS+XS+S=C]---10.88.0.1...182.239.89.90[10.67.82.149,+MC+XC+S=C]===192.168.43.10/32; erouted; eroute owner: #3
000 "xauth-psk"[3]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk"[3]:   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk"[3]:   our auth:secret, their auth:secret
000 "xauth-psk"[3]:   modecfg info: us:server, them:client, modecfg policy:pull, dns:1.1.1.1, domains:unset, banner:unset, cat:unset;
000 "xauth-psk"[3]:   policy_label:unset;
000 "xauth-psk"[3]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk"[3]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk"[3]:   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk"[3]:   policy: PSK+ENCRYPT+TUNNEL+SHA2_TRUNCBUG+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[3]:   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk"[3]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk"[3]:   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: ID_IPV4_ADDR; their id=10.67.82.149
000 "xauth-psk"[3]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk"[3]:   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "xauth-psk"[3]:   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk"[3]:   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "xauth-psk"[3]:   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[3]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 4, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(1), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "xauth-psk"[1] 203.160.69.172:43378 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle;
000 #2: "xauth-psk"[3] 182.239.89.90:11097 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28755s; newest ISAKMP; lastdpd=12s(seq in:17982 out:0); idle;
000 #3: "xauth-psk"[3] 182.239.89.90:11097 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28756s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #3: "xauth-psk"[3] 182.239.89.90 esp.8c3055c@182.239.89.90 esp.9029e5b1@10.88.91.12 tun.0@182.239.89.90 tun.0@10.88.91.12 ref=0 refhim=0 Traffic: ESPin=23KB ESPout=5KB! ESPmax=4194303B username=vpnuser
000
000 Bare Shunt list:
000

@hwdsl2 commented on GitHub (May 31, 2020):

@jsdnhk-devops Thanks for the update. Reading your logs output again, I see that `AES_CBC_256-HMAC_SHA2_512_256` is used, therefore it's not an issue with sha2-truncbug. You can remove `VPN_SHA2_TRUNCBUG=yes` from your `env` file.

Can you successfully connect using IPsec/L2TP mode [1]? If you cannot, this is likely an IPTables problem. Check the output of `docker logs ipsec-vpn-server` to see if there is any error, if so, post the error details here.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md
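As an added example (not code from this issue or from the hwdsl2 project), the two checks applied in the comment above can be scripted against `ipsec status` output: read the negotiated ESP algorithm to rule sha2-truncbug in or out, and read each SA's state and ESP byte counters to see whether the tunnel is up but traffic is not flowing back (which points at NAT/forwarding rather than IKE). The sample lines are taken from the status output quoted in this issue; the in/out ratio threshold and the byte-unit multipliers are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the lines from the status output quoted in this issue that the
# diagnosis below actually reads (all other status lines are skipped).
SAMPLE_STATUS = """\
000 "xauth-psk"[3]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 #1: "xauth-psk"[1] 203.160.69.172:43378 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle;
000 #2: "xauth-psk"[3] 182.239.89.90:11097 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28755s; newest ISAKMP; lastdpd=12s(seq in:17982 out:0); idle;
000 #3: "xauth-psk"[3] 182.239.89.90:11097 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28756s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #3: "xauth-psk"[3] 182.239.89.90 esp.8c3055c@182.239.89.90 esp.9029e5b1@10.88.91.12 tun.0@182.239.89.90 tun.0@10.88.91.12 ref=0 refhim=0 Traffic: ESPin=23KB ESPout=5KB! ESPmax=4194303B username=vpnuser
"""

ESP_NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?:\s+ESP algorithm newest: '
    r'(?P<enc>[A-Z0-9_]+)-(?P<integ>[A-Z0-9_]+)')
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
    r'(?P<peer>\d+(?:\.\d+){3})(?::(?P<port>\d+))? (?P<rest>.*)$')
TRAFFIC_RE = re.compile(
    r'ESPin=(?P<inb>\d+)(?P<inu>[KMG]?B)!? ESPout=(?P<outb>\d+)(?P<outu>[KMG]?B)!?')
# Assumed multipliers for the humanized byte counts; only the in/out ratio is
# used below, so the exact base does not change the outcome.
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class SaInfo:
    sa: int
    conn: str
    peer: str
    state: Optional[str] = None
    retransmitting: bool = False
    esp_in: Optional[int] = None
    esp_out: Optional[int] = None


def parse_status(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[int, SaInfo]]:
    """Return ({conn instance: (encryption, integrity)}, {SA number: SaInfo})."""
    esp_newest: Dict[str, Tuple[str, str]] = {}
    sas: Dict[int, SaInfo] = {}
    for line in text.splitlines():
        m = ESP_NEWEST_RE.match(line)
        if m:
            key = m["conn"] + (f"[{m['inst']}]" if m["inst"] else "")
            esp_newest[key] = (m["enc"], m["integ"])
            continue
        m = STATE_RE.match(line)
        if not m:
            continue
        key = m["conn"] + (f"[{m['inst']}]" if m["inst"] else "")
        # The state line and the traffic line for one SA share its number.
        info = sas.setdefault(int(m["sa"]), SaInfo(int(m["sa"]), key, m["peer"]))
        rest = m["rest"]
        if rest.startswith("STATE_"):
            info.state = rest.split(" ", 1)[0]
            info.retransmitting = "EVENT_RETRANSMIT" in rest
        t = TRAFFIC_RE.search(rest)
        if t:
            info.esp_in = int(t["inb"]) * UNIT[t["inu"]]
            info.esp_out = int(t["outb"]) * UNIT[t["outu"]]
    return esp_newest, sas


def diagnose(text: str, ratio: float = 4.0) -> Dict[str, List]:
    """Apply the reasoning from the comment above to a status dump.

    ratio is an assumed heuristic: an established IPsec SA whose ESPout is
    more than `ratio` times smaller than ESPin carries client traffic in but
    little back, which suggests a NAT/forwarding (iptables) problem rather
    than a failed IKE/ESP negotiation.
    """
    esp_newest, sas = parse_status(text)
    # sha2-truncbug only concerns HMAC-SHA2-256 (96- vs 128-bit ICV), so any
    # other negotiated integrity algorithm rules it out, as hwdsl2 notes.
    truncbug = [k for k, (_, integ) in esp_newest.items()
                if integ.startswith("HMAC_SHA2_256")]
    stalled = [i.sa for i in sas.values()
               if i.state and i.state.startswith("STATE_MAIN_R") and i.retransmitting]
    asymmetric = [i.sa for i in sas.values()
                  if i.state == "STATE_QUICK_R2" and i.esp_in and i.esp_out is not None
                  and i.esp_out * ratio < i.esp_in]
    return {"truncbug_candidates": truncbug,
            "stalled_phase1": stalled,
            "asymmetric_established": asymmetric}


if __name__ == "__main__":
    for finding, items in diagnose(SAMPLE_STATUS).items():
        print(f"{finding}: {items}")
```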


@jsdnhk-devops commented on GitHub (Jun 1, 2020):

Thanks for helping. This situation started to happen recently; it worked a few months before.
500/udp and 4500/udp are set to be exposed in the container, on the host (firewall) and on the gateway as well.
When using Android via IPsec/L2TP, docker logs repeatedly shows the following,
while it shows nothing in docker logs when using IPsec XAuth PSK:

xl2tpd[1]: Can not find tunnel 24343 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet.  call = 51918, tunnel = 24343 Dumping.

ipsec status message via IPsec/L2TP:

000 using kernel interface: netkey
000 interface lo/lo [::1]:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.88.91.21:4500
000 interface eth0/eth0 10.88.91.21:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.32, pluto_vendorid=OE-Libreswan-3.32, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 10.88.91.21[210.6.114.113]:17/1701---10.88.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "l2tp-psk":   policy_label:unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===10.88.91.21[210.6.114.113,MS+XS+S=C]---10.88.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:1.1.1.1 1.0.0.1, domains:unset, banner:unset, cat:unset;
000 "xauth-psk":   policy_label:unset;
000 "xauth-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[2]: 0.0.0.0/0===10.88.91.21[210.6.114.113,MS+XS+S=C]---10.88.0.1...182.239.88.6[10.42.172.101,+MC+XC+S=C]===192.168.43.10/32; erouted; eroute owner: #2
000 "xauth-psk"[2]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk"[2]:   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk"[2]:   our auth:secret, their auth:secret
000 "xauth-psk"[2]:   modecfg info: us:server, them:client, modecfg policy:pull, dns:1.1.1.1, domains:unset, banner:unset, cat:unset;
000 "xauth-psk"[2]:   policy_label:unset;
000 "xauth-psk"[2]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk"[2]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk"[2]:   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk"[2]:   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk"[2]:   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk"[2]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk"[2]:   our idtype: ID_IPV4_ADDR; our id=210.6.114.113; their idtype: ID_IPV4_ADDR; their id=10.42.172.101
000 "xauth-psk"[2]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "xauth-psk"[2]:   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk"[2]:   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "xauth-psk"[2]:   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk"[2]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "xauth-psk"[2] 182.239.88.6:31232 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 28589s; newest ISAKMP; lastdpd=28s(seq in:24032 out:0); idle;
000 #2: "xauth-psk"[2] 182.239.88.6:31232 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28590s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "xauth-psk"[2] 182.239.88.6 esp.e0cef89@182.239.88.6 esp.53d36b6d@10.88.91.21 tun.0@182.239.88.6 tun.0@10.88.91.21 ref=0 refhim=0 Traffic: ESPin=100KB ESPout=19KB! ESPmax=4194303B username=vpnuser
000
000 Bare Shunt list:
000
@hwdsl2 commented on GitHub (Jun 1, 2020):

@jsdnhk-devops This looks like an IPTables issue, but I'm not sure. Does `docker logs ipsec-vpn-server` show any IPTables-related errors when the container starts?

You can enable Libreswan logs [1] for further troubleshooting. After enabling, try to re-connect the VPN, then check logs with:

```
docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log
```

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#enable-libreswan-logs

@jsdnhk-devops commented on GitHub (Jun 2, 2020):

@hwdsl2 thanks for reminding me of the firewall issue. It got fixed by following this, which is a podman internal bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1805212
It would cause the container's network packets to not be sent out.

@jsdnhk-devops commented on GitHub (Jun 2, 2020):

Out of curiosity, I would like to ask: are there any methods or health-check tools to check and keep the VPN service working?
Sometimes when I connected to use the service, I found that it was disabled and had to recreate the container again to use it.
For ensuring the process keeps running, [supervisor](http://supervisord.org) can help.

@hwdsl2 commented on GitHub (Jun 2, 2020):

@jsdnhk-devops Glad that you resolved the issue. For checking and keeping the VPN service running, the `--restart=always` parameter [1] of `docker run` can help to auto restart the container on exit. Maybe you can also check that UDP port 500 is open, and the `pluto` process is running.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#start-the-ipsec-vpn-server

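The maintainer's suggestions above (pluto running, UDP 500 open, container restarted on exit) turned into a health-check script, as an added example that is not part of the thread and not code from the hwdsl2/docker-ipsec-vpn-server project. It parses the same `ipsec status` output the reporter posted: the `interface eth0/eth0 …:500` / `:4500` lines prove pluto is bound to the IKE and NAT-T ports on a non-loopback interface, and the `State Information:` line shows whether pluto accepts new IKE connections. The container name is the README's default; the `--live` flag, the `RUNTIME` variable and the function names are this example's own conventions, and the loopback-only sample is constructed.

```shell
#!/bin/sh
# Added example (not project code): health check for the IPsec VPN container,
# built from the advice in this thread. Functions take a captured `ipsec status`
# dump so they can be exercised offline; `--live` runs them against a container.

CONTAINER="${CONTAINER:-ipsec-vpn-server}"   # README default name (assumption)
RUNTIME="${RUNTIME:-docker}"                 # set RUNTIME=podman for podman hosts

# has_udp_listener STATUS PORT
#   Succeeds when the dump shows pluto bound to UDP PORT on a non-loopback
#   interface, e.g. "000 interface eth0/eth0 10.88.91.21:500".
has_udp_listener() {
    printf '%s\n' "$1" | grep -v ' lo/lo ' | grep -Eq "^000 interface [^ ]+ [0-9.]+:$2\$"
}

# accepting_ike STATUS
#   Succeeds when pluto reports that it is accepting new IKE connections.
accepting_ike() {
    printf '%s\n' "$1" | grep -q '^000 State Information: .*Accepting new IKE connections'
}

# count_sas STATUS KIND   (KIND is "IKE" or "IPsec")
#   Prints N from the "000 IKE SAs: total(N), ..." / "000 IPsec SAs: total(N), ..." line.
count_sas() {
    printf '%s\n' "$1" | sed -n "s/^000 $2 SAs: total(\([0-9][0-9]*\)).*/\1/p"
}

# status_is_healthy STATUS
#   Combined verdict on a dump: 0 = pluto bound to 500 and 4500 and accepting IKE.
status_is_healthy() {
    has_udp_listener "$1" 500 && has_udp_listener "$1" 4500 && accepting_ike "$1"
}

# check_live: run the checks against the real container. `ipsec status` talks to
# pluto over its control socket, so it fails outright when pluto is not running,
# which covers the "is the pluto process up" check from the thread.
check_live() {
    status="$("$RUNTIME" exec "$CONTAINER" ipsec status 2>/dev/null)" \
        || { echo "FAIL: ipsec status failed in $CONTAINER (pluto down?)"; return 1; }
    status_is_healthy "$status" \
        || { echo "FAIL: pluto not bound to UDP 500/4500 or not accepting IKE"; return 1; }
    echo "OK: IKE SAs=$(count_sas "$status" IKE) IPsec SAs=$(count_sas "$status" IPsec)"
}

# Sample 1: the relevant lines copied from the `ipsec status` output in this thread.
SAMPLE_OK='000 interface lo/lo [::1]:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.88.91.21:4500
000 interface eth0/eth0 10.88.91.21:500
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)'

# Sample 2 (constructed): pluto only bound to loopback, so clients cannot reach it.
SAMPLE_LOOPBACK_ONLY='000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)'

if [ "${1:-}" = "--live" ]; then
    check_live
    exit $?
fi
```

Run it from cron, e.g. `*/5 * * * * /usr/local/bin/vpn-health.sh --live || docker restart ipsec-vpn-server`, alongside `--restart=always`. Note what each piece covers: `--restart=always` only reacts to the container exiting, and these checks only confirm that pluto is listening and accepting IKE. The failure in this thread was different: the IPsec SA was established (`STATE_QUICK_R2`) and `ESPin` was counting up, but forwarded traffic never left the host because of the podman NAT bug. Catching that case needs an end-to-end probe from a connected client, which this script does not attempt.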