[GH-ISSUE #199] XAUTH connects normally, but the IKEv2 connection reports an authentication failure #185

Closed
opened 2026-03-02 07:44:35 +03:00 by kerem · 15 comments

Originally created by @SuperCatss on GitHub (Jul 1, 2020).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/199

IPsec is set up inside Docker on my router.
The phone is a Samsung S10 running Android 10.
After the setup succeeded, the phone connected fine using the XAUTH protocol and works normally.
Then I started working on IKEv2 with a self-signed certificate, following the tutorial written in the md file.
The domain name is the DDNS domain from my genuine Synology NAS (the DDNS service Synology provides); I'm not sure whether that is what causes this.
After importing and installing the certificate on the phone, connecting with the strongSwan client reports an authentication failure.
I haven't had any success on the PC yet either; I'd like to solve the phone case first so I can narrow down whether it's a server configuration problem or a PC client settings problem.
Could someone please point out where the problem is?

kerem closed this issue 2026-03-02 07:44:35 +03:00

@hwdsl2 commented on GitHub (Jul 1, 2020):

@SuperCatss Hello! If you configured IKEv2 correctly by following the instructions here [1], I think the problem may be your DDNS domain name. Can you check whether that DDNS domain can be pinged from outside your network? Or reconfigure without using DDNS. You can also enable the server logs [2], try connecting again, and then check the server and client logs for the specific errors.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%BD%BF%E7%94%A8-ikev2-vpn
[2] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%90%AF%E7%94%A8-libreswan-%E6%97%A5%E5%BF%97


@SuperCatss commented on GitHub (Jul 1, 2020):

> @SuperCatss Hello! If you configured IKEv2 correctly by following the instructions here [1], I think the problem may be your DDNS domain name. Can you check whether that DDNS domain can be pinged from outside your network? Or reconfigure without using DDNS. You can also enable the server logs [2], try connecting again, and then check the server and client logs for the specific errors.
>
> [1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%BD%BF%E7%94%A8-ikev2-vpn
> [2] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%90%AF%E7%94%A8-libreswan-%E6%97%A5%E5%BF%97

I had also considered the DDNS domain issue, but when I connect with XAUTH I also connect via the domain name, and an online DNS lookup does resolve it to my public IP. At the moment I'm not sure whether both IKEv2 and XAUTH support connecting via a DDNS domain.

> @SuperCatss In that case, it's probably not a DDNS problem. You can try enabling the server logs (as described above), try connecting again, and then check the server and client logs for the specific errors.

![image](https://user-images.githubusercontent.com/24800663/86265646-9d157700-bbf6-11ea-8f2f-e938499d75a5.png)
This is the error shown when connecting from the strongSwan client on my phone. The PC has problems as well, but I want to first narrow down whether the issue is in the server or in the client configuration.


@hwdsl2 commented on GitHub (Jul 1, 2020):

@SuperCatss In that case, it's probably not a DDNS problem. You can try enabling the server logs (as described above), try connecting again, and then check the server and client logs for the specific errors.


@SuperCatss commented on GitHub (Jul 1, 2020):

> @SuperCatss In that case, it's probably not a DDNS problem. You can try enabling the server logs (as described above), try connecting again, and then check the server and client logs for the specific errors.

The client error message has already been posted.


@SuperCatss commented on GitHub (Jul 1, 2020):

Jul 1 16:03:19 475be817578b pluto[339]: shutting down
Jul 1 16:03:19 475be817578b pluto[339]: 3 crypto helpers shutdown
Jul 1 16:03:19 475be817578b pluto[339]: forgetting secrets
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247: deleting connection "l2tp-psk"[3] 182.139.182.247 instance with peer 182.139.182.247 {isakmp=#0/ipsec=#0}
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #8: deleting state (STATE_MAIN_R0) aged 120799.427s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #7: deleting state (STATE_MAIN_R0) aged 120902.929s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #6: deleting state (STATE_MAIN_R0) aged 120957.162s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #5: deleting state (STATE_MAIN_R0) aged 121030.296s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[2] 216.218.206.82: deleting connection "l2tp-psk"[2] 216.218.206.82 instance with peer 216.218.206.82 {isakmp=#0/ipsec=#0}
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[2] 216.218.206.82 #4: deleting state (STATE_MAIN_R0) aged 143138.618s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface lo/lo 127.0.0.1:4500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface lo/lo 127.0.0.1:500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface eth0/eth0 172.17.0.2:4500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface eth0/eth0 172.17.0.2:500
Jul 1 16:03:19 475be817578b ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
Jul 1 16:03:19 475be817578b ipsec__plutorun: Starting Pluto
Jul 1 16:03:20 475be817578b pluto[2279]: NSS DB directory: sql:/etc/ipsec.d
Jul 1 16:03:20 475be817578b pluto[2279]: Initializing NSS
Jul 1 16:03:20 475be817578b pluto[2279]: Opening NSS database "sql:/etc/ipsec.d" read-only
Jul 1 16:03:20 475be817578b pluto[2279]: NSS crypto library initialized
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS Mode: NO
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS mode disabled for pluto daemon
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS HMAC integrity support [disabled]
Jul 1 16:03:20 475be817578b pluto[2279]: libcap-ng support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Linux audit support [disabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Starting Pluto (Libreswan Version 3.32 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) (native-PRF) LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2279
Jul 1 16:03:20 475be817578b pluto[2279]: core dump dir: /run/pluto
Jul 1 16:03:20 475be817578b pluto[2279]: secrets file: /etc/ipsec.secrets
Jul 1 16:03:20 475be817578b pluto[2279]: leak-detective disabled
Jul 1 16:03:20 475be817578b pluto[2279]: NSS crypto [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: XAUTH PAM support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Jul 1 16:03:20 475be817578b pluto[2279]: NAT-Traversal support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Encryption algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Jul 1 16:03:20 475be817578b pluto[2279]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Jul 1 16:03:20 475be817578b pluto[2279]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Jul 1 16:03:20 475be817578b pluto[2279]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Jul 1 16:03:20 475be817578b pluto[2279]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Jul 1 16:03:20 475be817578b pluto[2279]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Jul 1 16:03:20 475be817578b pluto[2279]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Jul 1 16:03:20 475be817578b pluto[2279]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Jul 1 16:03:20 475be817578b pluto[2279]: NULL IKEv1: ESP IKEv2: ESP []
Jul 1 16:03:20 475be817578b pluto[2279]: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Jul 1 16:03:20 475be817578b pluto[2279]: Hash algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: MD5 IKEv1: IKE IKEv2:
Jul 1 16:03:20 475be817578b pluto[2279]: SHA1 IKEv1: IKE IKEv2: FIPS sha
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Jul 1 16:03:20 475be817578b pluto[2279]: PRF algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Jul 1 16:03:20 475be817578b pluto[2279]: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Jul 1 16:03:20 475be817578b pluto[2279]: Integrity algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Jul 1 16:03:20 475be817578b pluto[2279]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Jul 1 16:03:20 475be817578b pluto[2279]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Jul 1 16:03:20 475be817578b pluto[2279]: DH algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Jul 1 16:03:20 475be817578b pluto[2279]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Jul 1 16:03:20 475be817578b pluto[2279]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Jul 1 16:03:20 475be817578b pluto[2279]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Jul 1 16:03:20 475be817578b pluto[2279]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Jul 1 16:03:20 475be817578b pluto[2279]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Jul 1 16:03:20 475be817578b pluto[2279]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Jul 1 16:03:20 475be817578b pluto[2279]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Jul 1 16:03:20 475be817578b pluto[2279]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Jul 1 16:03:20 475be817578b pluto[2279]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Jul 1 16:03:20 475be817578b pluto[2279]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Jul 1 16:03:20 475be817578b pluto[2279]: testing CAMELLIA_CBC:
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_GCM_16:
Jul 1 16:03:20 475be817578b pluto[2279]: empty string
Jul 1 16:03:20 475be817578b pluto[2279]: one block
Jul 1 16:03:20 475be817578b pluto[2279]: two blocks
Jul 1 16:03:20 475be817578b pluto[2279]: two blocks with associated data
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_CTR:
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_CBC:
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_XCBC:
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jul 1 16:03:20 475be817578b pluto[2279]: testing HMAC_MD5:
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 1
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 2
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 3
Jul 1 16:03:20 475be817578b pluto[2279]: 4 CPU cores online
Jul 1 16:03:20 475be817578b pluto[2279]: starting up 3 crypto helpers
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 0
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 1
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 2
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: Using Linux XFRM/NETKEY IPsec kernel support code on 4.19.122
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security not supported
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE
Jul 1 16:03:20 475be817578b pluto[2279]: listening for IKE messages
Jul 1 16:03:20 475be817578b pluto[2279]: Kernel supports NIC esp-hw-offload
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.17.0.2:500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 172.17.0.2:4500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo 127.0.0.1:4500
Jul 1 16:03:20 475be817578b pluto[2279]: loading secrets from "/etc/ipsec.secrets"
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61154 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61155 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61156 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61157 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61158 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61159 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61160 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61161 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61162 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61163 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: responding to Main Mode from unknown peer 119.4.253.57:61164
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: WARNING: connection xauth-psk PSK length of 11 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: switched from "xauth-psk"[1] 119.4.253.57 to "xauth-psk"
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting connection "xauth-psk"[1] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file authentication method requested to authenticate user 'admin'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: success user(admin:xauth-psk)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: User admin: Authentication Successful
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: xauth_inR1(STF_OK)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: modecfg_inR0(STF_OK)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: the peer proposed: 0.0.0.0/0:0/0 -> 192.168.43.10/32:0/0
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: responding to Quick Mode proposal {msgid:18c9ae5a}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: us: 0.0.0.0/0===172.17.0.2[125.70.1.227,MS+XS+S=C]
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: them: 119.4.253.57[10.162.196.12,+MC+XC+S=C]===192.168.43.10/32
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin}
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: received Delete SA(0xce4e6564) payload: deleting IPsec State #2
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: deleting other state #2 (STATE_QUICK_R2) aged 22.159s and sending notification
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: ESP traffic information: in=12KB out=19KB XAUTHuser=admin
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting state (STATE_MODE_CFG_R1) aged 22.503s and sending notification
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57: deleting connection "xauth-psk"[2] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0}
Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62374 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62375 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62376 with unencrypted notification NO_PROPOSAL_CHOSEN

This is the server log. I deliberately connected with XAUTH, disconnected, and then connected with strongSwan.
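As an added example (not code from this thread or from the docker-ipsec-vpn-server project), here is the triage a defender would run over a pluto log like the one above: it lists which connections pluto loaded at start-up, counts per peer the IKEv2 IKE_SA_INIT requests that were rejected with NO_PROPOSAL_CHOSEN for lack of a connection with an IKEv2 policy, notes which IKEv1 peers still completed Main Mode, and keeps any WARNING lines. The sample lines are constructed in the shape of the thread's log, with an RFC 5737 peer address and a made-up container name.

```python
"""Triage a Libreswan (pluto) log for the failure pattern in this thread:
IKEv2 IKE_SA_INIT requests answered with NO_PROPOSAL_CHOSEN because pluto
loaded no connection with an IKEv2 policy, while IKEv1 XAUTH/PSK still works.
Added example, not part of the docker-ipsec-vpn-server project.
"""
import re
from collections import Counter
from pprint import pprint

# Connection definitions pluto loaded at start-up.
ADDED_CONN_RE = re.compile(r'added connection description "([^"]+)"')
# An IKEv2 initiator whose IKE_SA_INIT matched no loaded IKEv2 connection.
IKEV2_NO_CONN_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial parent SA message received on "
    r"[\d.]+:\d+ but no suitable connection found with IKEv2 policy"
)
# The reply pluto sends for such a request (no IKE SA is ever created).
NO_PROPOSAL_RE = re.compile(r"with unencrypted notification NO_PROPOSAL_CHOSEN")
# IKEv1 Main Mode completing: the legacy XAUTH/L2TP path still authenticates.
IKEV1_ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: STATE_MAIN_R3: sent MR3, '
    r"ISAKMP SA established"
)
# Any pluto WARNING, kept verbatim for the report.
WARNING_RE = re.compile(r"pluto\[\d+\]: .*?(WARNING: .*)$")


def triage_pluto_log(lines):
    """Summarise an iterable of pluto log lines into a report dict."""
    connections = []
    ikev2_rejected = Counter()     # peer address -> rejected IKE_SA_INIT count
    ikev1_established = Counter()  # (connection, peer) -> completed Main Modes
    no_proposal_chosen = 0
    warnings = []
    for line in lines:
        if m := ADDED_CONN_RE.search(line):
            connections.append(m.group(1))
        elif m := IKEV2_NO_CONN_RE.search(line):
            ikev2_rejected[m.group("peer")] += 1
        elif NO_PROPOSAL_RE.search(line):
            no_proposal_chosen += 1
        elif m := IKEV1_ESTABLISHED_RE.search(line):
            ikev1_established[(m.group("conn"), m.group("peer"))] += 1
        elif m := WARNING_RE.search(line):
            warnings.append(m.group(1))

    if ikev2_rejected:
        verdict = "ikev2-not-loaded"
        detail = (
            "pluto answered IKEv2 IKE_SA_INIT from %s with NO_PROPOSAL_CHOSEN "
            "because none of the loaded connections %s has an IKEv2 policy; "
            "the failure happens at IKE_SA_INIT, before IKE_AUTH, so no "
            "certificate was ever checked" % (sorted(ikev2_rejected), connections)
        )
    else:
        verdict = "no-ikev2-rejections"
        detail = "no IKEv2 request was rejected for lack of a matching connection"

    return {
        "connections": connections,
        "ikev2_rejected": ikev2_rejected,
        "no_proposal_chosen": no_proposal_chosen,
        "ikev1_established": ikev1_established,
        "warnings": warnings,
        "verdict": verdict,
        "detail": detail,
    }


# Constructed sample in the shape of the thread's log (RFC 5737 peer address,
# made-up container name "vpn-ctr"); not copied from any real system.
SAMPLE_LOG = """\
Jul 1 16:03:20 vpn-ctr pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 vpn-ctr pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 vpn-ctr pluto[2279]: listening for IKE messages
Jul 1 16:04:26 vpn-ctr pluto[2279]: packet from 203.0.113.5:61154: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:26 vpn-ctr pluto[2279]: packet from 203.0.113.5:61154: responding to IKE_SA_INIT (34) message (Message ID 0) from 203.0.113.5:61154 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:37 vpn-ctr pluto[2279]: packet from 203.0.113.5:61155: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:37 vpn-ctr pluto[2279]: packet from 203.0.113.5:61155: responding to IKE_SA_INIT (34) message (Message ID 0) from 203.0.113.5:61155 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:10:52 vpn-ctr pluto[2279]: "xauth-psk"[1] 203.0.113.5 #1: WARNING: connection xauth-psk PSK length of 11 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Jul 1 16:10:52 vpn-ctr pluto[2279]: "xauth-psk"[2] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
"""

if __name__ == "__main__":
    pprint(triage_pluto_log(SAMPLE_LOG.splitlines()))
```

Run against the thread's own log, the same logic reports that pluto loaded only `l2tp-psk` and `xauth-psk`, that every strongSwan IKE_SA_INIT was answered with NO_PROPOSAL_CHOSEN because "no suitable connection found with IKEv2 policy", and that the XAUTH peer still completed Main Mode: the IKEv2 connection is simply not loaded on the server, which is why the client sees an authentication failure before any certificate is examined. The "PSK length ... too short ... in FIPS mode" warning is only informational here, since the same log reports "FIPS Mode: NO".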

AES_CBC: Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_XCBC: Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Jul 1 16:03:20 475be817578b pluto[2279]: testing HMAC_MD5: Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 1 Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 2 Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 3 Jul 1 16:03:20 475be817578b pluto[2279]: 4 CPU cores online Jul 1 16:03:20 475be817578b pluto[2279]: starting up 3 crypto helpers Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 0 Jul 1 16:03:20 475be817578b 
pluto[2279]: seccomp security for crypto helper not supported Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 1 Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 2 Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported Jul 1 16:03:20 475be817578b pluto[2279]: Using Linux XFRM/NETKEY IPsec kernel support code on 4.19.122 Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security not supported Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk" Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk" Jul 1 16:03:20 475be817578b pluto[2279]: MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE Jul 1 16:03:20 475be817578b pluto[2279]: listening for IKE messages Jul 1 16:03:20 475be817578b pluto[2279]: Kernel supports NIC esp-hw-offload Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.17.0.2:500 Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 172.17.0.2:4500 Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo 127.0.0.1:4500 Jul 1 16:03:20 475be817578b pluto[2279]: loading secrets from "/etc/ipsec.secrets" Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61154 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: initial parent SA message received on 172.17.0.2:500 but no suitable 
connection found with IKEv2 policy Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61155 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61156 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61157 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61158 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61159 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: 
responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61160 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61161 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61162 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61163 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: responding to Main Mode from unknown peer 119.4.253.57:61164 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: WARNING: connection xauth-psk PSK length of 11 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required) Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R1: sent MR1, expecting MI2 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R2: sent MR2, expecting MI3 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12' Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: 
switched from "xauth-psk"[1] 119.4.253.57 to "xauth-psk" Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting connection "xauth-psk"[1] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0} Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12' Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024} Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0) Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file authentication method requested to authenticate user 'admin' Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file (/etc/ipsec.d/passwd) open. Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: success user(admin:xauth-psk) Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: User admin: Authentication Successful Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: xauth_inR1(STF_OK) Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024} Jul 1 16:10:52 475be817578b pluto[2279]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: modecfg_inR0(STF_OK) Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024} Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: the peer proposed: 0.0.0.0/0:0/0 -> 
192.168.43.10/32:0/0 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: responding to Quick Mode proposal {msgid:18c9ae5a} Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: us: 0.0.0.0/0===172.17.0.2[125.70.1.227,MS+XS+S=C] Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: them: 119.4.253.57[10.162.196.12,+MC+XC+S=C]===192.168.43.10/32 Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin} Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin} Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: received Delete SA(0xce4e6564) payload: deleting IPsec State #2 Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: deleting other state #2 (STATE_QUICK_R2) aged 22.159s and sending notification Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: ESP traffic information: in=12KB out=19KB XAUTHuser=admin Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting state (STATE_MODE_CFG_R1) aged 22.503s and sending notification Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57: deleting connection "xauth-psk"[2] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0} Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: responding to IKE_SA_INIT (34) message (Message ID 0) from 
119.4.253.57:62374 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62375 with unencrypted notification NO_PROPOSAL_CHOSEN Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62376 with unencrypted notification NO_PROPOSAL_CHOSEN 这是服务端的日志,我特地使用xauth链接再断开,再使用strongwan 链接。

@SuperCatss commented on GitHub (Jul 1, 2020):

image: https://user-images.githubusercontent.com/24800663/86269040-be2c9680-bbfb-11ea-9712-7a7d690ead2a.png
Two client certificates and one CA certificate have already been generated under the path mounted into the docker container.


@hwdsl2 commented on GitHub (Jul 2, 2020):

@SuperCatss IKEv2 has not been configured successfully on your server. The log shows:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"

If it had been configured successfully, it should show:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "ikev2-cp"

This indicates there may have been a problem when configuring IKEv2. Please check whether you are using the latest version of the Docker image [1]. If not, update the Docker image and re-create the container. Also check whether the last line of /etc/ipsec.conf inside your Docker container is include /etc/ipsec.d/*.conf. This line was added in the new image.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E6%9B%B4%E6%96%B0-docker-%E9%95%9C%E5%83%8F


@SuperCatss commented on GitHub (Jul 2, 2020):

I checked the image; it was pulled 6 days ago. id 0c3d6112c025
The last line of ipsec.conf is indeed include /etc/ipsec.d/*.conf

Here is the content of ipsec.conf:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=public IP
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns=192.168.2.1
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf


@hwdsl2 commented on GitHub (Jul 2, 2020):

@SuperCatss The configuration file looks fine. As mentioned above, if IKEv2 were configured successfully, the log should show:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "ikev2-cp"

So it may be that your Docker volume is not correctly mounted on the /etc/ipsec.d directory inside the container. You can enter the container to check, as described here [1]. Alternatively, you may need to restart the IPsec service inside the container.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C-bash-shell


@SuperCatss commented on GitHub (Jul 2, 2020):

The container service was already restarted after configuring IKEv2.
The mount should be correct:
docker inspect ipsec-vpn-server | grep Mounts -A 20
"Mounts": [
    {
        "Type": "volume",
        "Name": "ikev2-vpn-data",
        "Source": "/opt/docker/volumes/ikev2-vpn-data/_data",
        "Destination": "/etc/ipsec.d",
        "Driver": "local",
        "Mode": "z",
        "RW": true,
        "Propagation": ""
    }
],
"Config": {
    "Hostname": "475be817578b",
    "Domainname": "",
    "User": "",
    "AttachStdin": false,
    "AttachStdout": false,
    "AttachStderr": false,
    "ExposedPorts": {
        "4500/udp": {},

The generated certificate files do indeed exist under the path "/opt/docker/volumes/ikev2-vpn-data/_data".


@hwdsl2 commented on GitHub (Jul 2, 2020):

@SuperCatss If IKEv2 were configured successfully, the log should contain the text added connection description "ikev2-cp". Your configuration looks fine, and I don't know where the problem is either. If you want to try again, you can delete the volume ikev2-vpn-data and follow the instructions once more [1].

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%BD%BF%E7%94%A8-ikev2-vpn


@SuperCatss commented on GitHub (Jul 2, 2020):

I'll reconfigure it manually tonight.


@hwdsl2 commented on GitHub (Jul 2, 2020):

@SuperCatss I looked at your log again and found the problem. The log contains MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE, which means your Docker host system is running Ubuntu, which does not support MOBIKE, so after you enabled the MOBIKE option during setup the IKEv2 connection could not be loaded. To fix it, enter the Docker container using the steps above, edit /etc/ipsec.d/ikev2.conf, replace mobike=yes with mobike=no, and then restart the IPsec service with service ipsec restart. Give it a try and reply here if there are further problems.
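
The diagnosis above can be scripted: the startup section of the pluto log shows which connections loaded (no "ikev2-cp" here), every later IKE_SA_INIT is answered with NO_PROPOSAL_CHOSEN because no IKEv2 connection exists, and the MOBIKE warning explains why the conn with mobike=yes was never loaded. The following POSIX shell helper is an added example, not code from this issue or from the hwdsl2 project; the function names are hypothetical, the sample log is constructed from the lines posted earlier in this thread (client IP replaced with 192.0.2.10), and the ikev2.conf path comes from the comment above.

```shell
#!/bin/sh
# Added example, not part of the original issue or the hwdsl2 project.
# Triage a Libreswan pluto log for the two symptoms discussed in this thread:
#   1. the IKEv2 connection "ikev2-cp" never being loaded (only l2tp-psk and
#      xauth-psk appear in the "added connection description" lines), which
#      makes pluto answer every IKE_SA_INIT with NO_PROPOSAL_CHOSEN, and
#   2. the host kernel lacking MOBIKE support (CONFIG_XFRM_MIGRATE), which
#      prevents a conn with mobike=yes from loading at all.

# Constructed sample log modelled on the one posted above (client IP replaced
# with the documentation address 192.0.2.10).
pluto_sample_log() {
cat <<'EOF'
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE
Jul 1 16:03:20 475be817578b pluto[2279]: listening for IKE messages
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 192.0.2.10:61154: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 192.0.2.10:61154: responding to IKE_SA_INIT (34) message (Message ID 0) from 192.0.2.10:61154 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 192.0.2.10:61155: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 192.0.2.10:61155: responding to IKE_SA_INIT (34) message (Message ID 0) from 192.0.2.10:61155 with unencrypted notification NO_PROPOSAL_CHOSEN
EOF
}

# List the connection names pluto loaded at startup, one per line.
pluto_loaded_conns() {
    sed -n 's/.*added connection description "\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 if connection $2 appears in log $1, 1 otherwise.
pluto_conn_loaded() {
    pluto_loaded_conns "$1" | grep -qx -- "$2"
}

# Exit 0 if the kernel reported no MOBIKE support.
pluto_mobike_unsupported() {
    grep -q 'MOBIKE kernel support missing' "$1"
}

# Number of IKE_SA_INIT requests answered with NO_PROPOSAL_CHOSEN
# (what the strongSwan client reports as an authentication failure).
pluto_no_proposal_count() {
    grep -c 'responding to IKE_SA_INIT.*NO_PROPOSAL_CHOSEN' "$1" || true
}

# Combine the checks: $1 is the pluto log, $2 the IKEv2 conn file
# (/etc/ipsec.d/ikev2.conf in the hwdsl2 image). Prints one line and
# exits 0 when IKEv2 is loaded, 1 when something needs to change.
pluto_diagnose() {
    log=$1
    conf=$2
    if pluto_conn_loaded "$log" ikev2-cp; then
        echo "ok: ikev2-cp loaded"
        return 0
    fi
    if pluto_mobike_unsupported "$log" && grep -Eq '^[[:space:]]*mobike=yes' "$conf"; then
        echo "fix: set mobike=no in $conf, then run 'service ipsec restart'"
        return 1
    fi
    rejected=$(pluto_no_proposal_count "$log")
    echo "fix: ikev2-cp not loaded ($rejected IKE_SA_INIT rejected); check that /etc/ipsec.conf ends with 'include /etc/ipsec.d/*.conf' and that /etc/ipsec.d is the mounted volume"
    return 1
}

# Stand-alone demo on the constructed sample with a hypothetical ikev2.conf
# that still has mobike=yes (non-zero exit means action is needed).
demo_dir=$(mktemp -d)
pluto_sample_log > "$demo_dir/pluto.log"
printf 'conn ikev2-cp\n  mobike=yes\n' > "$demo_dir/ikev2.conf"
pluto_diagnose "$demo_dir/pluto.log" "$demo_dir/ikev2.conf" || true
rm -rf "$demo_dir"
```

On a real container the log and conn file would be taken from the container (docker logs, or /etc/ipsec.d/ikev2.conf inside it) instead of the constructed sample.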


@SuperCatss commented on GitHub (Jul 2, 2020):

Thanks for your help. That was indeed the problem, and the phone can now connect normally. I'm now starting to test it on Windows 10.
Also, can a single client certificate be distributed to multiple clients and used by them to connect at the same time?
Can logging be turned off manually, to preserve the container's storage space and performance?


@hwdsl2 commented on GitHub (Jul 2, 2020):

@SuperCatss It can be distributed to multiple clients, but they cannot connect at the same time. To connect simultaneously, a unique certificate must be generated for each client.

To turn off logging, you can try running apt-get remove rsyslog inside the container, or edit /etc/ipsec.conf and add logfile=/dev/null under config setup [1]; the line must start with two spaces. Then restart the IPsec service.

[1] https://libreswan.org/man/ipsec.conf.5.html
