[GH-ISSUE #204] Unable to have 2 vpn clients connected via IKEv2 #191

Closed
opened 2026-03-02 07:44:38 +03:00 by kerem · 6 comments

Originally created by @usmcfiredog on GitHub (Oct 2, 2020).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/204

Checklist

  • [x] I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • [x] I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • [x] I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • [x] I checked Troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • [x] I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. ... When connected via IKEv2 server using cert vpnclient1 and then try to connect on a different client with cert vpnclient2 I get an authentication error
  2. ...

Expected behavior
A clear and concise description of what you expected to happen.
Have multiple devices log in with different certs

Logs
ID_DER_ASN1_DN 'O=IKEv2 VPN,CN=vpnclient2' does not match expected 'CN=vpnclient1, O=IKEv2 VPN'
Peer CERT payload SubjectAltName does not match peer ID for this connection
X509: connection failed due to unmatched IKE ID in certificate SAN
Peer ID '@vpnclient2' is not specified on the certificate SubjectAltName (SAN) and no better connection found responding to IKE_AUTH message (ID 1) from 172.17.0.1:55157 with encrypted notification AUTHENTICATION_FAILED

Server (please complete the following information)

  • Docker host OS: macOS 10.15.7

Client (please complete the following information)

  • Device: iPhone Xs and MacBook Pro
  • OS: iOS 14.0.1 and 11.0
  • VPN mode: IKEv2

Additional context
Add any other context about the problem here.
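The four libreswan lines in the report above carry everything needed to tell a genuine bad client certificate apart from the server matching the second client against the wrong connection. The following is an added example (not code from the reporter or from the hwdsl2 project) that parses those lines: it normalises the two DNs, which libreswan prints with different attribute order and spacing, lists the attributes that actually differ, pulls out the peer ID, source address and notification, and summarises what the mismatch implies. The sample log is the issue's own four lines plus one constructed noise line; the regex patterns and the `diagnose` wording are this example's assumptions, not libreswan output formats documented by the project.

```python
import json
import re

# Constructed sample input: the four libreswan lines quoted in the issue body,
# plus one made-up noise line to show that the analyzer ignores unrelated output.
SAMPLE_LOG = """\
packet from 172.17.0.1:55157: (constructed noise line, ignored by the analyzer)
ID_DER_ASN1_DN 'O=IKEv2 VPN,CN=vpnclient2' does not match expected 'CN=vpnclient1, O=IKEv2 VPN'
Peer CERT payload SubjectAltName does not match peer ID for this connection
X509: connection failed due to unmatched IKE ID in certificate SAN
Peer ID '@vpnclient2' is not specified on the certificate SubjectAltName (SAN) and no better connection found responding to IKE_AUTH message (ID 1) from 172.17.0.1:55157 with encrypted notification AUTHENTICATION_FAILED
"""

# Patterns written against the lines above (assumed shapes, not a libreswan spec).
DN_MISMATCH_RE = re.compile(
    r"ID_DER_ASN1_DN '(?P<presented>[^']+)' does not match expected '(?P<expected>[^']+)'"
)
PEER_ID_RE = re.compile(
    r"Peer ID '(?P<peer_id>[^']+)' is not specified on the certificate SubjectAltName"
    r".*?from (?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r" with encrypted notification (?P<notify>[A-Z_]+)"
)


def parse_dn(dn: str) -> dict:
    """Split a simple 'O=IKEv2 VPN,CN=vpnclient2' style DN into attribute -> value.

    The log prints the same DN once as 'O=...,CN=...' and once as 'CN=..., O=...',
    so attribute order and spacing are normalised. Escaped commas inside values
    are not handled; the DNs in these logs do not contain any.
    """
    out = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out[attr.strip().upper()] = value.strip()
    return out


def dn_differences(a: dict, b: dict) -> list:
    """Attribute types whose value differs or is missing on one side, sorted."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def diagnose(report: dict) -> str:
    """Turn the extracted fields into a one-line reading of the failure."""
    mismatched = report.get("mismatched", [])
    peer_cn = report.get("peer_id", "").lstrip("@")
    presented_cn = report.get("presented", {}).get("CN")
    if mismatched == ["CN"] and peer_cn == presented_cn:
        # The client's IKE ID and its certificate agree with each other; only the
        # server's expectation (a different CN) disagrees. That points at the
        # server-side connection definition (in this issue, the '@' prefix on the
        # server IP in the config) rather than at the client certificate.
        return (
            "client identity is self-consistent (ID and certificate CN match); the "
            f"server matched this IKE_AUTH against a connection expecting CN="
            f"{report['expected'].get('CN')}. Review the server connection's ID "
            "settings, not the client certificate."
        )
    if mismatched:
        return "client ID and certificate disagree on: " + ", ".join(mismatched)
    return "no DN mismatch"


def analyze(log_text: str) -> dict:
    """Walk the log once and collect the X.509 ID-mismatch evidence, if present."""
    report = {"found": False}
    for line in log_text.splitlines():
        m = DN_MISMATCH_RE.search(line)
        if m:
            presented = parse_dn(m["presented"])
            expected = parse_dn(m["expected"])
            report.update(
                found=True,
                presented=presented,
                expected=expected,
                mismatched=dn_differences(presented, expected),
            )
            continue
        m = PEER_ID_RE.search(line)
        if m:
            report.update(
                peer_id=m["peer_id"],
                source=f"{m['addr']}:{m['port']}",
                notification=m["notify"],
            )
    if report["found"]:
        report["diagnosis"] = diagnose(report)
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it as a script to see the report for the issue's log, or feed `analyze()` the output of the server's libreswan log to get the same fields for a live failure. The useful signal is the `mismatched` list: when it contains only `CN` and the peer ID equals the presented CN, the second client is being rejected because the server matched it against the connection already bound to the first client's name, which is the multiple-clients-behind-one-NAT case this issue describes.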
kerem closed this issue 2026-03-02 07:44:38 +03:00

@hwdsl2 commented on GitHub (Nov 7, 2020):

@usmcfiredog Thanks for reporting this issue. Connecting multiple IKEv2 clients from behind the same NAT requires setting the "local ID" field to match the VPN client name. Please follow these client configuration instructions [1], make sure to complete the "local ID" step. For context, see [2] [3].

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients
[2] https://github.com/hwdsl2/setup-ipsec-vpn/commit/71dc5bab01d316e986f46ac1a61f9eb110cc6d6a
[3] libreswan/libreswan#237

@usmcfiredog commented on GitHub (Nov 7, 2020):

I have followed those steps and it is still referring to the local ID of the already connected device and won't let the second device connect.

@hwdsl2 commented on GitHub (Nov 7, 2020):

@usmcfiredog Did you fill in the "Local ID" field for both the first and second VPN client devices in their VPN configurations? In addition, those IDs must match the VPN client names you specified during IKEv2 setup, respectively (same as the filename without extension of your .p12 files). This did work fine in my tests.

@usmcfiredog commented on GitHub (Nov 7, 2020):

yes I did. for the first client I put the same exact name in the local id as I used to create the .p12. I used a different name for the second client and made sure that local id matched exactly.

@hwdsl2 commented on GitHub (Feb 2, 2021):

@usmcfiredog Update - The root cause for this issue (connecting multiple IKEv2 clients simultaneously from behind the same NAT) has been identified, and a fix was submitted in https://github.com/hwdsl2/setup-ipsec-vpn/commit/954b2acb7c3150b6b641fed431a7d518e6abf94d. To fix this issue on your VPN server, see https://github.com/hwdsl2/setup-ipsec-vpn/issues/924#issuecomment-771327878.

@usmcfiredog commented on GitHub (Feb 2, 2021):

@hwdsl2 I went into the config file and removed the '@' next to the IP address and it works as expected. Thank you.
