[GH-ISSUE #216] Connecting but not passing any traffic #201

Closed
opened 2026-03-02 07:44:43 +03:00 by kerem · 5 comments

Originally created by @AjayP13 on GitHub (Nov 27, 2020).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/216

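Checklist

  • [X] I read the README
  • [X] I read the Important notes
  • [X] I followed instructions to configure VPN clients
  • [X] I checked Troubleshooting, enabled logs and checked VPN status
  • [X] I searched existing Issues
  • [X] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself
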
Describe the issue
The VPN is running on Ubuntu 20.04 (Raspberry Pi). I am connecting from a Mac, and I tried selecting both the "L2TP" and "Cisco IPSec" options on the Mac. In both cases, it connects successfully, but the traffic is not being passed through the VPN. I have used this Docker image before on servers and it's worked fine. I tried reading some other GitHub issues, and it seems like PPP is enabled in the kernel based on running:

sudo modprobe l2tp_ppp

which doesn't yield any errors.

Have any idea what's happening or anything else I can try? Thanks.

Logs

xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: Connection established to 172.17.0.1, 60964.  Local: 39111, Remote: 9 (ref=0/0).  LNS session is 'default'
xl2tpd[1]: start_pppd: I'm running: 
xl2tpd[1]: "/usr/sbin/pppd" 
xl2tpd[1]: "plugin" 
xl2tpd[1]: "pppol2tp.so" 
xl2tpd[1]: "pppol2tp" 
xl2tpd[1]: "7" 
xl2tpd[1]: "pppol2tp_lns_mode" 
xl2tpd[1]: "pppol2tp_tunnel_id" 
xl2tpd[1]: "39111" 
xl2tpd[1]: "pppol2tp_session_id" 
xl2tpd[1]: "51270" 
xl2tpd[1]: "passive" 
xl2tpd[1]: "nodetach" 
xl2tpd[1]: "192.168.42.1:192.168.42.10" 
xl2tpd[1]: "refuse-pap" 
xl2tpd[1]: "auth" 
xl2tpd[1]: "require-chap" 
xl2tpd[1]: "name" 
xl2tpd[1]: "l2tpd" 
xl2tpd[1]: "file" 
xl2tpd[1]: "/etc/ppp/options.xl2tpd" 
xl2tpd[1]: Call established with 172.17.0.1, PID: 274, Local: 51270, Remote: 45950, Serial: 1
xl2tpd[1]: write_packet: tty is not open yet.
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 274
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, port 60964 (), Local: 39111, Remote: 9
xl2tpd[1]: Connection established to 172.17.0.1, 63354.  Local: 49967, Remote: 10 (ref=0/0).  LNS session is 'default'
xl2tpd[1]: start_pppd: I'm running: 
xl2tpd[1]: "/usr/sbin/pppd" 
xl2tpd[1]: "plugin" 
xl2tpd[1]: "pppol2tp.so" 
xl2tpd[1]: "pppol2tp" 
xl2tpd[1]: "7" 
xl2tpd[1]: "pppol2tp_lns_mode" 
xl2tpd[1]: "pppol2tp_tunnel_id" 
xl2tpd[1]: "49967" 
xl2tpd[1]: "pppol2tp_session_id" 
xl2tpd[1]: "27718" 
xl2tpd[1]: "passive" 
xl2tpd[1]: "nodetach" 
xl2tpd[1]: "192.168.42.1:192.168.42.10" 
xl2tpd[1]: "refuse-pap" 
xl2tpd[1]: "auth" 
xl2tpd[1]: "require-chap" 
xl2tpd[1]: "name" 
xl2tpd[1]: "l2tpd" 
xl2tpd[1]: "file" 
xl2tpd[1]: "/etc/ppp/options.xl2tpd" 
xl2tpd[1]: Call established with 172.17.0.1, PID: 298, Local: 27718, Remote: 46099, Serial: 1
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 298
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, port 63354 (), Local: 49967, Remote: 10

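Server (please complete the following information)

  • Docker host OS: Ubuntu 20.04 Server Edition (Raspberry Pi) (https://ubuntu.com/download/raspberry-pi)
  • Hosting provider (if applicable): N/A
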
Client (please complete the following information)

  • Device: Mac OS
  • OS: 10.15
  • VPN mode: Both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") don't work

Additional context
N/A

kerem closed this issue 2026-03-02 07:44:43 +03:00

@hwdsl2 commented on GitHub (Nov 27, 2020):

@AjayP13 Hello! This does not seem to be a ppp issue. Can you enable Libreswan logs [1], try re-connecting the VPN, then post the logs here with IPs redacted? Also, how did you create/run the VPN container, did you use the same command as in [2]?

In addition, please make sure you are using the latest version of this Docker image, and VPN_SHA2_TRUNCBUG=yes is NOT set in your env file.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#enable-libreswan-logs
[2] https://github.com/hwdsl2/docker-ipsec-vpn-server#start-the-ipsec-vpn-server
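
One way to do the "IPs redacted" step requested above before pasting pluto or xl2tpd output into a public issue (an added example, not part of the original thread or of the project's tooling). The function name, the placeholder format and the sample lines are constructed for illustration; 203.0.113.7 and 198.51.100.23 are documentation addresses standing in for public IPs, and the choice to keep RFC 1918, loopback and link-local addresses readable is an assumption about what is useful for debugging.

```python
import ipaddress
import re
import sys

# Addresses that are left readable: they identify no one on the Internet and
# are what a maintainer needs to follow the NAT / Docker bridge path.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
)]

# A dotted quad that is not part of a longer dotted number. A trailing "."
# that ends a sentence is allowed, so "... from 203.0.113.7." is still caught.
_IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")


def redact_public_ips(text):
    """Return (redacted_text, mapping).

    Every distinct non-kept IPv4 address is replaced by a stable placeholder
    (REDACTED-1, REDACTED-2, ...), so a reader can still tell which log lines
    refer to the same peer without learning the address itself.
    """
    mapping = {}

    def _sub(match):
        raw = match.group(1)
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:
            return raw                      # e.g. 999.1.1.1: not an address
        if any(addr in net for net in KEEP_NETS):
            return raw
        if raw not in mapping:
            mapping[raw] = "REDACTED-%d" % (len(mapping) + 1)
        return mapping[raw]

    return _IPV4_RE.sub(_sub, text), mapping


# Constructed sample, modelled on the pluto line formats seen in this thread.
SAMPLE_LOG = """\
Nov 27 22:25:06 host pluto[1708]: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800)
Nov 27 22:25:56 host pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.131'
Nov 27 22:25:57 host pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: the peer proposed: 203.0.113.7/32:17/1701 -> 192.168.0.131/32:17/0
Nov 27 22:25:57 host pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2:     us: 172.17.0.2[203.0.113.7]:17/1701
Nov 27 22:25:58 host pluto[1708]: "l2tp-psk"[3] 198.51.100.23 #3: responding to Main Mode from unknown peer 198.51.100.23:58015
"""

if __name__ == "__main__":
    # Filter mode: pipe log text in, paste the output. With no piped input,
    # run on the constructed sample instead.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    redacted, seen = redact_public_ips(source)
    sys.stdout.write(redacted)
    sys.stderr.write("redacted %d distinct address(es)\n" % len(seen))
```

The mapping returned alongside the text stays on the local machine; only the redacted text is meant to be posted.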


@AjayP13 commented on GitHub (Nov 27, 2020):

Thanks for the quick reply.

Yes, I am running the latest Docker image and do not have that env variable set. I am running it exactly as it is shown in the link.

Here are the libreswan logs:

Nov 27 22:25:04 cb98743e08a8 pluto[256]: shutting down
Nov 27 22:25:04 cb98743e08a8 pluto[256]: 3 helper threads shutdown
Nov 27 22:25:04 cb98743e08a8 pluto[256]: forgetting secrets
Nov 27 22:25:04 cb98743e08a8 pluto[256]: shutting down interface lo 127.0.0.1:4500
Nov 27 22:25:04 cb98743e08a8 pluto[256]: shutting down interface lo 127.0.0.1:500
Nov 27 22:25:04 cb98743e08a8 pluto[256]: shutting down interface eth0 172.17.0.2:4500
Nov 27 22:25:04 cb98743e08a8 pluto[256]: shutting down interface eth0 172.17.0.2:500
Nov 27 22:25:04 cb98743e08a8 ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
Nov 27 22:25:05 cb98743e08a8 ipsec__plutorun: Starting Pluto
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: NSS DB directory: sql:/etc/ipsec.d
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Initializing NSS
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Opening NSS database "sql:/etc/ipsec.d" read-only
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: FIPS Mode: NO
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: NSS crypto library initialized
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: FIPS mode disabled for pluto daemon
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: FIPS HMAC integrity support [disabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: libcap-ng support [enabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Linux audit support [disabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Starting Pluto (Libreswan Version 4.1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) (native-PRF) LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:1708
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: core dump dir: /run/pluto
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: secrets file: /etc/ipsec.secrets
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: leak-detective disabled
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: NSS crypto [enabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: XAUTH PAM support [enabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: NAT-Traversal support  [enabled]
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Encryption algorithms:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Hash algorithms:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: PRF algorithms:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Integrity algorithms:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: DH algorithms:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing CAMELLIA_CBC:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Camellia: 16 bytes with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Camellia: 16 bytes with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Camellia: 16 bytes with 256-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Camellia: 16 bytes with 256-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing AES_GCM_16:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   empty string
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   one block
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   two blocks
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   two blocks with associated data
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing AES_CTR:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 16 octets using AES-CTR with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 32 octets using AES-CTR with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 36 octets using AES-CTR with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 16 octets using AES-CTR with 192-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 32 octets using AES-CTR with 192-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 36 octets using AES-CTR with 192-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 16 octets using AES-CTR with 256-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 32 octets using AES-CTR with 256-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 36 octets using AES-CTR with 256-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing AES_CBC:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing AES_XCBC:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing HMAC_MD5:
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 2104: MD5_HMAC test 1
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 2104: MD5_HMAC test 2
Nov 27 22:25:06 cb98743e08a8 pluto[1708]:   RFC 2104: MD5_HMAC test 3
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: 4 CPU cores online
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: starting up 3 helper threads
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 0
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 1
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 2
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Using Linux XFRM/NETKEY IPsec kernel support code on 5.4.0-1015-raspi
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security not supported
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: added IKEv1 connection "l2tp-psk"
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: added IKEv1 connection "xauth-psk"
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: listening for IKE messages
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Kernel supports NIC esp-hw-offload
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface eth0 172.17.0.2:500
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface eth0 172.17.0.2:4500
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface lo 127.0.0.1:500
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface lo 127.0.0.1:4500
Nov 27 22:25:06 cb98743e08a8 pluto[1708]: loading secrets from "/etc/ipsec.secrets"
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: responding to Main Mode from unknown peer 172.17.0.1:58015
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: sent Main Mode R1
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: sent Main Mode R2
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.131'
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: switched from "l2tp-psk"[1] 172.17.0.1 to "l2tp-psk"
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0}
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.131'
Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: the peer proposed: XX.XX.XX.XX/32:17/1701 -> 192.168.0.131/32:17/0
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: responding to Quick Mode proposal {msgid:442d6ac2}
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2:     us: 172.17.0.2[XX.XX.XX.XX]:17/1701
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2:   them: 172.17.0.1[192.168.0.131]:17/65196
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x09494a6c <0x181e9da1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.0.131 NATD=172.17.0.1:50688 DPD=active}
Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: IPsec SA established transport mode {ESPinUDP=>0x09494a6c <0x181e9da1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.0.131 NATD=172.17.0.1:50688 DPD=active}
Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: received Delete SA(0x09494a6c) payload: deleting IPsec State #2
Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: deleting other state #2 (STATE_QUICK_R2) aged 14.503364s and sending notification
Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: ESP traffic information: in=9KB out=6KB
Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: deleting state (STATE_MAIN_R3) aged 15.694599s and sending notification
Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0}
4: AES-XCBC-MAC-96 with 20-byte input Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Nov 27 22:25:06 cb98743e08a8 pluto[1708]: testing HMAC_MD5: Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 2104: MD5_HMAC test 1 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 2104: MD5_HMAC test 2 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: RFC 2104: MD5_HMAC test 3 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: 4 CPU cores online Nov 27 22:25:06 cb98743e08a8 pluto[1708]: starting up 3 helper threads Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 0 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 1 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: started thread for helper 2 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Using Linux XFRM/NETKEY IPsec kernel support code on 5.4.0-1015-raspi Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security not supported Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported Nov 27 22:25:06 cb98743e08a8 pluto[1708]: added IKEv1 connection "l2tp-psk" Nov 27 22:25:06 cb98743e08a8 pluto[1708]: seccomp security for helper not supported Nov 27 22:25:06 cb98743e08a8 pluto[1708]: added IKEv1 connection "xauth-psk" Nov 27 22:25:06 cb98743e08a8 pluto[1708]: listening for IKE messages Nov 27 22:25:06 cb98743e08a8 pluto[1708]: Kernel supports 
NIC esp-hw-offload Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface eth0 172.17.0.2:500 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface eth0 172.17.0.2:4500 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface lo 127.0.0.1:500 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: adding UDP interface lo 127.0.0.1:4500 Nov 27 22:25:06 cb98743e08a8 pluto[1708]: loading secrets from "/etc/ipsec.secrets" Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: responding to Main Mode from unknown peer 172.17.0.1:58015 Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: sent Main Mode R1 Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: sent Main Mode R2 Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28 Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.131' Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1 #1: switched from "l2tp-psk"[1] 172.17.0.1 to "l2tp-psk" Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[1] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0} Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.131' Nov 27 22:25:56 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: the peer proposed: XX.XX.XX.XX/32:17/1701 -> 192.168.0.131/32:17/0 Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: NAT-Traversal: received 2 NAT-OA. 
Using first; ignoring others Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: responding to Quick Mode proposal {msgid:442d6ac2} Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: us: 172.17.0.2[XX.XX.XX.XX]:17/1701 Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: them: 172.17.0.1[192.168.0.131]:17/65196 Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x09494a6c <0x181e9da1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.0.131 NATD=172.17.0.1:50688 DPD=active} Nov 27 22:25:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: IPsec SA established transport mode {ESPinUDP=>0x09494a6c <0x181e9da1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.0.131 NATD=172.17.0.1:50688 DPD=active} Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: received Delete SA(0x09494a6c) payload: deleting IPsec State #2 Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: deleting other state #2 (STATE_QUICK_R2) aged 14.503364s and sending notification Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #2: ESP traffic information: in=9KB out=6KB Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1 #1: deleting state (STATE_MAIN_R3) aged 15.694599s and sending notification Nov 27 22:26:11 cb98743e08a8 pluto[1708]: "l2tp-psk"[2] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0} ```

@AjayP13 commented on GitHub (Nov 27, 2020):

The previous log was from connecting from my laptop on the same WiFi network as the VPN Ubuntu server. Here's my laptop connecting from a mobile 4G tether (connects but still no traffic pass-through) in case that makes a difference:

Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: responding to Main Mode from unknown peer 172.17.0.1:48088
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: sent Main Mode R1
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: sent Main Mode R2
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: Peer ID is ID_IPV4_ADDR: '192.168.43.87'
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1 #3: switched from "l2tp-psk"[3] 172.17.0.1 to "l2tp-psk"
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[3] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0}
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: Peer ID is ID_IPV4_ADDR: '192.168.43.87'
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: the peer proposed: XX.XX.XX.XX/32:17/1701 -> 192.168.43.87/32:17/0
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: responding to Quick Mode proposal {msgid:7b6a293b}
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4:     us: 172.17.0.2[XX.XX.XX.XX]:17/1701
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4:   them: 172.17.0.1[192.168.43.87]:17/58336
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x0c7f856d <0xadc15723 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.43.87 NATD=172.17.0.1:60053 DPD=active}
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: IPsec SA established transport mode {ESPinUDP=>0x0c7f856d <0xadc15723 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.43.87 NATD=172.17.0.1:60053 DPD=active}
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: received Delete SA(0x0c7f856d) payload: deleting IPsec State #4
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: deleting other state #4 (STATE_QUICK_R2) aged 16.816418s and sending notification
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: ESP traffic information: in=18KB out=23KB
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: deleting state (STATE_MAIN_R3) aged 17.923057s and sending notification
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0}

@hwdsl2 commented on GitHub (Nov 27, 2020):

@AjayP13 Your Libreswan logs look normal. For macOS, make sure that the "Send all traffic over VPN connection" option is enabled, and check the service order. See [1] for more details. Let me know if this fixes the issue for you.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#macos-send-traffic-over-vpn
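
The triage behind "logs look normal" can be scripted. The following is an added example, not part of the original thread or the project's code: it groups pluto lines by connection instance and reports how far each one got. The names `summarize` and `diagnose` are hypothetical, the `[5]` session in the sample is constructed, and the parser assumes IPv4 peers and `B`/`KB`/`MB`/`GB` suffixes on the ESP counters.

```python
import re

# Sample input: the "[4]" lines are taken from the log posted in this thread;
# the "[5]" lines are constructed to show a negotiation that stops after IKE.
SAMPLE_LOG = '''\
Nov 27 22:31:40 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Nov 27 22:31:41 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: IPsec SA established transport mode {ESPinUDP=>0x0c7f856d <0xadc15723 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.43.87 NATD=172.17.0.1:60053 DPD=active}
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #3: received Delete SA(0x0c7f856d) payload: deleting IPsec State #4
Nov 27 22:31:57 cb98743e08a8 pluto[1708]: "l2tp-psk"[4] 172.17.0.1 #4: ESP traffic information: in=18KB out=23KB
Nov 27 22:40:02 cb98743e08a8 pluto[1708]: "l2tp-psk"[5] 172.17.0.1 #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Nov 27 22:40:30 cb98743e08a8 pluto[1708]: "l2tp-psk"[5] 172.17.0.1: deleting connection instance with peer 172.17.0.1 {isakmp=#0/ipsec=#0}
'''

# "conn"[instance] peer [#state]: message  (the #state part is optional)
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
                  r'(?P<peer>[0-9.]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$')
ESP = re.compile(r'ESP traffic information: in=(\d+)([KMG]?B)? out=(\d+)([KMG]?B)?')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def summarize(log_text):
    """Return {(conn, instance): facts} for every connection instance in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-connection pluto line (startup banner, xl2tpd, ...)
        s = sessions.setdefault((m["conn"], m["inst"]), {
            "ike": False, "ipsec": False, "esp_in": 0, "esp_out": 0,
            "peer_closed": False})
        msg = m["msg"]
        if msg.startswith("IKE SA established"):
            s["ike"] = True
        elif msg.startswith("IPsec SA established"):
            s["ipsec"] = True
        elif msg.startswith("received Delete SA"):
            s["peer_closed"] = True  # the client asked for the teardown
        else:
            e = ESP.match(msg)
            if e:
                s["esp_in"] = int(e[1]) * UNITS[e[2] or "B"]
                s["esp_out"] = int(e[3]) * UNITS[e[4] or "B"]
    return sessions


def diagnose(s):
    """Map the facts for one instance to the next place to look."""
    if not s["ike"]:
        return "IKE (phase 1) never completed: look at the server side first"
    if not s["ipsec"]:
        return "IKE completed but no IPsec SA was established"
    if s["esp_in"] and s["esp_out"]:
        return "server negotiated and passed ESP both ways: check client routing"
    return "SA established but ESP counters are empty in at least one direction"


if __name__ == "__main__":
    for (conn, inst), facts in summarize(SAMPLE_LOG).items():
        print(f"{conn}[{inst}]: {diagnose(facts)}")
```

Non-zero ESP counters only show that encrypted packets moved between the peers, which includes L2TP/PPP setup; they do not prove that the client routes its own traffic into the tunnel.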


@AjayP13 commented on GitHub (Nov 27, 2020):

Awesome, that worked. Thanks a lot, it's a great project! I isolated it to the service order being the problem here for future reference.
