[GH-ISSUE #330] Unable to connect via IKEv2 #308

Closed
opened 2026-03-02 08:01:15 +03:00 by kerem · 5 comments
Owner

Originally created by @ejhsu on GitHub (Nov 30, 2022).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/330

Checklist

  • I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • I checked Troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
After following the instructions at Start the IPsec VPN server (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#start-the-ipsec-vpn-server), the server can be run successfully and could be connected via L2TP/IPSec PSK mode on my Mac.
But it cannot be connected via IKEv2 mode on Mac and Android.

To Reproduce
0. Prepare vpn.env file with content

```
VPN_IPSEC_PSK=12345678
VPN_USER=vpnuser
VPN_PASSWORD=vpnpassword
```

1. Start the server by

```
docker run \
    --name ipsec-vpn-server \
    --env-file ./vpn.env \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v /lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server
```

2. Download .mobileconfig to Mac and .sswan to Android device.
3. Use native client on Mac and Strongswan on Android
4. Following instructions (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients) to setup clients
5. Error occurred
  • "An unexpected error occurred" on Mac
    image: https://user-images.githubusercontent.com/7301633/204780561-c0eced95-92a9-43e8-aa9f-9ee65c8f4d0f.png
  • "Failed to establish VPN: User authentication failed" on Android Strongswan

```
Nov 30 19:31:50 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nov 30 19:31:50 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 13 - TP1A.221105.002/2022-11-05, Pixel 5 - google/redfin/Google, Linux 4.19.239-g248fa42a73b2-ab9062766, aarch64)
Nov 30 19:31:50 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Nov 30 19:31:50 00[JOB] spawning 16 worker threads
Nov 30 19:31:50 07[CFG] loaded user certificate 'CN=vpnclient, O=IKEv2 VPN' and private key
Nov 30 19:31:50 07[CFG] loaded CA certificate 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Nov 30 19:31:50 07[IKE] initiating IKE_SA android[9] to **SERVER IP**
Nov 30 19:31:50 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 30 19:31:50 07[NET] sending packet: from 10.35.152.69[38611] to **SERVER IP**[500] (464 bytes)
Nov 30 19:31:50 10[NET] received packet: from **SERVER IP**[500] to 10.35.152.69[38611] (36 bytes)
Nov 30 19:31:50 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 30 19:31:50 10[IKE] received NO_PROPOSAL_CHOSEN notify error
```

Expected behavior
VPN Connected

Logs

Server Logs

connecting on Mac

```
2022-11-30T11:20:20.586516+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:20:20.586535+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
2022-11-30T11:20:20.730408+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:20:20.730429+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
```

connecting on Android

```
2022-11-30T11:23:41.643563+00:00 45d27ece040a pluto[1583]: packet from 223.140.152.69:58440: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:23:41.643584+00:00 45d27ece040a pluto[1583]: packet from 223.140.152.69:58440: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
```

Server

  • Docker host OS: Google, Container-Optimized OS, 101-17162.40.34 LTS, Kernel: COS-5.15.65 Kubernetes: 1.23.10 Docker: 20.10.12 Family: cos-101-lts, supports Shielded VM features
  • Hosting provider: GCP

Client

Device#1

  • Device: Macbook
  • OS: MacOS 12.6
  • VPN mode: IKEv2

Device#2

  • Device: Pixel5
  • OS: Android 13
  • VPN mode: IKEv2

Are there mismatches between cipher suites accepted by server and specified in client config file or something?

Thanks!

kerem closed this issue 2026-03-02 08:01:15 +03:00

@hwdsl2 commented on GitHub (Nov 30, 2022):

@ejhsu Hello! Thanks for reporting this issue with details. Your issue is similar to #323. The "no suitable connection" error typically means that either the IKEv2 connection did not load successfully at Libreswan startup, or it could be that Libreswan listens to an IP address that is NOT where the connection request came from. The latter is less likely.

It looks like you already enabled Libreswan logs:

https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs

Restart the Docker container `docker restart ipsec-vpn-server`, then check the logs again. See if there is a specific error in the logs why the IKEv2 connection did not load.

You can also run:

```
docker exec -it ipsec-vpn-server ipsec status
```

Check if the output contains 3 loaded connections. "ikev2-cp" is the IKEv2 connection.


@ejhsu commented on GitHub (Nov 30, 2022):

Thanks for your reply.

After restarting the container and investigating the log at /var/log/auth.log, I found the line with IKEv2 error:

```
2022-11-30T14:16:47.772425+00:00 45d27ece040a pluto[396]: "l2tp-psk": added IKEv1 connection
2022-11-30T14:16:47.772898+00:00 45d27ece040a pluto[396]: "xauth-psk": added IKEv1 connection
2022-11-30T14:16:47.773193+00:00 45d27ece040a pluto[396]: "ikev2-cp": failed to add connection: MOBIKE kernel support missing for xfrm interface: CONFIG_XFRM_MIGRATE
```

Seems that it's failed to load IKEv2 connection, but I'm not sure how to fix it.

Updated:
Given the error message, I found the related previous issue https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/199#issuecomment-652821751
Following the instructions in the comment, I can connect to the server via IKEv2 now.

Thanks @hwdsl2!


@hwdsl2 commented on GitHub (Nov 30, 2022):

@ejhsu The root cause for this issue is that MOBIKE was enabled (by the IKEv2 script) in the container, but your Docker host's kernel does not support MOBIKE. The fix is straightforward:

First, open a Bash shell inside the Docker container, and install the `nano` editor. Instructions at:
https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container

After that, edit `/etc/ipsec.d/ikev2.conf` inside the Docker container:

```
nano /etc/ipsec.d/ikev2.conf
```

Find the line `mobike=yes` and replace `yes` with `no`. Then exit the Bash shell and restart the Docker container. You will find that the IKEv2 connection now loads successfully.

What is your Docker host's Linux kernel? Check using `uname -a` and post the output here. I'd like to add a fix in the IKEv2 script to prevent this issue on this OS for future users.

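The triage and fix described in the two maintainer comments above (read the pluto log for why "ikev2-cp" did not load, check whether the host kernel has CONFIG_XFRM_MIGRATE, then set `mobike=no` in `ikev2.conf`) as one shell script. This is an added example, not code from the hwdsl2/docker-ipsec-vpn-server project or its IKEv2 script. It assumes a plain-text kernel config file is available to read (for example `/boot/config-$(uname -r)` or the output of `zcat /proc/config.gz`), and the `"ikev2-cp": added IKEv2 connection` wording for a successful load is inferred from the IKEv1 lines in the thread, not taken from it. The log lines, kernel config and `ikev2.conf` fed to `demo` are constructed samples modelled on this issue.

```shell
#!/bin/sh
# Added example (not the project's code): automate the checks from this thread.
set -eu

# How did the "ikev2-cp" connection fare according to Libreswan pluto log lines?
# Prints loaded | failed | absent and always exits 0 so it is safe inside $(...).
ikev2_conn_state() {
    if grep -q '"ikev2-cp": failed to add connection' "$1"; then
        echo failed
    elif grep -q '"ikev2-cp": added IKEv2 connection' "$1"; then  # assumed wording
        echo loaded
    else
        echo absent
    fi
}

# Count IKE_SA_INIT requests the server answered with NO_PROPOSAL_CHOSEN.
# A non-zero count next to a "failed" ikev2-cp state is the signature in this issue.
count_no_proposal() {
    grep -c 'unencrypted notification NO_PROPOSAL_CHOSEN' "$1" || true
}

# Does a kernel config file enable MOBIKE support (CONFIG_XFRM_MIGRATE)?
kernel_has_xfrm_migrate() {
    grep -Eq '^CONFIG_XFRM_MIGRATE=(y|m)$' "$1"
}

# The workaround from the thread: mobike=yes -> mobike=no, whitespace preserved.
# Rewrites through a temp file so it behaves the same with GNU and BSD sed.
disable_mobike() {
    sed 's/^\([[:space:]]*\)mobike=yes[[:space:]]*$/\1mobike=no/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read back the current mobike value: prints yes, no, or unset.
mobike_setting() {
    sed -n 's/^[[:space:]]*mobike=\([a-z]*\).*/\1/p' "$1" | head -n 1 | grep . || echo unset
}

# Run the whole flow on constructed inputs and return a one-line summary.
demo() {
    d=$(mktemp -d)
    # Constructed pluto log: the three "added/failed" lines and two rejected IKE_SA_INIT requests.
    cat > "$d/auth.log" <<'EOF'
2022-11-30T14:16:47.772425+00:00 45d27ece040a pluto[396]: "l2tp-psk": added IKEv1 connection
2022-11-30T14:16:47.772898+00:00 45d27ece040a pluto[396]: "xauth-psk": added IKEv1 connection
2022-11-30T14:16:47.773193+00:00 45d27ece040a pluto[396]: "ikev2-cp": failed to add connection: MOBIKE kernel support missing for xfrm interface: CONFIG_XFRM_MIGRATE
2022-11-30T11:20:20.586535+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
2022-11-30T11:23:41.643584+00:00 45d27ece040a pluto[1583]: packet from 223.140.152.69:58440: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
EOF
    # Constructed kernel config without MOBIKE, like the COS 5.15 host in the thread.
    printf '# constructed sample\nCONFIG_XFRM=y\n# CONFIG_XFRM_MIGRATE is not set\n' > "$d/kconfig"
    # Constructed minimal ikev2.conf with the setting that fails to load.
    printf 'conn ikev2-cp\n  left=%%defaultroute\n  mobike=yes\n' > "$d/ikev2.conf"

    state=$(ikev2_conn_state "$d/auth.log")
    rejected=$(count_no_proposal "$d/auth.log")
    if kernel_has_xfrm_migrate "$d/kconfig"; then migrate=yes; else migrate=no; fi
    before=$(mobike_setting "$d/ikev2.conf")
    # Only apply the workaround when the log and the kernel both point at MOBIKE.
    if [ "$state" = failed ] && [ "$migrate" = no ]; then
        disable_mobike "$d/ikev2.conf"
    fi
    after=$(mobike_setting "$d/ikev2.conf")
    rm -rf "$d"
    echo "ikev2-cp=$state rejected=$rejected xfrm_migrate=$migrate mobike=$before->$after"
}

demo
```

Against a real container the inputs would come from the container itself, for example `docker cp ipsec-vpn-server:/etc/ipsec.d/ikev2.conf .` before editing and `docker cp` back afterwards, followed by `docker restart ipsec-vpn-server` so Libreswan reloads the connection. Disabling MOBIKE only removes address mobility for clients that switch networks mid-session; the tunnel's authentication and ciphers are unchanged.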

@hwdsl2 commented on GitHub (Nov 30, 2022):

@ejhsu Thanks for the update. Please post here your Docker host's Linux kernel version. Check using `uname -a`. I'd like to add a fix in the IKEv2 script to prevent this issue on this OS for future users.


@ejhsu commented on GitHub (Nov 30, 2022):

The Docker host information and Linux kernel version are listed below:

  • host: Google, Container-Optimized OS (https://cloud.google.com/container-optimized-os/docs/concepts/features-and-benefits), 101-17162.40.34 LTS, Kernel: COS-5.15.65 Kubernetes: 1.23.10 Docker: 20.10.12 Family: cos-101-lts, supports Shielded VM features
  • `uname -a`: `Linux 45d27ece040a 5.15.65+ #1 SMP Thu Nov 10 10:13:28 UTC 2022 x86_64 GNU/Linux`