[GH-ISSUE #351] Does updating the image cause connection failures? deleting state (STATE_V2_PARENT_R0) aged 0.000293s and NOT sending notification #326

Closed
opened 2026-03-02 08:01:22 +03:00 by kerem · 4 comments
Owner

Originally created by @SuperCatss on GitHub (Feb 20, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/351

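Checklist

  • [x] I have read the README
  • [x] I have read the Important notes
  • [x] I have followed the instructions to configure VPN clients
  • [x] I have checked IKEv1 troubleshooting and IKEv2 troubleshooting, enabled logs and checked the VPN status
  • [x] I have searched existing Issues
  • [x] This bug is about the IPsec VPN server Docker image, not IPsec VPN itself

Describe the issue
A clear and concise description of what the bug is.

To reproduce
Steps to reproduce the bug:

  1. ...
  2. ...

Expected behavior
A brief description of what you expected to happen.

Logs
Enable logs, check the VPN status, and add error logs to help explain the problem (if applicable).

Server information (please complete the following)

  • Docker host OS: [UbuntuServer 22.04]
  • Service provider (if applicable): [personal home use]

Client information (please complete the following)

  • OS: [e.g. iOS 15, Android 13]
  • VPN mode: [IPsec/XAuth ("Cisco IPsec") and IKEv2]

Additional information
Neither VPN mode can connect. The server is ESXi, running a virtual Ubuntu 22.04 server. It is mainly used to connect back home to view cameras.
The deployment worked normally for a long time. It is now used less often, and today it could not connect. None of the configuration has changed since it was first set up successfully. Only the image is sometimes updated and then redeployed with the original configuration and the original script. (I cannot rule out that the image update is the cause.)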

kerem closed this issue 2026-03-02 08:01:22 +03:00
Author
Owner

@SuperCatss commented on GitHub (Feb 20, 2023):

Below are the logs from connecting with IKEv2 IPsec; the IP has been replaced.

2023-02-21T00:47:24.400697+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:24.400750+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:24.400780+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:24.400801+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:24.400949+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: deleting state (STATE_V2_PARENT_R0) aged 0.000334s and NOT sending notification
2023-02-21T00:47:24.400988+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:25.460639+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:25.460679+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:25.460709+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:25.460730+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:25.460825+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: deleting state (STATE_V2_PARENT_R0) aged 0.000256s and NOT sending notification
2023-02-21T00:47:25.460860+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:27.252077+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:27.252137+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:27.252186+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:27.252221+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:27.252364+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: deleting state (STATE_V2_PARENT_R0) aged 0.000346s and NOT sending notification
2023-02-21T00:47:27.252417+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:30.431968+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:30.432008+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:30.432038+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:30.432060+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:30.432170+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: deleting state (STATE_V2_PARENT_R0) aged 0.000293s and NOT sending notification
2023-02-21T00:47:30.432203+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:36.279901+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:36.279972+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:36.280001+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:36.280023+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:36.280138+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: deleting state (STATE_V2_PARENT_R0) aged 0.0003s and NOT sending notification
2023-02-21T00:47:36.280185+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:46.799877+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:46.799951+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:46.800002+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:46.800027+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:46.800134+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: deleting state (STATE_V2_PARENT_R0) aged 0.000325s and NOT sending notification
2023-02-21T00:47:46.800170+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:48:21.502681+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:48:21.502723+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:48:21.502751+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:48:21.502772+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:48:21.502876+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: deleting state (STATE_V2_PARENT_R0) aged 0.000264s and NOT sending notification
2023-02-21T00:48:21.502907+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}

Author
Owner

@hwdsl2 commented on GitHub (Feb 22, 2023):

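@SuperCatss Hello! The image's IKEv2 algorithms have not changed recently. For IKEv1, support for MODP1024 and MODP1536 was removed because they are less secure. See here (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android).

From your logs, this may be a problem with the IKEv2 algorithms of the client VPN connection. You can try editing `/etc/ipsec.d/ikev2.conf` inside the container (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C-bash-shell), and replace this line

```
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```

with

```
ike=aes_gcm-sha2-modp2048,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```

Save the file and restart the Docker container. If that still does not resolve it, you can try asking on the Libreswan users mailing list (https://lists.libreswan.org/mailman/listinfo/swan).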

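An added example, not part of the original thread or of the project's code: a Python script that groups pluto log lines like those quoted in this issue by state number and reports the IKEv2 KE-group mismatch and the DH groups of refused IKEv1 transforms. The sample lines are constructed (abridged from the logs in this issue), and the function names `parse_states` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: pluto lines abridged from the logs quoted in this issue
# (timestamps dropped, proposal lists shortened; 1.1.1.1 is the redacted peer).
SAMPLE_LOG = '''\
ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match]
ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: deleting state (STATE_V2_PARENT_R0) aged 0.000334s and NOT sending notification
ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match]
ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: sending notification NO_PROPOSAL_CHOSEN to 1.1.1.1:51478
'''

# '"conn"[instance] peer #state: message' as printed by pluto in the logs above
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): (?P<msg>.*)')
CHOSEN = re.compile(r'proposal \d+:IKE=(?P<chosen>\S+) chosen from remote proposals (?P<offers>.*)')
WRONG_KE = re.compile(r'initiator guessed wrong keying material group \((?P<guess>\w+)\); '
                      r'responding with INVALID_KE_PAYLOAD requesting (?P<want>\w+)')
REFUSED = re.compile(r'Oakley Transform \[[^,]+, [^,]+, (?P<dh>\w+)\] refused')


def parse_states(log):
    """Group pluto messages by state number (#N) and extract negotiation facts."""
    states = defaultdict(lambda: {"conn": None, "chosen": None, "offered_dh": set(),
                                  "guess": None, "want": None,
                                  "refused_dh": [], "no_proposal": False})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. "deleting connection instance" lines carry no #state
        st = states[int(m["state"])]
        st["conn"] = m["conn"]
        msg = m["msg"]
        if (c := CHOSEN.match(msg)):
            st["chosen"] = c["chosen"]
            # every DH group the client listed in any of its proposals
            st["offered_dh"] = set(re.findall(r"DH=(\w+)", c["offers"]))
        elif (k := WRONG_KE.match(msg)):
            st["guess"], st["want"] = k["guess"], k["want"]
        elif (r := REFUSED.match(msg)):
            st["refused_dh"].append(r["dh"])
        elif msg.startswith("no acceptable Oakley Transform"):
            st["no_proposal"] = True
    return dict(states)


def summarize(log):
    """Condense the per-state facts into the questions a responder-side triage asks."""
    states = parse_states(log)
    ke = [s for s in states.values() if s["guess"]]
    v1 = [s for s in states.values() if s["refused_dh"]]
    return {
        # (group the client sent a KE payload for, group the server asked for) -> attempts
        "ke_mismatches": Counter((s["guess"], s["want"]) for s in ke),
        # True when the requested group was in the client's own offer, so the
        # proposals overlap and only the client's KE guess differed
        "requested_group_was_offered": bool(ke) and all(s["want"] in s["offered_dh"] for s in ke),
        # DH groups seen across all refused IKEv1 (Oakley) transforms
        "ikev1_refused_dh": Counter(dh for s in v1 for dh in s["refused_dh"]),
        # IKEv1 connections where every offered transform was refused
        "ikev1_no_proposal": sorted({s["conn"] for s in v1 if s["no_proposal"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A result in which every refused IKEv1 transform uses MODP1024 is consistent with the maintainer's note above that MODP1024 support was removed from the image's IKEv1 algorithms.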
Author
Owner

@SuperCatss commented on GitHub (Feb 22, 2023):

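> @SuperCatss Hello! The image's IKEv2 algorithms have not changed recently. For IKEv1, support for MODP1024 and MODP1536 was removed because they are less secure. See here
>
> From your logs, this may be a problem with the IKEv2 algorithms of the client VPN connection. You can try editing /etc/ipsec.d/ikev2.conf inside the container, and replace this line
>
> ```
> ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
> ```
>
> with
>
> ```
> ike=aes_gcm-sha2-modp2048,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
> ```
>
> Save the file and restart the Docker container. If that still does not resolve it, you can try asking on the Libreswan users mailing list.

@hwdsl2 Hello, after making the suggested change, both protocols still cannot connect. Adding the connection logs for IPSec/Xauth mode: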

2023-02-22T14:21:38.381540+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: responding to Main Mode from unknown peer 1.1.1.1:51478
2023-02-22T14:21:38.381663+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381716+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381735+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381757+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381777+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381804+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381824+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381845+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381869+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
2023-02-22T14:21:38.381927+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: sending notification NO_PROPOSAL_CHOSEN to 1.1.1.1:51478
2023-02-22T14:21:39.326165+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:41.134775+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:44.393343+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:50.194250+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:00.755178+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:19.597606+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0

Adding the IPSec/ikev2 connection logs from after modifying the conf file:

2023-02-22T14:34:26.574540+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:26.574582+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:26.574611+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:26.574632+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:26.574775+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: deleting state (STATE_V2_PARENT_R0) aged 0.000283s and NOT sending notification
2023-02-22T14:34:26.574807+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:27.561966+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:27.562024+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:27.562074+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:27.562113+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:27.562272+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: deleting state (STATE_V2_PARENT_R0) aged 0.000353s and NOT sending notification
2023-02-22T14:34:27.562319+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:29.368644+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:29.368686+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:29.368716+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:29.368737+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:29.368850+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: deleting state (STATE_V2_PARENT_R0) aged 0.000254s and NOT sending notification
2023-02-22T14:34:29.368882+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:32.614497+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:32.614541+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:32.614571+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:32.614593+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:32.614715+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: deleting state (STATE_V2_PARENT_R0) aged 0.000257s and NOT sending notification
2023-02-22T14:34:32.614761+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:38.436052+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:38.436094+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:38.436123+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:38.436145+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:38.436256+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: deleting state (STATE_V2_PARENT_R0) aged 0.000267s and NOT sending notification
2023-02-22T14:34:38.436292+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}

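I would also like to ask whether it is possible to pull a specific version of the image for comparison and, if so, which version you would recommend pulling.
If IKEv2 and WireGuard traffic both have obvious signatures, can an ISP see the contents of the traffic?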


@hwdsl2 commented on GitHub (Feb 23, 2023):

@SuperCatss Judging from your new logs, the IPsec/XAuth mode problem can be solved as follows: add VPN_ENABLE_MODP1024=yes to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%A6%82%E4%BD%95%E4%BD%BF%E7%94%A8%E6%9C%AC%E9%95%9C%E5%83%8F), then re-create (not restart) the Docker container. For details, see [here](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android). Note that this re-enables the less secure MODP1024 algorithm.

The VPN connection encrypts the data you transmit; please make sure to use more secure algorithms (such as MODP2048 or above, which the scripts support by default).

This project currently does not provide images of previous versions, but you can [build from source](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#%E4%BB%8E%E6%BA%90%E4%BB%A3%E7%A0%81%E6%9E%84%E5%BB%BA) yourself.
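The pluto logs in this thread record two different negotiation failures: IKEv1 transforms refused because of their DH group, and IKEv2 `IKE_SA_INIT` attempts rejected with `INVALID_KE_PAYLOAD`. The following triage script is an added example, not code from the project or from either commenter; it groups those messages per connection and peer. The sample input is abbreviated from the log lines quoted above, and the function names `triage` and `findings` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a few lines abbreviated from the logs quoted in this thread.
SAMPLE_LOG = '''\
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381757+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
2023-02-22T14:34:27.562024+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:27.562113+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:29.368686+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:29.368737+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: encountered fatal error in state STATE_V2_PARENT_R0
'''

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
REFUSED = re.compile(r'Oakley Transform \[(?P<enc>[^,]+), (?P<prf>[^,]+), (?P<dh>[^\]]+)\] refused')
WRONG_KE = re.compile(r'guessed wrong keying material group \((?P<sent>\w+)\); '
                      r'responding with INVALID_KE_PAYLOAD requesting (?P<want>\w+)')

def triage(log_text):
    """Collect negotiation-failure evidence per (connection, peer)."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a "#state:" prefix carry no failure detail
        entry = report.setdefault((m['conn'], m['peer']), {
            'refused_dh': Counter(), 'no_proposal': False,
            'ke_mismatch': Counter(), 'fatal_states': set()})
        msg = m['msg']
        if (r := REFUSED.search(msg)):
            entry['refused_dh'][r['dh']] += 1
        elif msg.startswith('no acceptable Oakley Transform'):
            entry['no_proposal'] = True
        elif (k := WRONG_KE.search(msg)):
            entry['ke_mismatch'][(k['sent'], k['want'])] += 1
        elif msg.startswith('encountered fatal error'):
            entry['fatal_states'].add(int(m['state']))
    return report

def findings(report):
    """Turn the counters into one readable finding per failure cause."""
    out = []
    for (conn, peer), e in sorted(report.items()):
        if e['no_proposal'] and e['refused_dh']:
            groups = ', '.join(sorted(e['refused_dh']))
            out.append(f'{conn} {peer}: no acceptable IKEv1 transform; every refused offer used DH group(s) {groups}')
        for (sent, want), n in sorted(e['ke_mismatch'].items()):
            out.append(f'{conn} {peer}: {n} IKE_SA_INIT attempt(s) sent KE for {sent}, '
                       f'server requested {want}; {len(e["fatal_states"])} state(s) ended in a fatal error')
    return out
```
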