[GH-ISSUE #357] ipsec-vpn-server on Synology NAS (Docker) won't work. #332

Closed
opened 2026-03-02 08:01:25 +03:00 by kerem · 4 comments
Owner

Originally created by @Dieterm5 on GitHub (Mar 19, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/357

Checklist

  • [x] I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • [x] I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • [x] I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • [x] I checked IKEv1 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • [x] I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
After a successful connection to the server via the IKEv2 option, the DSM on the Synology NAS is not reacting anymore.
On my phone I don't have internet access, and the local network is also not responding (e.g. my Pi-hole didn't respond).
All the other containers on Docker crash immediately. After a few minutes the Synology restarts and says there was a blackout. Docker says "error gathering device information while adding custom device /dev/ppp: no such file or directory".

This image can run without problems; the problem starts when I try to connect to my server via the IKEv2 option.

To Reproduce
Steps to reproduce the behavior:

  1. Follow the steps to install ipsec-vpn-server, running WITHOUT privilege.
     SSH to the Synology, get root access and then run this:
docker run \
    --name IKEv2-IPSec  \
    --env-file path-to-enf.file/vpn.env \
    --restart=always \
    -v ipsec-server-data:/etc/ipsec.d \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --cap-add=NET_ADMIN \
    --device=/dev/ppp \
    --sysctl net.ipv4.ip_forward=1 \
    --sysctl net.ipv4.conf.all.accept_redirects=0 \
    --sysctl net.ipv4.conf.all.send_redirects=0 \
    --sysctl net.ipv4.conf.all.rp_filter=0 \
    --sysctl net.ipv4.conf.default.accept_redirects=0 \
    --sysctl net.ipv4.conf.default.send_redirects=0 \
    --sysctl net.ipv4.conf.default.rp_filter=0 \
    --sysctl net.ipv4.conf.eth0.send_redirects=0 \
    --sysctl net.ipv4.conf.eth0.rp_filter=0 \
    --sysctl net.ipv4.ip_no_pmtu_disc=1 \
    hwdsl2/ipsec-vpn-server

env file looks like this:

# Note: All the variables to this image are optional.
# See README for more information.
# To use, uncomment and replace with your own values.

# Define IPsec PSK, VPN username and password
# - DO NOT put "" or '' around values, or add space around =
# - DO NOT use these special characters within values: \ " '
# VPN_IPSEC_PSK=
# VPN_USER=
# VPN_PASSWORD=

# Define additional VPN users
# - DO NOT put "" or '' around values, or add space around =
# - DO NOT use these special characters within values: \ " '
# - Usernames and passwords must be separated by spaces
# VPN_ADDL_USERS=additional_username_1 additional_username_2
# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2

# Use a DNS name for the VPN server
# - The DNS name must be a fully qualified domain name (FQDN)
VPN_DNS_NAME=myname.synology.me

# Specify a name for the first IKEv2 client
# - Use one word only, no special characters except '-' and '_'
# - The default is 'vpnclient' if not specified
VPN_CLIENT_NAME=USER

# Use alternative DNS servers
# - By default, clients are set to use Google Public DNS
# - Example below shows Cloudflare's DNS service
# DNS 1 = PiHole on my NAS
VPN_DNS_SRV1=xxx.xxx.xxx.xxx

# Protect IKEv2 client config files using a password
# - By default, no password is required when importing IKEv2 client configuration
# - Uncomment if you want to protect these files using a random password
VPN_PROTECT_CONFIG=yes

# To run this container only in IKEv2 mode (recommend)
VPN_IKEV2_ONLY=yes

# Subnet conf (all these variables must be specified)
VPN_XAUTH_NET=10.7.0.0/24
VPN_XAUTH_POOL=10.7.0.2-10.7.0.254
  2. Port forward 500 and 4500; the firewall rules are also set to accept ports 500 and 4500
  3. Import my .p12 file to my Android phone (Samsung S22+) and follow the steps to connect
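
A preflight check to run before the docker command above, as an added example that is not part of this issue or of the hwdsl2/docker-ipsec-vpn-server project. It applies the rules written in the env file's own comments (no quotes or `\ " '` in values, no spaces around `=`, an FQDN for VPN_DNS_NAME, a one-word VPN_CLIENT_NAME, VPN_XAUTH_NET and VPN_XAUTH_POOL together, matching counts for VPN_ADDL_USERS and VPN_ADDL_PASSWORDS) and reports a missing PPP device before docker fails with the "error gathering device information" message quoted above. The two env files are constructed, the device path is a parameter so the check runs offline, and the statement that IKEv2-only mode can do without `--device=/dev/ppp` is an assumption drawn from the "IPsec/L2TP and IPsec/XAuth modes are disabled" log line, not a statement from the project.

```shell
#!/bin/sh
# Added example (not the project's code): preflight checks for the env file
# and the PPP device before running hwdsl2/ipsec-vpn-server on a host such as
# a Synology NAS. The rules come from the comments in the env file itself.

# Print the value of key $2 from env file $1 (last definition wins, commented
# lines are ignored). Prints nothing if the key is not set.
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Number of space-separated words in $1.
word_count() {
    set -- $1
    echo $#
}

# Lint an env file: prints one problem per line, nothing when it is clean.
lint_env() {
    f=$1
    for key in VPN_IPSEC_PSK VPN_USER VPN_PASSWORD VPN_ADDL_USERS VPN_ADDL_PASSWORDS; do
        if grep -Eq "^[[:space:]]*$key[[:space:]]+=|^[[:space:]]*$key=[[:space:]]+" "$f"; then
            echo "$key: space around = is not allowed"
        fi
        v=$(env_value "$f" "$key")
        case $v in
            *\\*|*\"*|*\'*) echo "$key: value contains a forbidden character (backslash or quote)" ;;
        esac
    done
    dns=$(env_value "$f" VPN_DNS_NAME)
    if [ -n "$dns" ]; then
        case $dns in
            *.*) ;;
            *) echo "VPN_DNS_NAME: must be a fully qualified domain name" ;;
        esac
    fi
    case $(env_value "$f" VPN_CLIENT_NAME) in
        *[!A-Za-z0-9_-]*) echo "VPN_CLIENT_NAME: one word, only letters, digits, - and _" ;;
    esac
    net=$(env_value "$f" VPN_XAUTH_NET)
    pool=$(env_value "$f" VPN_XAUTH_POOL)
    if [ -n "$net$pool" ] && { [ -z "$net" ] || [ -z "$pool" ]; }; then
        echo "VPN_XAUTH_NET and VPN_XAUTH_POOL must both be set"
    fi
    nu=$(word_count "$(env_value "$f" VPN_ADDL_USERS)")
    np=$(word_count "$(env_value "$f" VPN_ADDL_PASSWORDS)")
    if [ "$nu" -ne "$np" ]; then
        echo "VPN_ADDL_USERS and VPN_ADDL_PASSWORDS must have the same number of entries"
    fi
}

# Print the --device flag for docker run when the PPP device exists; otherwise
# print nothing and explain on stderr. $1 = env file, $2 = device path.
ppp_device_flag() {
    dev=${2:-/dev/ppp}
    if [ -e "$dev" ]; then
        echo "--device=$dev"
    elif [ "$(env_value "$1" VPN_IKEV2_ONLY)" = "yes" ]; then
        # Assumption: with the IPsec/L2TP mode disabled nothing in the
        # container uses PPP, so the flag is left out instead of letting
        # docker run fail on the missing device.
        echo "note: $dev is missing; VPN_IKEV2_ONLY=yes, so --device is omitted" >&2
    else
        echo "warning: $dev is missing; IPsec/L2TP mode needs it and docker run will fail" >&2
    fi
}

# Constructed env files (placeholder values) to exercise the checks offline.
workdir=$(mktemp -d)
cat > "$workdir/vpn.env" <<'EOF'
# modelled on the env file in the issue; commented keys stay unset
# VPN_IPSEC_PSK=
VPN_DNS_NAME=myname.synology.me
VPN_CLIENT_NAME=USER
VPN_DNS_SRV1=192.0.2.53
VPN_PROTECT_CONFIG=yes
VPN_IKEV2_ONLY=yes
VPN_XAUTH_NET=10.7.0.0/24
VPN_XAUTH_POOL=10.7.0.2-10.7.0.254
EOF
cat > "$workdir/bad.env" <<'EOF'
VPN_IPSEC_PSK="quoted psk"
VPN_USER = alice
VPN_CLIENT_NAME=my phone
VPN_DNS_NAME=nas
VPN_XAUTH_NET=10.7.0.0/24
VPN_ADDL_USERS=bob carol
VPN_ADDL_PASSWORDS=onlyone
EOF

echo "== $workdir/vpn.env"; lint_env "$workdir/vpn.env"
echo "== $workdir/bad.env"; lint_env "$workdir/bad.env"
echo "== device flag"; ppp_device_flag "$workdir/vpn.env" "$workdir/no-such-ppp"
```

Run it before `docker run`, with the real env file and without the second argument to `ppp_device_flag`, and splice its output into the argument list in place of the hard-coded `--device=/dev/ppp`; the lint output is empty for a file that follows the comments in the env template.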

Expected behavior
The connection works, I can still work on my DSM on the Synology, and I should also have internet access on my phone during the connection.

Logs
Enable logs, check VPN status, and add error logs to help explain the problem, if applicable.

Logs from Synology Docker:

2023-03-19T16:54:36.872327488Z | stderr | xl2tpd[1]: death_handler: Fatal signal 15 received
2023-03-19T16:53:47.449058132Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:53:47.449025386Z | stderr | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
2023-03-19T16:53:47.448993119Z | stderr | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
2023-03-19T16:53:47.448951845Z | stderr | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
2023-03-19T16:53:47.448913723Z | stderr | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2023-03-19T16:53:47.448815776Z | stderr | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 9a34d7676071 PID:1
2023-03-19T16:53:47.448581457Z | stderr | xl2tpd[1]: Using l2tp kernel support.
2023-03-19T16:53:47.333453924Z | stderr | xl2tpd[1]: Not looking for kernel SAref support.
2023-03-19T16:53:47.144628108Z | stdout |  
2023-03-19T16:53:47.144597722Z | stdout | ================================================
2023-03-19T16:53:47.144571828Z | stdout |  
2023-03-19T16:53:47.144493127Z | stdout | https://vpnsetup.net/clients2
2023-03-19T16:53:47.143719197Z | stdout | Next steps: Configure IKEv2 clients. See:
2023-03-19T16:53:47.143692324Z | stdout |  
2023-03-19T16:53:47.143648155Z | stdout | Write this down, you'll need it for import!
2023-03-19T16:53:47.143620756Z | stdout | passwordhidden
2023-03-19T16:53:47.143579536Z | stdout | *IMPORTANT* Password for client config files:
2023-03-19T16:53:47.143553004Z | stdout |  
2023-03-19T16:53:47.143504565Z | stdout | /etc/ipsec.d/USER.mobileconfig (for iOS & macOS)
2023-03-19T16:53:47.143472956Z | stdout | /etc/ipsec.d/USER.sswan (for Android)
2023-03-19T16:53:47.143425400Z | stdout | /etc/ipsec.d/USER.p12 (for Windows & Linux)
2023-03-19T16:53:47.143395764Z | stdout | Docker container at:
2023-03-19T16:53:47.143350827Z | stdout | Client configuration is available inside the
2023-03-19T16:53:47.143322920Z | stdout |  
2023-03-19T16:53:47.143272370Z | stdout | VPN client name: USER
2023-03-19T16:53:47.143095982Z | stdout | VPN server address: myname.synology.me
2023-03-19T16:53:47.119127519Z | stdout |  
2023-03-19T16:53:47.119085426Z | stdout | IKEv2 is already set up. Details for IKEv2 mode:
2023-03-19T16:53:47.119057428Z | stdout |  
2023-03-19T16:53:47.119002188Z | stdout | ================================================
2023-03-19T16:53:47.118458815Z | stdout |  
2023-03-19T16:53:45.077062629Z | stdout | Starting IPsec service...
2023-03-19T16:53:44.890870092Z | stdout |  
2023-03-19T16:53:44.112788288Z | stdout | IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
2023-03-19T16:53:44.112748197Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:53:44.112704565Z | stdout |  
2023-03-19T16:53:44.111524354Z | stdout | Setting DNS servers to xxx.xxx.xxx.xxx...
2023-03-19T16:53:44.111404243Z | stdout |  
2023-03-19T16:53:43.949416791Z | stdout | Retrieving previously generated VPN credentials...
2023-03-19T16:53:43.949293176Z | stdout |  
2023-03-19T16:53:43.935059665Z | stdout | Debian 11/10 users, see https://vpnsetup.net/debian10
2023-03-19T16:53:43.935022817Z | stdout | Please use IKEv2 or IPsec/XAuth mode to connect.
2023-03-19T16:53:43.927276359Z | stdout |  
2023-03-19T16:49:25.909814843Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:49:25.909782154Z | stderr | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
2023-03-19T16:49:25.909752670Z | stderr | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
2023-03-19T16:49:25.909718975Z | stderr | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
2023-03-19T16:49:25.909684798Z | stderr | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2023-03-19T16:49:25.909633614Z | stderr | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 9a34d7676071 PID:1
2023-03-19T16:49:25.909496851Z | stderr | xl2tpd[1]: Using l2tp kernel support.
2023-03-19T16:49:25.872574854Z | stderr | xl2tpd[1]: Not looking for kernel SAref support.
2023-03-19T16:49:25.036292799Z | stdout |  
2023-03-19T16:49:25.036267320Z | stdout | ================================================
2023-03-19T16:49:25.036239181Z | stdout |  
2023-03-19T16:49:25.036176057Z | stdout | https://vpnsetup.net/clients2
2023-03-19T16:49:25.035480090Z | stdout | Next steps: Configure IKEv2 clients. See:
2023-03-19T16:49:25.035455950Z | stdout |  
2023-03-19T16:49:25.035425638Z | stdout | Write this down, you'll need it for import!
2023-03-19T16:49:25.035399723Z | stdout | passwordhidden
2023-03-19T16:49:25.035368728Z | stdout | *IMPORTANT* Password for client config files:
2023-03-19T16:49:25.035344640Z | stdout |  
2023-03-19T16:49:25.035307318Z | stdout | /etc/ipsec.d/USER.mobileconfig (for iOS & macOS)
2023-03-19T16:49:25.035279291Z | stdout | /etc/ipsec.d/USER.sswan (for Android)
2023-03-19T16:49:25.035245077Z | stdout | /etc/ipsec.d/USER.p12 (for Windows & Linux)
2023-03-19T16:49:25.035193614Z | stdout | Docker container at:
2023-03-19T16:49:25.035158791Z | stdout | Client configuration is available inside the
2023-03-19T16:49:25.035131185Z | stdout |  
2023-03-19T16:49:25.035096049Z | stdout | VPN client name: USER
2023-03-19T16:49:25.035041966Z | stdout | VPN server address: myname.synology.me
2023-03-19T16:49:25.034578344Z | stdout |  
2023-03-19T16:49:25.034536860Z | stdout | IKEv2 is already set up. Details for IKEv2 mode:
2023-03-19T16:49:25.034511251Z | stdout |  
2023-03-19T16:49:25.034472521Z | stdout | ================================================
2023-03-19T16:49:25.034112416Z | stdout |  
2023-03-19T16:49:23.376963617Z | stdout | Starting IPsec service...
2023-03-19T16:49:23.376840437Z | stdout |  
2023-03-19T16:49:22.949072421Z | stdout | IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
2023-03-19T16:49:22.949023666Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:49:22.948961978Z | stdout |  
2023-03-19T16:49:22.947758137Z | stdout | Setting DNS servers to xxx.xxx.xxx.xxx...
2023-03-19T16:49:22.947643393Z | stdout |  
2023-03-19T16:49:22.859576130Z | stdout | Retrieving previously generated VPN credentials...
2023-03-19T16:49:22.859449896Z | stdout |  
2023-03-19T16:49:22.827709636Z | stdout | Debian 11/10 users, see https://vpnsetup.net/debian10
2023-03-19T16:49:22.827673332Z | stdout | Please use IKEv2 or IPsec/XAuth mode to connect.
2023-03-19T16:49:22.827120621Z | stdout
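
The Synology Docker log export lists lines newest-first, which is why the block above reads backwards: two container starts (16:49 and 16:53) and, about a minute after the second one, xl2tpd receiving signal 15. The script below is an added example, not from this issue or the project; it puts a few constructed lines in that `TIMESTAMP | stream | message` format back into time order and prints each "Starting IPsec service" event and each fatal signal with the seconds elapsed since the most recent start. The sample lines are constructed from the log above and shortened; the script assumes all lines fall on the same day.

```shell
#!/bin/sh
# Added example (not the project's code): triage for a Synology Docker log
# export, which lists lines newest-first as "TIMESTAMP | stream | message".

# Constructed sample, modelled on the issue's log and shortened.
sample_log() {
cat <<'EOF'
2023-03-19T16:54:36.872327488Z | stderr | xl2tpd[1]: death_handler: Fatal signal 15 received
2023-03-19T16:53:47.449058132Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:53:45.077062629Z | stdout | Starting IPsec service...
2023-03-19T16:53:44.112748197Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:49:25.909814843Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:49:23.376963617Z | stdout | Starting IPsec service...
2023-03-19T16:49:22.949023666Z | stdout | Note: Running in IKEv2-only mode via env file option.
EOF
}

# Put the export back into chronological order. The timestamps are fixed-width
# ISO 8601 strings at the start of each line, so a lexical sort of the whole
# line is time order.
chronological() {
    sort
}

# Read an export on stdin and print one line per service start and per fatal
# signal, with the seconds since the most recent start (same-day logs assumed).
triage() {
    chronological | awk -F ' [|] ' '
        # seconds since midnight from "YYYY-MM-DDTHH:MM:SS.fffZ"; awk converts
        # the "SS.fffZ" field by its leading numeric prefix
        function secs(t,    a, b) {
            split(t, a, "T"); split(a[2], b, ":")
            return b[1] * 3600 + b[2] * 60 + b[3]
        }
        /Starting IPsec service/ {
            n++; last = secs($1)
            print "start #" n " at " $1
        }
        /Fatal signal/ {
            if (n == 0) print "fatal signal at " $1 " (no start seen before it)"
            else print "fatal signal at " $1 " (" int(secs($1) - last) "s after start #" n ")"
        }'
}

sample_log | triage
```

On the sample this prints two start lines and then the fatal signal 51 seconds after start #2; on a real export, pipe the saved log file into `triage` instead of `sample_log`. A repeated start with no shutdown message between is the container being restarted from outside (here, the NAS rebooting), not the service exiting on its own.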

Libreswan logs:

2023-03-19T17:55:36.528226+00:00 9a34d7676071 pluto[417]: Pluto is shutting down
2023-03-19T17:55:36.528547+00:00 9a34d7676071 pluto[417]: forgetting secrets
2023-03-19T17:55:36.528590+00:00 9a34d7676071 pluto[417]: shutting down interface lo 127.0.0.1:4500
2023-03-19T17:55:36.528606+00:00 9a34d7676071 pluto[417]: shutting down interface lo 127.0.0.1:500
2023-03-19T17:55:36.528616+00:00 9a34d7676071 pluto[417]: shutting down interface eth0 172.17.0.5:4500
2023-03-19T17:55:36.528626+00:00 9a34d7676071 pluto[417]: shutting down interface eth0 172.17.0.5:500
2023-03-19T17:55:37.492658+00:00 9a34d7676071 pluto[775]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
2023-03-19T17:55:37.497995+00:00 9a34d7676071 pluto[775]: FIPS Mode: NO
2023-03-19T17:55:37.498011+00:00 9a34d7676071 pluto[775]: NSS crypto library initialized
2023-03-19T17:55:37.498055+00:00 9a34d7676071 pluto[775]: FIPS mode disabled for pluto daemon
2023-03-19T17:55:37.498064+00:00 9a34d7676071 pluto[775]: FIPS HMAC integrity support [disabled]
2023-03-19T17:55:37.498290+00:00 9a34d7676071 pluto[775]: libcap-ng support [enabled]
2023-03-19T17:55:37.498304+00:00 9a34d7676071 pluto[775]: Linux audit support [disabled]
2023-03-19T17:55:37.498321+00:00 9a34d7676071 pluto[775]: Starting Pluto (Libreswan Version 4.10 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:775
2023-03-19T17:55:37.498328+00:00 9a34d7676071 pluto[775]: core dump dir: /run/pluto
2023-03-19T17:55:37.498336+00:00 9a34d7676071 pluto[775]: secrets file: /etc/ipsec.secrets
2023-03-19T17:55:37.498343+00:00 9a34d7676071 pluto[775]: leak-detective disabled
2023-03-19T17:55:37.498350+00:00 9a34d7676071 pluto[775]: NSS crypto [enabled]
2023-03-19T17:55:37.498358+00:00 9a34d7676071 pluto[775]: XAUTH PAM support [enabled]
2023-03-19T17:55:37.498383+00:00 9a34d7676071 pluto[775]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2023-03-19T17:55:37.498446+00:00 9a34d7676071 pluto[775]: NAT-Traversal support  [enabled]
2023-03-19T17:55:37.498670+00:00 9a34d7676071 pluto[775]: Encryption algorithms:
2023-03-19T17:55:37.498689+00:00 9a34d7676071 pluto[775]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
2023-03-19T17:55:37.498701+00:00 9a34d7676071 pluto[775]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
2023-03-19T17:55:37.498713+00:00 9a34d7676071 pluto[775]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
2023-03-19T17:55:37.498724+00:00 9a34d7676071 pluto[775]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
2023-03-19T17:55:37.498735+00:00 9a34d7676071 pluto[775]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
2023-03-19T17:55:37.498747+00:00 9a34d7676071 pluto[775]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
2023-03-19T17:55:37.498759+00:00 9a34d7676071 pluto[775]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
2023-03-19T17:55:37.498770+00:00 9a34d7676071 pluto[775]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
2023-03-19T17:55:37.498782+00:00 9a34d7676071 pluto[775]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
2023-03-19T17:55:37.498794+00:00 9a34d7676071 pluto[775]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
2023-03-19T17:55:37.498804+00:00 9a34d7676071 pluto[775]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
2023-03-19T17:55:37.498816+00:00 9a34d7676071 pluto[775]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
2023-03-19T17:55:37.498826+00:00 9a34d7676071 pluto[775]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
2023-03-19T17:55:37.498838+00:00 9a34d7676071 pluto[775]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
2023-03-19T17:55:37.498846+00:00 9a34d7676071 pluto[775]: Hash algorithms:
2023-03-19T17:55:37.498884+00:00 9a34d7676071 pluto[775]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
2023-03-19T17:55:37.498954+00:00 9a34d7676071 pluto[775]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
2023-03-19T17:55:37.498970+00:00 9a34d7676071 pluto[775]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
2023-03-19T17:55:37.498981+00:00 9a34d7676071 pluto[775]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
2023-03-19T17:55:37.499008+00:00 9a34d7676071 pluto[775]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
2023-03-19T17:55:37.499035+00:00 9a34d7676071 pluto[775]:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
2023-03-19T17:55:37.499060+00:00 9a34d7676071 pluto[775]: PRF algorithms:
2023-03-19T17:55:37.499089+00:00 9a34d7676071 pluto[775]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
2023-03-19T17:55:37.499113+00:00 9a34d7676071 pluto[775]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
2023-03-19T17:55:37.499139+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
2023-03-19T17:55:37.499173+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
2023-03-19T17:55:37.499202+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
2023-03-19T17:55:37.499235+00:00 9a34d7676071 pluto[775]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
2023-03-19T17:55:37.499269+00:00 9a34d7676071 pluto[775]: Integrity algorithms:
2023-03-19T17:55:37.499304+00:00 9a34d7676071 pluto[775]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
2023-03-19T17:55:37.499339+00:00 9a34d7676071 pluto[775]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
2023-03-19T17:55:37.499372+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
2023-03-19T17:55:37.499405+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
2023-03-19T17:55:37.499437+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2023-03-19T17:55:37.499469+00:00 9a34d7676071 pluto[775]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
2023-03-19T17:55:37.499502+00:00 9a34d7676071 pluto[775]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2023-03-19T17:55:37.499534+00:00 9a34d7676071 pluto[775]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
2023-03-19T17:55:37.499566+00:00 9a34d7676071 pluto[775]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
2023-03-19T17:55:37.499598+00:00 9a34d7676071 pluto[775]: DH algorithms:
2023-03-19T17:55:37.499631+00:00 9a34d7676071 pluto[775]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
2023-03-19T17:55:37.499664+00:00 9a34d7676071 pluto[775]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
2023-03-19T17:55:37.499702+00:00 9a34d7676071 pluto[775]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
2023-03-19T17:55:37.499735+00:00 9a34d7676071 pluto[775]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
2023-03-19T17:55:37.499769+00:00 9a34d7676071 pluto[775]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
2023-03-19T17:55:37.499802+00:00 9a34d7676071 pluto[775]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
2023-03-19T17:55:37.499834+00:00 9a34d7676071 pluto[775]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
2023-03-19T17:55:37.499867+00:00 9a34d7676071 pluto[775]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
2023-03-19T17:55:37.499905+00:00 9a34d7676071 pluto[775]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
2023-03-19T17:55:37.499938+00:00 9a34d7676071 pluto[775]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
2023-03-19T17:55:37.499971+00:00 9a34d7676071 pluto[775]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
2023-03-19T17:55:37.500003+00:00 9a34d7676071 pluto[775]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
2023-03-19T17:55:37.500037+00:00 9a34d7676071 pluto[775]: IPCOMP algorithms:
2023-03-19T17:55:37.500070+00:00 9a34d7676071 pluto[775]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
2023-03-19T17:55:37.500103+00:00 9a34d7676071 pluto[775]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
2023-03-19T17:55:37.500135+00:00 9a34d7676071 pluto[775]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
2023-03-19T17:55:37.500172+00:00 9a34d7676071 pluto[775]: testing CAMELLIA_CBC:
2023-03-19T17:55:37.500206+00:00 9a34d7676071 pluto[775]:   Camellia: 16 bytes with 128-bit key
2023-03-19T17:55:37.500359+00:00 9a34d7676071 pluto[775]:   Camellia: 16 bytes with 128-bit key
2023-03-19T17:55:37.500412+00:00 9a34d7676071 pluto[775]:   Camellia: 16 bytes with 256-bit key
2023-03-19T17:55:37.500466+00:00 9a34d7676071 pluto[775]:   Camellia: 16 bytes with 256-bit key
2023-03-19T17:55:37.500518+00:00 9a34d7676071 pluto[775]: testing AES_GCM_16:
2023-03-19T17:55:37.500525+00:00 9a34d7676071 pluto[775]:   empty string
2023-03-19T17:55:37.500576+00:00 9a34d7676071 pluto[775]:   one block
2023-03-19T17:55:37.500621+00:00 9a34d7676071 pluto[775]:   two blocks
2023-03-19T17:55:37.500668+00:00 9a34d7676071 pluto[775]:   two blocks with associated data
2023-03-19T17:55:37.500717+00:00 9a34d7676071 pluto[775]: testing AES_CTR:
2023-03-19T17:55:37.500725+00:00 9a34d7676071 pluto[775]:   Encrypting 16 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500773+00:00 9a34d7676071 pluto[775]:   Encrypting 32 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500824+00:00 9a34d7676071 pluto[775]:   Encrypting 36 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500883+00:00 9a34d7676071 pluto[775]:   Encrypting 16 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.500933+00:00 9a34d7676071 pluto[775]:   Encrypting 32 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.500983+00:00 9a34d7676071 pluto[775]:   Encrypting 36 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.501034+00:00 9a34d7676071 pluto[775]:   Encrypting 16 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501086+00:00 9a34d7676071 pluto[775]:   Encrypting 32 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501140+00:00 9a34d7676071 pluto[775]:   Encrypting 36 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501195+00:00 9a34d7676071 pluto[775]: testing AES_CBC:
2023-03-19T17:55:37.501203+00:00 9a34d7676071 pluto[775]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501251+00:00 9a34d7676071 pluto[775]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501308+00:00 9a34d7676071 pluto[775]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501364+00:00 9a34d7676071 pluto[775]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501427+00:00 9a34d7676071 pluto[775]: testing AES_XCBC:
2023-03-19T17:55:37.501439+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2023-03-19T17:55:37.501633+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2023-03-19T17:55:37.501837+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2023-03-19T17:55:37.502036+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2023-03-19T17:55:37.502225+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2023-03-19T17:55:37.502415+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2023-03-19T17:55:37.502610+00:00 9a34d7676071 pluto[775]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2023-03-19T17:55:37.503075+00:00 9a34d7676071 pluto[775]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2023-03-19T17:55:37.503265+00:00 9a34d7676071 pluto[775]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2023-03-19T17:55:37.503467+00:00 9a34d7676071 pluto[775]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2023-03-19T17:55:37.503803+00:00 9a34d7676071 pluto[775]: testing HMAC_MD5:
2023-03-19T17:55:37.503815+00:00 9a34d7676071 pluto[775]:   RFC 2104: MD5_HMAC test 1
2023-03-19T17:55:37.504076+00:00 9a34d7676071 pluto[775]:   RFC 2104: MD5_HMAC test 2
2023-03-19T17:55:37.504306+00:00 9a34d7676071 pluto[775]:   RFC 2104: MD5_HMAC test 3
2023-03-19T17:55:37.504534+00:00 9a34d7676071 pluto[775]: testing HMAC_SHA1:
2023-03-19T17:55:37.504546+00:00 9a34d7676071 pluto[775]:   CAVP: IKEv2 key derivation with HMAC-SHA1
2023-03-19T17:55:37.506691+00:00 9a34d7676071 pluto[775]: 4 CPU cores online
2023-03-19T17:55:37.506701+00:00 9a34d7676071 pluto[775]: starting up 3 helper threads
2023-03-19T17:55:37.506744+00:00 9a34d7676071 pluto[775]: started thread for helper 0
2023-03-19T17:55:37.506780+00:00 9a34d7676071 pluto[775]: started thread for helper 1
2023-03-19T17:55:37.506808+00:00 9a34d7676071 pluto[775]: helper(1) seccomp security for helper not supported
2023-03-19T17:55:37.506832+00:00 9a34d7676071 pluto[775]: helper(2) seccomp security for helper not supported
2023-03-19T17:55:37.506850+00:00 9a34d7676071 pluto[775]: started thread for helper 2
2023-03-19T17:55:37.506870+00:00 9a34d7676071 pluto[775]: helper(3) seccomp security for helper not supported
2023-03-19T17:55:37.506888+00:00 9a34d7676071 pluto[775]: using Linux xfrm kernel support code on #42962 SMP Tue Jan 31 23:18:09 CST 2023
2023-03-19T17:55:37.506968+00:00 9a34d7676071 pluto[775]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2023-03-19T17:55:37.507239+00:00 9a34d7676071 pluto[775]: seccomp security not supported
2023-03-19T17:55:37.508472+00:00 9a34d7676071 pluto[775]: "ikev2-cp": IKE SA proposals (connection add):
2023-03-19T17:55:37.508491+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508503+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508515+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508527+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508633+00:00 9a34d7676071 pluto[775]: "ikev2-cp": Child SA proposals (connection add):
2023-03-19T17:55:37.508648+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508659+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508669+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508680+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508690+00:00 9a34d7676071 pluto[775]: "ikev2-cp":   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.517173+00:00 9a34d7676071 pluto[775]: "ikev2-cp": loaded private key matching left certificate 'myname.synology.me'
2023-03-19T17:55:37.517202+00:00 9a34d7676071 pluto[775]: "ikev2-cp": added IKEv2 connection
2023-03-19T17:55:37.517323+00:00 9a34d7676071 pluto[775]: listening for IKE messages
2023-03-19T17:55:37.517373+00:00 9a34d7676071 pluto[775]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2023-03-19T17:55:37.517465+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:500
2023-03-19T17:55:37.517501+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:4500
2023-03-19T17:55:37.517535+00:00 9a34d7676071 pluto[775]: adding UDP interface lo 127.0.0.1:500
2023-03-19T17:55:37.517567+00:00 9a34d7676071 pluto[775]: adding UDP interface lo 127.0.0.1:4500
2023-03-19T17:55:37.518647+00:00 9a34d7676071 pluto[775]: forgetting secrets
2023-03-19T17:55:37.518715+00:00 9a34d7676071 pluto[775]: loading secrets from "/etc/ipsec.secrets"

Messages:

2023-03-19T17:55:05.393350+00:00 9a34d7676071 : imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
2023-03-19T17:55:05.393408+00:00 9a34d7676071 : activation of module imklog failed [v8.2212.0 try https://www.rsyslog.com/e/2145 ]
2023-03-19T17:55:05.393441+00:00 9a34d7676071 : [origin software="rsyslogd" swVersion="8.2212.0" x-pid="474" x-info="https://www.rsyslog.com"] start
2023-03-19T17:55:36.579937+00:00 9a34d7676071 /etc/init.d/ipsec[629]: checkpath: /var/run/pluto: could not open run: No such device or address

Server (please complete the following information)

  • Device: Synology NAS DS920+
  • Docker host OS: [DSM 7.1.1-42962 Update 4]
  • Hosting provider (if applicable): []

Client (please complete the following information)

  • Device: [Samsung Galaxy S22+]
  • OS: [Android 13, One UI 5.1] => Model SM-S906B/DS
  • VPN mode: [IKEv2 only]

Additional context
Add any other context about the problem here.

Enabling Libreswan logs:

**docker exec -it IKEv2-IPSec env TERM=xterm bash -l**

**apk add --no-cache rsyslog**
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libestr (0.1.11-r2)
(2/4) Installing libfastjson (0.99.9-r0)
(3/4) Installing rsyslog (8.2212.0-r0)
(4/4) Installing rsyslog-openrc (8.2212.0-r0)
Executing busybox-1.35.0-r29.trigger
OK: 46 MiB in 79 packages

**rsyslogd**
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.2212.0 try https://www.rsyslog.com/e/2145 ]

**rc-service ipsec stop; rc-service -D ipsec start >/dev/null 2>&1**
 * Caching service dependencies ...
Service `hwdrivers' needs non existent service `dev'
Service `machine-id' needs non existent service `dev'                                                                  [ ok ]
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/blkio/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/cpu/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/cpuacct/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/cpuset/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/devices/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/freezer/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/memory/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/synomonitor/tasks: Read-only file system
/lib/rc/sh/openrc-run.sh: line 108: can't create /sys/fs/cgroup/systemd/tasks: Read-only file system
 * Stopping ipsec ...

**sed -i '/pluto\.pid/a rsyslogd' /opt/src/run.sh**

Hope I didn't fuck up somewhere or fail to do something right.
But this seems very strange, and after 1 week of a lot of research I'm posting this issue now.
I have filled it in as completely as possible.

Thanks
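
The Libreswan and rsyslog lines posted above are what a maintainer reads to decide whether pluto itself came up cleanly. The following is an added triage script (not part of this issue or of the hwdsl2 project) that parses log lines in the `timestamp host source: message` layout rsyslog produced here, confirms the three startup facts that matter (a connection was added, pluto is listening, UDP interfaces were bound) and separates notices that are expected in an unprivileged container from lines a human should still look at. The sample input is a constructed subset of the lines from this issue; the benign and review word lists are this example's own assumptions, not Libreswan's classification.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a subset of the pluto, OpenRC init-script and
# rsyslog lines from the logs posted in this issue, in the order they appear.
SAMPLE_LOG = """\
2023-03-19T17:55:05.393350+00:00 9a34d7676071 : imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
2023-03-19T17:55:36.579937+00:00 9a34d7676071 /etc/init.d/ipsec[629]: checkpath: /var/run/pluto: could not open run: No such device or address
2023-03-19T17:55:37.498321+00:00 9a34d7676071 pluto[775]: Starting Pluto (Libreswan Version 4.10 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:775
2023-03-19T17:55:37.507239+00:00 9a34d7676071 pluto[775]: seccomp security not supported
2023-03-19T17:55:37.517173+00:00 9a34d7676071 pluto[775]: "ikev2-cp": loaded private key matching left certificate 'myname.synology.me'
2023-03-19T17:55:37.517202+00:00 9a34d7676071 pluto[775]: "ikev2-cp": added IKEv2 connection
2023-03-19T17:55:37.517323+00:00 9a34d7676071 pluto[775]: listening for IKE messages
2023-03-19T17:55:37.517373+00:00 9a34d7676071 pluto[775]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2023-03-19T17:55:37.517465+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:500
2023-03-19T17:55:37.517501+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:4500
2023-03-19T17:55:37.518715+00:00 9a34d7676071 pluto[775]: loading secrets from "/etc/ipsec.secrets"
"""

# rsyslog layout as seen in the issue: "<timestamp> <host> <source>: <message>".
# The source is empty for rsyslogd's own lines, which is why it may match "".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[^:]*?): (?P<msg>.*)$")
CONN_ADDED = re.compile(r'^"(?P<conn>[^"]+)": added IKEv2 connection$')
IFACE_ADDED = re.compile(r"^adding UDP interface (?P<dev>\S+) (?P<addr>\S+)$")

# Assumption of this example: notices that are normal in an unprivileged
# container (no NIC offload, no seccomp, no /proc/kmsg access) need no action.
BENIGN = (
    "Kernel does not support NIC esp-hw-offload",
    "seccomp security not supported",
    "imklog: cannot open kernel log",
)
# Assumption of this example: substrings that mark a line for human review.
REVIEW = ("could not open", "No such device or address", "no such file or directory",
          "Read-only file system", "Operation not permitted")


@dataclass
class StartupReport:
    connections: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)
    listening: bool = False
    benign: List[str] = field(default_factory=list)
    review: List[str] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)

    def pluto_ready(self) -> bool:
        """True when pluto loaded at least one connection and bound a socket."""
        return bool(self.connections) and self.listening and bool(self.interfaces)


def triage(text: str) -> StartupReport:
    """Classify each log line; lines that parse but match nothing are ignored."""
    rep = StartupReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rep.unparsed.append(line)
            continue
        src, msg = m.group("src") or "rsyslogd", m.group("msg")
        if (cm := CONN_ADDED.match(msg)):
            rep.connections.append(cm.group("conn"))
        elif (im := IFACE_ADDED.match(msg)):
            rep.interfaces.append(f"{im.group('dev')} {im.group('addr')}")
        elif msg == "listening for IKE messages":
            rep.listening = True
        elif any(b in msg for b in BENIGN):
            rep.benign.append(msg)
        elif any(r in msg for r in REVIEW):
            rep.review.append(f"{src}: {msg}")
    return rep


def summary(rep: StartupReport) -> List[str]:
    """Human-readable lines, in the order a reviewer would read them."""
    lines = [f"pluto ready: {rep.pluto_ready()}",
             f"connections: {', '.join(rep.connections) or 'none'}",
             f"interfaces: {', '.join(rep.interfaces) or 'none'}",
             f"benign notices: {len(rep.benign)}",
             f"lines to review: {len(rep.review)}"]
    lines.extend("  " + r for r in rep.review)
    return lines


if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

On the sample, the report says pluto is ready (connection `ikev2-cp` added, listening, both UDP ports bound on eth0), which is the same conclusion the maintainer draws below from the full log, while the OpenRC `checkpath` failure on `/var/run/pluto` is kept in the review list rather than silently dropped: pluto starting does not prove that the container's run directory or cgroup setup is healthy, and that is the part of this issue the Libreswan log alone cannot settle.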

kerem closed this issue 2026-03-02 08:01:25 +03:00

@seemebreakthis commented on GitHub (Mar 23, 2023):

Per this comment
https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/298#issuecomment-1158593803

@hwdsl2 says himself this docker image does not work with Synology for unknown reasons.

I wish they would put this caveat up prominently in README.md. You and many others (myself included) have wasted so much time trying to get this docker image to work on Synology NAS I am sure, because of Android's limitation on types of VPN connections allowed + VPN server being a common use case for Synology NAS owners.

(Edit: Ended up installing [kylemanna/docker-vpn](https://github.com/kylemanna/docker-openvpn) per instructions [here](https://www.derekseaman.com/2019/06/how-to-synology-openvpn-server-in-a-docker-container.html), working flawlessly)


@hwdsl2 commented on GitHub (Mar 23, 2023):

@Dieterm5 Hello! Thank you for reporting this issue. I looked at your description and logs, you mentioned that the DiskStation Manager (DSM) on Synology NAS crashes as soon as an IKEv2 connection is established. This is most likely a bug with IPsec VPN support in the DSM system. The exact cause is unclear from your provided logs.

As @seemebreakthis suggested, I can add a note in the README regarding using this Docker image on Synology NAS systems. Note that the separate issue in #298 was related to MOBIKE support and it was already fixed earlier. This can be seen from your logs: the IKEv2 connection was added successfully at Libreswan startup.


@Dieterm5 commented on GitHub (Mar 25, 2023):

@seemebreakthis Hi, thanks for your message. I also ended up installing OpenVPN from Kylemanna's image and it works perfectly. Thanks for referring me to this.
Actually I wish to get an IKEv2 connection because that's the only way to use 'routines' on Android to autoconnect via IKEv2 VPN when I open an app that requires a specific IP (for example an IP from a specific country to be able to see the videos).
If I can autoconnect my phone using OpenVPN when opening a specified app, all help is welcome too 🎉

@hwdsl2 Thanks for your fast reply! Ok, I will contact Synology's team about this situation and hopefully they will fix something so this won't happen again. I'll keep you updated.
Also, I have Watchtower installed on my Docker, so after every update of this image I'll get a notification and I'll keep a watch on this.


@Dieterm5 commented on GitHub (Mar 28, 2023):

@hwdsl2, @seemebreakthis

I got a reply from Synology:
`You have to run this image in privileged mode, set local ports to automatic (container port to 4500 and 500 udp)`

I'm not going to test this btw; I'm afraid of breaking my NAS. Maybe someone can test this?
