[GH-ISSUE #368] Libreswan: Protocol not supported (errno 93) #343

Closed
opened 2026-03-02 08:01:30 +03:00 by kerem · 1 comment

Originally created by @keelfy-lilly on GitHub (Apr 20, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/368

Checklist

  • [x] I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • [x] I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • [x] I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • [x] I checked IKEv1 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • [x] I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
None of my devices can connect to IKEv2 VPN. I've tried macOS 13, Windows 11, and Android 11.
Windows says that the problem is unknown and macOS just stops connecting after 1-2 sec.

After finding out about this issue I've enabled logs of Libreswan to look at what happens on the server side. You can find them down below.
The logs are the same for each device I've tried. By the same I mean the same steps and errors.
I've tried to recreate VPS 2 times (installed CentOS and the problem was the same), I've tried to re-clone the repo, restart the container, and recreate the container.
I'm thinking about the problem with my network preferences, but I don't know where to look or what to fix.

To Reproduce

  1. clone this repo
  2. Change variable VPN_DNS_NAME to my domain (previously I've added A record pointing to VPS)
  3. Add VPN_IKEV2_ONLY=yes because I'm planning to use only IKEv2 (I've also tried without this variable)
  4. Using the latest Docker, run 'docker compose up -d'
  5. Copy certs from the container and use them according to your guide.

Expected behavior

  1. Copy certs from container
  2. Transfer them to device
  3. Add VPN according to your guide
  4. Use VPN

Logs

I've replaced my actual domain with 'mydomain'

Libreswan log
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)} 
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: reloaded private key matching left certificate 'mydomain' 
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN' 
ipsec-vpn-server pluto[836]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=066d85fa chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
ipsec-vpn-server pluto[836]: ERROR: "ikev2-cp"[1] 94.189.154.13 #2: netlink response for Add SA esp.66d85fa@94.189.154.13: Protocol not supported (errno 93)
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: setup_half_ipsec_sa() hit fail:
Status log
000 using kernel interface: xfrm
000  
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 172.18.0.2:4500
000 interface eth0 UDP 172.18.0.2:500
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=4.10, pluto_vendorid=OE-Libreswan-4.10, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "ikev2-cp": 0.0.0.0/0===172.18.0.2[@mydomain,MS+S=C]---172.18.0.1...%any[%fromcert,+MC+S=C]; unrouted; eroute owner: #0
000 "ikev2-cp":     oriented; my_ip=unset; their_ip=unset; mycert=mydomain; my_updown=ipsec _updown;
000 "ikev2-cp":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "ikev2-cp":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "ikev2-cp":   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "ikev2-cp":   sec_label:unset;
000 "ikev2-cp":   CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
000 "ikev2-cp":   ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ikev2-cp":   retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
000 "ikev2-cp":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ikev2-cp":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES;
000 "ikev2-cp":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ikev2-cp":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ikev2-cp":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ikev2-cp":   our idtype: ID_FQDN; our id=@mydomain; their idtype: %fromcert; their id=%fromcert
000 "ikev2-cp":   liveness: active; dpdaction:clear; dpddelay:30s; retransmit-timeout:300s
000 "ikev2-cp":   nat-traversal: encaps:yes; keepalive:20s
000 "ikev2-cp":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "ikev2-cp":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "ikev2-cp":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000  
000 Total IPsec connections: loaded 1, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 Bare Shunt list:
000

Server (please complete the following information)

  • Ubuntu 22.04 64 bit
  • Hostinger VPS

Client (please complete the following information)

  • Xiaomi Redmi Note 8 Pro
  • Android 11
  • IKEv2

Client (please complete the following information)

  • Apple MacBook Pro
  • macOS 13.3
  • IKEv2

Client (please complete the following information)

  • PC
  • Windows 11 Pro
  • IKEv2

Additional context
I'm a newbie at this kind of stuff, but I created a non-containerized VPN using strongswan-starter on an Ubuntu system, which worked fine.

kerem closed this issue 2026-03-02 08:01:30 +03:00

@hwdsl2 commented on GitHub (Apr 21, 2023):

@keelfy-lilly Hello! Thanks for reporting this issue and providing details. The error netlink response for Add SA ... Protocol not supported (errno 93) typically means that your Docker host's Linux kernel does not properly support the IPsec protocol. If your VPS is OpenVZ or lxc based, it may run a shared Linux kernel which lacks IPsec support. Otherwise, if it's KVM-based, it should generally work fine, unless there's an issue with your hosting provider's VM implementation.

Alternatively, you can try creating a non-containerized VPN on a new VPS using scripts in this repo (https://github.com/hwdsl2/setup-ipsec-vpn).
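A triage script added here as an example (it is not code from the issue or from the hwdsl2 project): it reads pluto log lines and maps the "Add SA ... errno 93" failure to the kernel-side diagnosis given above, and with --host runs the checks on the Docker host that the diagnosis implies. The sample log lines, the peer address 203.0.113.7 and the SPI are constructed; the host checks assume iproute2 and treat systemd-detect-virt and modprobe as optional.

```shell
#!/bin/sh
# Added example (not from the issue or the hwdsl2 project): triage a pluto log for the
# "Add SA ... errno 93" failure from this issue, and check a Docker host for the kernel
# IPsec (xfrm/ESP) support that such a failure points to.

# Constructed sample lines modelled on the issue's log (peer and SPI are made-up values).
SAMPLE_LOG='ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 203.0.113.7 #1: responder established IKE SA; authenticated peer
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 203.0.113.7 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=0a1b2c3d chosen from remote proposals
ipsec-vpn-server pluto[836]: ERROR: "ikev2-cp"[1] 203.0.113.7 #2: netlink response for Add SA esp.a1b2c3d@203.0.113.7: Protocol not supported (errno 93)'

# triage_pluto_log: read pluto lines on stdin, print one verdict line.
# Verdicts: IKE_NOT_ESTABLISHED  (fails before the kernel is involved: auth, certs, firewall)
#           AUTH_OK_NO_SA_ERROR  (IKE SA up, no kernel error seen in the given lines)
#           KERNEL_NO_IPSEC      (errno 93 = EPROTONOSUPPORT: the kernel has no ESP handler
#                                 registered, typical of a shared OpenVZ/LXC kernel)
#           KERNEL_SA_ADD_FAILED (Add SA refused with another errno)
triage_pluto_log() {
    auth=0; errno=""; peer=""; esp=""
    while IFS= read -r line; do
        case "$line" in
            *"established IKE SA"*) auth=1 ;;
            *"proposal 1:ESP="*)
                t=${line#*"ESP="}; esp=${t%% *} ;;          # transform the kernel was asked for
            *"netlink response for Add SA"*"(errno "*)
                t=${line#*"(errno "}; errno=${t%%")"*}      # number inside "(errno NN)"
                t=${line#*"] "};      peer=${t%% *} ;;      # address after "[1] "
        esac
    done
    if [ -z "$errno" ]; then
        if [ "$auth" = 1 ]; then echo "AUTH_OK_NO_SA_ERROR"; else echo "IKE_NOT_ESTABLISHED"; fi
    elif [ "$errno" = 93 ]; then
        echo "KERNEL_NO_IPSEC errno=93 peer=$peer esp=$esp"
    else
        echo "KERNEL_SA_ADD_FAILED errno=$errno peer=$peer esp=$esp"
    fi
}

# check_host_ipsec: live checks, run as root on the Docker host (not inside the container,
# which has no /lib/modules). Prints findings; returns 1 if a blocker is found.
check_host_ipsec() {
    rc=0
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        virt=$(systemd-detect-virt 2>/dev/null || echo none)
        case "$virt" in
            openvz|lxc|lxc-libvirt)
                echo "BLOCKER: $virt guest shares the host kernel; IPsec must be enabled by the provider"; rc=1 ;;
            *) echo "ok: virtualization=$virt" ;;
        esac
    fi
    if ip xfrm state show >/dev/null 2>&1; then
        echo "ok: xfrm netlink interface answers"
    else
        echo "BLOCKER: 'ip xfrm state show' failed; kernel xfrm/netlink unusable"; rc=1
    fi
    if command -v modprobe >/dev/null 2>&1; then
        for m in esp4 xfrm_user; do            # dry-run: succeeds for loadable and built-in modules
            if modprobe -n -q "$m" 2>/dev/null; then echo "ok: $m available"
            else echo "BLOCKER: kernel module $m not available"; rc=1; fi
        done
    fi
    return $rc
}

case "${1:-}" in
    --host) check_host_ipsec ;;
    --log)  triage_pluto_log ;;                         # e.g. docker logs ipsec-vpn-server | sh triage.sh --log
    *)      printf '%s\n' "$SAMPLE_LOG" | triage_pluto_log ;;
esac
```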
