[GH-ISSUE #387] Xiaomi Phone Can't Connect #362

Closed
opened 2026-03-02 08:01:38 +03:00 by kerem · 5 comments
Owner

Originally created by @Ran-Xing on GitHub (Jun 16, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/387

Skip some tedious tasks

Current server: other systems can connect (using ddns)

Other AMD64 servers: all can be connected

info

client:
# miui 14.0.4.0
~ uname -a
Linux localhost 5.15.41-android13-8-00001-ga3c6366a9085-ab9291088 #1 SMP PREEMPT Mon Nov 14 15:03:54 UTC 2022 aarch64 Android


server:
# hwdsl2/ipsec-vpn-server:latest
Linux N1 6.0.13-flippy-80+ #42 SMP Wed Dec 14 20:45:43 CST 2022 aarch64 GNU/Linux

install command

docker run -it -d \
--name myvpn \
--restart=always \
-v /docker/myvpn:/etc/ipsec.d \
--privileged \
-p 500:500/udp \
-p 4500:4500/udp \
-e 'VPN_IPSEC_PSK=xxx' \
-e "VPN_USER=xxx" \
-e 'VPN_PASSWORD=xxx' \
-e "VPN_DNS_SRV1=8.8.8.8" \
-e "VPN_DNS_SRV2=223.5.5.5" \
-e "VPN_DNS_NAME=xxx.xxx.xxx" \
-e "VPN_CLIENT_NAME=xxx" \
hwdsl2/ipsec-vpn-server

log

Setting DNS servers to 8.8.8.8 and 223.5.5.5...

Starting IPsec service...
pluto[393]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
pluto[393]: FIPS Mode: NO
pluto[393]: NSS crypto library initialized
pluto[393]: FIPS mode disabled for pluto daemon
pluto[393]: FIPS HMAC integrity support [disabled]
pluto[393]: libcap-ng support [enabled]
pluto[393]: Linux audit support [disabled]
pluto[393]: Starting Pluto (Libreswan Version 4.11 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:393
pluto[393]: core dump dir: /run/pluto
pluto[393]: secrets file: /etc/ipsec.secrets
pluto[393]: leak-detective disabled
pluto[393]: NSS crypto [enabled]
pluto[393]: XAUTH PAM support [enabled]
pluto[393]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
pluto[393]: NAT-Traversal support  [enabled]
pluto[393]: Encryption algorithms:
pluto[393]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
pluto[393]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
pluto[393]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
pluto[393]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
pluto[393]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
pluto[393]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
pluto[393]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
pluto[393]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
pluto[393]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
pluto[393]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
pluto[393]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
pluto[393]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
pluto[393]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
pluto[393]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
pluto[393]: Hash algorithms:
pluto[393]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
pluto[393]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
pluto[393]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
pluto[393]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
pluto[393]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
pluto[393]:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
pluto[393]: PRF algorithms:
pluto[393]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
pluto[393]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
pluto[393]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
pluto[393]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
pluto[393]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
pluto[393]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
pluto[393]: Integrity algorithms:
pluto[393]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
pluto[393]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
pluto[393]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
pluto[393]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
pluto[393]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
pluto[393]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
pluto[393]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
pluto[393]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
pluto[393]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
pluto[393]: DH algorithms:
pluto[393]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
pluto[393]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
pluto[393]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
pluto[393]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
pluto[393]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
pluto[393]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
pluto[393]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
pluto[393]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
pluto[393]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
pluto[393]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
pluto[393]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
pluto[393]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
pluto[393]: IPCOMP algorithms:
pluto[393]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
pluto[393]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
pluto[393]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
pluto[393]: testing CAMELLIA_CBC:
pluto[393]:   Camellia: 16 bytes with 128-bit key
pluto[393]:   Camellia: 16 bytes with 128-bit key
pluto[393]:   Camellia: 16 bytes with 256-bit key
pluto[393]:   Camellia: 16 bytes with 256-bit key
pluto[393]: testing AES_GCM_16:
pluto[393]:   empty string
pluto[393]:   one block
pluto[393]:   two blocks
pluto[393]:   two blocks with associated data
pluto[393]: testing AES_CTR:
pluto[393]:   Encrypting 16 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 16 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 16 octets using AES-CTR with 256-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 256-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 256-bit key
pluto[393]: testing AES_CBC:
pluto[393]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server: xxx.xxx.xxx
IPsec PSK: xxx
Username: xxx
Password: xxx
pluto[393]: testing AES_XCBC:
pluto[393]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
pluto[393]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
pluto[393]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
pluto[393]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input

Write these down. You'll need them to connect!

VPN client setup: https://vpnsetup.net/clients2

================================================
pluto[393]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
pluto[393]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
pluto[393]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
pluto[393]: testing HMAC_MD5:
pluto[393]:   RFC 2104: MD5_HMAC test 1
pluto[393]:   RFC 2104: MD5_HMAC test 2

================================================

IKEv2 is already set up. Details for IKEv2 mode:

pluto[393]:   RFC 2104: MD5_HMAC test 3
pluto[393]: testing HMAC_SHA1:
pluto[393]:   CAVP: IKEv2 key derivation with HMAC-SHA1
VPN server address: xxx.xxx.xxx.xxx
VPN client name: N1

Client configuration is available inside the
Docker container at:
/etc/ipsec.d/N1.p12 (for Windows & Linux)
/etc/ipsec.d/N1.sswan (for Android)
/etc/ipsec.d/N1.mobileconfig (for iOS & macOS)

Next steps: Configure IKEv2 clients. See:
pluto[393]: 4 CPU cores online
pluto[393]: starting up 3 helper threads
pluto[393]: started thread for helper 0
pluto[393]: helper(1) seccomp security for helper not supported
pluto[393]: started thread for helper 1
pluto[393]: helper(2) seccomp security for helper not supported
pluto[393]: started thread for helper 2
pluto[393]: using Linux xfrm kernel support code on #42 SMP Wed Dec 14 20:45:43 CST 2022
pluto[393]: helper(3) seccomp security for helper not supported
pluto[393]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
pluto[393]: seccomp security not supported
https://vpnsetup.net/clients2

================================================

Warning: The VPN_DNS_NAME variable you specified has no effect
         for IKEv2 mode, because IKEv2 is already set up in this
         container. To change the IKEv2 server address, see:
         https://vpnsetup.net/ikev2docker

pluto[393]: "l2tp-psk": added IKEv1 connection
pluto[393]: "xauth-psk": added IKEv1 connection
pluto[393]: "ikev2-cp": IKE SA proposals (connection add):
pluto[393]: "ikev2-cp":   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp": Child SA proposals (connection add):
pluto[393]: "ikev2-cp":   1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp": loaded private key matching left certificate 'xxx.xxx.xxx.xxx
pluto[393]: "ikev2-cp": added IKEv2 connection
pluto[393]: listening for IKE messages
pluto[393]: Kernel supports NIC esp-hw-offload
pluto[393]: adding UDP interface eth0 172.31.0.2:500
pluto[393]: adding UDP interface eth0 172.31.0.2:4500
pluto[393]: adding UDP interface lo 127.0.0.1:500
pluto[393]: adding UDP interface lo 127.0.0.1:4500
pluto[393]: forgetting secrets
pluto[393]: loading secrets from "/etc/ipsec.secrets"
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on b0e45a4e8591 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting MODP2048
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: responding to IKE_SA_INIT message (ID 0) from 192.168.2.253:61134 with unencrypted notification INVALID_KE_PAYLOAD
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: encountered fatal error in state STATE_V2_PARENT_R0
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: deleting state (STATE_V2_PARENT_R0) aged 0.002182s and NOT sending notification
pluto[393]: "ikev2-cp"[1] 192.168.2.253: deleting connection instance with peer 192.168.2.253 {isakmp=#0/ipsec=#0}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,CERT,AUTH,SA,TSi,TSr,CP}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'xxx.xxx.xxx'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'xxx.xxx.xxx'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA2_512' digital signature using peer certificate 'CN=N1, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: reloaded private key matching left certificate 'xxx.xxx.xxx.xxx
pluto[393]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: proposal 2:ESP=AES_GCM_C_128-DISABLED SPI=60900910 chosen from remote proposals 1:ESP:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;ESN=DISABLED[better-match]
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x60900910 <0x028e8fbd xfrm=AES_GCM_16_128-NONE NATD=192.168.2.253:61136 DPD=active}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: ESP traffic information: in=0B out=0B
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification
pluto[393]: "ikev2-cp"[2] 192.168.2.253: deleting connection instance with peer 192.168.2.253 {isakmp=#0/ipsec=#0}
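As an added example (not from the issue or from the hwdsl2 project), a small Python triage script that parses pluto lines of the kind shown in the log above into a per-peer IKEv2 timeline and lists the events worth reading first: the IKE_SA_INIT packets rejected with INVALID_SYNTAX, the DH-group renegotiation, the subjectAltName warning, and the established IKE SA that was deleted well under a second later with zero ESP bytes. The sample lines are copied from the issue's log with libreswan's own "#N" state numbers; the 5-second threshold for flagging a short-lived SA is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: pluto lines copied from the issue's log above, with the
# state numbers written as libreswan prints them ("#1", "#2", "#3").
SAMPLE_LOG = """\
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting MODP2048
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: deleting state (STATE_V2_PARENT_R0) aged 0.002182s and NOT sending notification
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'xxx.xxx.xxx'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA2_512' digital signature using peer certificate 'CN=N1, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x60900910 <0x028e8fbd xfrm=AES_GCM_16_128-NONE NATD=192.168.2.253:61136 DPD=active}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: ESP traffic information: in=0B out=0B
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification
"""

# Line shapes libreswan 4.x uses for the events we care about.
UNENC_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: responding to (?P<exch>\w+) .*unencrypted notification (?P<notify>\w+)")
CONN_RE = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)')
KE_RE = re.compile(r"guessed wrong keying material group \((?P<guess>\w+)\); responding with INVALID_KE_PAYLOAD requesting (?P<want>\w+)")
INIT_REPLY_RE = re.compile(r"sent IKE_SA_INIT reply \{(?P<kv>[^}]*)\}")
SAN_RE = re.compile(r"subjectAltName extension does not match ID_FQDN '(?P<fqdn>[^']*)'")
CHILD_RE = re.compile(r"responder established Child SA using #(?P<ike>\d+);.*\{(?P<kv>[^}]*)\}")
ESP_RE = re.compile(r"ESP traffic information: in=(?P<inb>[\w.]+) out=(?P<outb>[\w.]+)")
DEL_RE = re.compile(r"deleting state \((?P<st>\w+)\) aged (?P<age>[\d.]+)s and (?P<notify>NOT sending|sending) notification")


@dataclass
class PeerReport:
    """One peer's IKEv2 negotiation timeline as seen by the responder."""
    peer: str
    unencrypted_notifies: List[Tuple[str, str]] = field(default_factory=list)  # (exchange, notify)
    ke_mismatch: Optional[Tuple[str, str]] = None  # (group the client guessed, group requested)
    ike_params: Dict[str, str] = field(default_factory=dict)  # from "sent IKE_SA_INIT reply {...}"
    san_mismatches: List[str] = field(default_factory=list)
    ike_sa: Optional[int] = None  # state number of the established IKE SA
    child_sa: Dict[str, object] = field(default_factory=dict)
    esp_bytes: Tuple[int, int] = (0, 0)  # (in, out)
    deletions: List[Tuple[str, float, bool]] = field(default_factory=list)  # (state, age s, server sent Delete)


def _kv(s: str) -> Dict[str, str]:
    """Parse libreswan's 'key=value key=value' brace contents; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in s.split() if "=" in tok)


def _bytes(s: str) -> int:
    """'0B', '52KB', '1.5MB' -> byte count, as printed in 'ESP traffic information'."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)B", s)
    return int(float(m[1]) * 1024 ** {"": 0, "K": 1, "M": 2, "G": 3}[m[2]]) if m else 0


def parse_pluto_log(text: str) -> Dict[str, PeerReport]:
    """Group pluto lines by peer address and pull out the negotiation milestones."""
    reports: Dict[str, PeerReport] = {}
    for line in text.splitlines():
        if (m := UNENC_RE.search(line)):
            # Rejected before any state existed, so only the address ties it to a peer.
            r = reports.setdefault(m["peer"], PeerReport(m["peer"]))
            r.unencrypted_notifies.append((m["exch"], m["notify"]))
            continue
        if not (m := CONN_RE.search(line)):
            continue  # startup banner, algorithm tables, xl2tpd lines: not per-peer events
        r = reports.setdefault(m["peer"], PeerReport(m["peer"]))
        msg, state = m["msg"], int(m["state"])
        if (k := KE_RE.search(msg)):
            r.ke_mismatch = (k["guess"], k["want"])
        elif (k := INIT_REPLY_RE.search(msg)):
            r.ike_params = _kv(k["kv"])
        elif (k := SAN_RE.search(msg)):
            r.san_mismatches.append(k["fqdn"])
        elif "responder established IKE SA" in msg:
            r.ike_sa = state
        elif (k := CHILD_RE.search(msg)):
            r.child_sa = dict(_kv(k["kv"]), state=state, ike=int(k["ike"]))
        elif (k := ESP_RE.search(msg)):
            r.esp_bytes = (_bytes(k["inb"]), _bytes(k["outb"]))
        elif (k := DEL_RE.search(msg)):
            r.deletions.append((k["st"], float(k["age"]), k["notify"] == "sending"))
    return reports


SHORT_LIVED_SECONDS = 5.0  # assumption: an established IKE SA gone this fast deserves a look


def triage(r: PeerReport) -> List[str]:
    """Findings a responder would read first, derived only from the parsed timeline."""
    out = []
    n_syntax = sum(1 for _, n in r.unencrypted_notifies if n == "INVALID_SYNTAX")
    if n_syntax:
        out.append(f"{n_syntax} IKE_SA_INIT packet(s) answered with INVALID_SYNTAX before any state existed")
    if r.ke_mismatch:
        out.append(f"client guessed DH group {r.ke_mismatch[0]}, server required {r.ke_mismatch[1]}: normal INVALID_KE_PAYLOAD round trip")
    for fqdn in r.san_mismatches:
        out.append(f"peer certificate SAN does not match ID_FQDN '{fqdn}'")
    if r.ike_sa is not None:
        out.append(f"IKE SA #{r.ike_sa} established: " + " ".join(f"{k}={v}" for k, v in r.ike_params.items()))
    if r.child_sa:
        out.append(f"Child SA #{r.child_sa['state']} up: xfrm={r.child_sa.get('xfrm')} NATD={r.child_sa.get('NATD')}")
    for st, age, server_notified in r.deletions:
        if st == "STATE_V2_ESTABLISHED_IKE_SA" and age < SHORT_LIVED_SECONDS:
            out.append(f"IKE SA deleted after {age:.2f}s with ESP in/out bytes {r.esp_bytes} and "
                       f"{'a' if server_notified else 'no'} server-sent Delete: compare with the client-side log")
    return out
```

Run it against a full docker log with `for peer, rep in parse_pluto_log(open("vpn.log").read()).items(): print(peer, *triage(rep), sep="\n  ")`; lines that do not match the shapes above are ignored, so the startup banner and algorithm tables need no filtering.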
1:ESP:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;ESN=DISABLED[better-match] pluto[393]: "ikev2-cp"[2] 192.168.2.253 hwdsl2/setup-ipsec-vpn#3: responder established Child SA using hwdsl2/setup-ipsec-vpn#2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x60900910 <0x028e8fbd xfrm=AES_GCM_16_128-NONE NATD=192.168.2.253:61136 DPD=active} pluto[393]: "ikev2-cp"[2] 192.168.2.253 hwdsl2/setup-ipsec-vpn#3: ESP traffic information: in=0B out=0B pluto[393]: "ikev2-cp"[2] 192.168.2.253 hwdsl2/setup-ipsec-vpn#2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification pluto[393]: "ikev2-cp"[2] 192.168.2.253: deleting connection instance with peer 192.168.2.253 {isakmp=#0/ipsec=#0} ```
kerem closed this issue 2026-03-02 08:01:38 +03:00

@hwdsl2 commented on GitHub (Jun 16, 2023):

@Ran-Xing Hello! It looks like you specified `VPN_DNS_NAME` in your `env` file, but it has no effect for IKEv2 mode because IKEv2 was already set up. Related message from your logs:

Warning: The VPN_DNS_NAME variable you specified has no effect
         for IKEv2 mode, because IKEv2 is already set up in this
         container. To change the IKEv2 server address, see:
         https://vpnsetup.net/ikev2docker

You will probably need to change the IKEv2 server address to the DNS name you specified in your `env` file. To do that, read section [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server#configure-and-use-ikev2-vpn) and expand "Learn how to change the IKEv2 server address". Then follow those instructions.

When finished, make sure that you generate new client configuration files and import to your Android device. Instructions can be found at the same link above, by expanding "Learn how to manage IKEv2 clients". After that, you should be able to connect.

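A small triage script for the pluto messages quoted in this issue (the ignored `VPN_DNS_NAME` warning, the `INVALID_SYNTAX` and `INVALID_KE_PAYLOAD` notifications, the `subjectAltName` mismatch, and an IKE SA torn down well under a second after it came up), added here as an example and not part of the hwdsl2 project. The sample lines are constructed from the thread's log with placeholder addresses and FQDN; the five-second "short-lived" threshold and the finding wording are my own assumptions.

```python
"""Triage Libreswan pluto log lines for the IKEv2 symptoms seen in this thread."""
import re

# Constructed sample modelled on the thread's log; addresses and FQDN are placeholders.
SAMPLE_LOG = """\
Warning: The VPN_DNS_NAME variable you specified has no effect for IKEv2 mode
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting MODP2048
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'vpn.example.invalid'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: responder established IKE SA; authenticated peer using peer certificate 'CN=N1, O=IKEv2 VPN'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0]
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification
"""

# (event name, regex) pairs; the first matching rule wins for a line.
RULES = [
    ("dns_name_ignored", re.compile(r"VPN_DNS_NAME variable you specified has no effect")),
    ("invalid_syntax", re.compile(r"unencrypted notification INVALID_SYNTAX")),
    ("invalid_ke", re.compile(r"INVALID_KE_PAYLOAD requesting (?P<group>\w+)")),
    ("san_mismatch", re.compile(r"subjectAltName extension does not match ID_FQDN '(?P<id>[^']*)'")),
    ("ike_sa_up", re.compile(r"responder established IKE SA")),
    ("child_sa_up", re.compile(r"responder established Child SA")),
    ("ike_sa_deleted", re.compile(r"deleting state \(STATE_V2_ESTABLISHED_IKE_SA\) aged (?P<age>[0-9.]+)s")),
]


def parse_events(log_text):
    """Return one (event, captured-fields) tuple per recognised log line."""
    events = []
    for line in log_text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                events.append((name, m.groupdict()))
                break
    return events


def triage(log_text, short_lived_s=5.0):
    """Count events and derive the findings an operator would act on."""
    counts, findings = {}, []
    for name, fields in parse_events(log_text):
        counts[name] = counts.get(name, 0) + 1
        if name == "san_mismatch":
            findings.append(f"peer certificate SAN does not match ID_FQDN '{fields['id']}': "
                            "client profile likely generated for a different server address; "
                            "regenerate it and re-import on the device")
        elif name == "ike_sa_deleted" and float(fields["age"]) < short_lived_s:
            findings.append(f"IKE SA torn down after {fields['age']}s: tunnel came up "
                            "but the client dropped it almost immediately")
    if counts.get("dns_name_ignored"):
        findings.append("VPN_DNS_NAME is ignored once IKEv2 is set up; change the "
                        "IKEv2 server address instead (https://vpnsetup.net/ikev2docker)")
    if counts.get("invalid_syntax"):
        findings.append(f"{counts['invalid_syntax']} IKE_SA_INIT packet(s) rejected with "
                        "INVALID_SYNTAX before a parseable exchange")
    # INVALID_KE_PAYLOAD is the normal DH-group renegotiation, not a fault: no finding.
    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Feed it the container's log (`docker logs myvpn`) to get the same summary for a live instance; a long-lived SA such as the 542-second ones later in this thread produces no "torn down" finding.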

@Ran-Xing commented on GitHub (Jun 18, 2023):

@hwdsl2 Is there something wrong with my docker configuration file? From the log output I noticed there are two different IPs, which belong to two different interfaces 😂; I submitted an issue about this once before. But the most important point is that all my other devices connect normally (PS: my iPhone and Mac both connect fine, also using the domain name and also via DDNS). It's only the Xiaomi phone that can't connect now. I suspect it may be an Android 13 problem, because I previously connected from a Pixel on Android 11 without any issue 😂😂😂


@hwdsl2 commented on GitHub (Jun 21, 2023):

@Ran-Xing Hello! Your Docker configuration file looks fine. You can try the suggestions in my reply above. Before importing the new configuration file, you can remove the previously imported IKEv2 certificate from the phone (Settings -> Security & privacy -> More security settings -> Encryption & credentials -> User credentials).


@Ran-Xing commented on GitHub (Jul 10, 2023):

@hwdsl2 It's broken again. This time, using the normal IP, none of the devices can connect.

pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #2: liveness action - clearing connection kind CK_INSTANCE
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #3: ESP traffic information: in=0B out=0B
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 542.32205s and NOT sending notification
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx:500
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: sent Main Mode R1
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: sent Main Mode R2
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: Peer ID is ID_IPV4_ADDR: '192.168.2.10'
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: switched to "xauth-psk"[2] xxx.xxx.xxx.xxx
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 0.5 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 1 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 2 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 4 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits.  No response (or no acceptable response) to our IKEv2 message
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: liveness action - clearing connection kind CK_INSTANCE
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #6: ESP traffic information: in=0B out=0B
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 542.2396s and NOT sending notification
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 8 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 16 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 32 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)

@Ran-Xing commented on GitHub (Jul 10, 2023):

This time the device connects to the server normally by IP. I recreated the container, but it still can't connect; the certificate was also deleted and re-trusted.
