[GH-ISSUE #435] authentication failed: peer attempted PSK authentication but we want rsasig #406

Closed
opened 2026-03-02 08:18:41 +03:00 by kerem · 1 comment

Originally created by @ThirtySix361 on GitHub (Jun 20, 2024).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/435

I have been trying to troubleshoot my error for 2 hours now.

I found the way to enable libreswan logging and was then able to find out why the authentication fails:
`authentication failed: peer attempted PSK authentication but we want rsasig`

I just want to connect with my native Android client from an S24, which uses: "IKEv2/IPSEC PSK"

but I cannot get it to work.

Is this even possible with this container?

//edit:
I also tried this:

```
If you still want to connect using IPsec/L2TP mode, you must first edit /etc/ipsec.conf on the VPN server. Find the line ike=... and append ,aes256-sha2;modp1024,aes128-sha1;modp1024 at the end. Save the file and run service ipsec restart.
```

but it was not successful :(

additional logs:

```
fd05206056cb:/opt/src# tail -f -n 0 /var/log/auth.log
2024-06-20T19:47:09.053005+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2024-06-20T19:47:09.053059+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting DH19
2024-06-20T19:47:09.053103+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: responding to IKE_SA_INIT message (ID 0) from <my ip>:40031 with unencrypted notification INVALID_KE_PAYLOAD
2024-06-20T19:47:09.053136+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: encountered fatal error in state STATE_V2_PARENT_R0
2024-06-20T19:47:09.053288+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip> #3: deleting IKE SA (processing IKE_SA_INIT request)
2024-06-20T19:47:09.053368+00:00 fd05206056cb pluto[601]: "ikev2-cp"[3] <my ip>: deleting connection instance with peer <my ip>
2024-06-20T19:47:09.062256+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[better-match]
2024-06-20T19:47:09.065522+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: processed IKE_SA_INIT request from <my ip>:UDP/40031 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-06-20T19:47:09.078085+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CP,SA,TSi,TSr,N(MOBIKE_SUPPORTED),N(ADDITIONAL_IP6_ADDRESS),N(EAP_ONLY_AUTHENTICATION),N(IKEV2_MESSAGE_ID_SYNC_SUPPORTED)}
2024-06-20T19:47:09.078213+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: authentication failed: peer attempted PSK authentication but we want rsasig
2024-06-20T19:47:09.078262+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: responding to IKE_AUTH message (ID 1) from <my ip>:60660 with encrypted notification AUTHENTICATION_FAILED
2024-06-20T19:47:09.078311+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: encountered fatal error in state STATE_V2_PARENT_R1
2024-06-20T19:47:09.078456+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip> #4: deleting IKE SA (sent IKE_SA_INIT (or IKE_INTERMEDIATE) response)
2024-06-20T19:47:09.078543+00:00 fd05206056cb pluto[601]: "ikev2-cp"[4] <my ip>: deleting connection instance with peer <my ip>
```
kerem closed this issue 2026-03-02 08:18:42 +03:00

@hwdsl2 commented on GitHub (Jun 20, 2024):

@ThirtySix361 Hello! Your use case, which is connecting using IKEv2/IPsec PSK mode, is not currently supported in this project. This project only supports IKEv2 with certificate-based authentication, not IKEv2 with PSK.

Please see [Configure IKEv2 VPN clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients) for more details on how to configure your Android device(s) to connect to the VPN.

For IPsec/L2TP mode, add `VPN_ENABLE_MODP1024=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container ([reference](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android)). This is less secure and therefore not recommended.
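The log in the issue contains two different events that are easy to confuse: the `INVALID_KE_PAYLOAD` round (the client guessed DH24, the server steered it to DH19 and the client retried successfully) and the actual failure, the PSK-versus-rsasig authentication-method mismatch. The following added example, not code from the project or the issue participants, parses pluto lines of the shape shown above and labels each event accordingly; the sample lines are constructed and the peer address is a documentation-range placeholder.

```python
import re

# Constructed sample in the shape of the pluto lines quoted in the issue;
# the peer address 203.0.113.7 is a placeholder, not a real host.
SAMPLE_LOG = """\
2024-06-20T19:47:09.053059+00:00 vpn pluto[601]: "ikev2-cp"[3] 203.0.113.7 #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting DH19
2024-06-20T19:47:09.065522+00:00 vpn pluto[601]: "ikev2-cp"[4] 203.0.113.7 #4: processed IKE_SA_INIT request from 203.0.113.7:UDP/40031 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-06-20T19:47:09.078213+00:00 vpn pluto[601]: "ikev2-cp"[4] 203.0.113.7 #4: authentication failed: peer attempted PSK authentication but we want rsasig
2024-06-20T19:47:09.078262+00:00 vpn pluto[601]: "ikev2-cp"[4] 203.0.113.7 #4: responding to IKE_AUTH message (ID 1) from 203.0.113.7:60660 with encrypted notification AUTHENTICATION_FAILED
"""

# Prefix shared by pluto's per-connection lines: conn name, instance number,
# peer address and, when present, the IKE SA serial ("#4").
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)'
    r"(?: #(?P<sa>\d+))?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"peer attempted (?P<peer_auth>\w+) authentication but we want (?P<our_auth>\w+)")
KE_RE = re.compile(r"guessed wrong keying material group \((?P<got>\w+)\).*requesting (?P<want>\w+)")


def parse_line(line):
    """Return the structured fields of one pluto line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def diagnose(log_text):
    """Label each IKE SA event: benign DH-group renegotiation (info) versus an
    authentication-method mismatch (fatal), which is the failure in the issue."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ke = KE_RE.search(rec["msg"])
        if ke:
            # INVALID_KE_PAYLOAD only steers the initiator to a supported group;
            # the client retries, so this round is not the cause of the failure.
            findings.append({"sa": rec["sa"], "kind": "ke_retry", "severity": "info",
                             "detail": f"client offered {ke['got']}, server asked for {ke['want']}"})
        auth = AUTH_RE.search(rec["msg"])
        if auth:
            findings.append({"sa": rec["sa"], "kind": "auth_method_mismatch", "severity": "fatal",
                             "detail": f"client uses {auth['peer_auth']}, server requires {auth['our_auth']}"})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"SA #{f['sa']} [{f['severity']}] {f['kind']}: {f['detail']}")
```

Feeding it the real `/var/log/auth.log` tail from the issue gives one info finding for SA #3 and one fatal finding for SA #4, which is exactly the unsupported-mode answer above: the client is set to PSK while the server accepts only certificate (rsasig) authentication.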