[GH-ISSUE #473] VPN server based on the alpine image doesn't respond (probably because of iptables) #441

Closed
opened 2026-03-02 08:18:58 +03:00 by kerem · 3 comments

Originally created by @belegnar on GitHub (Apr 11, 2025).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/473

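Checklist

  • [x] I read the README
  • [x] I read the Important notes
  • [x] I followed instructions to configure VPN clients
  • [x] I checked IKEv1 troubleshooting, IKEv2 troubleshooting, enabled logs and checked VPN status
  • [x] I searched existing Issues
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself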

Describe the issue
macOS client couldn't connect to the IPsec/XAuth server.

The local VPN log is:

2025-04-11 11:26:58.128791+0300 0xf224     Default     0x0                  2519   0    racoon: [com.apple.networkextension:] received bind command on vpn control socket.
2025-04-11 11:26:58.128837+0300 0xf224     Default     0x0                  2519   0    racoon: [com.apple.networkextension:] received connect command on vpn control socket.
2025-04-11 11:27:08.087670+0300 0xf224     Default     0x0                  2519   0    racoon: [com.apple.networkextension:] received disconnect command on vpn control socket.
2025-04-11 11:27:08.103467+0300 0xf224     Error       0x0                  2519   0    racoon: [com.apple.networkextension:] failed to send vpn_control message: Broken pipe
2025-04-11 11:27:08.105686+0300 0xf224     Default     0x0                  2519   0    racoon: [com.apple.networkextension:] vpn_control socket closed by peer.
2025-04-11 11:27:08.105803+0300 0xf224     Default     0x0                  2519   0    racoon: [com.apple.networkextension:] vpncontrol_close_comm.

During startup of the server, the following messages could be found in the log:

iptables v1.8.11 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain FORWARD

There are 5 of them, in response to creating this rule and the following ones:

iptables -I FORWARD 2 -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Also, there's no ppp+ interface:

ipsec-vpn-server:/opt/src# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:1B:00:02
          inet addr:172.27.0.2  Bcast:172.27.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14391 (14.0 KiB)  TX bytes:4814 (4.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:4308 (4.2 KiB)  TX bytes:4308 (4.2 KiB)

To Reproduce
Steps to reproduce the behavior:

Nothing special, just started the Docker image following the docs.

Expected behavior
Connection established.

Logs
On ipsec restart. No other logs appear on a connection attempt.

2025-04-11T08:46:38.215467+00:00 ipsec-vpn-server pluto[620]: Pluto is shutting down
2025-04-11T08:46:38.228706+00:00 ipsec-vpn-server pluto[620]: forgetting secrets
2025-04-11T08:46:38.231130+00:00 ipsec-vpn-server pluto[620]: shutting down interface lo 127.0.0.1:4500
2025-04-11T08:46:38.231251+00:00 ipsec-vpn-server pluto[620]: shutting down interface lo 127.0.0.1:500
2025-04-11T08:46:38.231299+00:00 ipsec-vpn-server pluto[620]: shutting down interface eth0 172.27.0.2:4500
2025-04-11T08:46:38.231338+00:00 ipsec-vpn-server pluto[620]: shutting down interface eth0 172.27.0.2:500
2025-04-11T08:46:38.691510+00:00 ipsec-vpn-server pluto[756]: Starting Pluto (Libreswan Version 5.2 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS) NFTABLES CAT NFLOG) pid:756
2025-04-11T08:46:38.691547+00:00 ipsec-vpn-server pluto[756]: operating system: Linux 4.4.0 [Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64]
2025-04-11T08:46:38.691556+00:00 ipsec-vpn-server pluto[756]: core dump dir: /run/pluto
2025-04-11T08:46:38.691574+00:00 ipsec-vpn-server pluto[756]: secrets file: /etc/ipsec.secrets
2025-04-11T08:46:38.694472+00:00 ipsec-vpn-server pluto[756]: Initializing NSS using read-only database "sql:/etc/ipsec.d"
2025-04-11T08:46:38.721290+00:00 ipsec-vpn-server pluto[756]: FIPS Mode: OFF
2025-04-11T08:46:38.721405+00:00 ipsec-vpn-server pluto[756]: NSS crypto library initialized
2025-04-11T08:46:38.722092+00:00 ipsec-vpn-server pluto[756]: FIPS mode disabled for pluto daemon
2025-04-11T08:46:38.722136+00:00 ipsec-vpn-server pluto[756]: FIPS HMAC integrity support [not required]
2025-04-11T08:46:38.722474+00:00 ipsec-vpn-server pluto[756]: libcap-ng support [enabled]
2025-04-11T08:46:38.722505+00:00 ipsec-vpn-server pluto[756]: Linux audit support [disabled]
2025-04-11T08:46:38.722530+00:00 ipsec-vpn-server pluto[756]: leak-detective disabled
2025-04-11T08:46:38.722556+00:00 ipsec-vpn-server pluto[756]: NSS crypto [enabled]
2025-04-11T08:46:38.722581+00:00 ipsec-vpn-server pluto[756]: XAUTH PAM support [enabled]
2025-04-11T08:46:38.722920+00:00 ipsec-vpn-server pluto[756]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2025-04-11T08:46:38.723109+00:00 ipsec-vpn-server pluto[756]: NAT-Traversal: keep-alive period 20s
2025-04-11T08:46:38.741255+00:00 ipsec-vpn-server pluto[756]: ERROR: xfrmi is not supported, failed to create ipsec-interface ipsec1 bound to lo
2025-04-11T08:46:38.741370+00:00 ipsec-vpn-server pluto[756]: ipsec-interface is not working: xfrmi is not supported
2025-04-11T08:46:38.741400+00:00 ipsec-vpn-server pluto[756]: IPsec Interface [disabled]
2025-04-11T08:46:38.741551+00:00 ipsec-vpn-server pluto[756]: refreshed session resume keys, issuing key 1
2025-04-11T08:46:38.741691+00:00 ipsec-vpn-server pluto[756]: Encryption algorithms:
2025-04-11T08:46:38.741725+00:00 ipsec-vpn-server pluto[756]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
2025-04-11T08:46:38.741758+00:00 ipsec-vpn-server pluto[756]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
2025-04-11T08:46:38.741788+00:00 ipsec-vpn-server pluto[756]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
2025-04-11T08:46:38.741849+00:00 ipsec-vpn-server pluto[756]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
2025-04-11T08:46:38.741878+00:00 ipsec-vpn-server pluto[756]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP
2025-04-11T08:46:38.741907+00:00 ipsec-vpn-server pluto[756]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
2025-04-11T08:46:38.741937+00:00 ipsec-vpn-server pluto[756]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(AEAD)    aes_gcm, aes_gcm_c
2025-04-11T08:46:38.741966+00:00 ipsec-vpn-server pluto[756]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(AEAD)    aes_gcm_b
2025-04-11T08:46:38.741995+00:00 ipsec-vpn-server pluto[756]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(AEAD)    aes_gcm_a
2025-04-11T08:46:38.742024+00:00 ipsec-vpn-server pluto[756]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
2025-04-11T08:46:38.742052+00:00 ipsec-vpn-server pluto[756]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
2025-04-11T08:46:38.742081+00:00 ipsec-vpn-server pluto[756]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
2025-04-11T08:46:38.742109+00:00 ipsec-vpn-server pluto[756]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP          NULL
2025-04-11T08:46:38.742137+00:00 ipsec-vpn-server pluto[756]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
2025-04-11T08:46:38.742164+00:00 ipsec-vpn-server pluto[756]: Hash algorithms:
2025-04-11T08:46:38.742191+00:00 ipsec-vpn-server pluto[756]:   MD5                               IKEv1: IKE         IKEv2:                  NSS
2025-04-11T08:46:38.742222+00:00 ipsec-vpn-server pluto[756]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
2025-04-11T08:46:38.742251+00:00 ipsec-vpn-server pluto[756]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
2025-04-11T08:46:38.742278+00:00 ipsec-vpn-server pluto[756]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
2025-04-11T08:46:38.742305+00:00 ipsec-vpn-server pluto[756]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
2025-04-11T08:46:38.742332+00:00 ipsec-vpn-server pluto[756]:   IDENTITY                          IKEv1:             IKEv2:             FIPS
2025-04-11T08:46:38.742358+00:00 ipsec-vpn-server pluto[756]: PRF algorithms:
2025-04-11T08:46:38.742398+00:00 ipsec-vpn-server pluto[756]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              NSS          md5
2025-04-11T08:46:38.742437+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
2025-04-11T08:46:38.742466+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
2025-04-11T08:46:38.742494+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
2025-04-11T08:46:38.742522+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
2025-04-11T08:46:38.742550+00:00 ipsec-vpn-server pluto[756]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
2025-04-11T08:46:38.742576+00:00 ipsec-vpn-server pluto[756]: Integrity algorithms:
2025-04-11T08:46:38.742607+00:00 ipsec-vpn-server pluto[756]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS          md5, hmac_md5
2025-04-11T08:46:38.742637+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
2025-04-11T08:46:38.742666+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
2025-04-11T08:46:38.742695+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
2025-04-11T08:46:38.742725+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2025-04-11T08:46:38.742752+00:00 ipsec-vpn-server pluto[756]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH
2025-04-11T08:46:38.742781+00:00 ipsec-vpn-server pluto[756]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2025-04-11T08:46:38.742808+00:00 ipsec-vpn-server pluto[756]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
2025-04-11T08:46:38.742836+00:00 ipsec-vpn-server pluto[756]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
2025-04-11T08:46:38.742862+00:00 ipsec-vpn-server pluto[756]: DH algorithms:
2025-04-11T08:46:38.742889+00:00 ipsec-vpn-server pluto[756]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
2025-04-11T08:46:38.742917+00:00 ipsec-vpn-server pluto[756]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
2025-04-11T08:46:38.742944+00:00 ipsec-vpn-server pluto[756]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
2025-04-11T08:46:38.742971+00:00 ipsec-vpn-server pluto[756]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
2025-04-11T08:46:38.742998+00:00 ipsec-vpn-server pluto[756]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
2025-04-11T08:46:38.743026+00:00 ipsec-vpn-server pluto[756]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
2025-04-11T08:46:38.743053+00:00 ipsec-vpn-server pluto[756]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
2025-04-11T08:46:38.743080+00:00 ipsec-vpn-server pluto[756]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
2025-04-11T08:46:38.743107+00:00 ipsec-vpn-server pluto[756]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
2025-04-11T08:46:38.743135+00:00 ipsec-vpn-server pluto[756]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
2025-04-11T08:46:38.743163+00:00 ipsec-vpn-server pluto[756]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
2025-04-11T08:46:38.743203+00:00 ipsec-vpn-server pluto[756]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
2025-04-11T08:46:38.743230+00:00 ipsec-vpn-server pluto[756]: IPCOMP algorithms:
2025-04-11T08:46:38.743257+00:00 ipsec-vpn-server pluto[756]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS
2025-04-11T08:46:38.743284+00:00 ipsec-vpn-server pluto[756]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS
2025-04-11T08:46:38.743310+00:00 ipsec-vpn-server pluto[756]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS
2025-04-11T08:46:38.743338+00:00 ipsec-vpn-server pluto[756]: testing CAMELLIA_CBC:
2025-04-11T08:46:38.743364+00:00 ipsec-vpn-server pluto[756]:   Camellia: 16 bytes with 128-bit key
2025-04-11T08:46:38.743496+00:00 ipsec-vpn-server pluto[756]:   Camellia: 16 bytes with 128-bit key
2025-04-11T08:46:38.743554+00:00 ipsec-vpn-server pluto[756]:   Camellia: 16 bytes with 256-bit key
2025-04-11T08:46:38.743609+00:00 ipsec-vpn-server pluto[756]:   Camellia: 16 bytes with 256-bit key
2025-04-11T08:46:38.743661+00:00 ipsec-vpn-server pluto[756]: testing AES_GCM_16:
2025-04-11T08:46:38.743688+00:00 ipsec-vpn-server pluto[756]:   empty string
2025-04-11T08:46:38.743778+00:00 ipsec-vpn-server pluto[756]:   one block
2025-04-11T08:46:38.743832+00:00 ipsec-vpn-server pluto[756]:   two blocks
2025-04-11T08:46:38.743886+00:00 ipsec-vpn-server pluto[756]:   two blocks with associated data
2025-04-11T08:46:38.743976+00:00 ipsec-vpn-server pluto[756]: testing AES_CTR:
2025-04-11T08:46:38.744004+00:00 ipsec-vpn-server pluto[756]:   Encrypting 16 octets using AES-CTR with 128-bit key
2025-04-11T08:46:38.744057+00:00 ipsec-vpn-server pluto[756]:   Encrypting 32 octets using AES-CTR with 128-bit key
2025-04-11T08:46:38.744117+00:00 ipsec-vpn-server pluto[756]:   Encrypting 36 octets using AES-CTR with 128-bit key
2025-04-11T08:46:38.744169+00:00 ipsec-vpn-server pluto[756]:   Encrypting 16 octets using AES-CTR with 192-bit key
2025-04-11T08:46:38.744219+00:00 ipsec-vpn-server pluto[756]:   Encrypting 32 octets using AES-CTR with 192-bit key
2025-04-11T08:46:38.744270+00:00 ipsec-vpn-server pluto[756]:   Encrypting 36 octets using AES-CTR with 192-bit key
2025-04-11T08:46:38.744321+00:00 ipsec-vpn-server pluto[756]:   Encrypting 16 octets using AES-CTR with 256-bit key
2025-04-11T08:46:38.744371+00:00 ipsec-vpn-server pluto[756]:   Encrypting 32 octets using AES-CTR with 256-bit key
2025-04-11T08:46:38.744434+00:00 ipsec-vpn-server pluto[756]:   Encrypting 36 octets using AES-CTR with 256-bit key
2025-04-11T08:46:38.744497+00:00 ipsec-vpn-server pluto[756]: testing AES_CBC:
2025-04-11T08:46:38.744524+00:00 ipsec-vpn-server pluto[756]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2025-04-11T08:46:38.744574+00:00 ipsec-vpn-server pluto[756]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2025-04-11T08:46:38.744627+00:00 ipsec-vpn-server pluto[756]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2025-04-11T08:46:38.744679+00:00 ipsec-vpn-server pluto[756]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2025-04-11T08:46:38.744737+00:00 ipsec-vpn-server pluto[756]: testing AES_XCBC:
2025-04-11T08:46:38.744764+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2025-04-11T08:46:38.744895+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2025-04-11T08:46:38.745038+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2025-04-11T08:46:38.745206+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2025-04-11T08:46:38.745374+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2025-04-11T08:46:38.745561+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2025-04-11T08:46:38.745740+00:00 ipsec-vpn-server pluto[756]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2025-04-11T08:46:38.746106+00:00 ipsec-vpn-server pluto[756]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2025-04-11T08:46:38.746283+00:00 ipsec-vpn-server pluto[756]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2025-04-11T08:46:38.746460+00:00 ipsec-vpn-server pluto[756]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2025-04-11T08:46:38.746745+00:00 ipsec-vpn-server pluto[756]: testing HMAC_MD5:
2025-04-11T08:46:38.746779+00:00 ipsec-vpn-server pluto[756]:   RFC 2104: MD5_HMAC test 1
2025-04-11T08:46:38.746920+00:00 ipsec-vpn-server pluto[756]:   RFC 2104: MD5_HMAC test 2
2025-04-11T08:46:38.747054+00:00 ipsec-vpn-server pluto[756]:   RFC 2104: MD5_HMAC test 3
2025-04-11T08:46:38.747188+00:00 ipsec-vpn-server pluto[756]: testing HMAC_SHA1:
2025-04-11T08:46:38.747217+00:00 ipsec-vpn-server pluto[756]:   CAVP: IKEv2 key derivation with HMAC-SHA1
2025-04-11T08:46:38.747613+00:00 ipsec-vpn-server pluto[756]: 1 CPU cores online
2025-04-11T08:46:38.747645+00:00 ipsec-vpn-server pluto[756]: starting up 1 helper threads
2025-04-11T08:46:38.747704+00:00 ipsec-vpn-server pluto[756]: started thread for helper 0
2025-04-11T08:46:38.747735+00:00 ipsec-vpn-server pluto[756]: using Linux xfrm kernel support code on #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021
2025-04-11T08:46:38.747818+00:00 ipsec-vpn-server pluto[756]: xfrm: setsockopt(NETLINK_EXT_ACK) failed: Protocol not available (errno 92)
2025-04-11T08:46:38.747965+00:00 ipsec-vpn-server pluto[756]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2025-04-11T08:46:38.748099+00:00 ipsec-vpn-server pluto[756]: kernel: directional SA supported by kernel
2025-04-11T08:46:38.748135+00:00 ipsec-vpn-server pluto[756]: kernel: IPTFS ipsec SA error: requires option CONFIG_XFRM_IPTFS
2025-04-11T08:46:38.748178+00:00 ipsec-vpn-server pluto[756]: kernel: MIGRATE ipsec SA error: requires option CONFIG_XFRM_MIGRATE
2025-04-11T08:46:38.748559+00:00 ipsec-vpn-server pluto[756]: seccomp security not supported
2025-04-11T08:46:38.749248+00:00 ipsec-vpn-server pluto[756]: addconn: ipsec addconn: /etc/ipsec.conf:19: warning: obsolete keyword ignored: dpdaction=clear
2025-04-11T08:46:38.749317+00:00 ipsec-vpn-server pluto[756]: helper(1): seccomp security for helper not supported
2025-04-11T08:46:38.749825+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.749833+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.749855+00:00 ipsec-vpn-server pluto[756]: addconn: ipsec addconn: /etc/ipsec.d/ikev2.conf:16: warning: obsolete keyword ignored: dpdaction=clear
2025-04-11T08:46:38.749861+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.751851+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-04-11T08:46:38.752179+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-04-11T08:46:38.752215+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": added IKEv1 connection
2025-04-11T08:46:38.752353+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-04-11T08:46:38.752361+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.752430+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-04-11T08:46:38.752439+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.752496+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": added IKEv1 connection
2025-04-11T08:46:38.752503+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.753184+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-04-11T08:46:38.753489+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-04-11T08:46:38.753517+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": added IKEv1 connection
2025-04-11T08:46:38.753610+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-04-11T08:46:38.753616+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.753680+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-04-11T08:46:38.753687+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.753745+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": added IKEv1 connection
2025-04-11T08:46:38.753753+00:00 ipsec-vpn-server pluto[756]: addconn:
2025-04-11T08:46:38.759980+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": loaded private key matching left certificate 'XXXX'
2025-04-11T08:46:38.760076+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2
2025-04-11T08:46:38.761362+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": IKE SA proposals (connection add):
2025-04-11T08:46:38.761423+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256
2025-04-11T08:46:38.761459+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-04-11T08:46:38.761498+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   3:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-04-11T08:46:38.761536+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   4:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-04-11T08:46:38.761571+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   5:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-04-11T08:46:38.761603+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   6:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024
2025-04-11T08:46:38.761638+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   7:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP1024
2025-04-11T08:46:38.761839+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": Child SA proposals (connection add):
2025-04-11T08:46:38.761893+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO
2025-04-11T08:46:38.761929+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ESN:YES+NO
2025-04-11T08:46:38.761961+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ESN:YES+NO
2025-04-11T08:46:38.761994+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2025-04-11T08:46:38.762026+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp":   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2025-04-11T08:46:38.762111+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": added IKEv2 connection
2025-04-11T08:46:38.762283+00:00 ipsec-vpn-server pluto[756]: listening for IKE messages
2025-04-11T08:46:38.762366+00:00 ipsec-vpn-server pluto[756]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2025-04-11T08:46:38.762478+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/500
2025-04-11T08:46:38.762540+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/4500 (NAT)
2025-04-11T08:46:38.762610+00:00 ipsec-vpn-server pluto[756]: adding interface lo 127.0.0.1:UDP/500
2025-04-11T08:46:38.762671+00:00 ipsec-vpn-server pluto[756]: adding interface lo 127.0.0.1:UDP/4500 (NAT)
2025-04-11T08:46:38.762744+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": oriented IKEv1 connection (local: left=172.27.0.2  remote: right=0.0.0.0)
2025-04-11T08:46:38.762817+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": oriented IKEv1 connection (local: left=172.27.0.2  remote: right=0.0.0.0)
2025-04-11T08:46:38.762887+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": oriented IKEv2 connection (local: left=172.27.0.2  remote: right=0.0.0.0)
2025-04-11T08:46:38.762943+00:00 ipsec-vpn-server pluto[756]: forgetting secrets
2025-04-11T08:46:38.763242+00:00 ipsec-vpn-server pluto[756]: loading secrets from "/etc/ipsec.secrets"
2025-04-11T08:46:38.763503+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2
2025-04-11T08:46:38.763543+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": added IKEv2 connection
2025-04-11T08:46:38.763582+00:00 ipsec-vpn-server pluto[756]: addconn: listening for IKE messages
2025-04-11T08:46:38.763619+00:00 ipsec-vpn-server pluto[756]: addconn: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2025-04-11T08:46:38.763653+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface eth0 172.27.0.2:UDP/500
2025-04-11T08:46:38.763688+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface eth0 172.27.0.2:UDP/4500 (NAT)
2025-04-11T08:46:38.763721+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface lo 127.0.0.1:UDP/500
2025-04-11T08:46:38.763755+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface lo 127.0.0.1:UDP/4500 (NAT)
2025-04-11T08:46:38.763793+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": oriented IKEv1 connection (local: left=172.27.0.2  remote: right=0.0.0.0)
2025-04-11T08:46:38.763829+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": oriented IKEv1 connection (local: left=172.27.0
2025-04-11T08:46:38.763869+00:00 ipsec-vpn-server pluto[756]: addconn: .2  remote: right=0.0.0.0)
2025-04-11T08:46:38.763930+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": oriented IKEv2 connection (local: left=172.27.0.2  remote: right=0.0.0.0)
2025-04-11T08:46:38.763958+00:00 ipsec-vpn-server pluto[756]: addconn: forgetting secrets
2025-04-11T08:46:38.763986+00:00 ipsec-vpn-server pluto[756]: addconn: loading secrets from "/etc/ipsec.secrets"
2025-04-11T08:46:38.764012+00:00 ipsec-vpn-server pluto[756]: addconn:

Server (please complete the following information)

  • Docker host OS: Ubuntu 16.04.7 LTS
  • Hosting provider (if applicable): DigitalOcean

Client (please complete the following information)

  • Device: MacBook Pro
  • OS: 15.4
  • VPN mode: [IPsec/XAuth ("Cisco IPsec")]

Additional context
Add any other context about the problem here.
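
The report above combines two symptoms: `iptables` rule insertions failing at container startup, and pluto logging nothing when the client connects. The following triage script is an added example, not code from the issue or from the docker-ipsec-vpn-server project; it pulls both signals out of a combined startup/pluto log. The function names are hypothetical, the sample log is constructed from lines quoted in the issue, and the pattern used to recognise pluto peer activity (`packet from` or a `#N:` state prefix) is an assumption about pluto's log format.

```sh
#!/bin/sh
# Added example: triage of container startup and pluto logs for the two
# symptoms in this report. Function names are hypothetical, not project code.

# Constructed sample assembled from lines quoted in the issue
# (the reporter counted 5 RULE_INSERT failures).
write_sample_log() {
  for _i in 1 2 3 4 5; do
    printf '%s\n' 'iptables v1.8.11 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain FORWARD'
  done
  cat <<'EOF'
2025-04-11T08:46:38.691547+00:00 ipsec-vpn-server pluto[756]: operating system: Linux 4.4.0 [Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64]
2025-04-11T08:46:38.741255+00:00 ipsec-vpn-server pluto[756]: ERROR: xfrmi is not supported, failed to create ipsec-interface ipsec1 bound to lo
2025-04-11T08:46:38.753517+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": added IKEv1 connection
2025-04-11T08:46:38.762283+00:00 ipsec-vpn-server pluto[756]: listening for IKE messages
2025-04-11T08:46:38.762478+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/500
2025-04-11T08:46:38.762540+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/4500 (NAT)
EOF
}

# Backend named in iptables' own error banner, e.g. "nf_tables" or "legacy".
iptables_backend() {
  sed -n -E 's/^iptables v[0-9.]+ \(([a-z_]+)\):.*/\1/p' "$1" | sort -u | paste -sd, -
}

# Number of rule insertions/appends that iptables reported as failed.
rule_failures() {
  grep -c -E 'RULE_(INSERT|APPEND) failed' "$1" || true
}

# Chains whose rules did not get installed.
failed_chains() {
  sed -n -E 's/.*RULE_(INSERT|APPEND) failed.*rule in chain ([A-Za-z0-9_-]+).*/\2/p' "$1" \
    | sort -u | paste -sd, -
}

# Host kernel version as reported by pluto (containers share the host kernel).
host_kernel() {
  sed -n -E 's/.*pluto\[[0-9]+\]: operating system: Linux ([0-9][^ ]*) .*/\1/p' "$1" | tail -n 1
}

# Lines showing pluto handled a peer: "packet from ..." or a state prefix
# such as '"conn"[1] 203.0.113.7 #1: ...' (assumed format, see lead-in).
ike_events() {
  grep -c -E 'pluto\[[0-9]+\]: (packet from |"[^"]+"(\[[0-9]+\])?.* #[0-9]+: )' "$1" || true
}

# One-line summary plus a pointer to which layer to look at first.
triage() {
  _fails=$(rule_failures "$1")
  _events=$(ike_events "$1")
  echo "backend=$(iptables_backend "$1") rule_failures=$_fails chains=$(failed_chains "$1") kernel=$(host_kernel "$1") ike_events=$_events"
  if [ "$_fails" -gt 0 ]; then
    echo "firewall: $_fails rule(s) rejected at startup; those rules are not installed"
  fi
  if [ "$_events" -eq 0 ]; then
    echo "ike: no peer packet or state logged; check the path to UDP 500/4500 before the IPsec config"
  fi
}

_log=$(mktemp)
write_sample_log > "$_log"
triage "$_log"
rm -f "$_log"
```

To use it on a real container, save the container's startup output and the pluto log into one file and pass that file to `triage`.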

leak-detective disabled 2025-04-11T08:46:38.722556+00:00 ipsec-vpn-server pluto[756]: NSS crypto [enabled] 2025-04-11T08:46:38.722581+00:00 ipsec-vpn-server pluto[756]: XAUTH PAM support [enabled] 2025-04-11T08:46:38.722920+00:00 ipsec-vpn-server pluto[756]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00) 2025-04-11T08:46:38.723109+00:00 ipsec-vpn-server pluto[756]: NAT-Traversal: keep-alive period 20s 2025-04-11T08:46:38.741255+00:00 ipsec-vpn-server pluto[756]: ERROR: xfrmi is not supported, failed to create ipsec-interface ipsec1 bound to lo 2025-04-11T08:46:38.741370+00:00 ipsec-vpn-server pluto[756]: ipsec-interface is not working: xfrmi is not supported 2025-04-11T08:46:38.741400+00:00 ipsec-vpn-server pluto[756]: IPsec Interface [disabled] 2025-04-11T08:46:38.741551+00:00 ipsec-vpn-server pluto[756]: refreshed session resume keys, issuing key 1 2025-04-11T08:46:38.741691+00:00 ipsec-vpn-server pluto[756]: Encryption algorithms: 2025-04-11T08:46:38.741725+00:00 ipsec-vpn-server pluto[756]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c 2025-04-11T08:46:38.741758+00:00 ipsec-vpn-server pluto[756]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b 2025-04-11T08:46:38.741788+00:00 ipsec-vpn-server pluto[756]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a 2025-04-11T08:46:38.741849+00:00 ipsec-vpn-server pluto[756]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des 2025-04-11T08:46:38.741878+00:00 ipsec-vpn-server pluto[756]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP 2025-04-11T08:46:38.741907+00:00 ipsec-vpn-server pluto[756]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia 2025-04-11T08:46:38.741937+00:00 ipsec-vpn-server pluto[756]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm, aes_gcm_c 2025-04-11T08:46:38.741966+00:00 ipsec-vpn-server pluto[756]: AES_GCM_12 
{256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm_b 2025-04-11T08:46:38.741995+00:00 ipsec-vpn-server pluto[756]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm_a 2025-04-11T08:46:38.742024+00:00 ipsec-vpn-server pluto[756]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr 2025-04-11T08:46:38.742052+00:00 ipsec-vpn-server pluto[756]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes 2025-04-11T08:46:38.742081+00:00 ipsec-vpn-server pluto[756]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac 2025-04-11T08:46:38.742109+00:00 ipsec-vpn-server pluto[756]: NULL [] IKEv1: ESP IKEv2: ESP NULL 2025-04-11T08:46:38.742137+00:00 ipsec-vpn-server pluto[756]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305 2025-04-11T08:46:38.742164+00:00 ipsec-vpn-server pluto[756]: Hash algorithms: 2025-04-11T08:46:38.742191+00:00 ipsec-vpn-server pluto[756]: MD5 IKEv1: IKE IKEv2: NSS 2025-04-11T08:46:38.742222+00:00 ipsec-vpn-server pluto[756]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha 2025-04-11T08:46:38.742251+00:00 ipsec-vpn-server pluto[756]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256 2025-04-11T08:46:38.742278+00:00 ipsec-vpn-server pluto[756]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384 2025-04-11T08:46:38.742305+00:00 ipsec-vpn-server pluto[756]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512 2025-04-11T08:46:38.742332+00:00 ipsec-vpn-server pluto[756]: IDENTITY IKEv1: IKEv2: FIPS 2025-04-11T08:46:38.742358+00:00 ipsec-vpn-server pluto[756]: PRF algorithms: 2025-04-11T08:46:38.742398+00:00 ipsec-vpn-server pluto[756]: HMAC_MD5 IKEv1: IKE IKEv2: IKE NSS md5 2025-04-11T08:46:38.742437+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1 2025-04-11T08:46:38.742466+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256 2025-04-11T08:46:38.742494+00:00 
ipsec-vpn-server pluto[756]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384 2025-04-11T08:46:38.742522+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512 2025-04-11T08:46:38.742550+00:00 ipsec-vpn-server pluto[756]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc 2025-04-11T08:46:38.742576+00:00 ipsec-vpn-server pluto[756]: Integrity algorithms: 2025-04-11T08:46:38.742607+00:00 ipsec-vpn-server pluto[756]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS md5, hmac_md5 2025-04-11T08:46:38.742637+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1 2025-04-11T08:46:38.742666+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512 2025-04-11T08:46:38.742695+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384 2025-04-11T08:46:38.742725+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 2025-04-11T08:46:38.742752+00:00 ipsec-vpn-server pluto[756]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH 2025-04-11T08:46:38.742781+00:00 ipsec-vpn-server pluto[756]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96 2025-04-11T08:46:38.742808+00:00 ipsec-vpn-server pluto[756]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac 2025-04-11T08:46:38.742836+00:00 ipsec-vpn-server pluto[756]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null 2025-04-11T08:46:38.742862+00:00 ipsec-vpn-server pluto[756]: DH algorithms: 2025-04-11T08:46:38.742889+00:00 ipsec-vpn-server pluto[756]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0 2025-04-11T08:46:38.742917+00:00 ipsec-vpn-server pluto[756]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH 
NSS(MODP) dh2 2025-04-11T08:46:38.742944+00:00 ipsec-vpn-server pluto[756]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5 2025-04-11T08:46:38.742971+00:00 ipsec-vpn-server pluto[756]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14 2025-04-11T08:46:38.742998+00:00 ipsec-vpn-server pluto[756]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15 2025-04-11T08:46:38.743026+00:00 ipsec-vpn-server pluto[756]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16 2025-04-11T08:46:38.743053+00:00 ipsec-vpn-server pluto[756]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17 2025-04-11T08:46:38.743080+00:00 ipsec-vpn-server pluto[756]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18 2025-04-11T08:46:38.743107+00:00 ipsec-vpn-server pluto[756]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256 2025-04-11T08:46:38.743135+00:00 ipsec-vpn-server pluto[756]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384 2025-04-11T08:46:38.743163+00:00 ipsec-vpn-server pluto[756]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521 2025-04-11T08:46:38.743203+00:00 ipsec-vpn-server pluto[756]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519 2025-04-11T08:46:38.743230+00:00 ipsec-vpn-server pluto[756]: IPCOMP algorithms: 2025-04-11T08:46:38.743257+00:00 ipsec-vpn-server pluto[756]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS 2025-04-11T08:46:38.743284+00:00 ipsec-vpn-server pluto[756]: LZS IKEv1: IKEv2: ESP AH FIPS 2025-04-11T08:46:38.743310+00:00 ipsec-vpn-server pluto[756]: LZJH IKEv1: IKEv2: ESP AH FIPS 2025-04-11T08:46:38.743338+00:00 ipsec-vpn-server pluto[756]: testing CAMELLIA_CBC: 2025-04-11T08:46:38.743364+00:00 ipsec-vpn-server pluto[756]: Camellia: 16 bytes with 128-bit key 2025-04-11T08:46:38.743496+00:00 ipsec-vpn-server pluto[756]: Camellia: 16 bytes with 128-bit key 2025-04-11T08:46:38.743554+00:00 ipsec-vpn-server pluto[756]: Camellia: 16 bytes with 
256-bit key 2025-04-11T08:46:38.743609+00:00 ipsec-vpn-server pluto[756]: Camellia: 16 bytes with 256-bit key 2025-04-11T08:46:38.743661+00:00 ipsec-vpn-server pluto[756]: testing AES_GCM_16: 2025-04-11T08:46:38.743688+00:00 ipsec-vpn-server pluto[756]: empty string 2025-04-11T08:46:38.743778+00:00 ipsec-vpn-server pluto[756]: one block 2025-04-11T08:46:38.743832+00:00 ipsec-vpn-server pluto[756]: two blocks 2025-04-11T08:46:38.743886+00:00 ipsec-vpn-server pluto[756]: two blocks with associated data 2025-04-11T08:46:38.743976+00:00 ipsec-vpn-server pluto[756]: testing AES_CTR: 2025-04-11T08:46:38.744004+00:00 ipsec-vpn-server pluto[756]: Encrypting 16 octets using AES-CTR with 128-bit key 2025-04-11T08:46:38.744057+00:00 ipsec-vpn-server pluto[756]: Encrypting 32 octets using AES-CTR with 128-bit key 2025-04-11T08:46:38.744117+00:00 ipsec-vpn-server pluto[756]: Encrypting 36 octets using AES-CTR with 128-bit key 2025-04-11T08:46:38.744169+00:00 ipsec-vpn-server pluto[756]: Encrypting 16 octets using AES-CTR with 192-bit key 2025-04-11T08:46:38.744219+00:00 ipsec-vpn-server pluto[756]: Encrypting 32 octets using AES-CTR with 192-bit key 2025-04-11T08:46:38.744270+00:00 ipsec-vpn-server pluto[756]: Encrypting 36 octets using AES-CTR with 192-bit key 2025-04-11T08:46:38.744321+00:00 ipsec-vpn-server pluto[756]: Encrypting 16 octets using AES-CTR with 256-bit key 2025-04-11T08:46:38.744371+00:00 ipsec-vpn-server pluto[756]: Encrypting 32 octets using AES-CTR with 256-bit key 2025-04-11T08:46:38.744434+00:00 ipsec-vpn-server pluto[756]: Encrypting 36 octets using AES-CTR with 256-bit key 2025-04-11T08:46:38.744497+00:00 ipsec-vpn-server pluto[756]: testing AES_CBC: 2025-04-11T08:46:38.744524+00:00 ipsec-vpn-server pluto[756]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key 2025-04-11T08:46:38.744574+00:00 ipsec-vpn-server pluto[756]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key 2025-04-11T08:46:38.744627+00:00 ipsec-vpn-server pluto[756]: 
Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key 2025-04-11T08:46:38.744679+00:00 ipsec-vpn-server pluto[756]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key 2025-04-11T08:46:38.744737+00:00 ipsec-vpn-server pluto[756]: testing AES_XCBC: 2025-04-11T08:46:38.744764+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input 2025-04-11T08:46:38.744895+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input 2025-04-11T08:46:38.745038+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input 2025-04-11T08:46:38.745206+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input 2025-04-11T08:46:38.745374+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input 2025-04-11T08:46:38.745561+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input 2025-04-11T08:46:38.745740+00:00 ipsec-vpn-server pluto[756]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input 2025-04-11T08:46:38.746106+00:00 ipsec-vpn-server pluto[756]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) 2025-04-11T08:46:38.746283+00:00 ipsec-vpn-server pluto[756]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) 2025-04-11T08:46:38.746460+00:00 ipsec-vpn-server pluto[756]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) 2025-04-11T08:46:38.746745+00:00 ipsec-vpn-server pluto[756]: testing HMAC_MD5: 2025-04-11T08:46:38.746779+00:00 ipsec-vpn-server pluto[756]: RFC 2104: MD5_HMAC test 1 2025-04-11T08:46:38.746920+00:00 ipsec-vpn-server pluto[756]: RFC 2104: MD5_HMAC test 2 2025-04-11T08:46:38.747054+00:00 ipsec-vpn-server pluto[756]: RFC 2104: MD5_HMAC test 3 2025-04-11T08:46:38.747188+00:00 ipsec-vpn-server pluto[756]: testing HMAC_SHA1: 2025-04-11T08:46:38.747217+00:00 ipsec-vpn-server pluto[756]: CAVP: IKEv2 
key derivation with HMAC-SHA1 2025-04-11T08:46:38.747613+00:00 ipsec-vpn-server pluto[756]: 1 CPU cores online 2025-04-11T08:46:38.747645+00:00 ipsec-vpn-server pluto[756]: starting up 1 helper threads 2025-04-11T08:46:38.747704+00:00 ipsec-vpn-server pluto[756]: started thread for helper 0 2025-04-11T08:46:38.747735+00:00 ipsec-vpn-server pluto[756]: using Linux xfrm kernel support code on #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 2025-04-11T08:46:38.747818+00:00 ipsec-vpn-server pluto[756]: xfrm: setsockopt(NETLINK_EXT_ACK) failed: Protocol not available (errno 92) 2025-04-11T08:46:38.747965+00:00 ipsec-vpn-server pluto[756]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes 2025-04-11T08:46:38.748099+00:00 ipsec-vpn-server pluto[756]: kernel: directional SA supported by kernel 2025-04-11T08:46:38.748135+00:00 ipsec-vpn-server pluto[756]: kernel: IPTFS ipsec SA error: requires option CONFIG_XFRM_IPTFS 2025-04-11T08:46:38.748178+00:00 ipsec-vpn-server pluto[756]: kernel: MIGRATE ipsec SA error: requires option CONFIG_XFRM_MIGRATE 2025-04-11T08:46:38.748559+00:00 ipsec-vpn-server pluto[756]: seccomp security not supported 2025-04-11T08:46:38.749248+00:00 ipsec-vpn-server pluto[756]: addconn: ipsec addconn: /etc/ipsec.conf:19: warning: obsolete keyword ignored: dpdaction=clear 2025-04-11T08:46:38.749317+00:00 ipsec-vpn-server pluto[756]: helper(1): seccomp security for helper not supported 2025-04-11T08:46:38.749825+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.749833+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.749855+00:00 ipsec-vpn-server pluto[756]: addconn: ipsec addconn: /etc/ipsec.d/ikev2.conf:16: warning: obsolete keyword ignored: dpdaction=clear 2025-04-11T08:46:38.749861+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.751851+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1 2025-04-11T08:46:38.752179+00:00 ipsec-vpn-server pluto[756]: 
"l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN 2025-04-11T08:46:38.752215+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": added IKEv1 connection 2025-04-11T08:46:38.752353+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1 2025-04-11T08:46:38.752361+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.752430+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN 2025-04-11T08:46:38.752439+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.752496+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": added IKEv1 connection 2025-04-11T08:46:38.752503+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.753184+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1 2025-04-11T08:46:38.753489+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN 2025-04-11T08:46:38.753517+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": added IKEv1 connection 2025-04-11T08:46:38.753610+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1 2025-04-11T08:46:38.753616+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.753680+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN 2025-04-11T08:46:38.753687+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.753745+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": added IKEv1 connection 2025-04-11T08:46:38.753753+00:00 ipsec-vpn-server pluto[756]: addconn: 2025-04-11T08:46:38.759980+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": loaded private key matching left certificate 'XXXX' 2025-04-11T08:46:38.760076+00:00 
ipsec-vpn-server pluto[756]: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2 2025-04-11T08:46:38.761362+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": IKE SA proposals (connection add): 2025-04-11T08:46:38.761423+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256 2025-04-11T08:46:38.761459+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192 2025-04-11T08:46:38.761498+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 3:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192 2025-04-11T08:46:38.761536+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 4:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192 2025-04-11T08:46:38.761571+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 5:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192 2025-04-11T08:46:38.761603+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 6:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024 2025-04-11T08:46:38.761638+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 7:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP1024 2025-04-11T08:46:38.761839+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": Child SA proposals (connection add): 2025-04-11T08:46:38.761893+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO 2025-04-11T08:46:38.761929+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ESN:YES+NO 2025-04-11T08:46:38.761961+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ESN:YES+NO 2025-04-11T08:46:38.761994+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO 2025-04-11T08:46:38.762026+00:00 ipsec-vpn-server 
pluto[756]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ESN:YES+NO 2025-04-11T08:46:38.762111+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": added IKEv2 connection 2025-04-11T08:46:38.762283+00:00 ipsec-vpn-server pluto[756]: listening for IKE messages 2025-04-11T08:46:38.762366+00:00 ipsec-vpn-server pluto[756]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed) 2025-04-11T08:46:38.762478+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/500 2025-04-11T08:46:38.762540+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/4500 (NAT) 2025-04-11T08:46:38.762610+00:00 ipsec-vpn-server pluto[756]: adding interface lo 127.0.0.1:UDP/500 2025-04-11T08:46:38.762671+00:00 ipsec-vpn-server pluto[756]: adding interface lo 127.0.0.1:UDP/4500 (NAT) 2025-04-11T08:46:38.762744+00:00 ipsec-vpn-server pluto[756]: "l2tp-psk": oriented IKEv1 connection (local: left=172.27.0.2 remote: right=0.0.0.0) 2025-04-11T08:46:38.762817+00:00 ipsec-vpn-server pluto[756]: "xauth-psk": oriented IKEv1 connection (local: left=172.27.0.2 remote: right=0.0.0.0) 2025-04-11T08:46:38.762887+00:00 ipsec-vpn-server pluto[756]: "ikev2-cp": oriented IKEv2 connection (local: left=172.27.0.2 remote: right=0.0.0.0) 2025-04-11T08:46:38.762943+00:00 ipsec-vpn-server pluto[756]: forgetting secrets 2025-04-11T08:46:38.763242+00:00 ipsec-vpn-server pluto[756]: loading secrets from "/etc/ipsec.secrets" 2025-04-11T08:46:38.763503+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2 2025-04-11T08:46:38.763543+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": added IKEv2 connection 2025-04-11T08:46:38.763582+00:00 ipsec-vpn-server pluto[756]: addconn: listening for IKE messages 2025-04-11T08:46:38.763619+00:00 ipsec-vpn-server pluto[756]: addconn: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed) 2025-04-11T08:46:38.763653+00:00 ipsec-vpn-server pluto[756]: addconn: adding 
interface eth0 172.27.0.2:UDP/500 2025-04-11T08:46:38.763688+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface eth0 172.27.0.2:UDP/4500 (NAT) 2025-04-11T08:46:38.763721+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface lo 127.0.0.1:UDP/500 2025-04-11T08:46:38.763755+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface lo 127.0.0.1:UDP/4500 (NAT) 2025-04-11T08:46:38.763793+00:00 ipsec-vpn-server pluto[756]: addconn: "l2tp-psk": oriented IKEv1 connection (local: left=172.27.0.2 remote: right=0.0.0.0) 2025-04-11T08:46:38.763829+00:00 ipsec-vpn-server pluto[756]: addconn: "xauth-psk": oriented IKEv1 connection (local: left=172.27.0 2025-04-11T08:46:38.763869+00:00 ipsec-vpn-server pluto[756]: addconn: .2 remote: right=0.0.0.0) 2025-04-11T08:46:38.763930+00:00 ipsec-vpn-server pluto[756]: addconn: "ikev2-cp": oriented IKEv2 connection (local: left=172.27.0.2 remote: right=0.0.0.0) 2025-04-11T08:46:38.763958+00:00 ipsec-vpn-server pluto[756]: addconn: forgetting secrets 2025-04-11T08:46:38.763986+00:00 ipsec-vpn-server pluto[756]: addconn: loading secrets from "/etc/ipsec.secrets" 2025-04-11T08:46:38.764012+00:00 ipsec-vpn-server pluto[756]: addconn: ``` **Server (please complete the following information)** - Docker host OS: Ubuntu 16.04.7 LTS - Hosting provider (if applicable): DigitalOcean **Client (please complete the following information)** - Device: mac book pro - OS: 15.4 - VPN mode: [IPsec/XAuth ("Cisco IPsec")] **Additional context** Add any other context about the problem here.
kerem closed this issue 2026-03-02 08:18:59 +03:00

@hwdsl2 commented on GitHub (Apr 11, 2025):

@belegnar Hello! Thanks for including the details in this issue. Your Docker host OS, Ubuntu 16.04, is no longer officially supported by Canonical. The IPTables error you mentioned, which says rules could not be inserted into the FORWARD chain, may be because Ubuntu 16.04 does not fully support nftables rules in the kernel (see [similar issue](https://discuss.vicharak.in/t/unable-to-configure-network-firewall-ufw/99)).

But normally, there should be new logs that appear after you try to connect a VPN client. If there are no new logs, check that the VPN connection request can reach the Docker container.

For your use case, I would suggest that you try this Docker image on another Docker host with a newer and supported OS, such as Ubuntu 24.04 LTS.
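The two checks from the comment above (FORWARD rule failures under the nf_tables backend, and no new pluto logs on a connection attempt), run over server-side lines quoted in this issue. This is an added example, not code from the project or from either commenter; the function name `triage`, the finding texts and the `#N:` state-prefix pattern are assumptions of the example.

```python
import re

# Server-side lines copied from the logs quoted in this issue. The reporter
# says the iptables error appeared five times, so it is repeated five times.
IPTABLES_ERROR = ("iptables v1.8.11 (nf_tables):  RULE_INSERT failed "
                  "(No such file or directory): rule in chain FORWARD")
PLUTO_LINES = [
    "2025-04-11T08:46:38.691547+00:00 ipsec-vpn-server pluto[756]: operating system: "
    "Linux 4.4.0 [Linux 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64]",
    "2025-04-11T08:46:38.762283+00:00 ipsec-vpn-server pluto[756]: listening for IKE messages",
    "2025-04-11T08:46:38.762478+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/500",
    "2025-04-11T08:46:38.762540+00:00 ipsec-vpn-server pluto[756]: adding interface eth0 172.27.0.2:UDP/4500 (NAT)",
    "2025-04-11T08:46:38.763688+00:00 ipsec-vpn-server pluto[756]: addconn: adding interface eth0 172.27.0.2:UDP/4500 (NAT)",
    '2025-04-11T08:46:38.763242+00:00 ipsec-vpn-server pluto[756]: loading secrets from "/etc/ipsec.secrets"',
]
SAMPLE_LOG = "\n".join([IPTABLES_ERROR] * 5 + PLUTO_LINES)

IPT_FAIL = re.compile(
    r"^iptables v[\d.]+ \((?P<backend>[^)]+)\):\s+RULE_INSERT failed "
    r"\([^)]*\): rule in chain (?P<chain>\S+)")
KERNEL = re.compile(r"pluto\[\d+\]: operating system: Linux (?P<kver>\S+)")
# Matches pluto's own line only; the "addconn:" echo of the same message is skipped.
LISTENER = re.compile(
    r"pluto\[\d+\]: adding interface (?P<iface>\S+) (?P<ip>[\d.]+):UDP/(?P<port>\d+)")
# Assumption: Libreswan prefixes messages about a negotiation with a state
# serial such as "#1: ". "#242-Ubuntu" in the kernel banner must not match.
PEER_STATE = re.compile(r"pluto\[\d+\]: .*#\d+: ")


def triage(log_text):
    """Summarise the signals discussed in the issue from container log text."""
    result = {"backend": None, "forward_insert_failures": 0, "kernel": None,
              "listeners": [], "peer_state_lines": 0, "findings": []}
    for line in log_text.splitlines():
        m = IPT_FAIL.search(line)
        if m:
            result["backend"] = m.group("backend")
            if m.group("chain") == "FORWARD":
                result["forward_insert_failures"] += 1
            continue
        m = KERNEL.search(line)
        if m:
            result["kernel"] = m.group("kver")
        m = LISTENER.search(line)
        if m:
            result["listeners"].append(
                (m.group("iface"), m.group("ip"), int(m.group("port"))))
        if PEER_STATE.search(line):
            result["peer_state_lines"] += 1

    if result["forward_insert_failures"] and result["backend"] == "nf_tables":
        result["findings"].append(
            "%d FORWARD rule(s) were not installed: iptables uses the nf_tables "
            "backend on host kernel %s, which may not fully support it"
            % (result["forward_insert_failures"], result["kernel"]))

    external_ports = {port for iface, _, port in result["listeners"] if iface != "lo"}
    if {500, 4500} <= external_ports and result["peer_state_lines"] == 0:
        result["findings"].append(
            "pluto listens on UDP/500 and UDP/4500 but logged no peer state: "
            "check that the VPN connection request reaches the container")
    return result


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```
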

@belegnar commented on GitHub (Apr 11, 2025):

Yes, looks like the issue is somewhere within the macOS VPN client. I can see incoming packets when

nc -uv -w3 host 4500

But there are no incoming packets at all when I start the VPN connection. Do you have any idea how to troubleshoot this?

@belegnar commented on GitHub (Apr 11, 2025):

) log show --last 2m --predicate 'eventMessage CONTAINS[cd] "vpn"' --info --debug
Filtering the log data using "composedMessage CONTAINS[cd] "vpn""
Timestamp                       Thread     Type        Activity             PID    TTL
2025-04-11 18:46:01.285489+0300 0x85b5c    Default     0x11bf1e             365    0    nesessionmanager: [com.apple.networkextension:] <NESMServer: 0x103444040>: Register Enterprise VPN Session: NESMLegacySession[d.zilantkon.ru:8524AD70-F900-486C-BB9A-51DDD2CBA8AE]
2025-04-11 18:46:01.287729+0300 0x85b5c    Info        0x11bf1e             365    0    nesessionmanager: [com.apple.networkextension:Large] NESMLegacySession[d.zilantkon.ru:8524AD70-F900-486C-BB9A-51DDD2CBA8AE] starting with configuration: {
    name = <14-char-str>
    identifier = 8524AD70-F900-486C-BB9A-51DDD2CBA8AE
    applicationName = VPN
    application = com.apple.NetworkExtensionSettingsUI.NESettingsUIExtension
    grade = 1
    VPN = {
        enabled = YES
        onDemandEnabled = NO
        disconnectOnDemandEnabled = NO
        onDemandUserOverrideDisabled = NO
        protocol = {
            type = ikev1
            identifier = 07C79037-9682-48AE-8C42-4034406B637B
            serverAddress = <14-char-str>
            username = <8-char-str>
            password = {
                identifier = 8524AD70-F900-486C-BB9A-51DDD2CBA8AE.XAUTH
                persistentReference = {length = 153, bytes = 0x73737569 00000020 87191ca3 0fc911d4 ... 41452e58 41555448 }
                isModernSystem = NO
                domain = system
            }
            identityDataImported = NO
            proxySettings = {
                autoProxyDiscovery = NO
                autoProxyConfigurationEnabled = NO
                HTTPEnabled = NO
                HTTPSEnabled = NO
                FTPEnabled = NO
                SOCKSEnabled = NO
                RTSPEnabled = NO
                gopherEnabled = NO
                excludeSimpleHostnames = NO
                usePassiveFTP = YES
            }
            disconnectOnSleep = NO
            disconnectOnIdle = NO
            disconnectOnIdleTimeout = 0
            disconnectOnWake = NO
            disconnectOnWakeTimeout = 0
            disconnectOnUserSwitch = NO
            disconnectOnLogout = NO
            includeAllNetworks = NO
            excludeLocalNetworks = NO
            excludeCellularServices = YES
            excludeAPNs = YES
            excludeDeviceCommunication = YES
            enforceRoutes = NO
            authenticationMethod = shared-secret
            sharedSecret = {
                identifier = 8524AD70-F900-486C-BB9A-51DDD2CBA8AE.SS
                persistentReference = {length = 142, bytes = 0x73737569 00000020 87191ca3 0fc911d4 ... 42413841 452e5353 }
                isModernSystem = NO
                domain = system
            }
            useExtendedAuthentication = YES
            extendedAuthPasswordPrompt = NO
        }
        tunnelType = packet
    }
}
2025-04-11 18:46:01.304101+0300 0x85b5c    Default     0x11bf1e             365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 8EF5A1B3-0A7F-4CA3-9BCD-2BE8CA1B0BC2 (com.apple.preferences.networkprivacy-31E90F26-9290-4514-A1B9-DCB5841ACE57)
2025-04-11 18:46:01.304326+0300 0x85b5c    Default     0x11bf1e             365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 861EFFB6-B065-4E5B-83AA-5AEC5652569E (com.apple.preferences.application-firewall)
2025-04-11 18:46:01.366295+0300 0x85b67    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] accepted connection on vpn control socket.
2025-04-11 18:46:01.366380+0300 0x85b68    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] received bind command on vpn control socket.
2025-04-11 18:46:01.366443+0300 0x85b68    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] received connect command on vpn control socket.
2025-04-11 18:46:11.310265+0300 0x85b6b    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] received disconnect command on vpn control socket.
2025-04-11 18:46:11.313516+0300 0x85b6b    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] vpn_control socket closed by peer.
2025-04-11 18:46:11.314071+0300 0x85b6b    Default     0x0                  9962   0    racoon: [com.apple.networkextension:] vpncontrol_close_comm.
2025-04-11 18:46:11.322595+0300 0x85bdb    Default     0x0                  365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 8EF5A1B3-0A7F-4CA3-9BCD-2BE8CA1B0BC2 (com.apple.preferences.networkprivacy-31E90F26-9290-4514-A1B9-DCB5841ACE57)
2025-04-11 18:46:11.323122+0300 0x85c17    Default     0x0                  365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 861EFFB6-B065-4E5B-83AA-5AEC5652569E (com.apple.preferences.application-firewall)
2025-04-11 18:46:11.331335+0300 0x85b63    Default     0x0                  365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 8EF5A1B3-0A7F-4CA3-9BCD-2BE8CA1B0BC2 (com.apple.preferences.networkprivacy-31E90F26-9290-4514-A1B9-DCB5841ACE57)
2025-04-11 18:46:11.331693+0300 0x85c17    Default     0x0                  365    0    nesessionmanager: [com.apple.networkextension:] Creating session with type vpn, id 861EFFB6-B065-4E5B-83AA-5AEC5652569E (com.apple.preferences.application-firewall)