mirror of
https://github.com/hwdsl2/docker-ipsec-vpn-server.git
synced 2026-04-26 01:55:53 +03:00
[GH-ISSUE #472] Android phone connects over IKEv2 RSA, but the phone has no network access and cannot reach any website; outByte is 0. #443
Originally created by @HeftyL on GitHub (Mar 19, 2025).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/472
Task list
Problem description
After connecting from an Android phone with IKEv2 RSA, the phone cannot use the network and cannot access any website; outByte is 0.
Steps to reproduce
Expected result
Able to access websites normally.
Logs
Enable logging, check the VPN status, and add error logs to help explain the problem (if applicable).
Server information (please fill in the following)
Client information (please fill in the following)
Other information
#1. vpn.env file contents
[root@VM-0-14-centos ~]# cat vpn.env
VPN_IPSEC_PSK=123456789
VPN_USER=vpnuser
VPN_PASSWORD=123456789
VPN_ENABLE_MODP1024=yes
VPN_ANDROID_MTU_FIX=yes
#2. Build command
docker run \
--name ipsec-vpn-server \
--env-file ./vpn.env \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-v /lib/modules:/lib/modules:ro \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
#3. Libreswan log
[root@VM-0-14-centos ~]# docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log
2025-03-19T08:09:44.530048+00:00 6ffc69528090 pluto[262]: Pluto is shutting down
2025-03-19T08:09:44.530334+00:00 6ffc69528090 pluto[262]: "ikev2-cp": deleting template instances
2025-03-19T08:09:44.530354+00:00 6ffc69528090 pluto[262]: "ikev2-cp"[14] 220.196.194.64: terminating SAs using this connection
2025-03-19T08:09:44.530370+00:00 6ffc69528090 pluto[262]: "ikev2-cp"[14] 220.196.194.64 #21: deleting IKE SA (ESTABLISHED_IKE_SA) aged 211.355289s and sending notification
2025-03-19T08:09:44.547154+00:00 6ffc69528090 pluto[262]: "ikev2-cp"[14] 220.196.194.64 #22: ESP traffic information: in=36KiB out=0B
2025-03-19T08:09:44.547358+00:00 6ffc69528090 pluto[262]: "ikev2-cp"[14] 220.196.194.64: deleting connection instance with peer 220.196.194.64
2025-03-19T08:09:44.547440+00:00 6ffc69528090 pluto[262]: freeing root certificate cache
2025-03-19T08:09:44.547453+00:00 6ffc69528090 pluto[262]: forgetting secrets
2025-03-19T08:09:44.547493+00:00 6ffc69528090 pluto[262]: shutting down interface lo [::1]:4500
2025-03-19T08:09:44.547502+00:00 6ffc69528090 pluto[262]: shutting down interface lo [::1]:500
2025-03-19T08:09:44.547508+00:00 6ffc69528090 pluto[262]: shutting down interface lo 127.0.0.1:4500
2025-03-19T08:09:44.547515+00:00 6ffc69528090 pluto[262]: shutting down interface lo 127.0.0.1:500
2025-03-19T08:09:44.547521+00:00 6ffc69528090 pluto[262]: shutting down interface eth0 172.17.0.4:4500
2025-03-19T08:09:44.547528+00:00 6ffc69528090 pluto[262]: shutting down interface eth0 172.17.0.4:500
2025-03-19T08:09:44.919877+00:00 6ffc69528090 pluto[1397]: Starting Pluto (Libreswan Version 5.2 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS) NFTABLES CAT NFLOG) pid:1397
2025-03-19T08:09:44.919905+00:00 6ffc69528090 pluto[1397]: operating system: Linux 4.14.129 [Linux 4.14.129-bbrplus #1 SMP Tue Jun 25 12:23:41 UTC 2019 x86_64]
2025-03-19T08:09:44.919911+00:00 6ffc69528090 pluto[1397]: core dump dir: /run/pluto
2025-03-19T08:09:44.919931+00:00 6ffc69528090 pluto[1397]: secrets file: /etc/ipsec.secrets
2025-03-19T08:09:44.920139+00:00 6ffc69528090 pluto[1397]: Initializing NSS using read-only database "sql:/etc/ipsec.d"
2025-03-19T08:09:44.923677+00:00 6ffc69528090 pluto[1397]: FIPS Mode: OFF
2025-03-19T08:09:44.923692+00:00 6ffc69528090 pluto[1397]: NSS crypto library initialized
2025-03-19T08:09:44.923748+00:00 6ffc69528090 pluto[1397]: FIPS mode disabled for pluto daemon
2025-03-19T08:09:44.923760+00:00 6ffc69528090 pluto[1397]: FIPS HMAC integrity support [not required]
2025-03-19T08:09:44.923972+00:00 6ffc69528090 pluto[1397]: libcap-ng support [enabled]
2025-03-19T08:09:44.923983+00:00 6ffc69528090 pluto[1397]: Linux audit support [disabled]
2025-03-19T08:09:44.923988+00:00 6ffc69528090 pluto[1397]: leak-detective disabled
2025-03-19T08:09:44.923993+00:00 6ffc69528090 pluto[1397]: NSS crypto [enabled]
2025-03-19T08:09:44.923998+00:00 6ffc69528090 pluto[1397]: XAUTH PAM support [enabled]
2025-03-19T08:09:44.924016+00:00 6ffc69528090 pluto[1397]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2025-03-19T08:09:44.924062+00:00 6ffc69528090 pluto[1397]: NAT-Traversal: keep-alive period 20s
2025-03-19T08:09:44.926488+00:00 6ffc69528090 pluto[1397]: ERROR: xfrmi is not supported, failed to create ipsec-interface ipsec1 bound to lo
2025-03-19T08:09:44.926513+00:00 6ffc69528090 pluto[1397]: ipsec-interface is not working: xfrmi is not supported
2025-03-19T08:09:44.926520+00:00 6ffc69528090 pluto[1397]: IPsec Interface [disabled]
2025-03-19T08:09:44.926602+00:00 6ffc69528090 pluto[1397]: refreshed session resume keys, issuing key 1
2025-03-19T08:09:44.926719+00:00 6ffc69528090 pluto[1397]: Encryption algorithms:
2025-03-19T08:09:44.926733+00:00 6ffc69528090 pluto[1397]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
2025-03-19T08:09:44.926747+00:00 6ffc69528090 pluto[1397]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
2025-03-19T08:09:44.926754+00:00 6ffc69528090 pluto[1397]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
2025-03-19T08:09:44.926762+00:00 6ffc69528090 pluto[1397]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
2025-03-19T08:09:44.926770+00:00 6ffc69528090 pluto[1397]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
2025-03-19T08:09:44.926777+00:00 6ffc69528090 pluto[1397]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
2025-03-19T08:09:44.926785+00:00 6ffc69528090 pluto[1397]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm, aes_gcm_c
2025-03-19T08:09:44.926792+00:00 6ffc69528090 pluto[1397]: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm_b
2025-03-19T08:09:44.926799+00:00 6ffc69528090 pluto[1397]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(AEAD) aes_gcm_a
2025-03-19T08:09:44.926806+00:00 6ffc69528090 pluto[1397]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
2025-03-19T08:09:44.926813+00:00 6ffc69528090 pluto[1397]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
2025-03-19T08:09:44.926820+00:00 6ffc69528090 pluto[1397]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
2025-03-19T08:09:44.926827+00:00 6ffc69528090 pluto[1397]: NULL [] IKEv1: ESP IKEv2: ESP NULL
2025-03-19T08:09:44.926834+00:00 6ffc69528090 pluto[1397]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
2025-03-19T08:09:44.926839+00:00 6ffc69528090 pluto[1397]: Hash algorithms:
2025-03-19T08:09:44.926845+00:00 6ffc69528090 pluto[1397]: MD5 IKEv1: IKE IKEv2: NSS
2025-03-19T08:09:44.926851+00:00 6ffc69528090 pluto[1397]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
2025-03-19T08:09:44.926858+00:00 6ffc69528090 pluto[1397]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
2025-03-19T08:09:44.926867+00:00 6ffc69528090 pluto[1397]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
2025-03-19T08:09:44.926876+00:00 6ffc69528090 pluto[1397]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
2025-03-19T08:09:44.926885+00:00 6ffc69528090 pluto[1397]: IDENTITY IKEv1: IKEv2: FIPS
2025-03-19T08:09:44.926892+00:00 6ffc69528090 pluto[1397]: PRF algorithms:
2025-03-19T08:09:44.926902+00:00 6ffc69528090 pluto[1397]: HMAC_MD5 IKEv1: IKE IKEv2: IKE NSS md5
2025-03-19T08:09:44.926909+00:00 6ffc69528090 pluto[1397]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
2025-03-19T08:09:44.926916+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
2025-03-19T08:09:44.926922+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
2025-03-19T08:09:44.926929+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
2025-03-19T08:09:44.926935+00:00 6ffc69528090 pluto[1397]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
2025-03-19T08:09:44.926940+00:00 6ffc69528090 pluto[1397]: Integrity algorithms:
2025-03-19T08:09:44.926947+00:00 6ffc69528090 pluto[1397]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS md5, hmac_md5
2025-03-19T08:09:44.926954+00:00 6ffc69528090 pluto[1397]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
2025-03-19T08:09:44.926962+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
2025-03-19T08:09:44.926969+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
2025-03-19T08:09:44.926977+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2025-03-19T08:09:44.926983+00:00 6ffc69528090 pluto[1397]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
2025-03-19T08:09:44.926990+00:00 6ffc69528090 pluto[1397]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2025-03-19T08:09:44.927004+00:00 6ffc69528090 pluto[1397]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
2025-03-19T08:09:44.927014+00:00 6ffc69528090 pluto[1397]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
2025-03-19T08:09:44.927032+00:00 6ffc69528090 pluto[1397]: DH algorithms:
2025-03-19T08:09:44.927044+00:00 6ffc69528090 pluto[1397]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
2025-03-19T08:09:44.927051+00:00 6ffc69528090 pluto[1397]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
2025-03-19T08:09:44.927057+00:00 6ffc69528090 pluto[1397]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
2025-03-19T08:09:44.927077+00:00 6ffc69528090 pluto[1397]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
2025-03-19T08:09:44.927084+00:00 6ffc69528090 pluto[1397]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
2025-03-19T08:09:44.927097+00:00 6ffc69528090 pluto[1397]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
2025-03-19T08:09:44.927103+00:00 6ffc69528090 pluto[1397]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
2025-03-19T08:09:44.927123+00:00 6ffc69528090 pluto[1397]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
2025-03-19T08:09:44.927133+00:00 6ffc69528090 pluto[1397]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
2025-03-19T08:09:44.927139+00:00 6ffc69528090 pluto[1397]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
2025-03-19T08:09:44.927156+00:00 6ffc69528090 pluto[1397]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
2025-03-19T08:09:44.927163+00:00 6ffc69528090 pluto[1397]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
2025-03-19T08:09:44.927205+00:00 6ffc69528090 pluto[1397]: IPCOMP algorithms:
2025-03-19T08:09:44.927213+00:00 6ffc69528090 pluto[1397]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
2025-03-19T08:09:44.927230+00:00 6ffc69528090 pluto[1397]: LZS IKEv1: IKEv2: ESP AH FIPS
2025-03-19T08:09:44.927244+00:00 6ffc69528090 pluto[1397]: LZJH IKEv1: IKEv2: ESP AH FIPS
2025-03-19T08:09:44.927250+00:00 6ffc69528090 pluto[1397]: testing CAMELLIA_CBC:
2025-03-19T08:09:44.927267+00:00 6ffc69528090 pluto[1397]: Camellia: 16 bytes with 128-bit key
2025-03-19T08:09:44.927356+00:00 6ffc69528090 pluto[1397]: Camellia: 16 bytes with 128-bit key
2025-03-19T08:09:44.927409+00:00 6ffc69528090 pluto[1397]: Camellia: 16 bytes with 256-bit key
2025-03-19T08:09:44.927444+00:00 6ffc69528090 pluto[1397]: Camellia: 16 bytes with 256-bit key
2025-03-19T08:09:44.927472+00:00 6ffc69528090 pluto[1397]: testing AES_GCM_16:
2025-03-19T08:09:44.927478+00:00 6ffc69528090 pluto[1397]: empty string
2025-03-19T08:09:44.927515+00:00 6ffc69528090 pluto[1397]: one block
2025-03-19T08:09:44.927547+00:00 6ffc69528090 pluto[1397]: two blocks
2025-03-19T08:09:44.927575+00:00 6ffc69528090 pluto[1397]: two blocks with associated data
2025-03-19T08:09:44.927614+00:00 6ffc69528090 pluto[1397]: testing AES_CTR:
2025-03-19T08:09:44.927627+00:00 6ffc69528090 pluto[1397]: Encrypting 16 octets using AES-CTR with 128-bit key
2025-03-19T08:09:44.927668+00:00 6ffc69528090 pluto[1397]: Encrypting 32 octets using AES-CTR with 128-bit key
2025-03-19T08:09:44.927699+00:00 6ffc69528090 pluto[1397]: Encrypting 36 octets using AES-CTR with 128-bit key
2025-03-19T08:09:44.927730+00:00 6ffc69528090 pluto[1397]: Encrypting 16 octets using AES-CTR with 192-bit key
2025-03-19T08:09:44.927759+00:00 6ffc69528090 pluto[1397]: Encrypting 32 octets using AES-CTR with 192-bit key
2025-03-19T08:09:44.927788+00:00 6ffc69528090 pluto[1397]: Encrypting 36 octets using AES-CTR with 192-bit key
2025-03-19T08:09:44.927818+00:00 6ffc69528090 pluto[1397]: Encrypting 16 octets using AES-CTR with 256-bit key
2025-03-19T08:09:44.927847+00:00 6ffc69528090 pluto[1397]: Encrypting 32 octets using AES-CTR with 256-bit key
2025-03-19T08:09:44.927877+00:00 6ffc69528090 pluto[1397]: Encrypting 36 octets using AES-CTR with 256-bit key
2025-03-19T08:09:44.927911+00:00 6ffc69528090 pluto[1397]: testing AES_CBC:
2025-03-19T08:09:44.927919+00:00 6ffc69528090 pluto[1397]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2025-03-19T08:09:44.927947+00:00 6ffc69528090 pluto[1397]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2025-03-19T08:09:44.927982+00:00 6ffc69528090 pluto[1397]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2025-03-19T08:09:44.928013+00:00 6ffc69528090 pluto[1397]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2025-03-19T08:09:44.928049+00:00 6ffc69528090 pluto[1397]: testing AES_XCBC:
2025-03-19T08:09:44.928057+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2025-03-19T08:09:44.928203+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2025-03-19T08:09:44.928337+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2025-03-19T08:09:44.928515+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2025-03-19T08:09:44.928713+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2025-03-19T08:09:44.928886+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2025-03-19T08:09:44.929050+00:00 6ffc69528090 pluto[1397]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2025-03-19T08:09:44.929389+00:00 6ffc69528090 pluto[1397]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2025-03-19T08:09:44.929560+00:00 6ffc69528090 pluto[1397]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2025-03-19T08:09:44.929719+00:00 6ffc69528090 pluto[1397]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2025-03-19T08:09:44.930044+00:00 6ffc69528090 pluto[1397]: testing HMAC_MD5:
2025-03-19T08:09:44.930055+00:00 6ffc69528090 pluto[1397]: RFC 2104: MD5_HMAC test 1
2025-03-19T08:09:44.930209+00:00 6ffc69528090 pluto[1397]: RFC 2104: MD5_HMAC test 2
2025-03-19T08:09:44.930328+00:00 6ffc69528090 pluto[1397]: RFC 2104: MD5_HMAC test 3
2025-03-19T08:09:44.930474+00:00 6ffc69528090 pluto[1397]: testing HMAC_SHA1:
2025-03-19T08:09:44.930483+00:00 6ffc69528090 pluto[1397]: CAVP: IKEv2 key derivation with HMAC-SHA1
2025-03-19T08:09:44.930895+00:00 6ffc69528090 pluto[1397]: 2 CPU cores online
2025-03-19T08:09:44.930909+00:00 6ffc69528090 pluto[1397]: starting up 2 helper threads
2025-03-19T08:09:44.930988+00:00 6ffc69528090 pluto[1397]: started thread for helper 0
2025-03-19T08:09:44.931031+00:00 6ffc69528090 pluto[1397]: helper(1): seccomp security for helper not supported
2025-03-19T08:09:44.931073+00:00 6ffc69528090 pluto[1397]: helper(2): seccomp security for helper not supported
2025-03-19T08:09:44.931102+00:00 6ffc69528090 pluto[1397]: started thread for helper 1
2025-03-19T08:09:44.931114+00:00 6ffc69528090 pluto[1397]: using Linux xfrm kernel support code on #1 SMP Tue Jun 25 12:23:41 UTC 2019
2025-03-19T08:09:44.931496+00:00 6ffc69528090 pluto[1397]: kernel: directional SA supported by kernel
2025-03-19T08:09:44.931515+00:00 6ffc69528090 pluto[1397]: kernel: IPTFS ipsec SA error: requires option CONFIG_XFRM_IPTFS
2025-03-19T08:09:44.931544+00:00 6ffc69528090 pluto[1397]: kernel: MIGRATE SA supported by kernel
2025-03-19T08:09:44.931897+00:00 6ffc69528090 pluto[1397]: seccomp security not supported
2025-03-19T08:09:44.933056+00:00 6ffc69528090 pluto[1397]: addconn: ipsec addconn: /etc/ipsec.conf:19: warning: obsolete keyword ignored: dpdaction=clear
2025-03-19T08:09:44.933072+00:00 6ffc69528090 pluto[1397]: addconn: ipsec addconn: /etc/ipsec.d/ikev2.conf:16: warning: obsolete keyword ignored: dpdaction=clear
2025-03-19T08:09:44.933077+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:44.933184+00:00 6ffc69528090 pluto[1397]: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-03-19T08:09:44.933350+00:00 6ffc69528090 pluto[1397]: "l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-03-19T08:09:44.933390+00:00 6ffc69528090 pluto[1397]: "l2tp-psk": added IKEv1 connection
2025-03-19T08:09:44.933432+00:00 6ffc69528090 pluto[1397]: addconn: "l2tp-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-03-19T08:09:44.933443+00:00 6ffc69528090 pluto[1397]: addconn: "l2tp-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-03-19T08:09:44.933449+00:00 6ffc69528090 pluto[1397]: addconn: "l2tp-psk": added IKEv1 connection
2025-03-19T08:09:44.933454+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:44.933584+00:00 6ffc69528090 pluto[1397]: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-03-19T08:09:44.933724+00:00 6ffc69528090 pluto[1397]: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-03-19T08:09:44.933753+00:00 6ffc69528090 pluto[1397]: "xauth-psk": added IKEv1 connection
2025-03-19T08:09:44.933802+00:00 6ffc69528090 pluto[1397]: addconn: "xauth-psk": ikev2=no has been replaced by keyexchange=ikev1
2025-03-19T08:09:44.933818+00:00 6ffc69528090 pluto[1397]: addconn: "xauth-psk": warning: keyingtries=5 ignored, UP connection will attempt to establish until marked DOWN
2025-03-19T08:09:44.933824+00:00 6ffc69528090 pluto[1397]: addconn: "xauth-psk": added IKEv1 connection
2025-03-19T08:09:44.933829+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:44.938742+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": loaded private key matching left certificate '43.153.171.136'
2025-03-19T08:09:44.938767+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2
2025-03-19T08:09:44.938900+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": IKE SA proposals (connection add):
2025-03-19T08:09:44.938955+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256
2025-03-19T08:09:44.938969+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-03-19T08:09:44.938980+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 3:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-03-19T08:09:44.938991+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 4:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-03-19T08:09:44.938997+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 5:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
2025-03-19T08:09:44.939071+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": Child SA proposals (connection add):
2025-03-19T08:09:44.939082+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO
2025-03-19T08:09:44.939088+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ESN:YES+NO
2025-03-19T08:09:44.939094+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ESN:YES+NO
2025-03-19T08:09:44.939099+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2025-03-19T08:09:44.939105+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2025-03-19T08:09:44.939148+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": added IKEv2 connection
2025-03-19T08:09:44.939212+00:00 6ffc69528090 pluto[1397]: addconn: "ikev2-cp": ikev2=yes has been replaced by keyexchange=ikev2
2025-03-19T08:09:44.939220+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:44.939228+00:00 6ffc69528090 pluto[1397]: addconn: "ikev2-cp": added IKEv2 connection
2025-03-19T08:09:44.939233+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:44.939313+00:00 6ffc69528090 pluto[1397]: listening for IKE messages
2025-03-19T08:09:44.939387+00:00 6ffc69528090 pluto[1397]: Kernel supports NIC esp-hw-offload
2025-03-19T08:09:44.939495+00:00 6ffc69528090 pluto[1397]: adding interface eth0 172.17.0.4:UDP/500
2025-03-19T08:09:44.939521+00:00 6ffc69528090 pluto[1397]: adding interface eth0 172.17.0.4:UDP/4500 (NAT)
2025-03-19T08:09:44.939545+00:00 6ffc69528090 pluto[1397]: adding interface lo 127.0.0.1:UDP/500
2025-03-19T08:09:44.939565+00:00 6ffc69528090 pluto[1397]: adding interface lo 127.0.0.1:UDP/4500 (NAT)
2025-03-19T08:09:44.939590+00:00 6ffc69528090 pluto[1397]: adding interface lo [::1]:UDP/500
2025-03-19T08:09:44.939612+00:00 6ffc69528090 pluto[1397]: adding interface lo [::1]:UDP/4500 (NAT)
2025-03-19T08:09:44.939642+00:00 6ffc69528090 pluto[1397]: "l2tp-psk": oriented IKEv1 connection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.939671+00:00 6ffc69528090 pluto[1397]: "xauth-psk": oriented IKEv1 connection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.939693+00:00 6ffc69528090 pluto[1397]: "ikev2-cp": oriented IKEv2 connection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.939719+00:00 6ffc69528090 pluto[1397]: forgetting secrets
2025-03-19T08:09:44.940353+00:00 6ffc69528090 pluto[1397]: loading secrets from "/etc/ipsec.secrets"
2025-03-19T08:09:44.940401+00:00 6ffc69528090 pluto[1397]: addconn: listening for IKE messages
2025-03-19T08:09:44.940414+00:00 6ffc69528090 pluto[1397]: addconn: Kernel supports NIC esp-hw-offload
2025-03-19T08:09:44.940423+00:00 6ffc69528090 pluto[1397]: addconn: adding interface eth0 172.17.0.4:UDP/500
2025-03-19T08:09:44.940432+00:00 6ffc69528090 pluto[1397]: addconn: adding interface eth0 172.17.0.4:UDP/4500 (NAT)
2025-03-19T08:09:44.940440+00:00 6ffc69528090 pluto[1397]: addconn: adding interface lo 127.0.0.1:UDP/500
2025-03-19T08:09:44.940446+00:00 6ffc69528090 pluto[1397]: addconn: adding interface lo 127.0.0.1:UDP/4500 (NAT)
2025-03-19T08:09:44.940452+00:00 6ffc69528090 pluto[1397]: addconn: adding interface lo [::1]:UDP/500
2025-03-19T08:09:44.940458+00:00 6ffc69528090 pluto[1397]: addconn: adding interface lo [::1]:UDP/4500 (NAT)
2025-03-19T08:09:44.940466+00:00 6ffc69528090 pluto[1397]: addconn: "l2tp-psk": oriented IKEv1 connection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.940473+00:00 6ffc69528090 pluto[1397]: addconn: "xauth-psk": oriented IKEv1 connection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.940479+00:00 6ffc69528090 pluto[1397]: addconn: "ikev2-cp": oriented IKEv2 con
2025-03-19T08:09:44.940581+00:00 6ffc69528090 pluto[1397]: addconn: nection (local: left=172.17.0.4 remote: right=0.0.0.0)
2025-03-19T08:09:44.940587+00:00 6ffc69528090 pluto[1397]: addconn: forgetting secrets
2025-03-19T08:09:44.940594+00:00 6ffc69528090 pluto[1397]: addconn: loading secrets from "/etc/ipsec.secrets"
2025-03-19T08:09:44.940599+00:00 6ffc69528090 pluto[1397]: addconn:
2025-03-19T08:09:45.739365+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=220.196.194.64 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:09:45.739388+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:09:45.739401+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:09:45.739413+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:09:45.739421+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:09:45.739439+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:09:45.739453+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:09:45.739468+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:09:45.739552+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:09:45.739564+00:00 6ffc69528090 pluto[1397]: | connection $4 clonedfrom $3: "ikev2-cp"[1] 220.196.194.64
2025-03-19T08:09:45.739576+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->220.196.194.64
2025-03-19T08:09:45.744203+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:09:45.744255+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:09:45.744275+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:09:45.744437+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:09:45.744456+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:09:45.744619+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: processing IKE_SA_INIT request from 220.196.194.64:UDP/42200 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:09:45.744759+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:09:45.744776+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting DH31
2025-03-19T08:09:45.744805+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: responding to IKE_SA_INIT message (ID 0) from 220.196.194.64:42200 with unencrypted notification INVALID_KE_PAYLOAD
2025-03-19T08:09:45.744823+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: encountered fatal error in state UNSECURED_R
2025-03-19T08:09:45.744913+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64 #1: deleting IKE SA (larval unsecured IKE SA responder)
2025-03-19T08:09:45.744952+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[1] 220.196.194.64: deleting connection instance with peer 220.196.194.64
2025-03-19T08:09:45.920354+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=220.196.194.64 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:09:45.920372+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:09:45.920385+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:09:45.920396+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:09:45.920405+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:09:45.920421+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:09:45.920436+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:09:45.920454+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:09:45.920533+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:09:45.920549+00:00 6ffc69528090 pluto[1397]: | connection $5 clonedfrom $3: "ikev2-cp"[2] 220.196.194.64
2025-03-19T08:09:45.920560+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->220.196.194.64
2025-03-19T08:09:45.920572+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:09:45.920583+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:09:45.920597+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:09:45.920614+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:09:45.920627+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:09:45.920727+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: processing IKE_SA_INIT request from 220.196.194.64:UDP/33989 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:09:45.920813+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:09:45.922602+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: sent IKE_SA_INIT response to 220.196.194.64:UDP/33989 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH31}
2025-03-19T08:09:46.120741+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: received IKE_AUTH request fragment 1 (1 of 2), computing DH in the background
2025-03-19T08:09:46.121409+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: processing decrypted IKE_AUTH request from 220.196.194.64:UDP/38996 containing SK{IDi,IDr,N(MOBIKE_SUPPORTED),CERT,AUTH,SA,TSi,TSr,CP}
2025-03-19T08:09:46.122412+00:00 6ffc69528090 pluto[1397]: adding the CA+root cert O=IKEv2 VPN,CN=IKEv2 VPN CA
2025-03-19T08:09:46.127741+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: reloaded private key matching left certificate '43.153.171.136'
2025-03-19T08:09:46.128068+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: responder established IKE SA; authenticated peer certificate 'CN=vpnclient, O=IKEv2 VPN' and 3072-bit PKCS#1 1.5 RSA with SHA2_512 digital signature issued by 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2025-03-19T08:09:46.143397+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #3: pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
2025-03-19T08:09:46.143485+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #3: proposal 2:ESP=AES_GCM_16_128-ESN:NO SPI=3f5b915e chosen from remote proposals 1:ESP:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;ESN=NO[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;ESN=NO[better-match]
2025-03-19T08:09:46.169247+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0/0===192.168.43.10/32] {ESPinUDP=>0x3f5b915e <0xe570f844 xfrm=AES_GCM_16_128-NONE NATD=220.196.194.64:38996 DPD=active}
2025-03-19T08:12:10.047099+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #3: ESP traffic information: in=32KiB out=0B
2025-03-19T08:12:10.047318+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64 #2: deleting IKE SA (established IKE SA)
2025-03-19T08:12:10.047433+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[2] 220.196.194.64: deleting connection instance with peer 220.196.194.64
2025-03-19T08:12:12.644211+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=220.196.194.64 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:12:12.644225+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:12:12.644233+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:12:12.644240+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:12:12.644247+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:12:12.644258+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:12:12.644268+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:12:12.644278+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:12:12.644318+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:12:12.644326+00:00 6ffc69528090 pluto[1397]: | connection $6 clonedfrom $3: "ikev2-cp"[3] 220.196.194.64
2025-03-19T08:12:12.644333+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->220.196.194.64
2025-03-19T08:12:12.644339+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:12:12.644344+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:12:12.644353+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:12:12.644361+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:12:12.644368+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:12:12.644461+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: processing IKE_SA_INIT request from 220.196.194.64:UDP/42202 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:12:12.644531+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:12:12.644543+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting DH31
2025-03-19T08:12:12.644557+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: responding to IKE_SA_INIT message (ID 0) from 220.196.194.64:42202 with unencrypted notification INVALID_KE_PAYLOAD
2025-03-19T08:12:12.644567+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: encountered fatal error in state UNSECURED_R
2025-03-19T08:12:12.644654+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64 #4: deleting IKE SA (larval unsecured IKE SA responder)
2025-03-19T08:12:12.644687+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[3] 220.196.194.64: deleting connection instance with peer 220.196.194.64
2025-03-19T08:12:12.816615+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=220.196.194.64 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:12:12.816628+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:12:12.816637+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:12:12.816645+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:12:12.816651+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:12:12.816662+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:12:12.816671+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:12:12.816683+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:12:12.816719+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:12:12.816730+00:00 6ffc69528090 pluto[1397]: | connection $7 clonedfrom $3: "ikev2-cp"[4] 220.196.194.64
2025-03-19T08:12:12.816737+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->220.196.194.64
2025-03-19T08:12:12.816743+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:12:12.816749+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:12:12.816760+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:12:12.816769+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:12:12.816776+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:12:12.816859+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: processing IKE_SA_INIT request from 220.196.194.64:UDP/33991 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:12:12.816919+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:12:12.817686+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: sent IKE_SA_INIT response to 220.196.194.64:UDP/33991 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH31}
2025-03-19T08:12:13.026684+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: received IKE_AUTH request fragment 1 (1 of 2), computing DH in the background
2025-03-19T08:12:13.035497+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: processing decrypted IKE_AUTH request from 220.196.194.64:UDP/38999 containing SK{IDi,IDr,N(MOBIKE_SUPPORTED),CERT,AUTH,SA,TSi,TSr,CP}
2025-03-19T08:12:13.036912+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: responder established IKE SA; authenticated peer certificate 'CN=vpnclient, O=IKEv2 VPN' and 3072-bit PKCS#1 1.5 RSA with SHA2_512 digital signature issued by 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2025-03-19T08:12:13.045726+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #6: proposal 2:ESP=AES_GCM_16_128-ESN:NO SPI=610e24d7 chosen from remote proposals 1:ESP:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;ESN=NO[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;ESN=NO[better-match]
2025-03-19T08:12:13.068559+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #6: responder established Child SA using #5; IPsec tunnel [0.0.0.0/0===192.168.43.10/32] {ESPinUDP=>0x610e24d7 <0xc3d7400a xfrm=AES_GCM_16_128-NONE NATD=220.196.194.64:38999 DPD=active}
2025-03-19T08:17:13.043798+00:00 6ffc69528090 pluto[1397]: freeing root certificate cache
2025-03-19T08:30:19.039302+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #6: ESP traffic information: in=144KiB out=0B
2025-03-19T08:30:19.039410+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64 #5: deleting IKE SA (established IKE SA)
2025-03-19T08:30:19.039495+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[4] 220.196.194.64: deleting connection instance with peer 220.196.194.64
2025-03-19T08:30:25.664368+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=218.189.87.178 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:30:25.664381+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:30:25.664389+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:30:25.664396+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:30:25.664403+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:30:25.664414+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:30:25.664429+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:30:25.664440+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:30:25.664476+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:30:25.664484+00:00 6ffc69528090 pluto[1397]: | connection $8 clonedfrom $3: "ikev2-cp"[5] 218.189.87.178
2025-03-19T08:30:25.664491+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->218.189.87.178
2025-03-19T08:30:25.664653+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:30:25.664664+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:30:25.664673+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:30:25.664681+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:30:25.664689+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:30:25.664795+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: processing IKE_SA_INIT request from 218.189.87.178:UDP/18202 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:30:25.664863+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:30:25.664875+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting DH31
2025-03-19T08:30:25.664888+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: responding to IKE_SA_INIT message (ID 0) from 218.189.87.178:18202 with unencrypted notification INVALID_KE_PAYLOAD
2025-03-19T08:30:25.664899+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: encountered fatal error in state UNSECURED_R
2025-03-19T08:30:25.664983+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178 #7: deleting IKE SA (larval unsecured IKE SA responder)
2025-03-19T08:30:25.665106+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[5] 218.189.87.178: deleting connection instance with peer 218.189.87.178
2025-03-19T08:30:25.803328+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: remote=218.189.87.178 id= kind=TEMPLATE sec_label= (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:30:25.803346+00:00 6ffc69528090 pluto[1397]: | connection $3: "ikev2-cp"
2025-03-19T08:30:25.803358+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->0.0.0.0
2025-03-19T08:30:25.803369+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:30:25.803468+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED TEMPLATE
2025-03-19T08:30:25.803487+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:30:25.803503+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:30:25.803520+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:30:25.803578+00:00 6ffc69528090 pluto[1397]: | rw_responder_instantiate: from "ikev2-cp" (find_v2_unset_peer_connection() +385 programs/pluto/ikev2_host_pair.c)
2025-03-19T08:30:25.803638+00:00 6ffc69528090 pluto[1397]: | connection $9 clonedfrom $3: "ikev2-cp"[6] 218.189.87.178
2025-03-19T08:30:25.803650+00:00 6ffc69528090 pluto[1397]: | host: 172.17.0.4->218.189.87.178
2025-03-19T08:30:25.803917+00:00 6ffc69528090 pluto[1397]: | id: 43.153.171.136 -> %fromcert
2025-03-19T08:30:25.803935+00:00 6ffc69528090 pluto[1397]: | routing+kind: UNROUTED INSTANCE
2025-03-19T08:30:25.803951+00:00 6ffc69528090 pluto[1397]: | selectors: 0.0.0.0/0 -> 192.168.43.10-192.168.43.250 ->; lease: -> ->
2025-03-19T08:30:25.803966+00:00 6ffc69528090 pluto[1397]: | spds: 0.0.0.0/0===192.168.43.10-192.168.43.250
2025-03-19T08:30:25.803978+00:00 6ffc69528090 pluto[1397]: | policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES
2025-03-19T08:30:25.804107+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: processing IKE_SA_INIT request from 218.189.87.178:UDP/18205 containing SA,KE,Ni,N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS)
2025-03-19T08:30:25.804225+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-CURVE25519 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
2025-03-19T08:30:25.805081+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: sent IKE_SA_INIT response to 218.189.87.178:UDP/18205 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH31}
2025-03-19T08:30:26.133966+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: received IKE_AUTH request fragment 1 (1 of 2), computing DH in the background
2025-03-19T08:30:26.134533+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: processing decrypted IKE_AUTH request from 218.189.87.178:UDP/18212 containing SK{IDi,IDr,N(MOBIKE_SUPPORTED),CERT,AUTH,SA,TSi,TSr,CP}
2025-03-19T08:30:26.134881+00:00 6ffc69528090 pluto[1397]: adding the CA+root cert O=IKEv2 VPN,CN=IKEv2 VPN CA
2025-03-19T08:30:26.136390+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: responder established IKE SA; authenticated peer certificate 'CN=vpnclient, O=IKEv2 VPN' and 3072-bit PKCS#1 1.5 RSA with SHA2_512 digital signature issued by 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2025-03-19T08:30:26.144898+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #9: proposal 2:ESP=AES_GCM_16_128-ESN:NO SPI=57cd6280 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;ENCR=AES_CBC_192;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;ESN=NO[first-match] 2:ESP:ENCR=AES_GCM_16_256;ENCR=AES_GCM_12_256;ENCR=AES_GCM_8_256;ENCR=AES_GCM_16_192;ENCR=AES_GCM_12_192;ENCR=AES_GCM_8_192;ENCR=AES_GCM_16_128;ENCR=AES_GCM_12_128;ENCR=AES_GCM_8_128;ESN=NO[better-match]
2025-03-19T08:30:26.171452+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #9: responder established Child SA using #8; IPsec tunnel [0.0.0.0/0===192.168.43.10/32] {ESPinUDP=>0x57cd6280 <0x93442d8c xfrm=AES_GCM_16_128-NONE NATD=218.189.87.178:18212 DPD=active}
2025-03-19T08:34:27.135537+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
2025-03-19T08:34:28.142110+00:00 6ffc69528090 pluto[1397]: "ikev2-cp"[6] 218.189.87.178 #8: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
2025-03-19T08:35:26.137247+00:00 6ffc69528090 pluto[1397]: freeing root certificate cache
@HeftyL commented on GitHub (Mar 19, 2025):
#4 IPsec VPN server status
[root@VM-0-14-centos ~]# docker exec -it ipsec-vpn-server ipsec status
using kernel interface: xfrm
interface lo [::1]:UDP/4500 (NAT)
interface lo [::1]:UDP/500
interface lo 127.0.0.1:UDP/4500 (NAT)
interface lo 127.0.0.1:UDP/500
interface eth0 172.17.0.4:UDP/4500 (NAT)
interface eth0 172.17.0.4:UDP/500
fips mode=disabled;
SElinux=disabled
seccomp=unsupported
config setup options:
configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
pluto_version=5.2, pluto_vendorid=OE-Libreswan-5.2
nhelpers=-1, uniqueids=no, dnssec-enable=no, shuntlifetime=900s, xfrmlifetime=30s
logfile='', logappend=yes, logip=yes, audit-log=yes
ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=, nflog-all=0
ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
ocsp-trust-name=
ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
global-redirect=no, global-redirect-to=
debug:
nat-traversal: keep-alive=20, nat-ikeport=4500
virtual-private (%priv):
Kernel algorithms supported:
algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
algorithm AH/ESP auth: name=NONE, key-length=0
IKE algorithms supported:
algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_16, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_12, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_8, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
algorithm IKE PRF: name=HMAC_MD5, hashlen=16
algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
algorithm IKE PRF: name=AES_XCBC, hashlen=16
algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
algorithm IKE DH Key Exchange: name=DH19, bits=512
algorithm IKE DH Key Exchange: name=DH20, bits=768
algorithm IKE DH Key Exchange: name=DH21, bits=1056
algorithm IKE DH Key Exchange: name=DH31, bits=256
stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Connection list:
"ikev2-cp": 0.0.0.0/0===172.17.0.4[43.153.171.136,MS+S=C]---172.17.0.1...%any[%fromcert,+MC+S=C]==={192.168.43.10-192.168.43.250}; unrouted; my_ip=unset; their_ip=unset;
"ikev2-cp": host: oriented; local: 172.17.0.4; remote: %any;
"ikev2-cp": mycert=43.153.171.136; my_updown=ipsec _updown;
"ikev2-cp": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
"ikev2-cp": our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
"ikev2-cp": modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
"ikev2-cp": sec_label:unset;
"ikev2-cp": CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
"ikev2-cp": ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"ikev2-cp": iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"ikev2-cp": retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
"ikev2-cp": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"ikev2-cp": policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES;
"ikev2-cp": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
"ikev2-cp": conn_prio: 0,0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"ikev2-cp": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"ikev2-cp": our idtype: ID_IPV4_ADDR; our id=43.153.171.136; their idtype: %fromcert; their id=%fromcert
"ikev2-cp": liveness: active; dpddelay:30s; retransmit-timeout:300s
"ikev2-cp": nat-traversal: encapsulation:yes; keepalive:20s
"ikev2-cp": routing: unrouted;
"ikev2-cp": conn serial: $3;
"ikev2-cp": IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-DH19, AES_CBC_256-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_256-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192
"ikev2-cp": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
"ikev2-cp"[6]: 0.0.0.0/0===172.17.0.4[43.153.171.136,MS+S=C]---172.17.0.1...218.189.87.178[CN=vpnclient, O=IKEv2 VPN,+MC+S=C]==={192.168.43.10/32}; routed-tunnel; my_ip=unset; their_ip=192.168.43.10;
"ikev2-cp"[6]: host: oriented; local: 172.17.0.4; remote: 218.189.87.178; established IKE SA: #8;
"ikev2-cp"[6]: mycert=43.153.171.136; my_updown=ipsec _updown;
"ikev2-cp"[6]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
"ikev2-cp"[6]: our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
"ikev2-cp"[6]: modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
"ikev2-cp"[6]: sec_label:unset;
"ikev2-cp"[6]: CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
"ikev2-cp"[6]: ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"ikev2-cp"[6]: iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"ikev2-cp"[6]: retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
"ikev2-cp"[6]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"ikev2-cp"[6]: policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES;
"ikev2-cp"[6]: v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
"ikev2-cp"[6]: conn_prio: 0,32,1; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"ikev2-cp"[6]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"ikev2-cp"[6]: our idtype: ID_IPV4_ADDR; our id=43.153.171.136; their idtype: ID_DER_ASN1_DN; their id=CN=vpnclient, O=IKEv2 VPN
"ikev2-cp"[6]: liveness: active; dpddelay:30s; retransmit-timeout:300s
"ikev2-cp"[6]: nat-traversal: encapsulation:yes; keepalive:20s
"ikev2-cp"[6]: routing: routed-tunnel; owner: Child SA #9; established IKE SA: #8; established Child SA: #9;
"ikev2-cp"[6]: conn serial: $9, instantiated from: $3;
"ikev2-cp"[6]: IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-DH19, AES_CBC_256-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_256-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192
"ikev2-cp"[6]: IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_256-DH31
"ikev2-cp"[6]: ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
"ikev2-cp"[6]: ESP algorithm newest: AES_GCM_16_128-NONE; pfsgroup=<N/A>
"l2tp-psk": 172.17.0.4/32/UDP/1701===172.17.0.4[43.153.171.136]---172.17.0.1...%any; unrouted; my_ip=unset; their_ip=unset;
"l2tp-psk": host: oriented; local: 172.17.0.4; remote: %any;
"l2tp-psk": my_updown=ipsec _updown;
"l2tp-psk": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
"l2tp-psk": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
"l2tp-psk": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
"l2tp-psk": sec_label:unset;
"l2tp-psk": ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"l2tp-psk": iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"l2tp-psk": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
"l2tp-psk": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"l2tp-psk": policy: IKEv1+PSK+ENCRYPT+TRANSPORT+DONT_REKEY+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"l2tp-psk": conn_prio: 32,0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"l2tp-psk": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"l2tp-psk": our idtype: ID_IPV4_ADDR; our id=43.153.171.136; their idtype: %none; their id=(none)
"l2tp-psk": dpd: active; delay:30s; timeout:300s
"l2tp-psk": nat-traversal: encapsulation:yes; keepalive:20s; ikev1-method:rfc+drafts
"l2tp-psk": routing: unrouted;
"l2tp-psk": conn serial: $1;
"l2tp-psk": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
"l2tp-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
"xauth-psk": 0.0.0.0/0===172.17.0.4[43.153.171.136,MS+XS+S=C]---172.17.0.1...%any[+MC+XC+S=C]==={192.168.43.10-192.168.43.250}; unrouted; my_ip=unset; their_ip=unset;
"xauth-psk": host: oriented; local: 172.17.0.4; remote: %any;
"xauth-psk": my_updown=ipsec _updown;
"xauth-psk": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
"xauth-psk": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
"xauth-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
"xauth-psk": sec_label:unset;
"xauth-psk": ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"xauth-psk": iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"xauth-psk": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
"xauth-psk": initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"xauth-psk": policy: IKEv1+PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"xauth-psk": conn_prio: 0,0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"xauth-psk": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"xauth-psk": our idtype: ID_IPV4_ADDR; our id=43.153.171.136; their idtype: %none; their id=(none)
"xauth-psk": dpd: active; delay:30s; timeout:300s
"xauth-psk": nat-traversal: encapsulation:yes; keepalive:20s; ikev1-method:rfc+drafts
"xauth-psk": routing: unrouted;
"xauth-psk": conn serial: $2;
"xauth-psk": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
"xauth-psk": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
Total IPsec connections: loaded 4, active 1
State Information: DDoS cookies not required, Accepting new IKE connections
IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
IPsec SAs: total(1), authenticated(1), anonymous(0)
#8: "ikev2-cp"[6] 218.189.87.178:18212 ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 85196s; newest; idle;
#9: "ikev2-cp"[6] 218.189.87.178:18212 ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 26s; EXPIRE in 85196s; newest; eroute owner; IKE SA #8; idle;
#9: "ikev2-cp"[6] 218.189.87.178 esp.57cd6280@218.189.87.178 esp.93442d8c@172.17.0.4 tun.0@218.189.87.178 tun.0@172.17.0.4 Traffic: ESPin=44KB ESPout=0B ESPmax=2^63B
Bare Shunt list:
@HeftyL commented on GitHub (Mar 19, 2025):
#5 Established VPN connections
[root@VM-0-14-centos ~]# docker exec -it ipsec-vpn-server ipsec trafficstatus
#9: "ikev2-cp"[6] 218.189.87.178, type=ESP, add_time=1742373026, inBytes=72108, outBytes=0, maxBytes=2^63B, id='CN=vpnclient, O=IKEv2 VPN', lease=192.168.43.10/32
@HeftyL commented on GitHub (Mar 19, 2025):
#6 iptables rules inside the Docker container
[root@VM-0-14-centos ~]# docker exec -it ipsec-vpn-server bash
6ffc69528090:/opt/src# iptables -nvL; iptables -nvL -t nat
Chain INPUT (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol none
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
19507 5223K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
49 38871 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.43.0/24 ctstate RELATED,ESTABLISHED
9251 636K ACCEPT all -- * eth0 192.168.43.0/24 0.0.0.0/0
0 0 ACCEPT all -- * ppp+ 192.168.43.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 15 packets, 944 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.42.0/24 0.0.0.0/0
3448 222K MASQUERADE all -- * eth0 192.168.43.0/24 0.0.0.0/0 policy match dir out pol none
@hwdsl2 commented on GitHub (Mar 19, 2025):
@HeftyL Hello! Your Libreswan log and the IPTables rules inside the container look normal. The cause may be an MTU/MSS problem, or a problem with the IPTables rules on the host.
Please check whether the output of docker logs ipsec-vpn-server contains the following text. It looks like you have already added VPN_ANDROID_MTU_FIX=yes:
Applying fix for Android MTU/MSS issues...
If that text is not there, try recreating the Docker container. Changes to the env file only take effect after the container is recreated.
Another possibility is that the IPTables rules on the Docker host are blocking this traffic. You could try switching to Ubuntu or Debian, for example.
If you have new information, feel free to keep replying here.
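As an added example that is not part of this thread or of the hwdsl2 project's own tooling: a small POSIX shell script that applies the three checks discussed above, the "inBytes>0, outBytes=0" pattern in the trafficstatus output of comment #5, the FORWARD counters of comment #6 (9251 packets accepted from 192.168.43.0/24 towards eth0, none accepted back), and the "Applying fix for Android MTU/MSS issues..." line the reply asks to look for in docker logs. Each function reads saved command output from stdin, so it runs offline. The sample inputs are constructed from the values posted in this issue; the second SA (#12), the placeholder docker log lines and the function names are assumptions of the example, not output of the project.

```shell
#!/bin/sh
# Added example (not from the hwdsl2 project). Save the real output first, e.g.
#   docker exec ipsec-vpn-server ipsec trafficstatus   > ts.txt
#   docker exec ipsec-vpn-server iptables -nvL FORWARD > fwd.txt
#   docker logs ipsec-vpn-server                       > logs.txt
# then pipe each file into the matching function below.

# 1) Child SAs that received ESP traffic but never sent any back.
#    Prints "<sa> <peer>" for every SA with inBytes>0 and outBytes=0.
flag_one_way_sas() {
  awk '
    /type=ESP/ {
      in_b = 0; out_b = 0
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; sub(/,$/, "", v)
        if (kv[1] == "inBytes")  in_b  = v + 0
        if (kv[1] == "outBytes") out_b = v + 0
      }
      if (in_b > 0 && out_b == 0) {
        sa = $1;   sub(/:$/, "", sa)
        peer = $3; sub(/,$/, "", peer)
        print sa, peer
      }
    }'
}

# 2) FORWARD chain counters for the VPN client subnet: packets accepted from
#    the subnet out of eth0 versus packets accepted from eth0 back into it.
#    A large "out" with "back=0" means replies never reach the container
#    (host firewall/NAT or MTU trouble), which is not a Libreswan fault.
forward_return_counts() {
  awk -v net="$1" '
    $3 == "ACCEPT" && $7 == "eth0" && $8 == net { out  += $1 }
    $3 == "ACCEPT" && $6 == "eth0" && $9 == net { back += $1 }
    END { printf "out=%d back=%d\n", out, back }'
}

# 3) Was the Android MTU/MSS fix applied at container start-up? The line only
#    appears when VPN_ANDROID_MTU_FIX=yes was set when the container was created.
has_android_mtu_fix() {
  grep -q 'Applying fix for Android MTU/MSS issues'
}

# Constructed sample data. SA #9 and the FORWARD counters mirror the values
# posted in the issue; SA #12 and the log lines are assumptions.
SAMPLE_TRAFFICSTATUS=$(cat <<'EOF'
#9: "ikev2-cp"[6] 218.189.87.178, type=ESP, add_time=1742373026, inBytes=72108, outBytes=0, maxBytes=2^63B, id='CN=vpnclient, O=IKEv2 VPN', lease=192.168.43.10/32
#12: "ikev2-cp"[7] 203.0.113.7, type=ESP, add_time=1742373200, inBytes=51000, outBytes=48000, maxBytes=2^63B, id='CN=vpnclient2, O=IKEv2 VPN', lease=192.168.43.11/32
EOF
)

SAMPLE_FORWARD=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
 9251  636K ACCEPT     all  --  *      eth0    192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

SAMPLE_LOGS_NO_FIX=$(cat <<'EOF'
Starting IPsec service (placeholder line)...
IPsec VPN server is running (placeholder line).
EOF
)

SAMPLE_LOGS_WITH_FIX=$(cat <<'EOF'
Starting IPsec service (placeholder line)...
Applying fix for Android MTU/MSS issues...
IPsec VPN server is running (placeholder line).
EOF
)

echo "One-way SAs (inBytes>0, outBytes=0):"
printf '%s\n' "$SAMPLE_TRAFFICSTATUS" | flag_one_way_sas
echo "FORWARD counters for 192.168.43.0/24:"
printf '%s\n' "$SAMPLE_FORWARD" | forward_return_counts 192.168.43.0/24
if printf '%s\n' "$SAMPLE_LOGS_NO_FIX" | has_android_mtu_fix; then
  echo "Android MTU/MSS fix: applied"
else
  echo "Android MTU/MSS fix: NOT applied (recreate the container after editing vpn.env)"
fi
```

When all three checks come back "one-way SA", "back=0" and "fix not applied", the container is forwarding client packets out but nothing returns, so the next place to look is outside the container: the host's own FORWARD chain (Docker consults a DOCKER-USER chain there before its own rules), net.ipv4.ip_forward on the host, and the MTU/MSS path, as the reply above suggests.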