[GH-ISSUE #84] Unable to connect to Ubuntu 16.04 host with L2TP #75

Closed
opened 2026-03-02 07:11:31 +03:00 by kerem · 7 comments
Owner

Originally created by @jsheradin on GitHub (Jul 20, 2018).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/84

Unable to connect from Android 8.1.0 or Windows 10 clients. Credentials are correct. UDP ports 500 and 4500 have been forwarded.

Host is Ubuntu Server 16.04.4 LTS (4.4.0-130201807041620-generic). Docker version is 18.03.1-ce.

I have tried restarting the container, rebooting, running modprobe af_key, and removing and recreating the container, all to no effect.

Logs follow:

$ docker logs ipsec-vpn-server 
Trying to auto discover IP of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: Redacted
IPsec PSK: Redacted
Username: Redacted
Password: Redacted

Write these down. You'll need them to connect!

Important notes:   https://git.io/vpnnotes2
Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: Using l2tp kernel support.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.12 started on d60873d39ec3 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
$ docker exec -it ipsec-vpn-server ipsec status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.18.0.2@4500
000 interface eth0/eth0 172.18.0.2@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto/, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=3.22, pluto_vendorid=OE-Libreswan-3.22
000 nhelpers=-1, uniqueids=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "l2tp-psk": 172.18.0.2[Redacted]:17/1701---172.18.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "l2tp-psk":   labeled_ipsec:no;
000 "l2tp-psk":   policy_label:unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk":   sha2-truncbug:yes; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=Redacted; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536, 3DES_CBC-HMAC_SHA2_256-MODP2048, 3DES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA1-MODP2048, AES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_SHA1-MODP1024, AES_CBC-HMAC_SHA2_256-MODP2048, AES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA2_256-MODP1024
000 "l2tp-psk":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_256_128, AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_512_256
000 "l2tp-psk"[2]: 172.18.0.2[Redacted]:17/1701---172.18.0.1...Redacted[192.0.0.2]:17/0; erouted; eroute owner: #2
000 "l2tp-psk"[2]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk"[2]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk"[2]:   our auth:secret, their auth:secret
000 "l2tp-psk"[2]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "l2tp-psk"[2]:   labeled_ipsec:no;
000 "l2tp-psk"[2]:   policy_label:unset;
000 "l2tp-psk"[2]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk"[2]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk"[2]:   sha2-truncbug:yes; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk"[2]:   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk"[2]:   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk"[2]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk"[2]:   our idtype: ID_IPV4_ADDR; our id=Redacted; their idtype: ID_IPV4_ADDR; their id=192.0.0.2
000 "l2tp-psk"[2]:   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "l2tp-psk"[2]:   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536, 3DES_CBC-HMAC_SHA2_256-MODP2048, 3DES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA1-MODP2048, AES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_SHA1-MODP1024, AES_CBC-HMAC_SHA2_256-MODP2048, AES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA2_256-MODP1024
000 "l2tp-psk"[2]:   IKE algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1024
000 "l2tp-psk"[2]:   ESP algorithms: 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_256_128, AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_512_256
000 "l2tp-psk"[2]:   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=<N/A>
000 "xauth-psk": 0.0.0.0/0===172.18.0.2[Redacted,MS+XS+S=C]---172.18.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns1:8.8.8.8, dns2:8.8.4.4, domain:unset, banner:unset, cat:unset;
000 "xauth-psk":   labeled_ipsec:no;
000 "xauth-psk":   policy_label:unset;
000 "xauth-psk":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk":   sha2-truncbug:yes; initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk":   conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=Redacted; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536, 3DES_CBC-HMAC_SHA2_256-MODP2048, 3DES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA1-MODP2048, AES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_SHA1-MODP1024, AES_CBC-HMAC_SHA2_256-MODP2048, AES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA2_256-MODP1024
000 "xauth-psk":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_256_128, AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_512_256
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "l2tp-psk"[2] Redacted:53944 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28739s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "l2tp-psk"[2] Redacted esp.6755817@Redacted esp.9528949f@172.18.0.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #1: "l2tp-psk"[2] Redacted:53944 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28738s; newest ISAKMP; lastdpd=1s(seq in:8477 out:8476); idle; import:not set
000
000 Bare Shunt list:
000
$ docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log
Jul 20 02:20:10 d60873d39ec3 pluto[629]: shutting down
Jul 20 02:20:10 d60873d39ec3 pluto[629]: forgetting secrets
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "l2tp-psk"[4] Redacted: deleting connection "l2tp-psk"[4] Redacted instance with peer Redacted {isakmp=#3/ipsec=#4}
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "l2tp-psk" #4: deleting state (STATE_QUICK_R2) and sending notification
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "l2tp-psk" #4: ESP traffic information: in=0B out=0B
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "l2tp-psk" #3: deleting state (STATE_MAIN_R3) and sending notification
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "xauth-psk": deleting non-instance connection
Jul 20 02:20:10 d60873d39ec3 pluto[629]: "l2tp-psk": deleting non-instance connection
Jul 20 02:20:10 d60873d39ec3 pluto[629]: shutting down interface lo/lo 127.0.0.1:4500
Jul 20 02:20:10 d60873d39ec3 pluto[629]: shutting down interface lo/lo 127.0.0.1:500
Jul 20 02:20:10 d60873d39ec3 pluto[629]: shutting down interface eth0/eth0 172.18.0.2:4500
Jul 20 02:20:10 d60873d39ec3 pluto[629]: shutting down interface eth0/eth0 172.18.0.2:500
Jul 20 02:20:10 d60873d39ec3 ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
Jul 20 02:20:11 d60873d39ec3 ipsec__plutorun: Starting Pluto
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: NSS DB directory: sql:/etc/ipsec.d
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Initializing NSS
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Opening NSS database "sql:/etc/ipsec.d" read-only
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: NSS initialized
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: NSS crypto library initialized
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: FIPS HMAC integrity support [disabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: libcap-ng support [enabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Linux audit support [disabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Starting Pluto (Libreswan Version 3.22 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2147
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: core dump dir: /run/pluto/
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: secrets file: /etc/ipsec.secrets
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: leak-detective disabled
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: NSS crypto [enabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: XAUTH PAM support [enabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: NAT-Traversal support  [enabled]
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Encryption algorithms:
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (camellia)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (serpent)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (twofish)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128}  (cast)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  (aes_gmac)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   NULL                IKEv1:     ESP     IKEv2:     ESP           []
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Hash algorithms:
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MD5                 IKEv1: IKE         IKEv2:               
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: PRF algorithms:
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Integrity algorithms:
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5 hmac_md5)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_XCBC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_xcbc)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: DH algorithms:
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Jul 20 02:20:11 d60873d39ec3 pluto[2147]:   DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: starting up 15 crypto helpers
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 0 (master fd 11)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 1 (master fd 13)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 2 (master fd 15)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 3 (master fd 17)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 4 (master fd 19)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 5 (master fd 21)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 6 (master fd 23)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 7 (master fd 25)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 8 (master fd 27)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 9 (master fd 29)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 10 (master fd 31)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 11 (master fd 33)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 12 (master fd 35)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 13 (master fd 37)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: started thread for crypto helper 14 (master fd 39)
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security for crypto helper not supported
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: Using Linux XFRM/NETKEY IPsec interface code on 4.4.0-130201807041620-generic
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: | selinux support is NOT enabled.
Jul 20 02:20:11 d60873d39ec3 pluto[2147]: seccomp security not supported
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: added connection description "l2tp-psk"
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: added connection description "xauth-psk"
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: listening for IKE messages
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: adding interface eth0/eth0 172.18.0.2:500
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: adding interface eth0/eth0 172.18.0.2:4500
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: adding interface lo/lo 127.0.0.1:500
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: adding interface lo/lo 127.0.0.1:4500
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: | setup callback for interface lo:4500 fd 47
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: | setup callback for interface lo:500 fd 46
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: | setup callback for interface eth0:4500 fd 45
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: | setup callback for interface eth0:500 fd 44
Jul 20 02:20:12 d60873d39ec3 pluto[2147]: loading secrets from "/etc/ipsec.secrets"
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: responding to Main Mode from unknown peer Redacted on port 41907
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: Peer ID is ID_IPV4_ADDR: '192.0.0.2'
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: switched from "l2tp-psk"[1] Redacted to "l2tp-psk"
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: deleting connection "l2tp-psk"[1] Redacted instance with peer Redacted {isakmp=#0/ipsec=#0}
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: Peer ID is ID_IPV4_ADDR: '192.0.0.2'
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: | ISAKMP Notification Payload
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: received and ignored informational message
Jul 20 02:20:45 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: the peer proposed: Redacted/32:17/1701 -> 192.0.0.2/32:17/0
Jul 20 02:20:45 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2: responding to Quick Mode proposal {msgid:98bc7ec9}
Jul 20 02:20:45 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2:     us: 172.18.0.2[Redacted]:17/1701
Jul 20 02:20:45 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2:   them: Redacted[192.0.0.2]:17/0
Jul 20 02:20:45 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x06755817 <0x9528949f xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=Redacted:53944 DPD=active}
Jul 20 02:20:46 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x06755817 <0x9528949f xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=Redacted:53944 DPD=active}
$ sudo nmap -sU -p 500,4500 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-23 10:36 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Other addresses for localhost (not scanned): ::1
PORT     STATE         SERVICE
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
Redacted
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:ipsec-nat-t
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:isakmp
Redacted

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
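What the output above actually says, pulled out by a small triage script: the peer's first Oakley transform (aes256 / sha2_384 / modp1024) is refused, Main Mode then completes over the PSK with aes256 / sha2_256 / modp1024, Quick Mode installs a transport-mode ESP SA, and about a minute later (`EVENT_SA_EXPIRE in 28739s` against a 28800s lifetime) `ipsec status` still reports `ESPin=0B ESPout=0B` for that SA. Credentials and IKE proposals are therefore not the failing layer; the L2TP exchange on UDP 1701 is not reaching xl2tpd through the SA. The script below is an added example written for this issue, not part of hwdsl2/docker-ipsec-vpn-server; its sample lines are constructed by trimming the log and status output above (peer addresses stay "Redacted"), and the regexes are tied to Libreswan 3.x log wording.

```python
"""Triage Libreswan (pluto) output for an L2TP/IPsec client that cannot connect.

Added example for this issue; it is not part of hwdsl2/docker-ipsec-vpn-server.
The sample lines below are constructed by trimming the pluto log and
`ipsec status` output shown in the issue; the regexes match Libreswan 3.x
wording and may need adjusting for other versions.
"""
import re

# Constructed sample: the decisive lines from `grep pluto /var/log/auth.log`.
SAMPLE_AUTH_LOG = """\
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: responding to Main Mode from unknown peer Redacted on port 41907
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[1] Redacted #1: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Jul 20 02:20:44 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Jul 20 02:20:46 d60873d39ec3 pluto[2147]: "l2tp-psk"[2] Redacted #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x06755817 <0x9528949f xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=Redacted:53944 DPD=active}
"""

# Constructed sample: the SA state lines from `ipsec status`, ~60 s after the SA came up.
SAMPLE_STATUS = """\
000 #2: "l2tp-psk"[2] Redacted:53944 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28739s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "l2tp-psk"[2] Redacted esp.6755817@Redacted esp.9528949f@172.18.0.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
"""

REFUSED_RE = re.compile(r"Oakley Transform \[([^\]]+)\] refused")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{([^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (\w+) mode \{[^}]*\bxfrm=([A-Z0-9_-]+)")
TRAFFIC_RE = re.compile(r"Traffic: ESPin=(\d+)B ESPout=(\d+)B")


def parse_auth_log(text):
    """Collect refused IKE transforms and the parameters of the SAs that did come up."""
    facts = {"refused": [], "isakmp": None, "ipsec": None}
    for line in text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            facts["refused"].append([p.strip() for p in m.group(1).split(",")])
            continue
        m = ISAKMP_RE.search(line)
        if m:
            facts["isakmp"] = dict(kv.split("=", 1) for kv in m.group(1).split())
            continue
        m = IPSEC_RE.search(line)
        if m:
            facts["ipsec"] = {"mode": m.group(1), "xfrm": m.group(2)}
    return facts


def parse_esp_counters(status_text):
    """Return (ESPin, ESPout) byte counters for every IPsec SA in `ipsec status` output."""
    counters = []
    for line in status_text.splitlines():
        m = TRAFFIC_RE.search(line)
        if m:
            counters.append((int(m.group(1)), int(m.group(2))))
    return counters


def oakley_to_ike_proposal(parts):
    """Rewrite a refused Oakley transform in Libreswan's classic cipher-hash;group form.

    ['AES_CBC (256)', 'HMAC_SHA2_384', 'MODP1024'] -> 'aes256-sha2_384;modp1024'
    Covers AES/3DES-CBC with HMAC hashes and MODP groups, which is all this log shows.
    """
    enc, integ, group = parts
    keylen = re.search(r"\((\d+)\)", enc)
    cipher = enc.split("(")[0].strip().replace("_CBC", "").lower()
    if keylen:
        cipher += keylen.group(1)
    return "%s-%s;%s" % (cipher, integ.replace("HMAC_", "").lower(), group.lower())


def triage(auth_log, status_text):
    """Produce human-readable findings; the zero-traffic one is the decisive one here."""
    facts = parse_auth_log(auth_log)
    findings = []
    for parts in facts["refused"]:
        findings.append("client offered %s, server refused it (candidate for ike=)"
                        % oakley_to_ike_proposal(parts))
    if facts["isakmp"]:
        i = facts["isakmp"]
        findings.append("IKE SA established: auth=%s %s/%s/%s (PSK and IKE proposals are fine)"
                        % (i["auth"], i["cipher"], i["integ"], i["group"]))
    if facts["ipsec"]:
        findings.append("IPsec SA established in %s mode with %s"
                        % (facts["ipsec"]["mode"], facts["ipsec"]["xfrm"]))
    counters = parse_esp_counters(status_text)
    if counters and all(c == (0, 0) for c in counters):
        findings.append("no ESP bytes in either direction: the L2TP exchange on UDP 1701 "
                        "is not flowing through the SA, so look at the L2TP/NAT layer, "
                        "not at credentials or IKE")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTH_LOG, SAMPLE_STATUS):
        print("-", finding)
```

Run it as-is to print the findings for the sample, or feed it the output of `docker exec ipsec-vpn-server grep pluto /var/log/auth.log` and `docker exec ipsec-vpn-server ipsec status`. The `oakley_to_ike_proposal` output is only a hint: the negotiated group here is MODP1024, and whether a 1024-bit DH group or a refused transform should be added to `ike=` for client compatibility is a policy decision, not something the script makes.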
kerem closed this issue 2026-03-02 07:11:31 +03:00
@KumaCool commented on GitHub (Jul 21, 2018):

Same problem still remains after trying so many ways.

@jsheradin commented on GitHub (Jul 23, 2018):

I am able to connect with the Android client using XAuth but I am still unable to connect using L2TP.

@hwdsl2 commented on GitHub (Aug 27, 2018):

@jsheradin @KumaCool Hello! Can you try the steps in the Android VPN client troubleshooting section [1]? Some Android clients require those parameters in order to connect.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above

@jsheradin commented on GitHub (Aug 29, 2018):

Appending ,aes256-sha2_256 fixed the connection issue for XAuth on the Android client. Thanks!

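What that append looks like in the server's ipsec.conf, as an added example rather than the project's own code or the reporter's exact edit. It assumes, as the linked Android troubleshooting steps do, that the two keys to extend are `ike=` and `phase2alg=`; the conn block in `SAMPLE_CONF` is constructed. After patching, restart pluto and confirm with `ipsec status` that the per-conn "IKE algorithms:" and "ESP algorithms:" lines (the ones visible in the status dump above) now list the new proposal; the page does not say whether an edit made inside the container survives a container restart, so check that too.

```python
"""Append an extra proposal to the ike= and phase2alg= lines of a Libreswan ipsec.conf.

Added example for this issue, not hwdsl2's own script. It assumes the keys to
extend are `ike=` and `phase2alg=`; the conn block in SAMPLE_CONF is constructed.
"""
import re

KEYS = ("ike", "phase2alg")
LINE_RE = re.compile(r"^(\s*)(\w+)=(.*)$")

# Constructed sample: a trimmed conn block in the style of the project's config.
SAMPLE_CONF = """\
conn shared
  left=%defaultroute
  right=%any
  encapsulation=yes
  authby=secret
  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes-sha2;modp1024
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
  sha2-truncbug=yes
"""


def proposals(conf_text, key):
    """Return the comma-separated proposal list of the first `key=` line as a list."""
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == key:
            return [p.strip() for p in m.group(3).split(",") if p.strip()]
    return []


def append_proposal(conf_text, proposal="aes256-sha2_256", keys=KEYS):
    """Append `proposal` to every `key=` line in `keys` unless it is already listed.

    Returns (new_text, changed_keys). Comments, blank lines and other keys
    (including dashed ones such as sha2-truncbug, which LINE_RE does not match)
    pass through untouched, so a second run is a no-op.
    """
    out, changed = [], []
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in keys:
            indent, key, value = m.groups()
            current = [p.strip() for p in value.split(",") if p.strip()]
            if proposal not in current:
                current.append(proposal)
                changed.append(key)
            line = "%s%s=%s" % (indent, key, ",".join(current))
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    patched, changed = append_proposal(SAMPLE_CONF)
    print("changed:", changed)
    print(patched, end="")
```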
@jsheradin commented on GitHub (Sep 1, 2018):

Windows 10 client also works now. Thanks!

@hwdsl2 commented on GitHub (Sep 1, 2018):

@jsheradin Can you share with us how you fixed the Windows 10 client?
Thanks!

@jsheradin commented on GitHub (Sep 1, 2018):

It was either fixed by appending ,aes256-sha2_256 or by a recent commit/update.
