hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

IKEv2 multiple devices with same public IP address #257

Closed miladabc closed 3 years ago

miladabc commented 3 years ago

Describe the issue

I'm not able to connect multiple devices on my home network to the IKEv2 server. I've generated two different clients for MacBook and iPhone devices; they can connect completely fine on their own, but not simultaneously.

Also there is no @ in the leftid property in ikev2 config file.

To Reproduce

This is my docker compose file:

version: '3.8'

services:
  ikev2:
    image: hwdsl2/ipsec-vpn-server
    container_name: ikev2
    restart: unless-stopped
    environment:
      VPN_IKEV2_ONLY: 'yes'
    ports:
      - '500:500/udp'
      - '4500:4500/udp'
    volumes:
      - ./ikev2:/etc/ipsec.d
    privileged: true

/etc/ipsec.d/ikev2.conf

conn ikev2-cp
  left=%defaultroute
  leftcert=[SERVER_IP_ADDRESS]
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=[DELETED]
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=[SERVER_IP_ADDRESS]
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=yes

ipsec --version

Linux Libreswan 4.5 (XFRM) on 3.10.0-1160.31.1.el7.x86_64

Additional context

Please let me know how I can provide you with more information.

hwdsl2 commented 3 years ago

@miladabc Hello! Please enable Libreswan (IPsec) logs [1] in the container. Try to reproduce the issue, then check the logs for errors. Reply with the redacted logs for further troubleshooting.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server#enable-libreswan-logs

miladabc commented 3 years ago

I first connected successfully with the iPhone, then tried connecting with the MacBook; it stays connecting for a minute or two, then says the VPN server did not respond.

2021-09-17T16:37:33.022666+00:00 999a18003d5d pluto[111]: forgetting secrets
2021-09-17T16:37:33.022705+00:00 999a18003d5d pluto[111]: shutting down interface lo 127.0.0.1:4500
2021-09-17T16:37:33.022709+00:00 999a18003d5d pluto[111]: shutting down interface lo 127.0.0.1:500
2021-09-17T16:37:33.022714+00:00 999a18003d5d pluto[111]: shutting down interface eth0 172.18.0.3:4500
2021-09-17T16:37:33.022719+00:00 999a18003d5d pluto[111]: shutting down interface eth0 172.18.0.3:500
2021-09-17T16:37:38.977294+00:00 999a18003d5d pluto[176]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
2021-09-17T16:37:38.981928+00:00 999a18003d5d pluto[176]: FIPS Mode: NO
2021-09-17T16:37:38.981946+00:00 999a18003d5d pluto[176]: NSS crypto library initialized
2021-09-17T16:37:38.982005+00:00 999a18003d5d pluto[176]: FIPS mode disabled for pluto daemon
2021-09-17T16:37:38.982010+00:00 999a18003d5d pluto[176]: FIPS HMAC integrity support [disabled]
2021-09-17T16:37:38.982259+00:00 999a18003d5d pluto[176]: libcap-ng support [enabled]
2021-09-17T16:37:38.982265+00:00 999a18003d5d pluto[176]: Linux audit support [disabled]
2021-09-17T16:37:38.982275+00:00 999a18003d5d pluto[176]: Starting Pluto (Libreswan Version 4.5 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:176
2021-09-17T16:37:38.982286+00:00 999a18003d5d pluto[176]: core dump dir: /run/pluto
2021-09-17T16:37:38.982291+00:00 999a18003d5d pluto[176]: secrets file /etc/ipsec.secrets
2021-09-17T16:37:38.982295+00:00 999a18003d5d pluto[176]: leak-detective disabled
2021-09-17T16:37:38.982299+00:00 999a18003d5d pluto[176]: NSS crypto [enabled]
2021-09-17T16:37:38.982474+00:00 999a18003d5d pluto[176]: XAUTH PAM support [enabled]
2021-09-17T16:37:38.982555+00:00 999a18003d5d pluto[176]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2021-09-17T16:37:38.982616+00:00 999a18003d5d pluto[176]: NAT-Traversal support  [enabled]
2021-09-17T16:37:38.982853+00:00 999a18003d5d pluto[176]: Encryption algorithms:
2021-09-17T16:37:38.982870+00:00 999a18003d5d pluto[176]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
2021-09-17T16:37:38.982878+00:00 999a18003d5d pluto[176]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
2021-09-17T16:37:38.982885+00:00 999a18003d5d pluto[176]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
2021-09-17T16:37:38.982892+00:00 999a18003d5d pluto[176]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
2021-09-17T16:37:38.982898+00:00 999a18003d5d pluto[176]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP
2021-09-17T16:37:38.982905+00:00 999a18003d5d pluto[176]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
2021-09-17T16:37:38.982913+00:00 999a18003d5d pluto[176]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
2021-09-17T16:37:38.983071+00:00 999a18003d5d pluto[176]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
2021-09-17T16:37:38.983084+00:00 999a18003d5d pluto[176]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
2021-09-17T16:37:38.983091+00:00 999a18003d5d pluto[176]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
2021-09-17T16:37:38.983111+00:00 999a18003d5d pluto[176]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
2021-09-17T16:37:38.983118+00:00 999a18003d5d pluto[176]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
2021-09-17T16:37:38.983124+00:00 999a18003d5d pluto[176]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP
2021-09-17T16:37:38.983131+00:00 999a18003d5d pluto[176]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
2021-09-17T16:37:38.983135+00:00 999a18003d5d pluto[176]: Hash algorithms:
2021-09-17T16:37:38.983140+00:00 999a18003d5d pluto[176]:   MD5                               IKEv1: IKE         IKEv2:                  NSS
2021-09-17T16:37:38.983146+00:00 999a18003d5d pluto[176]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
2021-09-17T16:37:38.983152+00:00 999a18003d5d pluto[176]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
2021-09-17T16:37:38.983322+00:00 999a18003d5d pluto[176]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
2021-09-17T16:37:38.983335+00:00 999a18003d5d pluto[176]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
2021-09-17T16:37:38.983339+00:00 999a18003d5d pluto[176]: PRF algorithms:
2021-09-17T16:37:38.983345+00:00 999a18003d5d pluto[176]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
2021-09-17T16:37:38.983351+00:00 999a18003d5d pluto[176]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
2021-09-17T16:37:38.983358+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
2021-09-17T16:37:38.983364+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
2021-09-17T16:37:38.983371+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
2021-09-17T16:37:38.983377+00:00 999a18003d5d pluto[176]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
2021-09-17T16:37:38.983381+00:00 999a18003d5d pluto[176]: Integrity algorithms:
2021-09-17T16:37:38.983387+00:00 999a18003d5d pluto[176]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
2021-09-17T16:37:38.983524+00:00 999a18003d5d pluto[176]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
2021-09-17T16:37:38.983536+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
2021-09-17T16:37:38.983543+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
2021-09-17T16:37:38.983551+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2021-09-17T16:37:38.983556+00:00 999a18003d5d pluto[176]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH
2021-09-17T16:37:38.983563+00:00 999a18003d5d pluto[176]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2021-09-17T16:37:38.983569+00:00 999a18003d5d pluto[176]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
2021-09-17T16:37:38.983575+00:00 999a18003d5d pluto[176]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
2021-09-17T16:37:38.983579+00:00 999a18003d5d pluto[176]: DH algorithms:
2021-09-17T16:37:38.983585+00:00 999a18003d5d pluto[176]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
2021-09-17T16:37:38.983590+00:00 999a18003d5d pluto[176]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
2021-09-17T16:37:38.983733+00:00 999a18003d5d pluto[176]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
2021-09-17T16:37:38.983747+00:00 999a18003d5d pluto[176]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
2021-09-17T16:37:38.983754+00:00 999a18003d5d pluto[176]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
2021-09-17T16:37:38.983760+00:00 999a18003d5d pluto[176]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
2021-09-17T16:37:38.983765+00:00 999a18003d5d pluto[176]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
2021-09-17T16:37:38.983770+00:00 999a18003d5d pluto[176]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
2021-09-17T16:37:38.983776+00:00 999a18003d5d pluto[176]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
2021-09-17T16:37:38.983782+00:00 999a18003d5d pluto[176]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
2021-09-17T16:37:38.983787+00:00 999a18003d5d pluto[176]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
2021-09-17T16:37:38.983792+00:00 999a18003d5d pluto[176]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
2021-09-17T16:37:38.983797+00:00 999a18003d5d pluto[176]: testing CAMELLIA_CBC:
2021-09-17T16:37:38.983936+00:00 999a18003d5d pluto[176]:   Camellia: 16 bytes with 128-bit key
2021-09-17T16:37:38.984175+00:00 999a18003d5d pluto[176]:   Camellia: 16 bytes with 128-bit key
2021-09-17T16:37:38.984236+00:00 999a18003d5d pluto[176]:   Camellia: 16 bytes with 256-bit key
2021-09-17T16:37:38.984313+00:00 999a18003d5d pluto[176]:   Camellia: 16 bytes with 256-bit key
2021-09-17T16:37:38.984371+00:00 999a18003d5d pluto[176]: testing AES_GCM_16:
2021-09-17T16:37:38.984375+00:00 999a18003d5d pluto[176]:   empty string
2021-09-17T16:37:38.984445+00:00 999a18003d5d pluto[176]:   one block
2021-09-17T16:37:38.984490+00:00 999a18003d5d pluto[176]:   two blocks
2021-09-17T16:37:38.984534+00:00 999a18003d5d pluto[176]:   two blocks with associated data
2021-09-17T16:37:38.984574+00:00 999a18003d5d pluto[176]: testing AES_CTR:
2021-09-17T16:37:38.984578+00:00 999a18003d5d pluto[176]:   Encrypting 16 octets using AES-CTR with 128-bit key
2021-09-17T16:37:38.984709+00:00 999a18003d5d pluto[176]:   Encrypting 32 octets using AES-CTR with 128-bit key
2021-09-17T16:37:38.984758+00:00 999a18003d5d pluto[176]:   Encrypting 36 octets using AES-CTR with 128-bit key
2021-09-17T16:37:38.984795+00:00 999a18003d5d pluto[176]:   Encrypting 16 octets using AES-CTR with 192-bit key
2021-09-17T16:37:38.984829+00:00 999a18003d5d pluto[176]:   Encrypting 32 octets using AES-CTR with 192-bit key
2021-09-17T16:37:38.984860+00:00 999a18003d5d pluto[176]:   Encrypting 36 octets using AES-CTR with 192-bit key
2021-09-17T16:37:38.984901+00:00 999a18003d5d pluto[176]:   Encrypting 16 octets using AES-CTR with 256-bit key
2021-09-17T16:37:38.984939+00:00 999a18003d5d pluto[176]:   Encrypting 32 octets using AES-CTR with 256-bit key
2021-09-17T16:37:38.984971+00:00 999a18003d5d pluto[176]:   Encrypting 36 octets using AES-CTR with 256-bit key
2021-09-17T16:37:38.985004+00:00 999a18003d5d pluto[176]: testing AES_CBC:
2021-09-17T16:37:38.985007+00:00 999a18003d5d pluto[176]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2021-09-17T16:37:38.985058+00:00 999a18003d5d pluto[176]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2021-09-17T16:37:38.985204+00:00 999a18003d5d pluto[176]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2021-09-17T16:37:38.985253+00:00 999a18003d5d pluto[176]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2021-09-17T16:37:38.985308+00:00 999a18003d5d pluto[176]: testing AES_XCBC:
2021-09-17T16:37:38.985312+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2021-09-17T16:37:38.985453+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2021-09-17T16:37:38.985562+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2021-09-17T16:37:38.985641+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2021-09-17T16:37:38.985722+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2021-09-17T16:37:38.985814+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2021-09-17T16:37:38.985898+00:00 999a18003d5d pluto[176]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2021-09-17T16:37:38.986157+00:00 999a18003d5d pluto[176]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2021-09-17T16:37:38.986333+00:00 999a18003d5d pluto[176]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2021-09-17T16:37:38.986431+00:00 999a18003d5d pluto[176]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2021-09-17T16:37:38.986584+00:00 999a18003d5d pluto[176]: testing HMAC_MD5:
2021-09-17T16:37:38.986587+00:00 999a18003d5d pluto[176]:   RFC 2104: MD5_HMAC test 1
2021-09-17T16:37:38.986699+00:00 999a18003d5d pluto[176]:   RFC 2104: MD5_HMAC test 2
2021-09-17T16:37:38.986804+00:00 999a18003d5d pluto[176]:   RFC 2104: MD5_HMAC test 3
2021-09-17T16:37:38.986913+00:00 999a18003d5d pluto[176]: 1 CPU cores online
2021-09-17T16:37:38.986916+00:00 999a18003d5d pluto[176]: starting up 1 helper threads
2021-09-17T16:37:38.986945+00:00 999a18003d5d pluto[176]: started thread for helper 0
2021-09-17T16:37:38.986953+00:00 999a18003d5d pluto[176]: using Linux xfrm kernel support code on #1 SMP Thu Jun 10 13:32:12 UTC 2021
2021-09-17T16:37:38.987018+00:00 999a18003d5d pluto[176]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2021-09-17T16:37:38.987551+00:00 999a18003d5d pluto[176]: seccomp security not supported
2021-09-17T16:37:38.991162+00:00 999a18003d5d pluto[176]: seccomp security for helper not supported
2021-09-17T16:37:38.991615+00:00 999a18003d5d pluto[176]: "ikev2-cp": loaded private key matching left certificate '[SERVER_IP_ADDRESS]'
2021-09-17T16:37:38.991634+00:00 999a18003d5d pluto[176]: "ikev2-cp": added IKEv2 connection
2021-09-17T16:37:38.991744+00:00 999a18003d5d pluto[176]: listening for IKE messages
2021-09-17T16:37:38.991774+00:00 999a18003d5d pluto[176]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2021-09-17T16:37:38.991821+00:00 999a18003d5d pluto[176]: adding UDP interface eth0 172.18.0.3:500
2021-09-17T16:37:38.991832+00:00 999a18003d5d pluto[176]: adding UDP interface eth0 172.18.0.3:4500
2021-09-17T16:37:38.991841+00:00 999a18003d5d pluto[176]: adding UDP interface lo 127.0.0.1:500
2021-09-17T16:37:38.991850+00:00 999a18003d5d pluto[176]: adding UDP interface lo 127.0.0.1:4500
2021-09-17T16:37:38.992772+00:00 999a18003d5d pluto[176]: forgetting secrets
2021-09-17T16:37:38.992816+00:00 999a18003d5d pluto[176]: loading secrets from "/etc/ipsec.secrets"
2021-09-17T16:39:17.485011+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]: local IKE proposals (IKE SA responder matching remote proposals):
2021-09-17T16:39:17.485034+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]:   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:39:17.485044+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]:   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:39:17.485053+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]:   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:39:17.485061+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]:   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:39:17.485080+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS] #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2021-09-17T16:39:17.488531+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS] #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2021-09-17T16:39:18.688956+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS] #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,N,IDr,AUTH,CP,N,N,SA,TSi,TSr,N}
2021-09-17T16:39:18.688975+00:00 999a18003d5d pluto[176]: loading root certificate cache
2021-09-17T16:39:18.697463+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS] #1: reloaded private key matching left certificate '[SERVER_IP_ADDRESS]'
2021-09-17T16:39:18.697479+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS] #1: switched from "ikev2-cp"[1] [MY_IP_ADDRESS] to "ikev2-cp"
2021-09-17T16:39:18.697518+00:00 999a18003d5d pluto[176]: "ikev2-cp"[1] [MY_IP_ADDRESS]: deleting connection instance with peer [MY_IP_ADDRESS] {isakmp=#0/ipsec=#0}
2021-09-17T16:39:18.697728+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: established IKE SA; authenticated using RSA with SHA1 and peer certificate '@iphone' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2021-09-17T16:39:18.706935+00:00 999a18003d5d pluto[176]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
2021-09-17T16:39:18.706957+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]: local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
2021-09-17T16:39:18.706964+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-DISABLED
2021-09-17T16:39:18.706969+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-DISABLED
2021-09-17T16:39:18.706974+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-DISABLED
2021-09-17T16:39:18.706979+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-DISABLED
2021-09-17T16:39:18.706984+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-DISABLED
2021-09-17T16:39:18.706998+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=040b7a64 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
2021-09-17T16:39:18.719090+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #2: established Child SA; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x040b7a64 <0x52670296 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=[MY_IP_ADDRESS]:4500 DPD=active}
2021-09-17T16:40:19.235229+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
2021-09-17T16:40:19.735969+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
2021-09-17T16:40:20.129587+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:20.129599+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:40:24.786622+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:24.786637+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:40:29.492820+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:29.492832+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:40:33.712866+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:33.712876+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:40:38.404829+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:38.404840+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:40:42.253996+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:42.254018+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:41:08.730563+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:41:08.730583+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:42:07.242669+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:42:07.242690+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:42:11.943246+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]: local IKE proposals (IKE SA responder matching remote proposals):
2021-09-17T16:42:11.943264+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:42:11.943274+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:42:11.943285+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:42:11.943302+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS]:   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2021-09-17T16:42:11.943348+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2021-09-17T16:42:11.945695+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #3: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2021-09-17T16:42:34.879286+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:42:34.879307+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:42:39.701295+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:42:39.701311+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:42:43.169812+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2021-09-17T16:42:43.171712+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #4: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2021-09-17T16:42:44.359350+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:42:44.359367+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
2021-09-17T16:43:14.404986+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:43:14.404998+00:00 999a18003d5d pluto[176]: "ikev2-cp"[2] [MY_IP_ADDRESS] #1: MOBIKE request: updating IPsec SA by request
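
Added example (not part of this issue or of the project's code): a small Python analyzer that groups pluto log lines in the format shown above by peer address and IKE SA number, counts retransmissions and ignored MOBIKE updates, and flags handshakes where the server answered IKE_SA_INIT but never saw an IKE_AUTH request, which is what a second client stalling behind the same NAT looks like on the server side. The sample log is constructed to mirror the lines above, with 203.0.113.10 standing in for the redacted address.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the Libreswan 4.5 pluto lines in this issue.
# 203.0.113.10 is a documentation address standing in for the redacted peer.
SAMPLE_LOG = """\
2021-09-17T16:39:17.488531+00:00 vpn pluto[176]: "ikev2-cp"[1] 203.0.113.10 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2021-09-17T16:39:18.688956+00:00 vpn pluto[176]: "ikev2-cp"[1] 203.0.113.10 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,N,IDr,AUTH,CP,N,N,SA,TSi,TSr,N}
2021-09-17T16:39:18.688975+00:00 vpn pluto[176]: loading root certificate cache
2021-09-17T16:39:18.697728+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #1: established IKE SA; authenticated using RSA with SHA1 and peer certificate '@iphone' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2021-09-17T16:39:18.706998+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=040b7a64 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
2021-09-17T16:39:18.719090+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #2: established Child SA; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x040b7a64 <0x52670296 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=203.0.113.10:4500 DPD=active}
2021-09-17T16:40:19.235229+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
2021-09-17T16:40:20.129587+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:40:24.786622+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #1: Ignoring MOBIKE UPDATE_SA since we are behind NAT
2021-09-17T16:42:11.943246+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10: local IKE proposals (IKE SA responder matching remote proposals):
2021-09-17T16:42:11.945695+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #3: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2021-09-17T16:42:43.171712+00:00 vpn pluto[176]: "ikev2-cp"[2] 203.0.113.10 #4: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
"""

# <timestamp> <host> pluto[pid]: "<conn>"[<instance>] <peer> #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"peer certificate '([^']+)'")
CHILD_ADDR_RE = re.compile(r'-> \[(\d+\.\d+\.\d+\.\d+)-')
# Message fragments that concern an IKE SA (as opposed to a Child SA or a proposal list).
IKE_EVENTS = ('sent IKE_SA_INIT reply', 'IKE_AUTH request', 'established IKE SA',
              'retransmission', 'Ignoring MOBIKE UPDATE_SA')


@dataclass
class IkeSa:
    init_reply_at: Optional[str] = None  # server answered the client's IKE_SA_INIT
    auth_seen: bool = False              # an IKE_AUTH request arrived and was decrypted
    peer_id: Optional[str] = None        # client identity once the IKE SA is established
    retransmissions: int = 0
    mobike_ignored: int = 0


@dataclass
class PeerReport:
    ike_sas: dict = field(default_factory=dict)          # IKE SA number -> IkeSa
    child_addresses: list = field(default_factory=list)  # addresses handed out by the pool


def analyze(log_text: str) -> dict:
    """Group pluto log lines by peer address and IKE SA number."""
    peers: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['sa'] is None:
            continue  # startup output, proposal listings, lines without an SA number
        report = peers.setdefault(m['peer'], PeerReport())
        sa_num, msg = int(m['sa']), m['msg']
        if msg.startswith('established Child SA'):
            addr = CHILD_ADDR_RE.search(msg)
            if addr:
                report.child_addresses.append(addr.group(1))
            continue
        if not any(marker in msg for marker in IKE_EVENTS):
            continue
        sa = report.ike_sas.setdefault(sa_num, IkeSa())
        if msg.startswith('sent IKE_SA_INIT reply'):
            sa.init_reply_at = m['ts']
        elif 'IKE_AUTH request' in msg:
            sa.auth_seen = True
        elif msg.startswith('established IKE SA'):
            pid = PEER_ID_RE.search(msg)
            sa.peer_id = pid.group(1) if pid else '?'
        elif 'retransmission' in msg:
            sa.retransmissions += 1
        elif 'Ignoring MOBIKE UPDATE_SA' in msg:
            sa.mobike_ignored += 1
    return peers


def stalled_handshakes(peers: dict) -> list:
    """(peer, sa) pairs where IKE_SA_INIT was answered but no IKE_AUTH ever arrived.
    Several of these from one public IP while another client on that IP is already
    established is the pattern to look for when devices share a NAT address."""
    return sorted((peer, num) for peer, rep in peers.items()
                  for num, sa in rep.ike_sas.items()
                  if sa.init_reply_at and not sa.auth_seen and sa.peer_id is None)


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for peer, rep in report.items():
        ids = [sa.peer_id for sa in rep.ike_sas.values() if sa.peer_id]
        print(f'{peer}: established {ids}, assigned {rep.child_addresses}')
    print('stalled handshakes:', stalled_handshakes(report))
```

Feed it the full container log (for example the output of `docker logs` with Libreswan logging enabled) to see which IKE_SA_INIT exchanges from the shared address never progressed to IKE_AUTH.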

hwdsl2 commented 3 years ago

@miladabc I tested but was unable to reproduce this issue - I was able to successfully connect both an iPhone and a macbook device simultaneously from behind the same NAT, and they both stayed connected without problems.

The logs you posted seem incomplete, because they do not contain the connection attempt by the MacBook device. Your logs contain retransmission and MOBIKE UPDATE_SA, and I suspect that there are network issues between your VPN server and VPN client. Perhaps try a different server location or different provider. You may also try disabling MOBIKE to see if it makes any difference. To disable, run:

docker exec -it ipsec-vpn-server env TERM=xterm bash -l
apk add -U nano
nano /etc/ipsec.d/ikev2.conf
# Replace "mobike=yes" with "mobike=no", save the file and exit the editor
# After that, exit the container
exit
# Restart the container
docker restart ipsec-vpn-server

I'm closing this because I can't reproduce the issue. If you have additional findings, reply to let us know.

miladabc commented 3 years ago

Turning off MOBIKE had no effect. It's weird: I generated a new client for an Android device and it successfully connected along with the MacBook. The iPhone and MacBook cannot connect at the same time under the same network. Different networks work normally.