hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

Does updating the image break connections? deleting state (STATE_V2_PARENT_R0) aged 0.000293s and NOT sending notification #351

Closed SuperCatss closed 1 year ago

SuperCatss commented 1 year ago

Task list

Describe the bug: Describe the bug in clear and concise language.

Steps to reproduce: Steps to reproduce the bug:

  1. ...
  2. ...

Expected behaviour: Briefly describe the correct behaviour you expected.

Logs: Enable logging, check the VPN status, and add error logs to help explain the problem (if applicable).

Server information (please fill in the following)

Client information (please fill in the following)

Additional information: Neither VPN mode can connect. The server is ESXi with a virtual Ubuntu 22.04 server. It is mainly used to connect back home to view cameras. The deployment worked for a long time; I use it less often now, and today it could not connect. None of the configuration has changed since it was set up successfully. Only the image is sometimes updated and then redeployed with the original configuration and the original script. (I cannot rule out that the image update caused this.)

SuperCatss commented 1 year ago

Below is the log from connecting with IKEv2 IPsec; the IP has been replaced.

2023-02-21T00:47:24.400697+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:24.400750+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:24.400780+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:24.400801+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:24.400949+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: deleting state (STATE_V2_PARENT_R0) aged 0.000334s and NOT sending notification
2023-02-21T00:47:24.400988+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:25.460639+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:25.460679+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:25.460709+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:25.460730+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:25.460825+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: deleting state (STATE_V2_PARENT_R0) aged 0.000256s and NOT sending notification
2023-02-21T00:47:25.460860+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:27.252077+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:27.252137+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:27.252186+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:27.252221+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:27.252364+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: deleting state (STATE_V2_PARENT_R0) aged 0.000346s and NOT sending notification
2023-02-21T00:47:27.252417+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:30.431968+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:30.432008+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:30.432038+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:30.432060+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:30.432170+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: deleting state (STATE_V2_PARENT_R0) aged 0.000293s and NOT sending notification
2023-02-21T00:47:30.432203+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:36.279901+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:36.279972+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:36.280001+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:36.280023+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:36.280138+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: deleting state (STATE_V2_PARENT_R0) aged 0.0003s and NOT sending notification
2023-02-21T00:47:36.280185+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:46.799877+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:46.799951+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:46.800002+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:46.800027+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:46.800134+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: deleting state (STATE_V2_PARENT_R0) aged 0.000325s and NOT sending notification
2023-02-21T00:47:46.800170+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:48:21.502681+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:48:21.502723+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:48:21.502751+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:48:21.502772+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:48:21.502876+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: deleting state (STATE_V2_PARENT_R0) aged 0.000264s and NOT sending notification
2023-02-21T00:48:21.502907+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}

hwdsl2 commented 1 year ago

@SuperCatss Hello! The image's IKEv2 algorithms have not changed recently. For IKEv1, support for MODP1024 and MODP1536 was removed because they are less secure. See here.

Judging from your log, the problem may lie with the IKEv2 algorithms of the client's VPN connection. You can try editing /etc/ipsec.d/ikev2.conf inside the container and replacing this line

ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1

with

ike=aes_gcm-sha2-modp2048,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1

Save the file and restart the Docker container. If that still does not solve it, you can try asking on the Libreswan users mailing list.

SuperCatss commented 1 year ago

@hwdsl2 Hello, after making the suggested change neither protocol can connect. Adding the connection log for IPsec/XAuth mode:

2023-02-22T14:21:38.381540+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: responding to Main Mode from unknown peer 1.1.1.1:51478
2023-02-22T14:21:38.381663+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381716+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381735+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381757+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381777+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381804+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381824+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381845+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381869+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
2023-02-22T14:21:38.381927+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: sending notification NO_PROPOSAL_CHOSEN to 1.1.1.1:51478
2023-02-22T14:21:39.326165+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:41.134775+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:44.393343+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:50.194250+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:00.755178+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:19.597606+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0

Also adding the IPsec/IKEv2 connection log from after the conf file was modified:

2023-02-22T14:34:26.574540+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:26.574582+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:26.574611+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:26.574632+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:26.574775+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: deleting state (STATE_V2_PARENT_R0) aged 0.000283s and NOT sending notification
2023-02-22T14:34:26.574807+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:27.561966+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:27.562024+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:27.562074+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:27.562113+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:27.562272+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: deleting state (STATE_V2_PARENT_R0) aged 0.000353s and NOT sending notification
2023-02-22T14:34:27.562319+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:29.368644+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:29.368686+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:29.368716+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:29.368737+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:29.368850+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: deleting state (STATE_V2_PARENT_R0) aged 0.000254s and NOT sending notification
2023-02-22T14:34:29.368882+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:32.614497+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:32.614541+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:32.614571+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:32.614593+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:32.614715+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: deleting state (STATE_V2_PARENT_R0) aged 0.000257s and NOT sending notification
2023-02-22T14:34:32.614761+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:38.436052+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:38.436094+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:38.436123+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:38.436145+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:38.436256+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: deleting state (STATE_V2_PARENT_R0) aged 0.000267s and NOT sending notification
2023-02-22T14:34:38.436292+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}

I would also like to ask whether it is possible to pull a specific version of the image for comparison, and if so, which version you would suggest pulling. And if both IKEv2 and WireGuard traffic have obvious traffic signatures, can an ISP see the content inside the traffic?

hwdsl2 commented 1 year ago

@SuperCatss Judging from your new log, the IPsec/XAuth mode problem can be solved like this: add VPN_ENABLE_MODP1024=yes to your env file, then re-create (not just restart) the Docker container. See here for the related notes. Please note that this re-enables the less secure MODP1024 algorithm.

The VPN connection encrypts the data you transmit; please make sure to use more secure algorithms (for example MODP2048 or above, which the script supports by default).

This project currently does not provide images of previous versions, but you can build one yourself from the source code.
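A small triage helper for the pluto log excerpts quoted in this thread, added here as an example; it is not part of docker-ipsec-vpn-server or Libreswan. The sample lines are constructed, abridged copies of the entries above, and the regular expressions match the message formats visible in those excerpts (the IKEv2 INVALID_KE_PAYLOAD retries, the refused IKEv1 Oakley transforms, and the FIPS PSK-length warning).

```python
"""Triage Libreswan pluto log lines for the IKE proposal mismatches seen in this thread."""
import re
from collections import Counter

# Constructed sample input, abridged from the log excerpts quoted in the thread
# (the 1.1.1.1 peer is the placeholder the reporter used, not a live indicator).
SAMPLE_LOG = """\
2023-02-21T00:47:24.400697+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[first-match]
2023-02-21T00:47:24.400750+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:24.400801+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:25.460679+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:21:38.381663+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381845+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
"""

# pluto prefix: "<conn>"[instance] <peer> [#<sa>]: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+?)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
WRONG_KE_RE = re.compile(r"initiator guessed wrong keying material group \((?P<guess>\w+)\); "
                         r"responding with INVALID_KE_PAYLOAD requesting (?P<want>\w+)")
REFUSED_RE = re.compile(r"Oakley Transform \[(?P<xform>[^\]]+)\] refused")
PSK_RE = re.compile(r"PSK length of (?P<have>\d+) bytes is too short .*\((?P<need>\d+) bytes required\)")


def parse_pluto(text):
    """Yield (conn, peer, sa, msg) for every line that carries a pluto prefix."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["conn"], m["peer"], m["sa"], m["msg"]


def triage(text):
    """Collect per-connection findings: IKEv2 KE-group mismatches, DH groups of refused
    IKEv1 transforms, NO_PROPOSAL outcomes, short-PSK warnings and fatal-state counts."""
    report = {}
    for conn, peer, sa, msg in parse_pluto(text):
        f = report.setdefault(conn, {"peer": peer, "wrong_ke": Counter(), "refused_dh": Counter(),
                                     "no_proposal": 0, "psk_short": None, "fatal": 0})
        if (m := WRONG_KE_RE.search(msg)):
            f["wrong_ke"][(m["guess"], m["want"])] += 1
        elif (m := REFUSED_RE.search(msg)):
            # A transform reads "ENCR, INTEG, DHGROUP"; the group is the last field.
            f["refused_dh"][m["xform"].split(", ")[-1]] += 1
        elif "no acceptable Oakley Transform" in msg:
            f["no_proposal"] += 1
        elif (m := PSK_RE.search(msg)):
            f["psk_short"] = (int(m["have"]), int(m["need"]))
        elif "encountered fatal error" in msg:
            f["fatal"] += 1
    return report


def advise(report):
    """Turn the findings into plain-language hints that mirror the diagnosis in this thread."""
    hints = []
    for conn, f in report.items():
        for (guess, want), n in f["wrong_ke"].items():
            hints.append(f"{conn}: client offered {guess} {n} time(s) and the server asked for {want} each time; "
                         f"a compliant initiator retries with the requested group, so repeats point at the client's IKEv2 proposal")
        if f["no_proposal"] and f["refused_dh"]:
            hints.append(f"{conn}: all IKEv1 transforms refused, client offers only {', '.join(sorted(f['refused_dh']))}; "
                         f"move the client to MODP2048 or set VPN_ENABLE_MODP1024=yes (weaker) and re-create the container")
        if f["psk_short"]:
            have, need = f["psk_short"]
            hints.append(f"{conn}: PSK is {have} bytes, {need} required for the PRF in FIPS mode; a warning only, but use a longer PSK")
    return hints


if __name__ == "__main__":
    for hint in advise(triage(SAMPLE_LOG)):
        print(hint)
```

Feed it the real container log (for example the output of docker logs) instead of SAMPLE_LOG; connections that never reach an INVALID_KE_PAYLOAD or refused-transform line produce no hint, which itself narrows the fault to something other than proposal negotiation.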