hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

ipsec-vpn-server on Synology NAS (Docker) won't work. #357

Closed Dieterm5 closed 1 year ago

Dieterm5 commented 1 year ago

**Describe the issue**
After a successful connection to the server via the IKEv2 option, the DSM on the Synology NAS is not reacting anymore. My phone doesn't have internet access, and the local network is also not responding (e.g. my Pi-hole didn't respond). All the other containers on Docker crash immediately. After a few minutes Synology restarts and says there was a blackout. Docker says "error gathering device information while adding custom device /dev/ppp: no such file or directory".

This image can run without problems, the problem is starting when I try to connect to my server via IKEv2 option.

**To Reproduce**
Steps to reproduce the behavior:

1. Follow the steps to install ipsec-vpn-server, running WITHOUT privilege: SSH to the Synology, get root access and then run this:

   ```sh
   docker run \
   --name IKEv2-IPSec  \
   --env-file path-to-enf.file/vpn.env \
   --restart=always \
   -v ipsec-server-data:/etc/ipsec.d \
   -p 500:500/udp \
   -p 4500:4500/udp \
   -d --cap-add=NET_ADMIN \
   --device=/dev/ppp \
   --sysctl net.ipv4.ip_forward=1 \
   --sysctl net.ipv4.conf.all.accept_redirects=0 \
   --sysctl net.ipv4.conf.all.send_redirects=0 \
   --sysctl net.ipv4.conf.all.rp_filter=0 \
   --sysctl net.ipv4.conf.default.accept_redirects=0 \
   --sysctl net.ipv4.conf.default.send_redirects=0 \
   --sysctl net.ipv4.conf.default.rp_filter=0 \
   --sysctl net.ipv4.conf.eth0.send_redirects=0 \
   --sysctl net.ipv4.conf.eth0.rp_filter=0 \
   --sysctl net.ipv4.ip_no_pmtu_disc=1 \
   hwdsl2/ipsec-vpn-server
   ```

   The env file looks like this:

   ```
   # Note: All the variables to this image are optional.
   # See README for more information.
   # To use, uncomment and replace with your own values.

   # Define IPsec PSK, VPN username and password
   # - DO NOT put "" or '' around values, or add space around =
   # - DO NOT use these special characters within values: \ " '
   VPN_IPSEC_PSK=
   VPN_USER=
   VPN_PASSWORD=

   # Define additional VPN users
   # - DO NOT put "" or '' around values, or add space around =
   # - DO NOT use these special characters within values: \ " '
   # - Usernames and passwords must be separated by spaces
   VPN_ADDL_USERS=additional_username_1 additional_username_2
   VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2

   # Use a DNS name for the VPN server
   # - The DNS name must be a fully qualified domain name (FQDN)
   VPN_DNS_NAME=myname.synology.me

   # Specify a name for the first IKEv2 client
   # - Use one word only, no special characters except '-' and '_'
   # - The default is 'vpnclient' if not specified
   VPN_CLIENT_NAME=USER

   # Use alternative DNS servers
   # - By default, clients are set to use Google Public DNS
   # - Example below shows Cloudflare's DNS service
   # DNS 1 = PiHole on my NAS
   VPN_DNS_SRV1=xxx.xxx.xxx.xxx

   # Protect IKEv2 client config files using a password
   # - By default, no password is required when importing IKEv2 client configuration
   # - Uncomment if you want to protect these files using a random password
   VPN_PROTECT_CONFIG=yes

   # To run this container only in IKEv2 mode (recommend)
   VPN_IKEV2_ONLY=yes

   # Subnet conf (all these variables must be specified)
   VPN_XAUTH_NET=10.7.0.0/24
   VPN_XAUTH_POOL=10.7.0.2-10.7.0.254
   ```

2. Port forward 500 and 4500, and set the firewall rules to accept ports 500 and 4500.
3. Import my .p12 file to my Android phone (Samsung S22+) and follow the steps to connect.

**Expected behavior**
The connection works, I can still work on my DSM on the Synology, and I have internet access on my phone during the connection.

**Logs**
[Enable logs](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs), check [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status), and add error logs to help explain the problem, if applicable.

Logs on Synology Docker:

```
2023-03-19T16:54:36.872327488Z | stderr | xl2tpd[1]: death_handler: Fatal signal 15 received
2023-03-19T16:53:47.449058132Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:53:47.449025386Z | stderr | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
2023-03-19T16:53:47.448993119Z | stderr | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
2023-03-19T16:53:47.448951845Z | stderr | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
2023-03-19T16:53:47.448913723Z | stderr | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2023-03-19T16:53:47.448815776Z | stderr | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 9a34d7676071 PID:1
2023-03-19T16:53:47.448581457Z | stderr | xl2tpd[1]: Using l2tp kernel support.
2023-03-19T16:53:47.333453924Z | stderr | xl2tpd[1]: Not looking for kernel SAref support.
2023-03-19T16:53:47.144628108Z | stdout |
2023-03-19T16:53:47.144597722Z | stdout | ================================================
2023-03-19T16:53:47.144571828Z | stdout |
2023-03-19T16:53:47.144493127Z | stdout | https://vpnsetup.net/clients2
2023-03-19T16:53:47.143719197Z | stdout | Next steps: Configure IKEv2 clients. See:
2023-03-19T16:53:47.143692324Z | stdout |
2023-03-19T16:53:47.143648155Z | stdout | Write this down, you'll need it for import!
2023-03-19T16:53:47.143620756Z | stdout | passwordhidden
2023-03-19T16:53:47.143579536Z | stdout | IMPORTANT Password for client config files:
2023-03-19T16:53:47.143553004Z | stdout |
2023-03-19T16:53:47.143504565Z | stdout | /etc/ipsec.d/USER.mobileconfig (for iOS & macOS)
2023-03-19T16:53:47.143472956Z | stdout | /etc/ipsec.d/USER.sswan (for Android)
2023-03-19T16:53:47.143425400Z | stdout | /etc/ipsec.d/USER.p12 (for Windows & Linux)
2023-03-19T16:53:47.143395764Z | stdout | Docker container at:
2023-03-19T16:53:47.143350827Z | stdout | Client configuration is available inside the
2023-03-19T16:53:47.143322920Z | stdout |
2023-03-19T16:53:47.143272370Z | stdout | VPN client name: USER
2023-03-19T16:53:47.143095982Z | stdout | VPN server address: myname.synology.me
2023-03-19T16:53:47.119127519Z | stdout |
2023-03-19T16:53:47.119085426Z | stdout | IKEv2 is already set up. Details for IKEv2 mode:
2023-03-19T16:53:47.119057428Z | stdout |
2023-03-19T16:53:47.119002188Z | stdout | ================================================
2023-03-19T16:53:47.118458815Z | stdout |
2023-03-19T16:53:45.077062629Z | stdout | Starting IPsec service...
2023-03-19T16:53:44.890870092Z | stdout |
2023-03-19T16:53:44.112788288Z | stdout | IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
2023-03-19T16:53:44.112748197Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:53:44.112704565Z | stdout |
2023-03-19T16:53:44.111524354Z | stdout | Setting DNS servers to xxx.xxx.xxx.xxx...
2023-03-19T16:53:44.111404243Z | stdout |
2023-03-19T16:53:43.949416791Z | stdout | Retrieving previously generated VPN credentials...
2023-03-19T16:53:43.949293176Z | stdout |
2023-03-19T16:53:43.935059665Z | stdout | Debian 11/10 users, see https://vpnsetup.net/debian10
2023-03-19T16:53:43.935022817Z | stdout | Please use IKEv2 or IPsec/XAuth mode to connect.
2023-03-19T16:53:43.927276359Z | stdout |
2023-03-19T16:49:25.909814843Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:49:25.909782154Z | stderr | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
2023-03-19T16:49:25.909752670Z | stderr | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
2023-03-19T16:49:25.909718975Z | stderr | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
2023-03-19T16:49:25.909684798Z | stderr | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2023-03-19T16:49:25.909633614Z | stderr | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 9a34d7676071 PID:1
2023-03-19T16:49:25.909496851Z | stderr | xl2tpd[1]: Using l2tp kernel support.
2023-03-19T16:49:25.872574854Z | stderr | xl2tpd[1]: Not looking for kernel SAref support.
2023-03-19T16:49:25.036292799Z | stdout |
2023-03-19T16:49:25.036267320Z | stdout | ================================================
2023-03-19T16:49:25.036239181Z | stdout |
2023-03-19T16:49:25.036176057Z | stdout | https://vpnsetup.net/clients2
2023-03-19T16:49:25.035480090Z | stdout | Next steps: Configure IKEv2 clients. See:
2023-03-19T16:49:25.035455950Z | stdout |
2023-03-19T16:49:25.035425638Z | stdout | Write this down, you'll need it for import!
2023-03-19T16:49:25.035399723Z | stdout | passwordhidden
2023-03-19T16:49:25.035368728Z | stdout | IMPORTANT Password for client config files:
2023-03-19T16:49:25.035344640Z | stdout |
2023-03-19T16:49:25.035307318Z | stdout | /etc/ipsec.d/USER.mobileconfig (for iOS & macOS)
2023-03-19T16:49:25.035279291Z | stdout | /etc/ipsec.d/USER.sswan (for Android)
2023-03-19T16:49:25.035245077Z | stdout | /etc/ipsec.d/USER.p12 (for Windows & Linux)
2023-03-19T16:49:25.035193614Z | stdout | Docker container at:
2023-03-19T16:49:25.035158791Z | stdout | Client configuration is available inside the
2023-03-19T16:49:25.035131185Z | stdout |
2023-03-19T16:49:25.035096049Z | stdout | VPN client name: USER
2023-03-19T16:49:25.035041966Z | stdout | VPN server address: myname.synology.me
2023-03-19T16:49:25.034578344Z | stdout |
2023-03-19T16:49:25.034536860Z | stdout | IKEv2 is already set up. Details for IKEv2 mode:
2023-03-19T16:49:25.034511251Z | stdout |
2023-03-19T16:49:25.034472521Z | stdout | ================================================
2023-03-19T16:49:25.034112416Z | stdout |
2023-03-19T16:49:23.376963617Z | stdout | Starting IPsec service...
2023-03-19T16:49:23.376840437Z | stdout |
2023-03-19T16:49:22.949072421Z | stdout | IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
2023-03-19T16:49:22.949023666Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:49:22.948961978Z | stdout |
2023-03-19T16:49:22.947758137Z | stdout | Setting DNS servers to xxx.xxx.xxx.xxx...
2023-03-19T16:49:22.947643393Z | stdout |
2023-03-19T16:49:22.859576130Z | stdout | Retrieving previously generated VPN credentials...
2023-03-19T16:49:22.859449896Z | stdout |
2023-03-19T16:49:22.827709636Z | stdout | Debian 11/10 users, see https://vpnsetup.net/debian10
2023-03-19T16:49:22.827673332Z | stdout | Please use IKEv2 or IPsec/XAuth mode to connect.
2023-03-19T16:49:22.827120621Z | stdout
```


Libreswan logs:

```
2023-03-19T17:55:36.528226+00:00 9a34d7676071 pluto[417]: Pluto is shutting down
2023-03-19T17:55:36.528547+00:00 9a34d7676071 pluto[417]: forgetting secrets
2023-03-19T17:55:36.528590+00:00 9a34d7676071 pluto[417]: shutting down interface lo 127.0.0.1:4500
2023-03-19T17:55:36.528606+00:00 9a34d7676071 pluto[417]: shutting down interface lo 127.0.0.1:500
2023-03-19T17:55:36.528616+00:00 9a34d7676071 pluto[417]: shutting down interface eth0 172.17.0.5:4500
2023-03-19T17:55:36.528626+00:00 9a34d7676071 pluto[417]: shutting down interface eth0 172.17.0.5:500
2023-03-19T17:55:37.492658+00:00 9a34d7676071 pluto[775]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
2023-03-19T17:55:37.497995+00:00 9a34d7676071 pluto[775]: FIPS Mode: NO
2023-03-19T17:55:37.498011+00:00 9a34d7676071 pluto[775]: NSS crypto library initialized
2023-03-19T17:55:37.498055+00:00 9a34d7676071 pluto[775]: FIPS mode disabled for pluto daemon
2023-03-19T17:55:37.498064+00:00 9a34d7676071 pluto[775]: FIPS HMAC integrity support [disabled]
2023-03-19T17:55:37.498290+00:00 9a34d7676071 pluto[775]: libcap-ng support [enabled]
2023-03-19T17:55:37.498304+00:00 9a34d7676071 pluto[775]: Linux audit support [disabled]
2023-03-19T17:55:37.498321+00:00 9a34d7676071 pluto[775]: Starting Pluto (Libreswan Version 4.10 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:775
2023-03-19T17:55:37.498328+00:00 9a34d7676071 pluto[775]: core dump dir: /run/pluto
2023-03-19T17:55:37.498336+00:00 9a34d7676071 pluto[775]: secrets file: /etc/ipsec.secrets
2023-03-19T17:55:37.498343+00:00 9a34d7676071 pluto[775]: leak-detective disabled
2023-03-19T17:55:37.498350+00:00 9a34d7676071 pluto[775]: NSS crypto [enabled]
2023-03-19T17:55:37.498358+00:00 9a34d7676071 pluto[775]: XAUTH PAM support [enabled]
2023-03-19T17:55:37.498383+00:00 9a34d7676071 pluto[775]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2023-03-19T17:55:37.498446+00:00 9a34d7676071 pluto[775]: NAT-Traversal support [enabled]
2023-03-19T17:55:37.498670+00:00 9a34d7676071 pluto[775]: Encryption algorithms:
2023-03-19T17:55:37.498689+00:00 9a34d7676071 pluto[775]: AES_CCM_16 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
2023-03-19T17:55:37.498701+00:00 9a34d7676071 pluto[775]: AES_CCM_12 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
2023-03-19T17:55:37.498713+00:00 9a34d7676071 pluto[775]: AES_CCM_8 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
2023-03-19T17:55:37.498724+00:00 9a34d7676071 pluto[775]: 3DES_CBC [192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
2023-03-19T17:55:37.498735+00:00 9a34d7676071 pluto[775]: CAMELLIA_CTR {256,192,128} IKEv1: ESP IKEv2: ESP
2023-03-19T17:55:37.498747+00:00 9a34d7676071 pluto[775]: CAMELLIA_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
2023-03-19T17:55:37.498759+00:00 9a34d7676071 pluto[775]: AES_GCM_16 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
2023-03-19T17:55:37.498770+00:00 9a34d7676071 pluto[775]: AES_GCM_12 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
2023-03-19T17:55:37.498782+00:00 9a34d7676071 pluto[775]: AES_GCM_8 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
2023-03-19T17:55:37.498794+00:00 9a34d7676071 pluto[775]: AES_CTR {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
2023-03-19T17:55:37.498804+00:00 9a34d7676071 pluto[775]: AES_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
2023-03-19T17:55:37.498816+00:00 9a34d7676071 pluto[775]: NULL_AUTH_AES_GMAC {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
2023-03-19T17:55:37.498826+00:00 9a34d7676071 pluto[775]: NULL [] IKEv1: ESP IKEv2: ESP
2023-03-19T17:55:37.498838+00:00 9a34d7676071 pluto[775]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
2023-03-19T17:55:37.498846+00:00 9a34d7676071 pluto[775]: Hash algorithms:
2023-03-19T17:55:37.498884+00:00 9a34d7676071 pluto[775]: MD5 IKEv1: IKE IKEv2: NSS
2023-03-19T17:55:37.498954+00:00 9a34d7676071 pluto[775]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
2023-03-19T17:55:37.498970+00:00 9a34d7676071 pluto[775]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
2023-03-19T17:55:37.498981+00:00 9a34d7676071 pluto[775]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
2023-03-19T17:55:37.499008+00:00 9a34d7676071 pluto[775]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
2023-03-19T17:55:37.499035+00:00 9a34d7676071 pluto[775]: IDENTITY IKEv1: IKEv2: FIPS
2023-03-19T17:55:37.499060+00:00 9a34d7676071 pluto[775]: PRF algorithms:
2023-03-19T17:55:37.499089+00:00 9a34d7676071 pluto[775]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
2023-03-19T17:55:37.499113+00:00 9a34d7676071 pluto[775]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
2023-03-19T17:55:37.499139+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
2023-03-19T17:55:37.499173+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
2023-03-19T17:55:37.499202+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
2023-03-19T17:55:37.499235+00:00 9a34d7676071 pluto[775]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
2023-03-19T17:55:37.499269+00:00 9a34d7676071 pluto[775]: Integrity algorithms:
2023-03-19T17:55:37.499304+00:00 9a34d7676071 pluto[775]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
2023-03-19T17:55:37.499339+00:00 9a34d7676071 pluto[775]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
2023-03-19T17:55:37.499372+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
2023-03-19T17:55:37.499405+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
2023-03-19T17:55:37.499437+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2023-03-19T17:55:37.499469+00:00 9a34d7676071 pluto[775]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
2023-03-19T17:55:37.499502+00:00 9a34d7676071 pluto[775]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2023-03-19T17:55:37.499534+00:00 9a34d7676071 pluto[775]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
2023-03-19T17:55:37.499566+00:00 9a34d7676071 pluto[775]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
2023-03-19T17:55:37.499598+00:00 9a34d7676071 pluto[775]: DH algorithms:
2023-03-19T17:55:37.499631+00:00 9a34d7676071 pluto[775]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
2023-03-19T17:55:37.499664+00:00 9a34d7676071 pluto[775]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
2023-03-19T17:55:37.499702+00:00 9a34d7676071 pluto[775]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
2023-03-19T17:55:37.499735+00:00 9a34d7676071 pluto[775]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
2023-03-19T17:55:37.499769+00:00 9a34d7676071 pluto[775]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
2023-03-19T17:55:37.499802+00:00 9a34d7676071 pluto[775]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
2023-03-19T17:55:37.499834+00:00 9a34d7676071 pluto[775]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
2023-03-19T17:55:37.499867+00:00 9a34d7676071 pluto[775]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
2023-03-19T17:55:37.499905+00:00 9a34d7676071 pluto[775]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
2023-03-19T17:55:37.499938+00:00 9a34d7676071 pluto[775]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
2023-03-19T17:55:37.499971+00:00 9a34d7676071 pluto[775]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
2023-03-19T17:55:37.500003+00:00 9a34d7676071 pluto[775]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
2023-03-19T17:55:37.500037+00:00 9a34d7676071 pluto[775]: IPCOMP algorithms:
2023-03-19T17:55:37.500070+00:00 9a34d7676071 pluto[775]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
2023-03-19T17:55:37.500103+00:00 9a34d7676071 pluto[775]: LZS IKEv1: IKEv2: ESP AH FIPS
2023-03-19T17:55:37.500135+00:00 9a34d7676071 pluto[775]: LZJH IKEv1: IKEv2: ESP AH FIPS
2023-03-19T17:55:37.500172+00:00 9a34d7676071 pluto[775]: testing CAMELLIA_CBC:
2023-03-19T17:55:37.500206+00:00 9a34d7676071 pluto[775]: Camellia: 16 bytes with 128-bit key
2023-03-19T17:55:37.500359+00:00 9a34d7676071 pluto[775]: Camellia: 16 bytes with 128-bit key
2023-03-19T17:55:37.500412+00:00 9a34d7676071 pluto[775]: Camellia: 16 bytes with 256-bit key
2023-03-19T17:55:37.500466+00:00 9a34d7676071 pluto[775]: Camellia: 16 bytes with 256-bit key
2023-03-19T17:55:37.500518+00:00 9a34d7676071 pluto[775]: testing AES_GCM_16:
2023-03-19T17:55:37.500525+00:00 9a34d7676071 pluto[775]: empty string
2023-03-19T17:55:37.500576+00:00 9a34d7676071 pluto[775]: one block
2023-03-19T17:55:37.500621+00:00 9a34d7676071 pluto[775]: two blocks
2023-03-19T17:55:37.500668+00:00 9a34d7676071 pluto[775]: two blocks with associated data
2023-03-19T17:55:37.500717+00:00 9a34d7676071 pluto[775]: testing AES_CTR:
2023-03-19T17:55:37.500725+00:00 9a34d7676071 pluto[775]: Encrypting 16 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500773+00:00 9a34d7676071 pluto[775]: Encrypting 32 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500824+00:00 9a34d7676071 pluto[775]: Encrypting 36 octets using AES-CTR with 128-bit key
2023-03-19T17:55:37.500883+00:00 9a34d7676071 pluto[775]: Encrypting 16 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.500933+00:00 9a34d7676071 pluto[775]: Encrypting 32 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.500983+00:00 9a34d7676071 pluto[775]: Encrypting 36 octets using AES-CTR with 192-bit key
2023-03-19T17:55:37.501034+00:00 9a34d7676071 pluto[775]: Encrypting 16 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501086+00:00 9a34d7676071 pluto[775]: Encrypting 32 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501140+00:00 9a34d7676071 pluto[775]: Encrypting 36 octets using AES-CTR with 256-bit key
2023-03-19T17:55:37.501195+00:00 9a34d7676071 pluto[775]: testing AES_CBC:
2023-03-19T17:55:37.501203+00:00 9a34d7676071 pluto[775]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501251+00:00 9a34d7676071 pluto[775]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501308+00:00 9a34d7676071 pluto[775]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501364+00:00 9a34d7676071 pluto[775]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2023-03-19T17:55:37.501427+00:00 9a34d7676071 pluto[775]: testing AES_XCBC:
2023-03-19T17:55:37.501439+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2023-03-19T17:55:37.501633+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2023-03-19T17:55:37.501837+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2023-03-19T17:55:37.502036+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2023-03-19T17:55:37.502225+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2023-03-19T17:55:37.502415+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2023-03-19T17:55:37.502610+00:00 9a34d7676071 pluto[775]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2023-03-19T17:55:37.503075+00:00 9a34d7676071 pluto[775]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2023-03-19T17:55:37.503265+00:00 9a34d7676071 pluto[775]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2023-03-19T17:55:37.503467+00:00 9a34d7676071 pluto[775]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2023-03-19T17:55:37.503803+00:00 9a34d7676071 pluto[775]: testing HMAC_MD5:
2023-03-19T17:55:37.503815+00:00 9a34d7676071 pluto[775]: RFC 2104: MD5_HMAC test 1
2023-03-19T17:55:37.504076+00:00 9a34d7676071 pluto[775]: RFC 2104: MD5_HMAC test 2
2023-03-19T17:55:37.504306+00:00 9a34d7676071 pluto[775]: RFC 2104: MD5_HMAC test 3
2023-03-19T17:55:37.504534+00:00 9a34d7676071 pluto[775]: testing HMAC_SHA1:
2023-03-19T17:55:37.504546+00:00 9a34d7676071 pluto[775]: CAVP: IKEv2 key derivation with HMAC-SHA1
2023-03-19T17:55:37.506691+00:00 9a34d7676071 pluto[775]: 4 CPU cores online
2023-03-19T17:55:37.506701+00:00 9a34d7676071 pluto[775]: starting up 3 helper threads
2023-03-19T17:55:37.506744+00:00 9a34d7676071 pluto[775]: started thread for helper 0
2023-03-19T17:55:37.506780+00:00 9a34d7676071 pluto[775]: started thread for helper 1
2023-03-19T17:55:37.506808+00:00 9a34d7676071 pluto[775]: helper(1) seccomp security for helper not supported
2023-03-19T17:55:37.506832+00:00 9a34d7676071 pluto[775]: helper(2) seccomp security for helper not supported
2023-03-19T17:55:37.506850+00:00 9a34d7676071 pluto[775]: started thread for helper 2
2023-03-19T17:55:37.506870+00:00 9a34d7676071 pluto[775]: helper(3) seccomp security for helper not supported
2023-03-19T17:55:37.506888+00:00 9a34d7676071 pluto[775]: using Linux xfrm kernel support code on #42962 SMP Tue Jan 31 23:18:09 CST 2023
2023-03-19T17:55:37.506968+00:00 9a34d7676071 pluto[775]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2023-03-19T17:55:37.507239+00:00 9a34d7676071 pluto[775]: seccomp security not supported
2023-03-19T17:55:37.508472+00:00 9a34d7676071 pluto[775]: "ikev2-cp": IKE SA proposals (connection add):
2023-03-19T17:55:37.508491+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508503+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508515+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508527+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2023-03-19T17:55:37.508633+00:00 9a34d7676071 pluto[775]: "ikev2-cp": Child SA proposals (connection add):
2023-03-19T17:55:37.508648+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508659+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508669+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508680+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.508690+00:00 9a34d7676071 pluto[775]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2023-03-19T17:55:37.517173+00:00 9a34d7676071 pluto[775]: "ikev2-cp": loaded private key matching left certificate 'myname.synology.me'
2023-03-19T17:55:37.517202+00:00 9a34d7676071 pluto[775]: "ikev2-cp": added IKEv2 connection
2023-03-19T17:55:37.517323+00:00 9a34d7676071 pluto[775]: listening for IKE messages
2023-03-19T17:55:37.517373+00:00 9a34d7676071 pluto[775]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
2023-03-19T17:55:37.517465+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:500
2023-03-19T17:55:37.517501+00:00 9a34d7676071 pluto[775]: adding UDP interface eth0 172.17.0.5:4500
2023-03-19T17:55:37.517535+00:00 9a34d7676071 pluto[775]: adding UDP interface lo 127.0.0.1:500
2023-03-19T17:55:37.517567+00:00 9a34d7676071 pluto[775]: adding UDP interface lo 127.0.0.1:4500
2023-03-19T17:55:37.518647+00:00 9a34d7676071 pluto[775]: forgetting secrets
2023-03-19T17:55:37.518715+00:00 9a34d7676071 pluto[775]: loading secrets from "/etc/ipsec.secrets"
```


Messages:

```
2023-03-19T17:55:05.393350+00:00 9a34d7676071 : imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
2023-03-19T17:55:05.393408+00:00 9a34d7676071 : activation of module imklog failed [v8.2212.0 try https://www.rsyslog.com/e/2145 ]
2023-03-19T17:55:05.393441+00:00 9a34d7676071 : [origin software="rsyslogd" swVersion="8.2212.0" x-pid="474" x-info="https://www.rsyslog.com"] start
2023-03-19T17:55:36.579937+00:00 9a34d7676071 /etc/init.d/ipsec[629]: checkpath: /var/run/pluto: could not open run: No such device or address
```


**Server (please complete the following information)**
- Device: Synology NAS DS920+
- Docker host OS: [DSM 7.1.1-42962 Update 4]
- Hosting provider (if applicable): []

**Client (please complete the following information)**
- Device: [Samsung Galaxy S22+]
- OS: [Android 13, One UI 5.1] => Model SM-S906B/DS
- VPN mode: [IKEv2 only]

**Additional context**

Enabling Libreswan logs:

```sh
docker exec -it IKEv2-IPSec env TERM=xterm bash -l
```

```
apk add --no-cache rsyslog
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libestr (0.1.11-r2)
(2/4) Installing libfastjson (0.99.9-r0)
(3/4) Installing rsyslog (8.2212.0-r0)
(4/4) Installing rsyslog-openrc (8.2212.0-r0)
Executing busybox-1.35.0-r29.trigger
OK: 46 MiB in 79 packages
```

```
rsyslogd
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.2212.0 try https://www.rsyslog.com/e/2145 ]
```

```sh
rc-service ipsec stop; rc-service -D ipsec start >/dev/null 2>&1

sed -i '/pluto.pid/a rsyslogd' /opt/src/run.sh
```



Hope I didn't fuck up somewhere or get something wrong.
But this seems very strange, and after a week of a lot of research I'm posting this issue now.
I have filled it in as completely as possible.

Thanks

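The env file quoted in the report above carries its own rules in comments (no quotes around values, no spaces around `=`, no `\ " '` inside values, VPN_ADDL_USERS and VPN_ADDL_PASSWORDS paired up by position, an FQDN for VPN_DNS_NAME, a one-word VPN_CLIENT_NAME, and VPN_XAUTH_NET together with VPN_XAUTH_POOL), and a slip in any of them only shows up once the container is running. The checker below is an added example written for this page; it is not the image's own startup validation. It applies those documented rules to a `--env-file` body before `docker run`, and the extra check that the XAuth pool is an ascending range inside the subnet is my own addition beyond the file's comments. Both sample env bodies are constructed.

```python
import ipaddress
import re

# Rules restated from the comments in the vpn.env file quoted in the issue:
#   - do not put "" or '' around values, or add spaces around "="
#   - do not use \ " ' inside values
#   - VPN_ADDL_USERS and VPN_ADDL_PASSWORDS are space-separated and pair up
#   - VPN_DNS_NAME must be a fully qualified domain name
#   - VPN_CLIENT_NAME is one word; only '-' and '_' as special characters
#   - VPN_XAUTH_NET and VPN_XAUTH_POOL must be specified together
# The containment check of the pool inside the subnet is my own addition.

FORBIDDEN_CHARS = set('\\"\'')
FQDN_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.I)
CLIENT_NAME_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def parse_env_file(text):
    """Parse a docker --env-file body. Returns (variables, problems)."""
    variables, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            problems.append(f'line {lineno}: no "=" in {line!r}')
            continue
        key, value = line.split('=', 1)
        if key != key.rstrip() or value != value.lstrip():
            # the file's comments forbid whitespace around "="
            problems.append(f'line {lineno}: whitespace around "=" in {key.strip()}')
            key, value = key.strip(), value.lstrip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            problems.append(f'line {lineno}: {key} is wrapped in quotes; '
                            'docker keeps them as part of the value')
        elif FORBIDDEN_CHARS & set(value):
            problems.append(f'line {lineno}: {key} contains one of \\ " \'')
        variables[key] = value
    return variables, problems


def check_vpn_env(text):
    """Apply the documented constraints; returns a list of problem strings (empty = OK)."""
    variables, problems = parse_env_file(text)
    users = variables.get('VPN_ADDL_USERS', '').split()
    passwords = variables.get('VPN_ADDL_PASSWORDS', '').split()
    if len(users) != len(passwords):
        problems.append(f'VPN_ADDL_USERS has {len(users)} entries but '
                        f'VPN_ADDL_PASSWORDS has {len(passwords)}')
    dns_name = variables.get('VPN_DNS_NAME')
    if dns_name is not None and not FQDN_RE.match(dns_name):
        problems.append(f'VPN_DNS_NAME {dns_name!r} is not a fully qualified domain name')
    client = variables.get('VPN_CLIENT_NAME')
    if client is not None and not CLIENT_NAME_RE.match(client):
        problems.append(f'VPN_CLIENT_NAME {client!r} must be one word using only '
                        'letters, digits, "-" and "_"')
    net, pool = variables.get('VPN_XAUTH_NET'), variables.get('VPN_XAUTH_POOL')
    if (net is None) != (pool is None):
        problems.append('VPN_XAUTH_NET and VPN_XAUTH_POOL must be specified together')
    elif net is not None:
        try:
            network = ipaddress.ip_network(net, strict=True)
            low, high = (ipaddress.ip_address(p.strip()) for p in pool.split('-', 1))
            if low not in network or high not in network or low > high:
                problems.append(f'VPN_XAUTH_POOL {pool} is not an ascending range '
                                f'inside VPN_XAUTH_NET {net}')
        except ValueError as exc:  # bad CIDR, bad address, or pool without "-"
            problems.append(f'VPN_XAUTH_NET/VPN_XAUTH_POOL: {exc}')
    return problems


# Constructed sample modelled on the env file in the issue (placeholder secrets).
GOOD_ENV = """\
VPN_IPSEC_PSK=example-psk-placeholder
VPN_USER=vpnuser
VPN_PASSWORD=vpnpass-placeholder
VPN_ADDL_USERS=alice bob
VPN_ADDL_PASSWORDS=alicepw bobpw
VPN_DNS_NAME=myname.synology.me
VPN_CLIENT_NAME=USER
VPN_DNS_SRV1=192.0.2.53
VPN_PROTECT_CONFIG=yes
VPN_IKEV2_ONLY=yes
VPN_XAUTH_NET=10.7.0.0/24
VPN_XAUTH_POOL=10.7.0.2-10.7.0.254
"""

# Constructed sample that breaks one rule per line.
BAD_ENV = """\
VPN_IPSEC_PSK="quoted value"
VPN_USER = spaced
VPN_PASSWORD=has'quote
VPN_ADDL_USERS=alice bob
VPN_ADDL_PASSWORDS=alicepw
VPN_DNS_NAME=nas
VPN_CLIENT_NAME=my client
VPN_XAUTH_NET=10.7.0.0/24
"""

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = check_vpn_env(fh.read())
    else:
        found = check_vpn_env(BAD_ENV)
    print('\n'.join(found) or 'no problems found')
```

Run it as `python3 check_env.py vpn.env` against the real file before starting the container; with no argument it reports the seven problems in the constructed BAD_ENV.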
seemebreakthis commented 1 year ago

Per this comment https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/298#issuecomment-1158593803

@hwdsl2 says himself this docker image does not work with Synology for unknown reasons.

I wish they would put this caveat up prominently in README.md. You and many others (myself included) have wasted so much time trying to get this docker image to work on Synology NAS I am sure, because of Android's limitation on types of VPN connections allowed + VPN server being a common use case for Synology NAS owners.

(Edit: Ended up installing kylemanna/docker-vpn per instructions here, working flawlessly)

hwdsl2 commented 1 year ago

@Dieterm5 Hello! Thank you for reporting this issue. I looked at your description and logs; you mentioned that the DiskStation Manager (DSM) on the Synology NAS crashes as soon as an IKEv2 connection is established. This is most likely a bug with IPsec VPN support in the DSM system. The exact cause is unclear from your provided logs.

As @seemebreakthis suggested, I can add a note in the README regarding using this Docker image on Synology NAS systems. Note that the separate issue in #298 was related to MOBIKE support and it was already fixed earlier. Your logs show that the IKEv2 connection was added successfully at Libreswan startup.
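The reading above depends on two things that are easy to miss in the raw paste: the Synology Docker export lists entries newest-first, and the Libreswan and rsyslog lines use a different layout from the container's stdout/stderr export. The script below is an added example written for this page, not part of the project: it parses both layouts, orders everything chronologically, and flags the lines this thread discusses (the missing `/dev/ppp` device, the IKEv2-only notice, xl2tpd's SIGTERM, the imklog permission error, the `checkpath` failure, and the successful `added IKEv2 connection`), with a one-line reading for each. The sample excerpt is constructed from lines quoted in the report, and the readings attached to each pattern are mine.

```python
import re
from dataclasses import dataclass

# Synology's Docker log export: "<ISO timestamp>Z | stdout|stderr | <message>"
DOCKER_RE = re.compile(r'^(\S+Z) \| (stdout|stderr) \| ?(.*)$')
# rsyslog-style line from inside the container:
# "<ISO timestamp> <host> <prog>[<pid>]: <message>"; the imklog lines carry
# no program name at all, hence "*" rather than "+" on the prog group.
SYSLOG_RE = re.compile(r'^(\S+) (\S+) ([^\s\[:]*)(?:\[(\d+)\])?\s?: (.*)$')


@dataclass
class Entry:
    ts: str      # raw timestamp text; empty when the line matched neither layout
    source: str  # "stdout"/"stderr" for the export, program name for syslog lines
    msg: str


def parse_line(line):
    """Return an Entry for one line, or None for a blank line."""
    if not line.strip():
        return None
    m = DOCKER_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3).strip())
    m = SYSLOG_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(3) or 'rsyslog', m.group(5).strip())
    # Keep unrecognised lines (e.g. an error copied from the Docker UI) rather
    # than dropping them silently; an empty ts sorts them to the front.
    return Entry('', 'unparsed', line.strip())


def _sort_key(entry):
    # Both layouts on the page are UTC; drop the suffix so "Z" and "+00:00"
    # timestamps compare on the date/time text alone.
    return entry.ts.rstrip('Z').replace('+00:00', '')


def parse_log(text):
    """Parse every line and return the entries oldest-first."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    entries.sort(key=_sort_key)
    return entries


# (pattern, level, reading). Each message appears in the issue's logs; the
# readings are my interpretation, not text from the project.
SIGNALS = [
    (re.compile(r'no such file or directory', re.I), 'warn',
     'a device or path given to docker is missing on the host; the report quotes this for --device=/dev/ppp'),
    (re.compile(r'Running in IKEv2-only mode'), 'ok',
     'VPN_IKEV2_ONLY=yes is in effect, so IPsec/L2TP (xl2tpd) and XAuth are disabled'),
    (re.compile(r'death_handler: Fatal signal 15'), 'info',
     'xl2tpd received SIGTERM (15), i.e. the container was stopped or restarted; not a fault in IKEv2-only mode'),
    (re.compile(r'cannot open kernel log \(/proc/kmsg\)'), 'info',
     'rsyslog imklog cannot read the kernel log from an unprivileged container; unrelated to the VPN'),
    (re.compile(r'checkpath: .*could not open'), 'warn',
     'the ipsec init script could not prepare /var/run/pluto; confirm pluto still came up ("listening for IKE messages")'),
    (re.compile(r'added IKEv2 connection'), 'ok',
     'Libreswan loaded the "ikev2-cp" connection, so the server side is configured'),
]


def triage(text):
    """Return (timestamp, level, source, reading) for each notable line, oldest first."""
    findings = []
    for entry in parse_log(text):
        for pattern, level, reading in SIGNALS:
            if pattern.search(entry.msg):
                findings.append((entry.ts, level, entry.source, reading))
                break
    return findings


# Constructed excerpt: the Docker UI error the reporter quoted, a few lines of
# the Synology export (pasted newest-first, as on the page) and four rsyslog lines.
SAMPLE_LOG = """\
error gathering device information while adding custom device /dev/ppp: no such file or directory
2023-03-19T16:54:36.872327488Z | stderr | xl2tpd[1]: death_handler: Fatal signal 15 received
2023-03-19T16:53:47.449058132Z | stderr | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
2023-03-19T16:53:44.112748197Z | stdout | Note: Running in IKEv2-only mode via env file option.
2023-03-19T16:53:44.112704565Z | stdout |
2023-03-19T17:55:36.579937+00:00 9a34d7676071 /etc/init.d/ipsec[629]: checkpath: /var/run/pluto: could not open run: No such device or address
2023-03-19T17:55:37.517202+00:00 9a34d7676071 pluto[775]: "ikev2-cp": added IKEv2 connection
2023-03-19T17:55:37.517323+00:00 9a34d7676071 pluto[775]: listening for IKE messages
2023-03-19T17:55:05.393350+00:00 9a34d7676071 : imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
"""

if __name__ == '__main__':
    for ts, level, source, reading in triage(SAMPLE_LOG):
        print(f'{level:4} {ts or "-":32} {source:10} {reading}')
```

Paste a real export into `SAMPLE_LOG` or read it from a file; the chronological order is what makes it clear that the xl2tpd SIGTERM follows a restart rather than preceding the crash, and that pluto reached "listening for IKE messages" despite the earlier checkpath complaint.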

Dieterm5 commented 1 year ago

@seemebreakthis Hi, thanks for your message. I also ended up installing OpenVPN from Kylemanna's image and it works perfectly. Thanks for referring me to this. Actually I wish to get an IKEv2 connection because that's the only way to use 'routines' on Android to autoconnect via IKEv2 VPN when I open an app that requires a specific IP (for example an IP from a specific country to be able to see the videos). If I can autoconnect my phone using OpenVPN when opening a specified app, all help is welcome too 🎉

@hwdsl2 Thanks for your fast reply! OK, I will contact Synology's team about this situation and hopefully they will fix something so this won't happen again. I'll keep you updated. Also I have Watchtower installed on my Docker, so after every update of this image I'll get a notification and I'll keep a watch on this.

Dieterm5 commented 1 year ago

@hwdsl2, @seemebreakthis

I got a reply from Synology: you have to run this image in privileged mode and set the local ports to automatic (container ports 4500 and 500 UDP).

I'm not going to test this, btw; I'm afraid of breaking my NAS. Maybe someone can test this?