Closed keelfy-lilly closed 1 year ago
@keelfy-lilly Hello! Thanks for reporting this issue and providing details. The error `netlink response for Add SA ... Protocol not supported (errno 93)` typically means that your Docker host's Linux kernel does not properly support the IPsec protocol. If your VPS is OpenVZ or LXC based, it may run a shared Linux kernel which lacks IPsec support. Otherwise, if it's KVM-based, it should generally work fine, unless there's an issue with your hosting provider's VM implementation.
Alternatively, you can try creating a non-containerized VPN on a new VPS using scripts in this repo.
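A host-side pre-flight check for the cause described in the reply above, added here as an example and not code from the hwdsl2 project or from the issue: it reports which IPsec kernel modules are absent from the Docker host and whether the virtualization type implies a shared kernel. The module list, the virtualization names and the `modprobe -n` dry-run probe are assumptions about a typical Linux Docker host.

```shell
#!/bin/sh
# Added diagnostic (not part of the repo or the issue). A kernel that cannot
# create ESP SAs makes pluto log "Add SA ... Protocol not supported (errno 93)".
# Assumed module set for Libreswan's xfrm backend: af_key (PF_KEY socket),
# xfrm_user (xfrm netlink), esp4 (ESP transform).
REQUIRED_IPSEC_MODULES="af_key xfrm_user esp4"

# missing_from_lsmod LSMOD_TEXT: print required modules absent from lsmod-style output.
missing_from_lsmod() {
    lsmod_text=$1
    missing=""
    for m in $REQUIRED_IPSEC_MODULES; do
        if ! printf '%s\n' "$lsmod_text" | awk '{print $1}' | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# shared_kernel_virt VIRT: succeed when the systemd-detect-virt name implies a shared host kernel.
shared_kernel_virt() {
    case "$1" in
        openvz|lxc|lxc-libvirt|systemd-nspawn|docker) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: live check of this machine (meaningful only on a Linux host, as root).
check_host() {
    virt=$(systemd-detect-virt 2>/dev/null || echo unknown)
    if shared_kernel_virt "$virt"; then
        echo "WARN: virtualization '$virt' shares the host kernel; IPsec support depends on the host"
    fi
    for m in $(missing_from_lsmod "$(lsmod 2>/dev/null)"); do
        # modprobe -n is a dry run; it succeeds when the module is loadable or built in (assumed).
        if modprobe -n -q "$m" 2>/dev/null; then
            echo "INFO: $m not in lsmod but modprobe finds it; try: modprobe $m"
        else
            echo "FAIL: $m is unavailable on this kernel"
        fi
    done
}

# Constructed lsmod excerpt (af_key deliberately absent) for a stand-alone run.
SAMPLE_LSMOD='Module                  Size  Used by
xfrm_user              45056  1
esp4                   24576  0
overlay               139264  0'

# Run the live check with --live; otherwise report against the constructed sample.
if [ "${1:-}" = "--live" ]; then check_host; else missing_from_lsmod "$SAMPLE_LSMOD"; echo; fi
```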
Describe the issue
None of my devices can connect to the IKEv2 VPN. I've tried macOS 13, Windows 11, and Android 11. Windows says that the problem is unknown and macOS just stops connecting after 1-2 sec.
After finding out about this issue, I enabled Libreswan logs to look at what happens on the server side. You can find them below. The logs are the same for each device I've tried; by the same I mean the same steps and errors. I've tried to recreate the VPS 2 times (installed CentOS and the problem was the same), I've tried to re-clone the repo, restart the container, and recreate the container. I'm thinking the problem is with my network preferences, but I don't know where to look or what to fix.
To Reproduce
- `VPN_DNS_NAME` set to my domain (previously I've added an A record pointing to the VPS)
- `VPN_IKEV2_ONLY=yes` because I'm planning to use only IKEv2 (I've also tried without this variable)
Expected behavior
Logs
I've replaced my actual domain with 'mydomain'
Libreswan log
```log
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: reloaded private key matching left certificate 'mydomain'
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
ipsec-vpn-server pluto[836]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=066d85fa chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
ipsec-vpn-server pluto[836]: ERROR: "ikev2-cp"[1] 94.189.154.13 #2: netlink response for Add SA esp.66d85fa@94.189.154.13: Protocol not supported (errno 93)
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: setup_half_ipsec_sa() hit fail:
```
Status log
```
000 using kernel interface: xfrm
000
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 172.18.0.2:4500
000 interface eth0 UDP 172.18.0.2:500
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=4.10, pluto_vendorid=OE-Libreswan-4.10, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=
```
Server (please complete the following information)
Client (please complete the following information)
Additional context
I'm a newbie in that kind of stuff, but I created a non-containerized VPN using strongswan-starter under an Ubuntu system, which worked fine.