hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

Libreswan: Protocol not supported (errno 93) #368

Closed keelfy-lilly closed 1 year ago

keelfy-lilly commented 1 year ago

Describe the issue

None of my devices can connect to IKEv2 VPN. I've tried macOS 13, Windows 11, and Android 11. Windows says that the problem is unknown and macOS just stops connecting after 1-2 sec.

After finding out about this issue I've enabled logs of Libreswan to look at what happens on the server side. You can find them down below. The logs are the same for each device I've tried. By the same I mean the same steps and errors. I've tried to recreate VPS 2 times (installed CentOS and the problem was the same), I've tried to re-clone the repo, restart the container, and recreate the container. I'm thinking about the problem with my network preferences, but I don't know where to look or what to fix.

To Reproduce

  1. clone this repo
  2. Change variable VPN_DNS_NAME to my domain (previously I've added A record pointing to VPS)
  3. Add VPN_IKEV2_ONLY=yes because I'm planning to use only IKEv2 (I've also tried without this variable)
  4. Using the latest docker type 'docker compose up -d'
  5. Copy certs from the container and use them according to your guide.

Expected behavior

  1. Copy certs from container
  2. Transfer them to device
  3. Add VPN according to your guide
  4. Use VPN

Logs

I've replaced my actual domain with 'mydomain'

Libreswan log

```log
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: reloaded private key matching left certificate 'mydomain'
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
ipsec-vpn-server pluto[836]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=066d85fa chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
ipsec-vpn-server pluto[836]: ERROR: "ikev2-cp"[1] 94.189.154.13 #2: netlink response for Add SA esp.66d85fa@94.189.154.13: Protocol not supported (errno 93)
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: setup_half_ipsec_sa() hit fail:
```
Status log

```
000 using kernel interface: xfrm
000
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 172.18.0.2:4500
000 interface eth0 UDP 172.18.0.2:500
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=4.10, pluto_vendorid=OE-Libreswan-4.10, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "ikev2-cp": 0.0.0.0/0===172.18.0.2[@mydomain,MS+S=C]---172.18.0.1...%any[%fromcert,+MC+S=C]; unrouted; eroute owner: #0
000 "ikev2-cp": oriented; my_ip=unset; their_ip=unset; mycert=mydomain; my_updown=ipsec _updown;
000 "ikev2-cp": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "ikev2-cp": our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "ikev2-cp": modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "ikev2-cp": sec_label:unset;
000 "ikev2-cp": CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
000 "ikev2-cp": ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ikev2-cp": retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
000 "ikev2-cp": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ikev2-cp": policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+ESN_YES;
000 "ikev2-cp": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ikev2-cp": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ikev2-cp": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ikev2-cp": our idtype: ID_FQDN; our id=@mydomain; their idtype: %fromcert; their id=%fromcert
000 "ikev2-cp": liveness: active; dpdaction:clear; dpddelay:30s; retransmit-timeout:300s
000 "ikev2-cp": nat-traversal: encaps:yes; keepalive:20s
000 "ikev2-cp": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "ikev2-cp": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "ikev2-cp": ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
```

Additional context

I'm a newbie at this kind of stuff, but I created a non-containerized VPN using strongswan-starter on an Ubuntu system, which worked fine.

hwdsl2 commented 1 year ago

@keelfy-lilly Hello! Thanks for reporting this issue and providing details. The error `netlink response for Add SA ... Protocol not supported (errno 93)` typically means that your Docker host's Linux kernel does not properly support the IPsec protocol. If your VPS is OpenVZ- or LXC-based, it may run a shared Linux kernel which lacks IPsec support. Otherwise, if it's KVM-based, it should generally work fine, unless there's an issue with your hosting provider's VM implementation.

Alternatively, you can try creating a non-containerized VPN on a new VPS using scripts in this repo.
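As an added example (not code from this issue or from the docker-ipsec-vpn-server project), the script below does two things a practitioner would want after reading the thread: it triages pluto log lines like the ones posted above, separating a completed IKE_AUTH from the kernel refusing the child SA with errno 93, and it runs a heuristic host-side check for the kernel facilities an ESP SA needs. The four sample log lines are copied from the reporter's log; the fake `/proc` tree used by `fake_host()` is constructed for testing. Which modules (`esp4`, `xfrm_user`) and crypto transforms (`gcm(aes)`, `cbc(aes)`, `hmac(sha256)`) to look for is my assumption based on the ESP proposals shown on this page, and a kernel with `esp4` built in and exporting no parameters may appear in neither `/proc/modules` nor `/sys/module`, so a negative module result is a hint, not proof.

```python
import os
import re
import tempfile

# Constructed sample input: four of the pluto lines quoted in the issue above
# (the reporter had already replaced the real domain with 'mydomain').
SAMPLE_LOG = """\
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #1: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=066d85fa chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
ipsec-vpn-server pluto[836]: ERROR: "ikev2-cp"[1] 94.189.154.13 #2: netlink response for Add SA esp.66d85fa@94.189.154.13: Protocol not supported (errno 93)
ipsec-vpn-server pluto[836]: "ikev2-cp"[1] 94.189.154.13 #2: setup_half_ipsec_sa() hit fail:
"""

# Libreswan per-state line: pluto[pid]: [ERROR: ]"conn"[inst] peer #state: message
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: (?:ERROR: )?"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)'
)
# The kernel (xfrm/netlink) refusing to install an SA: proto.spi@dst: strerror (errno N)
NETLINK_RE = re.compile(
    r'netlink response for Add SA (?P<proto>\w+)\.(?P<spi>[0-9a-f]+)@(?P<dst>\S+): (?P<err>.+?) \(errno (?P<errno>\d+)\)'
)


def triage_pluto_log(text):
    """Return whether the IKE SA was authenticated and which child SAs the kernel refused."""
    result = {"ike_sa_established": False, "kernel_sa_failures": []}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "established IKE SA" in msg:
            result["ike_sa_established"] = True
        n = NETLINK_RE.search(msg)
        if n:
            result["kernel_sa_failures"].append({
                "peer": m.group("peer"),
                "proto": n.group("proto"),
                "spi": n.group("spi"),
                "errno": int(n.group("errno")),
                "error": n.group("err"),
            })
    return result


def diagnose(result):
    """Map the findings onto the explanation given in the maintainer's reply."""
    if not result["kernel_sa_failures"]:
        return "no kernel SA failures"
    f = result["kernel_sa_failures"][0]
    if f["errno"] == 93:  # EPROTONOSUPPORT from the xfrm netlink interface
        ike = "succeeded" if result["ike_sa_established"] else "did not complete"
        return (f"IKE negotiation {ike}, but the kernel refused to install the {f['proto']} "
                f"SA (errno 93): the Docker host kernel lacks usable IPsec/xfrm support "
                f"for that protocol")
    return f"kernel SA install failed: {f['error']} (errno {f['errno']})"


# Assumed (not from the page): transforms the ESP proposals shown above rely on.
REQUIRED_CRYPTO = ("gcm(aes)", "cbc(aes)", "hmac(sha256)")


def host_ipsec_support(root="/"):
    """Heuristic host-side check of the kernel facilities an ESP SA needs.
    root lets the same code run against a constructed /proc and /sys tree."""
    loaded = set()
    proc_modules = os.path.join(root, "proc", "modules")
    if os.path.exists(proc_modules):
        with open(proc_modules) as fh:
            loaded = {line.split(" ", 1)[0] for line in fh if line.strip()}
    # /sys/module also lists built-in modules that export parameters or a version.
    sys_module = os.path.join(root, "sys", "module")
    if os.path.isdir(sys_module):
        loaded.update(os.listdir(sys_module))
    present = set()
    proc_crypto = os.path.join(root, "proc", "crypto")
    if os.path.exists(proc_crypto):
        with open(proc_crypto) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                if key.strip() == "name":
                    present.add(value.strip())
    return {
        "esp4_loaded": "esp4" in loaded,
        "xfrm_user_loaded": "xfrm_user" in loaded,
        "crypto_missing": [a for a in REQUIRED_CRYPTO if a not in present],
    }


def fake_host(esp4=True, gcm=True):
    """Build a constructed /proc tree in a temp dir and run the check against it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "proc"))
    mods = ["xfrm_user 36864 1 - Live 0x0000000000000000"]
    if esp4:
        mods.append("esp4 24576 2 - Live 0x0000000000000000")
    with open(os.path.join(root, "proc", "modules"), "w") as fh:
        fh.write("\n".join(mods) + "\n")
    algs = ["cbc(aes)", "hmac(sha256)"] + (["gcm(aes)"] if gcm else [])
    with open(os.path.join(root, "proc", "crypto"), "w") as fh:
        for a in algs:  # same "key : value" layout as the real /proc/crypto
            fh.write(f"name         : {a}\ndriver       : {a}-generic\n\n")
    return host_ipsec_support(root)


if __name__ == "__main__":
    print(diagnose(triage_pluto_log(SAMPLE_LOG)))
    print(host_ipsec_support("/"))  # run on the Docker host, not inside the container
```

Run `host_ipsec_support()` on the Docker host rather than inside the container: the container uses the host's kernel but cannot load modules into it, which is why the symptom shows up only once pluto asks the kernel for an ESP SA, after authentication has already succeeded. On a KVM host where the modules are merely not loaded, loading them on the host resolves it; on an OpenVZ or LXC VPS with a shared kernel, the maintainer's suggestion of a non-containerized setup on a different VPS is the practical route.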