hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

Xiaomi Phone Can't Connect #387

Closed Ran-Xing closed 1 year ago

Ran-Xing commented 1 year ago

Skip some tedious tasks

Current server: other systems can connect (using ddns)

Other AMD64 servers: all of them can be connected to

info

client:
# miui 14.0.4.0
~ uname -a
Linux localhost 5.15.41-android13-8-00001-ga3c6366a9085-ab9291088 #1 SMP PREEMPT Mon Nov 14 15:03:54 UTC 2022 aarch64 Android

server:
# hwdsl2/ipsec-vpn-server:latest
Linux N1 6.0.13-flippy-80+ #42 SMP Wed Dec 14 20:45:43 CST 2022 aarch64 GNU/Linux

install command

docker run -it -d \
--name myvpn \
--restart=always \
-v /docker/myvpn:/etc/ipsec.d \
--privileged \
-p 500:500/udp \
-p 4500:4500/udp \
-e 'VPN_IPSEC_PSK=xxx' \
-e "VPN_USER=xxx" \
-e 'VPN_PASSWORD=xxx' \
-e "VPN_DNS_SRV1=8.8.8.8" \
-e "VPN_DNS_SRV2=223.5.5.5" \
-e "VPN_DNS_NAME=xxx.xxx.xxx" \
-e "VPN_CLIENT_NAME=xxx" \
hwdsl2/ipsec-vpn-server

log

Setting DNS servers to 8.8.8.8 and 223.5.5.5...

Starting IPsec service...
pluto[393]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
pluto[393]: FIPS Mode: NO
pluto[393]: NSS crypto library initialized
pluto[393]: FIPS mode disabled for pluto daemon
pluto[393]: FIPS HMAC integrity support [disabled]
pluto[393]: libcap-ng support [enabled]
pluto[393]: Linux audit support [disabled]
pluto[393]: Starting Pluto (Libreswan Version 4.11 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:393
pluto[393]: core dump dir: /run/pluto
pluto[393]: secrets file: /etc/ipsec.secrets
pluto[393]: leak-detective disabled
pluto[393]: NSS crypto [enabled]
pluto[393]: XAUTH PAM support [enabled]
pluto[393]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
pluto[393]: NAT-Traversal support  [enabled]
pluto[393]: Encryption algorithms:
pluto[393]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
pluto[393]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
pluto[393]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
pluto[393]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
pluto[393]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
pluto[393]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
pluto[393]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
pluto[393]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
pluto[393]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
pluto[393]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
pluto[393]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
pluto[393]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
pluto[393]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
pluto[393]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
pluto[393]: Hash algorithms:
pluto[393]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
pluto[393]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
pluto[393]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
pluto[393]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
pluto[393]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
pluto[393]:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
pluto[393]: PRF algorithms:
pluto[393]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
pluto[393]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
pluto[393]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
pluto[393]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
pluto[393]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
pluto[393]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
pluto[393]: Integrity algorithms:
pluto[393]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
pluto[393]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
pluto[393]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
pluto[393]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
pluto[393]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
pluto[393]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
pluto[393]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
pluto[393]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
pluto[393]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
pluto[393]: DH algorithms:
pluto[393]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
pluto[393]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
pluto[393]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
pluto[393]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
pluto[393]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
pluto[393]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
pluto[393]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
pluto[393]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
pluto[393]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
pluto[393]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
pluto[393]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
pluto[393]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
pluto[393]: IPCOMP algorithms:
pluto[393]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
pluto[393]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
pluto[393]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
pluto[393]: testing CAMELLIA_CBC:
pluto[393]:   Camellia: 16 bytes with 128-bit key
pluto[393]:   Camellia: 16 bytes with 128-bit key
pluto[393]:   Camellia: 16 bytes with 256-bit key
pluto[393]:   Camellia: 16 bytes with 256-bit key
pluto[393]: testing AES_GCM_16:
pluto[393]:   empty string
pluto[393]:   one block
pluto[393]:   two blocks
pluto[393]:   two blocks with associated data
pluto[393]: testing AES_CTR:
pluto[393]:   Encrypting 16 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 128-bit key
pluto[393]:   Encrypting 16 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 192-bit key
pluto[393]:   Encrypting 16 octets using AES-CTR with 256-bit key
pluto[393]:   Encrypting 32 octets using AES-CTR with 256-bit key
pluto[393]:   Encrypting 36 octets using AES-CTR with 256-bit key
pluto[393]: testing AES_CBC:
pluto[393]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
pluto[393]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server: xxx.xxx.xxx
IPsec PSK: xxx
Username: xxx
Password: xxx
pluto[393]: testing AES_XCBC:
pluto[393]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
pluto[393]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
pluto[393]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
pluto[393]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input

Write these down. You'll need them to connect!

VPN client setup: https://vpnsetup.net/clients2

================================================
pluto[393]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
pluto[393]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
pluto[393]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
pluto[393]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
pluto[393]: testing HMAC_MD5:
pluto[393]:   RFC 2104: MD5_HMAC test 1
pluto[393]:   RFC 2104: MD5_HMAC test 2

================================================

IKEv2 is already set up. Details for IKEv2 mode:

pluto[393]:   RFC 2104: MD5_HMAC test 3
pluto[393]: testing HMAC_SHA1:
pluto[393]:   CAVP: IKEv2 key derivation with HMAC-SHA1
VPN server address: xxx.xxx.xxx.xxx
VPN client name: N1

Client configuration is available inside the
Docker container at:
/etc/ipsec.d/N1.p12 (for Windows & Linux)
/etc/ipsec.d/N1.sswan (for Android)
/etc/ipsec.d/N1.mobileconfig (for iOS & macOS)

Next steps: Configure IKEv2 clients. See:
pluto[393]: 4 CPU cores online
pluto[393]: starting up 3 helper threads
pluto[393]: started thread for helper 0
pluto[393]: helper(1) seccomp security for helper not supported
pluto[393]: started thread for helper 1
pluto[393]: helper(2) seccomp security for helper not supported
pluto[393]: started thread for helper 2
pluto[393]: using Linux xfrm kernel support code on #42 SMP Wed Dec 14 20:45:43 CST 2022
pluto[393]: helper(3) seccomp security for helper not supported
pluto[393]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
pluto[393]: seccomp security not supported
https://vpnsetup.net/clients2

================================================

Warning: The VPN_DNS_NAME variable you specified has no effect
         for IKEv2 mode, because IKEv2 is already set up in this
         container. To change the IKEv2 server address, see:
         https://vpnsetup.net/ikev2docker

pluto[393]: "l2tp-psk": added IKEv1 connection
pluto[393]: "xauth-psk": added IKEv1 connection
pluto[393]: "ikev2-cp": IKE SA proposals (connection add):
pluto[393]: "ikev2-cp":   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp":   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[393]: "ikev2-cp": Child SA proposals (connection add):
pluto[393]: "ikev2-cp":   1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp":   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[393]: "ikev2-cp": loaded private key matching left certificate 'xxx.xxx.xxx.xxx
pluto[393]: "ikev2-cp": added IKEv2 connection
pluto[393]: listening for IKE messages
pluto[393]: Kernel supports NIC esp-hw-offload
pluto[393]: adding UDP interface eth0 172.31.0.2:500
pluto[393]: adding UDP interface eth0 172.31.0.2:4500
pluto[393]: adding UDP interface lo 127.0.0.1:500
pluto[393]: adding UDP interface lo 127.0.0.1:4500
pluto[393]: forgetting secrets
pluto[393]: loading secrets from "/etc/ipsec.secrets"
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on b0e45a4e8591 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting MODP2048
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: responding to IKE_SA_INIT message (ID 0) from 192.168.2.253:61134 with unencrypted notification INVALID_KE_PAYLOAD
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: encountered fatal error in state STATE_V2_PARENT_R0
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: deleting state (STATE_V2_PARENT_R0) aged 0.002182s and NOT sending notification
pluto[393]: "ikev2-cp"[1] 192.168.2.253: deleting connection instance with peer 192.168.2.253 {isakmp=#0/ipsec=#0}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;DH=MODP4096;DH=CURVE25519;DH=MODP3072;DH=MODP2048;PRF=HMAC_SHA1;PRF=AES128_XCBC;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_CMAC
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,CERT,AUTH,SA,TSi,TSr,CP}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'xxx.xxx.xxx'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'xxx.xxx.xxx'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA2_512' digital signature using peer certificate 'CN=N1, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: reloaded private key matching left certificate 'xxx.xxx.xxx.xxx
pluto[393]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: proposal 2:ESP=AES_GCM_C_128-DISABLED SPI=60900910 chosen from remote proposals 1:ESP:ENCR=AES_CTR_256;ENCR=AES_CBC_256;ENCR=AES_CTR_192;ENCR=AES_CBC_192;ENCR=AES_CTR_128;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ENCR=AES_GCM_C_256;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_256;ENCR=AES_GCM_C_192;ENCR=AES_GCM_B_192;ENCR=AES_GCM_A_192;ENCR=AES_GCM_C_128;ENCR=AES_GCM_B_128;ENCR=AES_GCM_A_128;ESN=DISABLED[better-match]
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x60900910 <0x028e8fbd xfrm=AES_GCM_16_128-NONE NATD=192.168.2.253:61136 DPD=active}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: ESP traffic information: in=0B out=0B
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification
pluto[393]: "ikev2-cp"[2] 192.168.2.253: deleting connection instance with peer 192.168.2.253 {isakmp=#0/ipsec=#0}
hwdsl2 commented 1 year ago

@Ran-Xing Hello! It looks like you specified VPN_DNS_NAME in your env file, but it has no effect for IKEv2 mode because IKEv2 was already set up. Related message from your logs:

Warning: The VPN_DNS_NAME variable you specified has no effect
         for IKEv2 mode, because IKEv2 is already set up in this
         container. To change the IKEv2 server address, see:
         https://vpnsetup.net/ikev2docker

You will probably need to change the IKEv2 server address to the DNS name you specified in your env file. To do that, read section Configure and use IKEv2 VPN and expand "Learn how to change the IKEv2 server address". Then follow those instructions.

When finished, make sure that you generate new client configuration files and import them to your Android device. Instructions can be found at the same link above, by expanding "Learn how to manage IKEv2 clients". After that, you should be able to connect.

Ran-Xing commented 1 year ago

@hwdsl2 Is there a problem with my Docker configuration file? From the log messages I noticed two different IPs, which are two different interfaces 😂. I submitted an issue about this once before. But the most important point is that all my other devices can connect normally (PS: my iPhone and Mac both connect fine, also using the domain name, also with DDNS). It is only the Xiaomi phone that cannot connect now. I suspect it may be an Android 13 problem, because my Pixel on Android 11 connected without any issue before 😂😂😂

hwdsl2 commented 1 year ago

@Ran-Xing Hello! Your Docker configuration file looks fine. You can try the suggestions in my reply above. Before importing the new configuration file, you can remove the previously imported IKEv2 certificate from the phone (Settings -> Security & privacy -> More security settings -> Encryption & credentials -> User credentials).

Ran-Xing commented 1 year ago

@hwdsl2 There is a problem again. This time it is with the normal IP address, and none of the devices can connect anymore.

pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #2: liveness action - clearing connection kind CK_INSTANCE
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #3: ESP traffic information: in=0B out=0B
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 542.32205s and NOT sending notification
pluto[398]: "ikev2-cp"[2] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx:500
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: sent Main Mode R1
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: sent Main Mode R2
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: Peer ID is ID_IPV4_ADDR: '192.168.2.10'
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx #7: switched to "xauth-psk"[2] xxx.xxx.xxx.xxx
pluto[398]: "xauth-psk"[1] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 0.5 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 1 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 2 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 4 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits.  No response (or no acceptable response) to our IKEv2 message
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: liveness action - clearing connection kind CK_INSTANCE
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #6: ESP traffic information: in=0B out=0B
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 542.2396s and NOT sending notification
pluto[398]: "ikev2-cp"[3] xxx.xxx.xxx.xxx: deleting connection instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 8 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 16 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: STATE_XAUTH_R0: retransmission; will wait 32 seconds for response
pluto[398]: "xauth-psk"[2] xxx.xxx.xxx.xxx #7: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
Ran-Xing commented 1 year ago

This time the device is one that normally connects to the server using the IP address. I recreated the container, but it still cannot connect. The certificate was also deleted and trusted again.
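Both log excerpts in this thread, the first IKEv2 attempt (which authenticates the client and is then torn down within a second) and the later XAUTH/liveness log, can be triaged mechanically rather than read by eye. The script below is an added example, not code from hwdsl2/docker-ipsec-vpn-server or from Libreswan. It matches the exact pluto messages posted in this issue; the thresholds (QUICK_TEARDOWN_SECS, XAUTH_RETRY_LIMIT), the verdict wording and the embedded sample log (condensed from the excerpts above, with the redacted addresses and FQDN replaced by example values) are assumptions of the example.

```python
"""Triage pluto (Libreswan) log lines for the failure modes seen in this thread.
Added example, not code from hwdsl2/docker-ipsec-vpn-server or Libreswan. The
message patterns come from the log lines posted above; the thresholds and the
verdict wording are this example's own assumptions."""
import re
from collections import Counter

# pluto prefix shape: pluto[PID]: "conn"[inst] PEER #SA: message
LINE_RE = re.compile(
    r'^(?:pluto\[\d+\]:\s*)?'
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\S+)\s+#(?P<sa>\d+):\s*)?'
    r'(?P<msg>.*)$'
)
PACKET_FROM_RE = re.compile(r"packet from ([^\s:]+)")  # unstructured lines name the peer this way

# (kind, regex) pairs; the first match wins
PATTERNS = [
    ("invalid_syntax", re.compile(r"unencrypted notification INVALID_SYNTAX")),
    ("dh_group_retry", re.compile(r"guessed wrong keying material group \((\w+)\).*requesting (\w+)")),
    ("san_mismatch", re.compile(r"subjectAltName extension does not match ID_FQDN '([^']*)'")),
    ("ike_established", re.compile(r"responder established IKE SA")),
    ("child_established", re.compile(r"responder established Child SA")),
    ("xauth_retransmit", re.compile(r"STATE_XAUTH_R0: retransmission; will wait (\S+) seconds")),
    ("liveness_timeout", re.compile(r"(\d+) second timeout exceeded after (\d+) retransmits")),
    ("ike_sa_deleted", re.compile(r"deleting state \(STATE_V2_ESTABLISHED_IKE_SA\) aged ([\d.]+)s")),
]

QUICK_TEARDOWN_SECS = 5.0  # assumption: an IKE SA gone this soon after setup was dropped by the client
XAUTH_RETRY_LIMIT = 3      # assumption: this many unanswered XAUTH requests means the client never replies

def parse_line(line):
    """Split one pluto line into peer address, SA number and message text."""
    m = LINE_RE.match(line.strip())
    peer = m.group("peer")
    if peer is None:
        pf = PACKET_FROM_RE.search(m.group("msg"))
        peer = pf.group(1) if pf else None
    return {"peer": peer, "sa": m.group("sa"), "msg": m.group("msg")}

def classify(msg):
    """Return (kind, captured groups) for a known message, or (None, ()) otherwise."""
    for kind, rx in PATTERNS:
        hit = rx.search(msg)
        if hit:
            return kind, hit.groups()
    return None, ()

def triage(lines):
    """Return verdicts as (peer, sa, kind, text) tuples in log order."""
    verdicts = []
    xauth_retries = Counter()  # (peer, sa) -> unanswered XAUTH username/password requests
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        kind, g = classify(rec["msg"])
        peer, sa, text = rec["peer"], rec["sa"], None
        if kind == "invalid_syntax":
            text = "IKE_SA_INIT rejected with INVALID_SYNTAX: the responder could not parse the first message"
        elif kind == "dh_group_retry":
            text = f"benign: client proposed {g[0]}, server answered INVALID_KE_PAYLOAD asking for {g[1]}; the client retries"
        elif kind == "san_mismatch":
            text = f"peer ID '{g[0]}' is not in the SAN of the certificate the peer presented (client profile and configured name disagree)"
        elif kind == "ike_established":
            text = "IKE SA established: peer certificate accepted"
        elif kind == "child_established":
            text = "Child SA established: ESP tunnel is up"
        elif kind == "xauth_retransmit":
            xauth_retries[(peer, sa)] += 1
            if xauth_retries[(peer, sa)] == XAUTH_RETRY_LIMIT:  # report once, at the threshold
                kind = "xauth_no_response"
                text = f"client never answered the XAUTH username/password request ({XAUTH_RETRY_LIMIT} retransmits)"
        elif kind == "liveness_timeout":
            text = f"peer stopped responding: {g[0]}s liveness timeout after {g[1]} retransmits"
        elif kind == "ike_sa_deleted" and float(g[0]) < QUICK_TEARDOWN_SECS:
            kind = "quick_teardown"
            text = f"IKE SA deleted {g[0]}s after setup without notification: the client dropped the tunnel right after authenticating"
        if text is not None:
            verdicts.append((peer, sa, kind, text))
    return verdicts

# Constructed sample: condensed from the two log excerpts in this issue (addresses and FQDN replaced)
SAMPLE_LOG = """\
pluto[393]: packet from 192.168.2.253:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification INVALID_SYNTAX
pluto[393]: "ikev2-cp"[1] 192.168.2.253 #1: initiator guessed wrong keying material group (MODP4096); responding with INVALID_KE_PAYLOAD requesting MODP2048
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: peer certificate subjectAltName extension does not match ID_FQDN 'vpn.example.com'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA2_512' digital signature using peer certificate 'CN=N1, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x60900910 <0x028e8fbd xfrm=AES_GCM_16_128-NONE NATD=192.168.2.253:61136 DPD=active}
pluto[393]: "ikev2-cp"[2] 192.168.2.253 #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.617979s and NOT sending notification
pluto[398]: "xauth-psk"[2] 203.0.113.7 #7: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
pluto[398]: "xauth-psk"[2] 203.0.113.7 #7: STATE_XAUTH_R0: retransmission; will wait 0.5 seconds for response
pluto[398]: "xauth-psk"[2] 203.0.113.7 #7: STATE_XAUTH_R0: retransmission; will wait 1 seconds for response
pluto[398]: "xauth-psk"[2] 203.0.113.7 #7: STATE_XAUTH_R0: retransmission; will wait 2 seconds for response
pluto[398]: "ikev2-cp"[3] 203.0.113.7 #5: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits.  No response (or no acceptable response) to our IKEv2 message
"""

if __name__ == "__main__":
    for peer, sa, kind, text in triage(SAMPLE_LOG.splitlines()):
        print(f"{peer} #{sa}: [{kind}] {text}")
```

To run it against a live container, pipe `docker logs myvpn 2>&1` into `triage()` via `sys.stdin` instead of the embedded sample. The useful signal in the first excerpt is the sequence of verdicts for SA #2: the server accepted the client certificate and brought up the Child SA, then deleted the IKE SA 0.6 s later without a notification, so the failure is decided on the client side, which is in line with the maintainer's advice to regenerate the client profile for the address the phone actually connects to. In the second excerpt, the XAUTH requests are never answered at all, which is a different problem from the first.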