
xauth connects normally, but IKEv2 reports an authentication failure #199

Closed
SuperCatss opened this issue Jul 1, 2020 · 15 comments

Comments

@SuperCatss

The IPsec server is set up inside a Docker container on my router.
The phone is a Samsung S10 running Android 10.
After setup, the phone connects fine with the xauth protocol and works normally.
I then started working on IKEv2 with a self-signed certificate, following the instructions in the md file.
The domain is the DDNS domain from my Synology (the DDNS service Synology provides); I don't know whether this is the cause.
After importing and installing the certificate on the phone, connecting with the strongSwan client reports an authentication failure.
Nothing has worked on the PC yet either; I want to sort out the phone first, so I can tell whether the problem is in the server setup or in the PC client setup.
Could someone please point out where the problem is?

@hwdsl2
Owner

hwdsl2 commented Jul 1, 2020

@SuperCatss Hello! If you configured IKEv2 correctly following the instructions here [1], I think the problem may be your DDNS domain. Try whether that DDNS domain can be pinged from the outside, or reconfigure without DDNS. You can also enable server logging [2], retry the connection, and then check the server and client logs for the specific errors.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%BD%BF%E7%94%A8-ikev2-vpn
[2] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%90%AF%E7%94%A8-libreswan-%E6%97%A5%E5%BF%97

@SuperCatss
Author

SuperCatss commented Jul 1, 2020

I also considered the DDNS domain, but when I connect with xauth I use the same domain, and an online DNS lookup does resolve it to my public IP. I'm currently not sure whether both IKEv2 and xauth support connecting through a DDNS domain.

[screenshot: strongSwan client error]
This is the error from the strongSwan client on my phone. The PC has a problem too, but I want to first narrow down whether the problem is on the server or in the client configuration.

@hwdsl2
Owner

hwdsl2 commented Jul 1, 2020

@SuperCatss In that case it may not be a DDNS problem. You can try enabling server logging (as described above), retry the connection, and check the server and client logs for the specific errors.

@SuperCatss
Author

The client error message has already been posted.

@SuperCatss
Author

Jul 1 16:03:19 475be817578b pluto[339]: shutting down
Jul 1 16:03:19 475be817578b pluto[339]: 3 crypto helpers shutdown
Jul 1 16:03:19 475be817578b pluto[339]: forgetting secrets
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247: deleting connection "l2tp-psk"[3] 182.139.182.247 instance with peer 182.139.182.247 {isakmp=#0/ipsec=#0}
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #8: deleting state (STATE_MAIN_R0) aged 120799.427s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #7: deleting state (STATE_MAIN_R0) aged 120902.929s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #6: deleting state (STATE_MAIN_R0) aged 120957.162s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[3] 182.139.182.247 #5: deleting state (STATE_MAIN_R0) aged 121030.296s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[2] 216.218.206.82: deleting connection "l2tp-psk"[2] 216.218.206.82 instance with peer 216.218.206.82 {isakmp=#0/ipsec=#0}
Jul 1 16:03:19 475be817578b pluto[339]: "l2tp-psk"[2] 216.218.206.82 #4: deleting state (STATE_MAIN_R0) aged 143138.618s and NOT sending notification
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface lo/lo 127.0.0.1:4500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface lo/lo 127.0.0.1:500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface eth0/eth0 172.17.0.2:4500
Jul 1 16:03:19 475be817578b pluto[339]: shutting down interface eth0/eth0 172.17.0.2:500
Jul 1 16:03:19 475be817578b ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
Jul 1 16:03:19 475be817578b ipsec__plutorun: Starting Pluto
Jul 1 16:03:20 475be817578b pluto[2279]: NSS DB directory: sql:/etc/ipsec.d
Jul 1 16:03:20 475be817578b pluto[2279]: Initializing NSS
Jul 1 16:03:20 475be817578b pluto[2279]: Opening NSS database "sql:/etc/ipsec.d" read-only
Jul 1 16:03:20 475be817578b pluto[2279]: NSS crypto library initialized
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS Mode: NO
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS mode disabled for pluto daemon
Jul 1 16:03:20 475be817578b pluto[2279]: FIPS HMAC integrity support [disabled]
Jul 1 16:03:20 475be817578b pluto[2279]: libcap-ng support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Linux audit support [disabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Starting Pluto (Libreswan Version 3.32 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) (native-PRF) LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2279
Jul 1 16:03:20 475be817578b pluto[2279]: core dump dir: /run/pluto
Jul 1 16:03:20 475be817578b pluto[2279]: secrets file: /etc/ipsec.secrets
Jul 1 16:03:20 475be817578b pluto[2279]: leak-detective disabled
Jul 1 16:03:20 475be817578b pluto[2279]: NSS crypto [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: XAUTH PAM support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Jul 1 16:03:20 475be817578b pluto[2279]: NAT-Traversal support [enabled]
Jul 1 16:03:20 475be817578b pluto[2279]: Encryption algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Jul 1 16:03:20 475be817578b pluto[2279]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Jul 1 16:03:20 475be817578b pluto[2279]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Jul 1 16:03:20 475be817578b pluto[2279]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Jul 1 16:03:20 475be817578b pluto[2279]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Jul 1 16:03:20 475be817578b pluto[2279]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Jul 1 16:03:20 475be817578b pluto[2279]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Jul 1 16:03:20 475be817578b pluto[2279]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Jul 1 16:03:20 475be817578b pluto[2279]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Jul 1 16:03:20 475be817578b pluto[2279]: NULL IKEv1: ESP IKEv2: ESP []
Jul 1 16:03:20 475be817578b pluto[2279]: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Jul 1 16:03:20 475be817578b pluto[2279]: Hash algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: MD5 IKEv1: IKE IKEv2:
Jul 1 16:03:20 475be817578b pluto[2279]: SHA1 IKEv1: IKE IKEv2: FIPS sha
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Jul 1 16:03:20 475be817578b pluto[2279]: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Jul 1 16:03:20 475be817578b pluto[2279]: PRF algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Jul 1 16:03:20 475be817578b pluto[2279]: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Jul 1 16:03:20 475be817578b pluto[2279]: Integrity algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jul 1 16:03:20 475be817578b pluto[2279]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Jul 1 16:03:20 475be817578b pluto[2279]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jul 1 16:03:20 475be817578b pluto[2279]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Jul 1 16:03:20 475be817578b pluto[2279]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Jul 1 16:03:20 475be817578b pluto[2279]: DH algorithms:
Jul 1 16:03:20 475be817578b pluto[2279]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Jul 1 16:03:20 475be817578b pluto[2279]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Jul 1 16:03:20 475be817578b pluto[2279]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Jul 1 16:03:20 475be817578b pluto[2279]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Jul 1 16:03:20 475be817578b pluto[2279]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Jul 1 16:03:20 475be817578b pluto[2279]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Jul 1 16:03:20 475be817578b pluto[2279]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Jul 1 16:03:20 475be817578b pluto[2279]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Jul 1 16:03:20 475be817578b pluto[2279]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Jul 1 16:03:20 475be817578b pluto[2279]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Jul 1 16:03:20 475be817578b pluto[2279]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Jul 1 16:03:20 475be817578b pluto[2279]: testing CAMELLIA_CBC:
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Camellia: 16 bytes with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_GCM_16:
Jul 1 16:03:20 475be817578b pluto[2279]: empty string
Jul 1 16:03:20 475be817578b pluto[2279]: one block
Jul 1 16:03:20 475be817578b pluto[2279]: two blocks
Jul 1 16:03:20 475be817578b pluto[2279]: two blocks with associated data
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_CTR:
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 192-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 36 octets using AES-CTR with 256-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_CBC:
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jul 1 16:03:20 475be817578b pluto[2279]: testing AES_XCBC:
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jul 1 16:03:20 475be817578b pluto[2279]: testing HMAC_MD5:
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 1
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 2
Jul 1 16:03:20 475be817578b pluto[2279]: RFC 2104: MD5_HMAC test 3
Jul 1 16:03:20 475be817578b pluto[2279]: 4 CPU cores online
Jul 1 16:03:20 475be817578b pluto[2279]: starting up 3 crypto helpers
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 0
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 1
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: started thread for crypto helper 2
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security for crypto helper not supported
Jul 1 16:03:20 475be817578b pluto[2279]: Using Linux XFRM/NETKEY IPsec kernel support code on 4.19.122
Jul 1 16:03:20 475be817578b pluto[2279]: seccomp security not supported
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE
Jul 1 16:03:20 475be817578b pluto[2279]: listening for IKE messages
Jul 1 16:03:20 475be817578b pluto[2279]: Kernel supports NIC esp-hw-offload
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.17.0.2:500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface eth0/eth0 172.17.0.2:4500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Jul 1 16:03:20 475be817578b pluto[2279]: adding interface lo/lo 127.0.0.1:4500
Jul 1 16:03:20 475be817578b pluto[2279]: loading secrets from "/etc/ipsec.secrets"
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:26 475be817578b pluto[2279]: packet from 119.4.253.57:61154: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61154 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:37 475be817578b pluto[2279]: packet from 119.4.253.57:61155: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61155 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:04:48 475be817578b pluto[2279]: packet from 119.4.253.57:61156: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61156 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:05:08 475be817578b pluto[2279]: packet from 119.4.253.57:61157: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61157 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:33 475be817578b pluto[2279]: packet from 119.4.253.57:61158: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61158 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:36 475be817578b pluto[2279]: packet from 119.4.253.57:61159: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61159 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:38 475be817578b pluto[2279]: packet from 119.4.253.57:61160: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61160 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:41 475be817578b pluto[2279]: packet from 119.4.253.57:61161: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61161 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:06:51 475be817578b pluto[2279]: packet from 119.4.253.57:61162: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61162 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:07:12 475be817578b pluto[2279]: packet from 119.4.253.57:61163: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:61163 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: responding to Main Mode from unknown peer 119.4.253.57:61164
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: WARNING: connection xauth-psk PSK length of 11 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[1] 119.4.253.57 #1: switched from "xauth-psk"[1] 119.4.253.57 to "xauth-psk"
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting connection "xauth-psk"[1] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: Peer ID is ID_IPV4_ADDR: '10.162.196.12'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file authentication method requested to authenticate user 'admin'
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: success user(admin:xauth-psk)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: User admin: Authentication Successful
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: XAUTH: xauth_inR1(STF_OK)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: modecfg_inR0(STF_OK)
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: the peer proposed: 0.0.0.0/0:0/0 -> 192.168.43.10/32:0/0
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: responding to Quick Mode proposal {msgid:18c9ae5a}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: us: 0.0.0.0/0===172.17.0.2[125.70.1.227,MS+XS+S=C]
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: them: 119.4.253.57[10.162.196.12,+MC+XC+S=C]===192.168.43.10/32
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin}
Jul 1 16:10:52 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xce4e6564 <0x0fe5512d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=119.4.253.57:52585 DPD=active username=admin}
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: received Delete SA(0xce4e6564) payload: deleting IPsec State #2
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: deleting other state #2 (STATE_QUICK_R2) aged 22.159s and sending notification
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #2: ESP traffic information: in=12KB out=19KB XAUTHuser=admin
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57 #1: deleting state (STATE_MODE_CFG_R1) aged 22.503s and sending notification
Jul 1 16:11:14 475be817578b pluto[2279]: "xauth-psk"[2] 119.4.253.57: deleting connection "xauth-psk"[2] 119.4.253.57 instance with peer 119.4.253.57 {isakmp=#0/ipsec=#0}
Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:11:35 475be817578b pluto[2279]: packet from 119.4.253.57:62374: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62374 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:11:45 475be817578b pluto[2279]: packet from 119.4.253.57:62375: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62375 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: initial parent SA message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
Jul 1 16:12:06 475be817578b pluto[2279]: packet from 119.4.253.57:62376: responding to IKE_SA_INIT (34) message (Message ID 0) from 119.4.253.57:62376 with unencrypted notification NO_PROPOSAL_CHOSEN

This is the server log. I deliberately connected with xauth, disconnected, and then connected with strongSwan.

@SuperCatss
Author

[screenshot: Docker volume directory listing]
Two client certificates and one CA certificate have been generated under the path mounted into Docker.

@hwdsl2
Owner

hwdsl2 commented Jul 2, 2020

@SuperCatss IKEv2 on your server was not configured successfully. The log shows:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"

If it had been configured successfully, it should show:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "ikev2-cp"

This indicates something may have gone wrong while configuring IKEv2. Please check whether you are using the latest version of the Docker image [1]. If not, update the Docker image and recreate the container. Also check whether the last line of /etc/ipsec.conf inside your Docker container is include /etc/ipsec.d/*.conf. That line was added in the new image version.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E6%9B%B4%E6%96%B0-docker-%E9%95%9C%E5%83%8F

@SuperCatss
Author

SuperCatss commented Jul 2, 2020

I checked the image; it was pulled 6 days ago. ID 0c3d6112c025
The last line of ipsec.conf is indeed include /etc/ipsec.d/*.conf

This is the content of ipsec.conf:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=public IP
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns=192.168.2.1
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf

@hwdsl2
Owner

hwdsl2 commented Jul 2, 2020

@SuperCatss The configuration file looks fine. As mentioned above, if IKEv2 had been configured successfully the log should show:

Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "l2tp-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "xauth-psk"
Jul 1 16:03:20 475be817578b pluto[2279]: added connection description "ikev2-cp"

So your Docker volume may not be mounted correctly to /etc/ipsec.d inside the container. You can enter the container to check, like this [1]. Alternatively, the IPsec service inside the container may need to be restarted.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C-bash-shell

@SuperCatss
Author

SuperCatss commented Jul 2, 2020

The container service was already restarted after IKEv2 was configured.
The mount should be correct:
docker inspect ipsec-vpn-server | grep Mounts -A 20
"Mounts": [
{
"Type": "volume",
"Name": "ikev2-vpn-data",
"Source": "/opt/docker/volumes/ikev2-vpn-data/_data",
"Destination": "/etc/ipsec.d",
"Driver": "local",
"Mode": "z",
"RW": true,
"Propagation": ""
}
],
"Config": {
"Hostname": "475be817578b",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"4500/udp": {},

The generated certificate files do exist under "/opt/docker/volumes/ikev2-vpn-data/_data".

@hwdsl2
Owner

hwdsl2 commented Jul 2, 2020

@SuperCatss If IKEv2 had been configured successfully, the log should contain added connection description "ikev2-cp". Your configuration looks fine, and I don't know where the problem is either. If you want to try again, you can delete the volume ikev2-vpn-data and follow the instructions once more [1].

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%BD%BF%E7%94%A8-ikev2-vpn

@SuperCatss
Author

I'll reconfigure it manually tonight.

@hwdsl2
Owner

hwdsl2 commented Jul 2, 2020

@SuperCatss I looked at your log again and found the problem. The log contains MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE, which means your Docker host runs Ubuntu, which does not support MOBIKE, so once you enabled the MOBIKE option during setup the IKEv2 connection could not be loaded. To fix it, enter the Docker container following the steps above, edit /etc/ipsec.d/ikev2.conf, replace mobike=yes with mobike=no, and then restart the IPsec service with service ipsec restart. Give it a try, and reply if there are further problems.

@hwdsl2 hwdsl2 closed this as completed Jul 2, 2020
@SuperCatss
Author

SuperCatss commented Jul 2, 2020

Thanks for your help, that was indeed the problem; the phone now connects normally. I'm now starting to test on Windows 10.
Also, can a single client certificate be distributed to multiple clients and used by them to connect at the same time?
Can logging be turned off manually, to preserve the container's storage space and performance?

@hwdsl2
Owner

hwdsl2 commented Jul 2, 2020

@SuperCatss It can be distributed to multiple clients, but they cannot connect at the same time. For simultaneous connections you must generate a unique certificate for each client.

To turn off logging, you can try running apt-get remove rsyslog inside the container, or edit /etc/ipsec.conf and add logfile=/dev/null under config setup [1]; the line must start with two spaces. Then restart the IPsec service.

[1] https://libreswan.org/man/ipsec.conf.5.html
