Unable to connect via IKEv2 #330

Closed
6 tasks done
ejhsu opened this issue Nov 30, 2022 · 5 comments

Comments

@ejhsu

ejhsu commented Nov 30, 2022

Checklist

Describe the issue
After following the instructions at Start the IPsec VPN server, the server can be run successfully and could be connected via L2TP/IPSec PSK mode on my Mac.
But it cannot be connected via IKEv2 mode on Mac and Android.

To Reproduce
0. Prepare vpn.env file with content

VPN_IPSEC_PSK=12345678
VPN_USER=vpnuser
VPN_PASSWORD=vpnpassword

1. Start the server by

docker run \
    --name ipsec-vpn-server \
    --env-file ./vpn.env \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v /lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server

2. Download .mobileconfig to Mac and .sswan to Android device.
3. Use native client on Mac and Strongswan on Android
4. Follow the instructions to set up the clients
5. Error occurred
  • "An unexpected error occurred" on Mac
  • "Failed to establish VPN: User authentication failed" on Android Strongswan
Nov 30 19:31:50 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nov 30 19:31:50 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 13 - TP1A.221105.002/2022-11-05, Pixel 5 - google/redfin/Google, Linux 4.19.239-g248fa42a73b2-ab9062766, aarch64)
Nov 30 19:31:50 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Nov 30 19:31:50 00[JOB] spawning 16 worker threads
Nov 30 19:31:50 07[CFG] loaded user certificate 'CN=vpnclient, O=IKEv2 VPN' and private key
Nov 30 19:31:50 07[CFG] loaded CA certificate 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Nov 30 19:31:50 07[IKE] initiating IKE_SA android[9] to **SERVER IP**
Nov 30 19:31:50 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 30 19:31:50 07[NET] sending packet: from 10.35.152.69[38611] to **SERVER IP**[500] (464 bytes)
Nov 30 19:31:50 10[NET] received packet: from **SERVER IP**[500] to 10.35.152.69[38611] (36 bytes)
Nov 30 19:31:50 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 30 19:31:50 10[IKE] received NO_PROPOSAL_CHOSEN notify error

Expected behavior
VPN Connected

Logs

Server Logs

connecting on Mac

2022-11-30T11:20:20.586516+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:20:20.586535+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
2022-11-30T11:20:20.730408+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:20:20.730429+00:00 45d27ece040a pluto[1583]: packet from 111.241.113.68:1674: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN

connecting on Android

2022-11-30T11:23:41.643563+00:00 45d27ece040a pluto[1583]: packet from 223.140.152.69:58440: ISAKMP_v2_IKE_SA_INIT message received on 172.17.0.2:500 but no suitable connection found with IKEv2 policy
2022-11-30T11:23:41.643584+00:00 45d27ece040a pluto[1583]: packet from 223.140.152.69:58440: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN

Server

  • Docker host OS: Google, Container-Optimized OS, 101-17162.40.34 LTS, Kernel: COS-5.15.65 Kubernetes: 1.23.10 Docker: 20.10.12 Family: cos-101-lts, supports Shielded VM features
  • Hosting provider: GCP

Client

Device#1

  • Device: Macbook
  • OS: MacOS 12.6
  • VPN mode: IKEv2

Device#2

  • Device: Pixel5
  • OS: Android 13
  • VPN mode: IKEv2

Are there mismatches between cipher suites accepted by server and specified in client config file or something?

Thanks!

@hwdsl2
Owner

hwdsl2 commented Nov 30, 2022

@ejhsu Hello! Thanks for reporting this issue with details. Your issue is similar to #323. The "no suitable connection" error typically means that either the IKEv2 connection did not load successfully at Libreswan startup, or it could be that Libreswan listens to an IP address that is NOT where the connection request came from. The latter is less likely.

It looks like you already enabled Libreswan logs:

https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs

Restart the Docker container docker restart ipsec-vpn-server, then check the logs again. See if there is a specific error in the logs why the IKEv2 connection did not load.

You can also run:

docker exec -it ipsec-vpn-server ipsec status

Check if the output contains 3 loaded connections. "ikev2-cp" is the IKEv2 connection.

@ejhsu
Author

ejhsu commented Nov 30, 2022

Thanks for your reply.

After restarting the container and investigating the log at /var/log/auth.log, I found the line with IKEv2 error:

2022-11-30T14:16:47.772425+00:00 45d27ece040a pluto[396]: "l2tp-psk": added IKEv1 connection
2022-11-30T14:16:47.772898+00:00 45d27ece040a pluto[396]: "xauth-psk": added IKEv1 connection
2022-11-30T14:16:47.773193+00:00 45d27ece040a pluto[396]: "ikev2-cp": failed to add connection: MOBIKE kernel support missing for xfrm interface: CONFIG_XFRM_MIGRATE

Seems that it failed to load the IKEv2 connection, but I'm not sure how to fix it.

Updated:
Given the error message, I found the related previous issue #199 (comment)
Following the instructions in the comment, I can connect to the server via IKEv2 now.

Thanks @hwdsl2!

@hwdsl2
Owner

hwdsl2 commented Nov 30, 2022

@ejhsu The root cause for this issue is that MOBIKE was enabled (by the IKEv2 script) in the container, but your Docker host's kernel does not support MOBIKE. The fix is straightforward:

First, open a Bash shell inside the Docker container, and install the nano editor. Instructions at:
https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container

After that, edit /etc/ipsec.d/ikev2.conf inside the Docker container:

nano /etc/ipsec.d/ikev2.conf

Find the line mobike=yes and replace yes with no. Then exit the Bash shell and restart the Docker container. You will find that the IKEv2 connection now loads successfully.

What is your Docker host's Linux kernel? Check using uname -a and post the output here. I'd like to add a fix in the IKEv2 script to prevent this issue on this OS for future users.

@hwdsl2
Owner

hwdsl2 commented Nov 30, 2022

@ejhsu Thanks for the update. Please post here your Docker host's Linux kernel version. Check using uname -a. I'd like to add a fix in the IKEv2 script to prevent this issue on this OS for future users.

@ejhsu
Author

ejhsu commented Nov 30, 2022

The Docker host information and Linux kernel version are listed below:

  • host: Google, Container-Optimized OS, 101-17162.40.34 LTS, Kernel: COS-5.15.65 Kubernetes: 1.23.10 Docker: 20.10.12 Family: cos-101-lts, supports Shielded VM features
  • uname -a: Linux 45d27ece040a 5.15.65+ #1 SMP Thu Nov 10 10:13:28 UTC 2022 x86_64 GNU/Linux

@ejhsu ejhsu closed this as completed Nov 30, 2022
hwdsl2 added a commit to hwdsl2/setup-ipsec-vpn that referenced this issue Dec 2, 2022
- Improve MOBIKE detection by checking whether the IKEv2 connection
  is successfully loaded. If not, the server's Linux kernel may not
  support MOBIKE, and we disable it in ikev2.conf.
- This will help prevent the issue where the IKEv2 connection fails
  to load on some systems due to lack of MOBIKE support. Note that
  the script already has checks for MOBIKE support that cover common
  cases.
- Related issues:
  hwdsl2/docker-ipsec-vpn-server#330
  hwdsl2/docker-ipsec-vpn-server#298
  hwdsl2/docker-ipsec-vpn-server#247
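A small shell check, added here as an example and not part of the project's scripts, that automates the maintainer's manual fix above and the detection the commit describes: it scans Libreswan log lines for the ikev2-cp MOBIKE load failure and, only in that case, sets mobike=no in a copy of ikev2.conf. The log lines, the "added IKEv2 connection" wording of the success case, and the conf fragment are constructed; the file paths are temp files, not the container's real /etc/ipsec.d/ikev2.conf.

```shell
#!/bin/sh
# Added example, not the project's own script: detect the failure signature
# from this issue (ikev2-cp failing to load for lack of MOBIKE support) in
# Libreswan log lines and flip mobike=yes to mobike=no in an ikev2.conf copy,
# which is the manual fix described above. Inputs are constructed samples.

# Constructed log lines modelled on the ones posted in this issue.
FAIL_LOG='pluto[396]: "l2tp-psk": added IKEv1 connection
pluto[396]: "xauth-psk": added IKEv1 connection
pluto[396]: "ikev2-cp": failed to add connection: MOBIKE kernel support missing for xfrm interface: CONFIG_XFRM_MIGRATE'

# Constructed log from a host whose kernel supports MOBIKE (assumed wording).
OK_LOG='pluto[396]: "l2tp-psk": added IKEv1 connection
pluto[396]: "ikev2-cp": added IKEv2 connection'

# Constructed minimal ikev2.conf fragment with the setting that fails here.
SAMPLE_CONF='conn ikev2-cp
  mobike=yes
  ike=aes256-sha2
'

# 0 if the log shows ikev2-cp failing to load because MOBIKE is unsupported.
ikev2_mobike_failed() {
  printf '%s\n' "$1" | grep -q '"ikev2-cp": failed to add connection: MOBIKE'
}

# Rewrite mobike=yes to mobike=no in conf file $1 only when log $2 carries
# the failure signature; a POSIX temp-file rewrite avoids GNU-only sed -i.
disable_mobike_if_needed() {
  conf="$1"; log="$2"
  ikev2_mobike_failed "$log" || return 0
  tmp="$conf.tmp"
  sed 's/^\([[:space:]]*\)mobike=yes/\1mobike=no/' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the mobike value currently set in conf file $1.
mobike_value() {
  sed -n 's/^[[:space:]]*mobike=//p' "$1"
}

# Run the check against a log string and report the resulting mobike value.
demo_run() {
  conf=$(mktemp)
  printf '%s' "$SAMPLE_CONF" > "$conf"
  disable_mobike_if_needed "$conf" "$1"
  mobike_value "$conf"
  rm -f "$conf"
}
```

Against a real container you would feed it the pluto lines from /var/log/auth.log and point it at /etc/ipsec.d/ikev2.conf, then restart the container as described above.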