Doesn't connect from iPhone's mobile network #424
@Radmin24 Hello! Recently there have been several users reporting similar issues. What is your Docker host's Linux version (e.g. Ubuntu 22.04), and what is your server's hosting provider? Please try the solution in this linked comment by building the August 2023 version of this Docker image. Let us know if that version resolves the issue for you.
Docker version 26.0.1, build d260a54
Before the time, I began to rejoice. Docker version 26.0.1, build d260a54. It doesn’t work through mobile traffic; it takes a very long time to connect and there is no Internet at all.
For iPhone Wi-Fi, it works.
@Radmin24 Thanks for the update. From the logs you provided, it looks like your mobile network provider may be blocking IPsec VPN traffic. This is indicated by the "retransmitting" and multiple "sent IKE_SA_INIT reply" related lines in your logs. Some countries use techniques (like the GFW in mainland China) to block VPN traffic. For these use cases, there isn't much you can do on the VPN server to make IPsec VPN work. However, you can instead try an alternative solution that is more resistant to blocking, such as Shadowsocks.
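The log pattern described in the comment above, as an added example that is not part of the original thread or the project's code: a Python check that flags IKE SAs where the server sent an IKE_SA_INIT reply, kept receiving duplicate requests, and never processed IKE_AUTH. The sample lines are constructed in the same pluto format; the hostname `vpnhost` and the peer addresses are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the pluto log format quoted in this issue
# (documentation-range peer addresses, hypothetical hostname "vpnhost").
SAMPLE_LOG = """\
2024-04-13T22:39:47.500000+00:00 vpnhost pluto[1728]: "ikev2-cp"[1] 198.51.100.7 #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:39:48.500000+00:00 vpnhost pluto[1728]: "ikev2-cp"[1] 198.51.100.7 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:50.500000+00:00 vpnhost pluto[1728]: "ikev2-cp"[1] 198.51.100.7 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:54.500000+00:00 vpnhost pluto[1728]: "ikev2-cp"[1] 198.51.100.7 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:40:02.500000+00:00 vpnhost pluto[1728]: "ikev2-cp"[1] 198.51.100.7 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:40:12.100000+00:00 vpnhost pluto[1728]: "ikev2-cp"[2] 203.0.113.9 #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:40:12.300000+00:00 vpnhost pluto[1728]: "ikev2-cp"[2] 203.0.113.9 #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH}
2024-04-13T22:40:12.400000+00:00 vpnhost pluto[1728]: "ikev2-cp"[2] 203.0.113.9 #2: responder established IKE SA; authenticated peer
2024-04-13T22:40:12.450000+00:00 vpnhost pluto[1728]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')

def stalled_handshakes(log_text, min_dupes=2):
    """List IKE SAs where the server sent an IKE_SA_INIT reply, kept seeing
    duplicate requests, and never processed IKE_AUTH: the pattern of a reply
    that is not reaching the client."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # debug lines such as "| pool ..." carry no SA number
        sa = sas.setdefault((m["peer"], int(m["sa"])),
                            {"reply": None, "dupes": 0, "last": None, "auth": False})
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        if msg.startswith("sent IKE_SA_INIT reply"):
            sa["reply"] = ts
        elif "received duplicate IKE_SA_INIT message request" in msg:
            sa["dupes"] += 1
            sa["last"] = ts
        elif "IKE_AUTH" in msg or "established IKE SA" in msg:
            sa["auth"] = True
    # (peer, SA number, duplicate count, seconds from reply to last duplicate)
    return [(peer, num, sa["dupes"], (sa["last"] - sa["reply"]).total_seconds())
            for (peer, num), sa in sorted(sas.items())
            if sa["reply"] and not sa["auth"] and sa["dupes"] >= min_dupes]

if __name__ == "__main__":
    for peer, num, dupes, secs in stalled_handshakes(SAMPLE_LOG):
        print(f"{peer} #{num}: {dupes} duplicate IKE_SA_INIT requests over {secs:.0f}s, no IKE_AUTH")
```

A flagged SA shows only that the server's replies are not being answered; whether the cause is filtering or ordinary packet loss has to be judged from where the affected clients connect from.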
Checklist
Describe the issue
When connecting from any VPN network, the connection occurs smoothly for any mobile client, but when connecting from a mobile network, no matter what operator, the connection does not occur.
To Reproduce
1. Run docker
2. Issue a certificate for the iPhone mobile device
3. Try to connect from a mobile network
Expected behavior
There will be a connection and after connecting there will be no Internet.
Logs
Connect client for mobile
2024-04-13T22:39:47.667318+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
2024-04-13T22:39:47.672149+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:39:48.680221+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:50.658573+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:54.707746+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:40:02.730893+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Connect from Wi-Fi
2024-04-13T22:40:12.593748+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
2024-04-13T22:40:12.596294+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:40:12.777376+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
2024-04-13T22:40:12.831136+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: reloaded private key matching left certificate '94.232.247.126'
2024-04-13T22:40:12.831896+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=radmil, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2024-04-13T22:40:12.863120+00:00 edc33738daec pluto[1728]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
2024-04-13T22:40:12.863321+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #3: proposal 1:ESP=AES_GCM_C_256-DISABLED SPI=0c0dfb56 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match]
2024-04-13T22:40:12.911510+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x0c0dfb56 <0x63108f47 xfrm=AES_GCM_16_256-NONE NATD=95.105.68.110:3500 DPD=active}
Server (please complete the following information)
Client (please complete the following information)
Additional context