
Doesn't connect from iPhone's mobile network #424

Closed
Radmin24 opened this issue Apr 13, 2024 · 4 comments

Comments

@Radmin24

Checklist

Describe the issue
When connecting from any VPN network, the connection is established smoothly for any mobile client, but when connecting from a mobile network, no matter which operator, the connection does not occur.

To Reproduce
1. Run docker
2. Issue a certificate for the iPhone mobile device
3. Try to connect from a mobile network

Expected behavior
There will be a connection and after connecting there will be no Internet.

Logs
Connect client for mobile
2024-04-13T22:39:47.667318+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
2024-04-13T22:39:47.672149+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:39:48.680221+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:50.658573+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:39:54.707746+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:40:02.730893+00:00 edc33738daec pluto[1728]: "ikev2-cp"[1] 185.211.159.148 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response

Connect from Wi-Fi
2024-04-13T22:40:12.593748+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
2024-04-13T22:40:12.596294+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
2024-04-13T22:40:12.777376+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
2024-04-13T22:40:12.831136+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: reloaded private key matching left certificate '94.232.247.126'
2024-04-13T22:40:12.831896+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #2: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=radmil, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2024-04-13T22:40:12.863120+00:00 edc33738daec pluto[1728]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
2024-04-13T22:40:12.863321+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #3: proposal 1:ESP=AES_GCM_C_256-DISABLED SPI=0c0dfb56 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match]
2024-04-13T22:40:12.911510+00:00 edc33738daec pluto[1728]: "ikev2-cp"[2] 95.105.68.110 #3: responder established Child SA using #2; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x0c0dfb56 <0x63108f47 xfrm=AES_GCM_16_256-NONE NATD=95.105.68.110:3500 DPD=active}

Server (please complete the following information)

  • Docker host OS: [e.g. Ubuntu 22.04]
  • Hosting provider (if applicable): [e.g. GCP, AWS]

Client (please complete the following information)

  • Device: [e.g. iPhone 13]
  • OS: [e.g. iOS 17]
  • VPN mode: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") or IKEv2]

Additional context
Add any other context about the problem here.

@hwdsl2
Owner

hwdsl2 commented Apr 13, 2024

@Radmin24 Hello! Recently there have been several users reporting similar issues. What is your Docker host's Linux version (e.g. Ubuntu 22.04), and what is your server's hosting provider? Please try the solution in this linked comment by building the August 2023 version of this Docker image. Let us know if that version resolves the issue for you.

@Radmin24
Author

Radmin24 commented Apr 14, 2024

Docker version 26.0.1, build d260a54
Ubuntu 22.04.4 LTS x86_64
https://bill.pq.hosting/
I switched to the version from August 2023! Everything works!
Thank you!
The code I used:

# Clone the repository
git clone https://github.com/hwdsl2/docker-ipsec-vpn-server
cd docker-ipsec-vpn-server
# Go back to the state on Aug. 15, 2023
git checkout 4c8bfa2
# To build Alpine-based image (note the dot "." at the end)
docker build -t hwdsl2/ipsec-vpn-server .
# Or, to build Debian-based image
docker build -f Dockerfile.debian -t hwdsl2/ipsec-vpn-server:debian .

docker run \
    --name ipsec-vpn-server \
    --env-file ./vpn.env \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v /lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server:debian

@Radmin24 Radmin24 reopened this Apr 14, 2024
@Radmin24
Author

Radmin24 commented Apr 14, 2024

I started celebrating too early.
Clients still cannot connect.

Docker version 26.0.1, build d260a54
Ubuntu 22.04.4 LTS x86_64
hwdsl2/ipsec-vpn-server:debian git:(4c8bfa2)

It doesn’t work through mobile traffic, it takes a very long time to connect and there is no Internet at all.

2024-04-14T15:53:16.356344+00:00 a5079bcc965f pluto[2486]: loading secrets from "/etc/ipsec.secrets"
2024-04-14T15:53:58.799696+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2024-04-14T15:53:58.810924+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2024-04-14T15:54:30.080742+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2024-04-14T15:54:30.085858+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #2: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2024-04-14T15:55:01.369369+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2024-04-14T15:55:01.372982+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2024-04-14T15:55:01.617621+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
2024-04-14T15:55:01.659877+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: reloaded private key matching left certificate '94.232.247.126'
2024-04-14T15:55:01.661284+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=RainaNEW, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2024-04-14T15:55:01.706641+00:00 a5079bcc965f pluto[2486]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
2024-04-14T15:55:01.706918+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #4: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=03d1a48d chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
2024-04-14T15:55:01.741678+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #4: responder established Child SA using #3; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x03d1a48d <0xe9dc9f9c xfrm=AES_GCM_16_128-NONE NATD=5.101.18.17:53850 DPD=active}

For iPhone on Wi-Fi, it works.

2024-04-14T15:56:02.228512+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
2024-04-14T15:56:02.732753+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
2024-04-14T15:56:03.734170+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
2024-04-14T15:56:05.741205+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 4 seconds for response
2024-04-14T15:56:09.745559+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 8 seconds for response
2024-04-14T15:56:17.747609+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 16 seconds for response
2024-04-14T15:56:33.750555+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 32 seconds for response
2024-04-14T15:57:05.754459+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #3: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 64 seconds for response
2024-04-14T15:57:18.810601+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #1: deleting incomplete state after 200 seconds
2024-04-14T15:57:18.810782+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[1] 5.101.18.17 #1: deleting state (STATE_V2_PARENT_R1) aged 200.011225s and NOT sending notification
2024-04-14T15:57:33.617286+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #5: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2024-04-14T15:57:33.625820+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #5: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2024-04-14T15:57:33.763524+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #5: processing decrypted IKE_AUTH request: SK{IDi,CERT,N(INITIAL_CONTACT),IDr,AUTH,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
2024-04-14T15:57:33.766231+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #5: responder established IKE SA; authenticated peer '3072-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=RainaNEW, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2024-04-14T15:57:33.780377+00:00 a5079bcc965f pluto[2486]: | pool 192.168.43.10-192.168.43.250: growing address pool from 1 to 2
2024-04-14T15:57:33.780544+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #6: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=072a5dd2 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
2024-04-14T15:57:33.832222+00:00 a5079bcc965f pluto[2486]: "ikev2-cp"[2] 95.105.68.110 #6: responder established Child SA using #5; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.11-192.168.43.11:0-65535 0] {ESPinUDP=>0x072a5dd2 <0x506f6214 xfrm=AES_GCM_16_128-NONE NATD=95.105.68.110:3609 DPD=active}

@hwdsl2
Owner

hwdsl2 commented Apr 14, 2024

@Radmin24 Thanks for the update. From the logs you provided, it looks like your mobile network provider may be blocking IPsec VPN traffic. This is indicated by the "retransmitting" and multiple "sent IKE_SA_INIT reply" related lines in your logs. Some countries use techniques (like the GFW in mainland China) to block VPN traffic. For these use cases, there isn't much you can do on the VPN server to make IPsec VPN work. However, you can instead try an alternative solution that is more resistant to blocking, such as Shadowsocks.
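The diagnosis above is a pattern that can be checked mechanically: a peer that keeps re-sending IKE_SA_INIT (so pluto logs "duplicate ... retransmitting response") or gets repeated IKE_SA_INIT replies but never reaches IKE_AUTH is one whose replies are being dropped on the path. The following is an added example, not part of this issue or of the hwdsl2 project; it assumes Libreswan's pluto log line format as shown in the excerpts above, uses constructed sample lines with RFC 5737 documentation addresses, and the retransmission threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample in Libreswan pluto log format, modelled on the excerpts in
# this issue; peers are RFC 5737 documentation addresses, not the reporter's.
SAMPLE_LOG = """\
2024-04-13T22:39:47+00:00 h pluto[1728]: "ikev2-cp"[1] 203.0.113.5 #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 group=DH19}
2024-04-13T22:39:48+00:00 h pluto[1728]: "ikev2-cp"[1] 203.0.113.5 #1: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
2024-04-13T22:40:12+00:00 h pluto[1728]: "ikev2-cp"[2] 198.51.100.9 #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 group=DH19}
2024-04-13T22:40:12+00:00 h pluto[1728]: "ikev2-cp"[2] 198.51.100.9 #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,IDr,AUTH,SA,TSi,TSr}
2024-04-13T22:40:12+00:00 h pluto[1728]: "ikev2-cp"[2] 198.51.100.9 #3: responder established Child SA using #2; IPsec tunnel
2024-04-14T15:55:01+00:00 h pluto[2486]: "ikev2-cp"[3] 192.0.2.77 #4: sent IKE_SA_INIT reply {cipher=AES_CBC_256 group=MODP2048}
2024-04-14T15:55:01+00:00 h pluto[2486]: "ikev2-cp"[3] 192.0.2.77 #4: processing decrypted IKE_AUTH request: SK{IDi,CERT,IDr,AUTH,SA,TSi,TSr}
2024-04-14T15:55:01+00:00 h pluto[2486]: "ikev2-cp"[3] 192.0.2.77 #5: responder established Child SA using #4; IPsec tunnel
2024-04-14T15:56:02+00:00 h pluto[2486]: "ikev2-cp"[3] 192.0.2.77 #4: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
2024-04-14T15:56:02+00:00 h pluto[2486]: "ikev2-cp"[3] 192.0.2.77 #4: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
"""

# Assumed line shape: <ts> <host> pluto[pid]: "<conn>"[n] <peer> #<sa>: <msg>
LINE_RE = re.compile(
    r'^\S+ \S+ pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)$')

def classify_peers(log_text, retrans_threshold=2):
    """Per-peer verdict on whether the IKEv2 exchange progresses or stalls."""
    st = defaultdict(lambda: {"init": 0, "dup": 0, "auth": False,
                              "child": False, "retrans": 0})
    # Lines that do not match (pool growth, secrets loading) are skipped.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        s, msg = st[m["peer"]], m["msg"]
        if "sent IKE_SA_INIT reply" in msg:
            s["init"] += 1
        elif "duplicate IKE_SA_INIT" in msg:
            s["dup"] += 1               # client re-sent INIT: our reply was lost
        elif "processing decrypted IKE_AUTH request" in msg:
            s["auth"] = True            # client received our reply and moved on
        elif "established Child SA" in msg:
            s["child"] = True
        elif "retransmission; will wait" in msg:
            s["retrans"] += 1           # our packet unanswered after handshake
    out = {}
    for peer, s in st.items():
        if s["child"] and s["retrans"] >= retrans_threshold:
            out[peer] = "established-but-unacked"   # tunnel up, traffic stalls
        elif s["child"]:
            out[peer] = "ok"
        elif s["init"] and not s["auth"] and (s["dup"] or s["init"] > 1):
            out[peer] = "init-reply-not-reaching-client"
        else:
            out[peer] = "incomplete"
    return out
```

Run it over a real `/var/log/pluto.log` (or `docker logs`) and peers tagged "init-reply-not-reaching-client" are the ones whose carrier path is dropping UDP 500/4500 replies, which no server-side setting will fix.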

@hwdsl2 hwdsl2 closed this as completed Apr 14, 2024