
Cannot connect with Android 10's built-in VPN client in IPsec/L2TP and IPsec/XAuth modes #1291

Closed
yangislet opened this issue Dec 1, 2022 · 6 comments

Comments


yangislet commented Dec 1, 2022

  1. After configuring the relevant parameters in /etc/ipsec.conf and restarting the server, I set up the built-in VPN client on Android 10 with the relevant parameters, but it cannot connect. Windows 10 connects successfully.
  2. Setting the iptables MTU as discussed in Issue with IPsec/XAuth client #618 also has no effect.
  3. The error message in the log is: ipsecvpn pluto[28514]: "xauth-psk"[1] 117.*.*.* #5: OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
hwdsl2 (Owner) commented Dec 1, 2022

@yangislet Hi! Please provide the complete log (you may remove IP addresses and similar information). Besides this one line there should be other specific error messages. OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM should not be the reason the connection fails.

yangislet (Author) commented Dec 1, 2022

  1. The server's firewalld firewall is turned off; iptables -L shows the following:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:l2tp policy match dir in pol none
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             multiport dports isakmp,ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere             udp dpt:l2tp policy match dir in pol ipsec
DROP       udp  --  anywhere             anywhere             udp dpt:l2tp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.43.0/24      ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.43.0/24      anywhere            
ACCEPT     all  --  192.168.43.0/24      anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
  2. The log lines at the beginning and the end are from connecting with the phone; the successful connection in the middle is from the Windows VPN client.
Dec  1 13:11:49 ipsecvpn pluto[6139]: "ikev2-cp": loaded private key matching left certificate '*.*.*.*'
Dec  1 13:11:49 ipsecvpn pluto[6139]: "ikev2-cp": added IKEv2 connection
Dec  1 13:11:49 ipsecvpn pluto[6139]: listening for IKE messages
Dec  1 13:11:49 ipsecvpn pluto[6139]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Dec  1 13:11:49 ipsecvpn pluto[6139]: adding UDP interface eth0 *.*.*.*:500
Dec  1 13:11:49 ipsecvpn pluto[6139]: adding UDP interface eth0 *.*.*.*:4500
Dec  1 13:11:49 ipsecvpn pluto[6139]: adding UDP interface lo 127.0.0.1:500
Dec  1 13:11:49 ipsecvpn pluto[6139]: adding UDP interface lo 127.0.0.1:4500
Dec  1 13:11:49 ipsecvpn pluto[6139]: forgetting secrets
Dec  1 13:11:49 ipsecvpn pluto[6139]: loading secrets from "/etc/ipsec.secrets"
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: responding to Main Mode from unknown peer *.*.*.*:2805
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: sent Main Mode R1
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: sent Main Mode R2
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: Peer ID is ID_IPV4_ADDR: '*.*.*.*'
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: switched to "l2tp-psk"[2] *.*.*.*
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.*: deleting connection instance with peer *.*.*.* {isakmp=#0/ipsec=#0}
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: the peer proposed: *.*.*.*/32:1701 -UDP-> *.*.*.*/32:1701
Dec  1 13:15:48 ipsecvpn pluto[6139]: |   checking hostpair *.*.*.*/32:1701 -> *.*.*.*/32:0
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2: responding to Quick Mode proposal {msgid:00000001}
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2:     us: *.*.*.*/32:UDP/1701===*.*.*.*[*.*.*.*]  them: *.*.*.*[*.*.*.*]===*.*.*.*/32:UDP/1701
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0x00383312 <0x75b79573 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=*.*.*.* NATD=*.*.*.*:2212 DPD=unsupported}
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2: IPsec SA established transport mode {ESPinUDP=>0x00383312 <0x75b79573 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=*.*.*.* NATD=*.*.*.*:2212 DPD=unsupported}
Dec  1 13:15:50 ipsecvpn pluto[6139]: netlink_expire got message with length 60 < 232 bytes; ignore message
Dec  1 13:15:50 ipsecvpn pluto[6139]: netlink_expire got message with length 60 < 232 bytes; ignore message
Dec  1 13:15:50 ipsecvpn pluto[6139]: netlink_expire got message with length 60 < 232 bytes; ignore message
Dec  1 13:15:52 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: received Delete SA(0x00383312) payload: deleting IPsec State #2
Dec  1 13:15:52 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2: deleting state (STATE_QUICK_R2) aged 3.447739s and sending notification
Dec  1 13:15:52 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #2: ESP traffic information: in=11KiB out=22KiB
Dec  1 13:15:52 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: deleting state (STATE_MAIN_R3) aged 3.740226s and sending notification
Dec  1 13:15:52 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.*: deleting connection instance with peer *.*.*.* {isakmp=#0/ipsec=#0}
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: responding to Main Mode from unknown peer *.*.*.*:35813
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_384 PRF in FIPS mode (24 bytes required)
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_512, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_SHA2_512, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_384 PRF in FIPS mode (24 bytes required)
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_SHA2_384, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [3DES_CBC (192), HMAC_SHA2_256, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: no acceptable Oakley Transform
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: sending notification NO_PROPOSAL_CHOSEN to *.*.*.*:35813
Dec  1 13:16:29 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:32 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:35 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:38 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:41 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:44 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:47 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:50 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0
Dec  1 13:16:53 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: discarding initial packet; already STATE_MAIN_R0

hwdsl2 (Owner) commented Dec 1, 2022

@yangislet Please see:
#1244 (comment)
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth-zh.md#android

Android's built-in client uses the less secure MODP1024 for IPsec/L2TP and IPsec/XAuth modes. To improve security, it is disabled in the script's default configuration. Connecting with IKEv2 mode is recommended.

If you need to connect with IPsec/L2TP or IPsec/XAuth mode, you can follow the instructions in the second or third link above to modify ipsec.conf and enable the less secure MODP1024 (not recommended).
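A small diagnostic for the failure pattern in the log above, added here as an example (it is not code from this issue or from the setup-ipsec-vpn project): it scans Libreswan pluto lines, groups the refused Oakley Transforms per IKE SA, and flags SAs that ended in "no acceptable Oakley Transform" whose proposals all used MODP1024, which is what distinguishes the Android attempts from the Windows one that succeeded on MODP2048. The embedded log lines are constructed in the shape of the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the pluto log quoted in the issue
# (one Windows SA that succeeds after two refusals, one Android SA that fails).
SAMPLE_LOG = """\
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[1] *.*.*.* #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Dec  1 13:15:48 ipsecvpn pluto[6139]: "l2tp-psk"[2] *.*.*.* #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: no acceptable Oakley Transform
Dec  1 13:16:27 ipsecvpn pluto[6139]: "xauth-psk"[1] *.*.*.* #3: sending notification NO_PROPOSAL_CHOSEN to *.*.*.*:35813
"""

# Libreswan prefixes each line with the connection name, instance, peer and state (#n).
PREFIX = r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): '
REFUSED_RE = re.compile(PREFIX + r'Oakley Transform \[(?P<enc>[^,]+), (?P<integ>[^,]+), (?P<dh>[^\]]+)\] refused')
FAILED_RE = re.compile(PREFIX + r'no acceptable Oakley Transform')

def analyse(log: str) -> dict:
    """Return, per failed IKE SA, how many proposals were refused and which DH groups they used."""
    refused = {}          # (conn, sa) -> list of (enc, integ, dh) the server turned down
    failed = set()        # SAs that ended in NO_PROPOSAL_CHOSEN
    for line in log.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            refused.setdefault((m["conn"], m["sa"]), []).append((m["enc"], m["integ"], m["dh"]))
            continue
        m = FAILED_RE.search(line)
        if m:
            failed.add((m["conn"], m["sa"]))
    findings = {}
    for key in failed:
        groups = Counter(dh for _, _, dh in refused.get(key, []))
        findings[key] = {
            "refused": sum(groups.values()),
            "dh_groups": dict(groups),
            # Every proposal used group 2: the client offers nothing stronger, so the
            # fix is server-side (allow MODP1024 for this client, or move it to IKEv2).
            "only_modp1024": set(groups) == {"MODP1024"},
        }
    return findings

if __name__ == "__main__":
    for (conn, sa), f in analyse(SAMPLE_LOG).items():
        print(f'{conn} #{sa}: {f["refused"]} proposals refused, DH groups {f["dh_groups"]}, only MODP1024: {f["only_modp1024"]}')
```

The Windows SA is not reported because it never reached "no acceptable Oakley Transform"; a refusal of DH19/DH20 followed by success on MODP2048 is normal negotiation, not a failure.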

hwdsl2 closed this as completed Dec 1, 2022

yangislet (Author) commented

The problem is that I have already followed the official tutorial and still cannot connect, which is why I came here to ask.

hwdsl2 (Owner) commented Dec 1, 2022

@yangislet For IPsec/L2TP and IPsec/XAuth modes, you can follow the instructions at this link to enable the less secure MODP1024 and restart the IPsec service, after which you will be able to connect.
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android

For IKEv2, please see:
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#android

The steps include: to find the .sswan file, tap the slide-out menu in the top-left corner, then browse to the directory where you saved the file.

aogg commented Jan 22, 2023

It works now. It was a problem with the Xiaomi client; creating another VPN profile made it connect successfully.

Android 11, built-in client, configured VPN_ENABLE_MODP1024=yes, still cannot connect, and it only shows a failure; the server side does not show any message at all. The port is definitely open since there is no firewall.
