
VPN not working after iOS 14 upgrade

Open jackie1100 opened this issue 4 years ago • 4 comments

Hi, thanks so much for this wonderful and amazing project, I have been using it for 2 years. I'm very new to GitHub so please excuse me if I say or ask something stupid. I'm running the "docker-ipsec-vpn-server" in a cloud hosting environment and use it mainly for 4-5 personal phones. After the iOS 14 upgrade, the VPN does not connect on iPhone, although Android phones work fine. It looks like the issue is mentioned here: https://developer.apple.com/forums/thread/660499. It talks about deactivating SHA-256 compatible mode (96 bits). After searching and reading in various places online, I found that these parameters may be defined in ipsec.conf. I found 2 ipsec.conf files in the container environment:

  1. /var/lib/docker/overlay2/<random_string>/diff/etc/ipsec.conf
  2. /var/lib/docker/overlay2/<random_string>/merged/etc/ipsec.conf

These are both identical and contain the following, which could be relevant:

```
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
sha2-truncbug=yes
```

But I have no idea what to change and in which of the 2 files to change. I would be more than happy to contribute and help others as I know many people would be facing this issue, but need some initial help in figuring out. I would really appreciate if you can provide some help. Thanks again.

jackie1100 avatar Oct 02 '20 23:10 jackie1100

@jgimenez - (I hope tagging directly is ok) Going through the README, I found the troubleshooting link: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting where it mentioned an issue with iOS 13 and changing the `sha2-truncbug` value from yes to no and then doing an ipsec restart. Voila, the iPhone VPN connects now. But I don't want to close this issue yet, to make sure that I haven't applied just a band-aid. If I restarted both ipsec and xl2tpd, I noticed that the value I changed got reverted back. Also, if I restarted the container, the old value would be back; if I just restarted ipsec, it worked. So I want to make sure: is there a better/permanent way to apply this change? Secondly, is the `sha2-truncbug` value responsible for deactivating SHA-256 compatible mode, as advised by Apple? Thanks

jackie1100 avatar Oct 03 '20 01:10 jackie1100

If you want to apply the change just for the container you are running, you can edit the run.sh in /opt/src and delete the `sha2-truncbug=yes`. After this, every time you restart the container the updated configuration file will be applied.

zshvvhm avatar Nov 09 '20 06:11 zshvvhm
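The two comments above describe the same change from two angles: jackie1100 toggled `sha2-truncbug` in the container's generated ipsec.conf and saw it revert on container restart, and zshvvhm points at the script that writes that file. The script below is an added example, not code from the project or from anyone in this thread. It shows a defender-side way to check and apply the change to whichever file carries the literal `sha2-truncbug=yes` line (the generated ipsec.conf for a quick test, or the generator so the change survives a restart). Assumptions: the quoted fragment is embedded as a constructed sample under a `conn shared` section (the section name is assumed, it does not appear in the issue), and run.sh is assumed to contain the same literal line, as zshvvhm's comment implies; its real contents are not on the page. In Libreswan, `sha2-truncbug=yes` requests the non-standard 96-bit truncation of SHA-2 HMACs for ESP, which is the compatibility mode Apple's note refers to; after changing the setting you still need the `ipsec restart` the thread mentions.

```shell
#!/bin/sh
# Added example (not part of the project or the issue): inspect and fix the
# sha2-truncbug setting in a Libreswan-style ipsec.conf.
set -eu

# Print the effective sha2-truncbug value in a config file: "yes", "no" or
# "unset". If the key appears more than once, the last occurrence wins.
truncbug_state() {
  awk -F= '
    /^[[:space:]]*sha2-truncbug[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
    END { print (v == "" ? "unset" : v) }
  ' "$1"
}

# Rewrite "sha2-truncbug=yes" to "sha2-truncbug=no", keeping indentation.
# Works on any file that carries the literal line (the generated ipsec.conf,
# or the script that generates it). Running it twice is harmless.
set_truncbug_no() {
  f="$1"
  sed 's/^\([[:space:]]*\)sha2-truncbug[[:space:]]*=[[:space:]]*yes[[:space:]]*$/\1sha2-truncbug=no/' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# Exit status 0 when the config no longer requests the 96-bit truncation mode.
ios14_ready() {
  [ "$(truncbug_state "$1")" != "yes" ]
}

# Demo on a constructed copy of the fragment quoted in the issue. The
# "conn shared" section name is an assumption; the issue only quotes the keys.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
conn shared
  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
  sha2-truncbug=yes
EOF
  echo "before: sha2-truncbug=$(truncbug_state "$tmp")"
  set_truncbug_no "$tmp"
  echo "after:  sha2-truncbug=$(truncbug_state "$tmp")"
  ios14_ready "$tmp" && echo "config no longer uses the 96-bit SHA-2 truncation"
  rm -f "$tmp"
}

demo
```

Point `set_truncbug_no` at the file you actually want changed: editing the copy under `/var/lib/docker/overlay2/.../merged/etc/ipsec.conf` only lasts until the container regenerates it, which is the revert jackie1100 observed, so for a persistent change apply it to the generator (run.sh, per zshvvhm) or rebuild the image, then run `ipsec restart`.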

Another fix would be to just use Cisco IPsec instead of L2TP over IPsec.

Woodehh avatar Nov 25 '20 20:11 Woodehh

Please feel free to send PRs if you want to support additional devices. However, iOS 14 and iOS 15 both work for me with no further changes.

jgimenez avatar Dec 16 '21 11:12 jgimenez