VPN not working after iOS 14 upgrade

[jackie1100]

Hi,
Thanks so much for this wonderful and amazing project, have been using it for 2 years.
I'm very new to github so please excuse if I say or ask something stupid.
I'm running the "docker-ipsec-vpn-server" in a cloud hosting environment and use it mainly for 4-5 personal phones.
After the iOS 14 upgrade, the VPN does not connect on iPhone, although Android phones work fine. It looks like the issue is mentioned here: https://developer.apple.com/forums/thread/660499. It talks about deactivating SHA-256 compatible mode (96 bits). After searching and reading on various places online I found that these parameters may be defined in ipsec.conf. I found 2 ipsec.conf files in the container environment:

1. /var/lib/docker/overlay2/<random_string>/diff/etc/ipsec.conf
2. /var/lib/docker/overlay2/<random_string>/merged/etc/ipsec.conf
   These are both identical and contain the following which could be relevant:
   ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
   phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
   sha2-truncbug=yes

But I have no idea what to change and in which of the 2 files to change.
I would be more than happy to contribute and help others as I know many people would be facing this issue, but need some initial help in figuring out.
I would really appreciate if you can provide some help.
Thanks again.

[jackie1100]

@jgimenez - (I hope tagging directly is ok) Going through the README, I found the troubleshooting link: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting where it mentioned an issue with iOS 13 and changing sha2-truncbug value from yes to no and then doing an ipsec restart. Voila the Iphone VPN connects now.
But I don't want to close this issue yet to make sure that I haven't applied just a band-aid. If I restarted both ipsec and xl2tpd, I noticed that the value I changed got reverted back. Also, if I restarted the container, the old value would be back, if I just restarted ipsec, it worked. So I want to make sure if there is a better/permanent way to apply this change?
Secondly, is the sha2-truncbug value responsible for deactivating sha 256 compatible mode, as advised by apple?
Thanks

[zshvvhm]

If you want to apply the change just for the container you are running, you can edit the run.sh in /opt/src, delete the sha2-truncbug=yes. After this every time your restart the container the updated configure file will be applied.

[Woodehh]

Another fix would be to just use Cisco IPSEC instead of L2TP over IPSEC

[jgimenez]

Please feel free to send PRs if you want to support additional devices. However, iOS 14 and iOS 15 both work for me with no further changes.