docker-ipsec-vpn-server's People

Contributors

framebassman, fty4, hwdsl2, itris666, time-river, wolasss

docker-ipsec-vpn-server's Issues

win10 cannot connect

It's caused by the Docker instance not supporting MS-CHAPv2, which is a

Adding

+mschap-v2

to /etc/ppp/options.l2tpd in run.sh can solve the problem.

error 800 on client

I have followed your guide to install this image on my VPS, but I'm getting error 800 on my client machine; I don't know what to do to fix this error.

Ports 500 and 4500 were opened on my VPS, but I'm still getting the same error.

Host machine:

uname -a && lsb_release -a
Linux vultr.guest 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64 x86_64    x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename: trusty

Docker log:

xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 47a42351aaa5 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received

docker exec -it ipsec-vpn-server ipsec status:

000 Total IPsec connections: loaded 3, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(31), half-open(0), open(31), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #6: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26760s; nodpd; idle; import:not set
000 #14: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26901s; nodpd; idle; import:not set
000 #17: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27022s; nodpd; idle; import:not set
000 #26: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27171s; nodpd; idle; import:not set
000 #30: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28648s; nodpd; idle; import:not set
000 #21: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27052s; nodpd; idle; import:not set
000 #22: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27156s; nodpd; idle; import:not set
000 #12: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26889s; nodpd; idle; import:not set
000 #9: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26788s; nodpd; idle; import:not set
000 #8: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26772s; nodpd; idle; import:not set
000 #7: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26764s; nodpd; idle; import:not set
000 #31: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28651s; nodpd; idle; import:not set
000 #29: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28647s; nodpd; idle; import:not set
000 #28: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28646s; nodpd; idle; import:not set
000 #13: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26893s; nodpd; idle; import:not set
000 #18: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27024s; nodpd; idle; import:not set
000 #16: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27020s; nodpd; idle; import:not set
000 #15: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26917s; nodpd; idle; import:not set
000 #4: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26758s; nodpd; idle; import:not set
000 #10: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26885s; nodpd; idle; import:not set
000 #2: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26494s; nodpd; idle; import:not set
000 #24: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27159s; nodpd; idle; import:not set
000 #19: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27028s; nodpd; idle; import:not set
000 #25: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27163s; nodpd; idle; import:not set
000 #5: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26758s; nodpd; idle; import:not set
000 #20: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27036s; nodpd; idle; import:not set
000 #3: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26495s; nodpd; idle; import:not set
000 #27: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27187s; nodpd; idle; import:not set
000 #23: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27157s; nodpd; idle; import:not set
000 #11: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26887s; nodpd; idle; import:not set
000 #1: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26493s; nodpd; idle; import:not set

`/etc/ipsec.conf` is reverted on restart

Hi, I've been using docker-ipsec-vpn-server with a lot of success; there's only one little hiccup. I'm using Android 6.0, so I followed the steps here https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android to change /etc/ipsec.conf (using docker cp).

However, every time I restart the container or my machine, the ipsec.conf file gets reverted to its original state, and then I have to make the same changes again. I'm not sure whether this is the expected behaviour. What's a good way to persist my changes?

Cannot connect from macOS 10.13.1

Jan 27 02:52:29 06b48c2bd353 pluto[2257]: loading secrets from "/etc/ipsec.secrets"
Jan 27 02:53:11 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #1: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:11 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:14 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #2: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:14 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:18 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #3: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:18 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:21 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #4: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:21 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #4: STATE_MAIN_R1: sent MR1, expecting MI2

I tried to set up with the script on a DigitalOcean VPS and got the same error log in auth.log.

XAuth

Hi,
Is it possible to force L2TP clients to use the XAuth authentication method?
Thanks

Container suddenly cannot be connected to after running normally for a while

Hello, the VPN container had been running normally, but a few days ago it suddenly stopped responding. The log is as follows:

Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: responding to Main Mode from unknown peer 115.*.*.* on port 500
Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 17 05:09:21 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:09:24 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:09:27 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:10:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: deleting incomplete state after 60.000 seconds
Feb 17 05:10:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: deleting state (STATE_MAIN_R1)
Feb 17 05:10:17 ff44858d3881 pluto[2074]: deleting connection "l2tp-psk"[1] 115.*.*.* instance with peer 115.*.*.* {isakmp=#0/ipsec=#0}

Tests of port 4500 and port 500 both succeed:

4500:
found 0 associations
found 1 connections:
     1:	flags=82<CONNECTED,PREFERRED>
	outif (null)
	src 192.168.1.2 port 62722
	dst *.*.*.* port 4500
	rank info not available

Connection to *.*.*.* port 4500 [udp/ipsec-msft] succeeded!

500: 
found 0 associations
found 1 connections:
     1:	flags=82<CONNECTED,PREFERRED>
	outif (null)
	src 192.168.1.2 port 65349
	dst *.*.*.* port 500
	rank info not available

Connection to *.*.*.* port 500 [udp/isakmp] succeeded!

How should this problem be solved?

Data forwarding not working?

I just deployed it on an Alibaba Cloud server in the US West region and connected successfully. Then, all access to networks inside China works, but nothing outside China does. What... is going on here?

static IP for different users

Hi,

Is it possible to configure the users to have a static IP address within a subnet?
I have many devices to connect to the IPsec VPN server, so I would like to have this feature.

Thanks!
Wing

what is /lib/modules folder?

I was trying to use this container but haven't succeeded yet. One thing I noticed is that the /lib/modules directory does not exist on my Ubuntu 14 EC2 image. Can you explain what it is?

Running "--privileged" is a security risk

Just stumbled over this repo and noticed the active --privileged flag for the container.

Instead I'd recommend using --cap-add=NET_ADMIN --net=host, which leaves the host less exposed.

L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

docker run --name ipsec-vpn-server --env-file ./vpn.env --restart=always -p 500:500/udp -p 4500:4500/udp -p 1701:1701/udp -v /lib/modules:/lib/modules:ro -d --privileged hwdsl2/ipsec-vpn-server

root@iZ2ze9rt5c8x00a69z163rZ:/vpn# docker logs ipsec-vpn-server -f

Trying to auto discover IP of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: 47.93.38.77

IPsec PSK: < >
Username: < >
Password: < >

Write these down. You'll need them to connect!

Important notes: https://git.io/vpnnotes2
Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on c48037a5f890 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

Connects successfully, but cannot visit Google...

vpn status:

admin@ubuntu:~$ sudo docker exec -it ipsec-vpn-server ipsec whack --trafficstatus
[sudo] password for admin: 
006 #20: "l2tp-psk"[5] 113.110.229.42, type=ESP, add_time=0, inBytes=955, outBytes=120, id='192.168.1.108'

Windows 10; cannot visit Google, Facebook and so on.
I'm in China.

local HTTPS sites not working from VPN

After connecting to the VPN (xauth) I am not able to load my local https websites. I am able to connect to regular http websites located by the docker host but not https. While connected to the VPN I am able to ping the docker host with no problems. I have also added exceptions to the firewall on the host for the website port as well as 443 for SSL, with no luck.

I receive the following error: ERR_ADDRESS_UNREACHABLE

I also attempted to use --net=host but receive the error:
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.

Is this something that I should change in the Dockerfile or is this a host error?

Ping devices behind VPN client

Hi,
I started this Docker container on my server. Then, I successfully connected an L2TP client (configured on a MikroTik mAP 2nD router) to the container. Now, the router running the L2TP client has three address ranges (and two physical Ethernet ports): one private range (10.0.10.0/24) on the WAN interface that is connected to the horizontal wiring to get the Internet connection, one private range (192.168.88.0/24) on the second Ethernet port, and one private address 192.168.42.11 as VPN client (the VPN server has the 192.168.42.1 address). The VPN endpoints are able to ping each other, and the clients on the 192.168.88.0/24 network are able to ping the VPN server endpoint (i.e. 192.168.42.1). Unfortunately, I can't ping the 192.168.88.0/24 network from the VPN server... Do I have to change something in the VPN server configuration, or is this a VPN client issue?
Thanks

centos7.2 Permission denied (you must be root)

Please Help. Thanks.

Linux iZu1na35il8Z 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[admin@iZu1na35il8Z ~]$ sudo  docker run hwdsl2/ipsec-vpn-server

VPN credentials not set by user. Generating random PSK and password...

Trying to auto discover IPs of this server...
sysctl: setting key "kernel.msgmnb": Read-only file system
sysctl: setting key "kernel.msgmax": Read-only file system
sysctl: setting key "kernel.shmmax": Read-only file system
sysctl: setting key "kernel.shmall": Read-only file system
sysctl: setting key "net.ipv4.ip_forward": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.default.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts": Read-only file system
sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses": Read-only file system
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)

TCP is broken

Hi guys. I've installed the VPN with a Docker container behind a NAT. I'm trying to connect to my network and I get some problems with TCP connections from Shrew. Ping works fine, but if I connect through TCP, after a while TCP is broken. From my client I see that packets are going out through the VPN server but not coming back. At the destination host I see a lot of retransmitted packets. Can you help me to solve this issue? P.S. From macOS everything works well, but not from Shrew.

How to use IPSec VPN on Linux

I successfully set up my IPsec server using your Docker image. However, I can't connect to it from Linux.
I use vpnc to set up the link. Here is the config file:

IPSec gateway xxx.xxx.xxx.xxx
IPSec ID <group-id>
IPSec secret *******
IKE Authmode psk
Xauth username xxx
Xauth password xxx

What is IPSec ID?
P.S. Typing in English is a hassle; if possible, could you please reply in Chinese?

CentOS Linux release 7.2.1511 (Core) error

docker run \
  --name ipsec-vpn-server \
  --env-file ./vpn.env \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -v /lib/modules:/lib/modules:ro \
  -d --privileged \
  hwdsl2/ipsec-vpn-server

modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.5.5-x86_64-linode69/modules.dep.bin'
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 6538e2d25626 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

docker: Error response from daemon: driver failed programming external connectivity on endpoint ipsec-vpn-server (87fb4aaf354e190bb59ecb3f5874d9be47b57ced728ebe6958784d92d8f70199): iptables failed: iptables --wait -t nat -A DOCKER -p udp -d 0/0 --dport 4500 -j DNAT --to-destination 172.17.0.2:4500 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).

CentOS Linux release 7.2.1511 (Core)

Why not write `sha2-truncbug=yes` in run.sh?

Originally posted by @cncolder:

/opt/src/run.sh will rewrite /etc/ipsec.conf after restarting Docker. I must edit it every time.
I think it's good to move it from the troubleshooting docs into /opt/src/run.sh.

I set up -v ./ipsec.conf:/etc/ipsec.conf now. But I found there are some dynamic IP addresses in the gen script.

can't modprobe af_key in debian8

Hi mate,

I use Debian 8 (jessie) amd64, kernel 4.1.5-x86_64-linode61,
and can't modprobe af_key:

modprobe af_key
modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.1.5-x86_64-linode61/modules.dep.bin'

Do you know how to add this? Or maybe I need to rebuild the kernel and enable IPsec?

Thanks.

Can't modprobe af_key in OVH gaming server

Server info

  • OVH model name: MC-64-OC
  • CPU: i7-7700K overclock
  • RAM: 64GB
  • OS: Ubuntu Server 16.04 "Xenial Xerus" LTS

Log

birkhoff@bhs01:~$ sudo modprobe af_key
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.9.13-mod-std-ipv6-64/modules.builtin.bin'
modprobe: FATAL: Module af_key not found in directory /lib/modules/4.9.13-mod-std-ipv6-64

Additional Info

I didn't check "Install original kernel" while installing the system. Will that be a problem?

Constant Restarting

I am trying to run this Docker image on my Raspberry Pi 3 running Raspbian Pixel. The container seems to be constantly restarting and not actually running. I am not sure if this is specific to the Raspberry Pi, because I have run this Docker image on other machines with no issues at all.

Multi-user support

In order to support multiple accounts, I had to customize the CMD (run.sh) script, either to allow the specification of multiple users or to add a check whether there are already accounts in /etc/ppp/chap-secrets and /etc/ipsec.d/passwd before overwriting them, so I could mount them as volumes and fill them with users using something similar to:

docker-compose exec vpn bash
VPN_USER='new_user'
VPN_PASSWORD='new_passwd'

cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF

VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF

Is not supporting multiple users a design decision, or would merge requests be accepted if they do not complicate things for a default setup?
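As an added example (not code from the post above or from docker-ipsec-vpn-server), here is the check the post describes: a POSIX sh function that appends an account to both credential files only when the user name is not already present, so re-running it or a container restart never overwrites or duplicates accounts. It assumes the two line formats and the `openssl passwd -1` hashing shown in the post; the file paths are parameters so it can be tried on copies of the files.

```shell
#!/bin/sh
# Added example, not code from the post above or from docker-ipsec-vpn-server.
# Adds one VPN account to both credential files, but only when the user name
# is not already present, so re-running it (or a restart) never overwrites or
# duplicates accounts. File paths default to the container paths named in the
# post and can be overridden to work on copies.

# vpn_user_exists FILE USER  -> 0 if USER already has an entry in FILE, else 1.
# Expected line formats (from the post):
#   /etc/ppp/chap-secrets : "alice" l2tpd "secret" *
#   /etc/ipsec.d/passwd   : alice:$1$salt$hash:xauth-psk
vpn_user_exists() {
    _file=$1
    _name=$2
    [ -f "$_file" ] || return 1
    grep -Eq "^(\"$_name\"|$_name)([[:space:]]|:)" "$_file"
}

# add_vpn_user USER PASSWORD [CHAP_SECRETS] [IPSEC_PASSWD]
# Return codes: 0 added, 1 user already present, 2 invalid input, 3 hashing failed.
add_vpn_user() {
    _user=$1
    _pass=$2
    _chap=${3:-/etc/ppp/chap-secrets}
    _xauth=${4:-/etc/ipsec.d/passwd}

    # Restrict names to characters that are safe in both file formats and in
    # the grep pattern above (no quotes, colons, whitespace or regex operators;
    # a '.' in a name can at worst cause a false "already present" refusal).
    case "$_user" in
        ''|*[!A-Za-z0-9._-]*)
            echo "add_vpn_user: invalid user name '$_user'" >&2
            return 2 ;;
    esac
    # chap-secrets is quote/whitespace delimited; keep the password simple.
    case "$_pass" in
        ''|*'"'*|*[[:space:]]*)
            echo "add_vpn_user: password must be non-empty, without quotes or whitespace" >&2
            return 2 ;;
    esac

    if vpn_user_exists "$_chap" "$_user" || vpn_user_exists "$_xauth" "$_user"; then
        echo "add_vpn_user: '$_user' already present, not overwriting" >&2
        return 1
    fi

    # Same hashing the post uses for the XAuth password file (MD5-crypt).
    command -v openssl >/dev/null 2>&1 || { echo "add_vpn_user: openssl not found" >&2; return 3; }
    _hashed=$(openssl passwd -1 "$_pass") || return 3

    printf '"%s" l2tpd "%s" *\n' "$_user" "$_pass" >> "$_chap"
    printf '%s:%s:xauth-psk\n' "$_user" "$_hashed" >> "$_xauth"
}

# Usage inside the container (default paths), or with explicit paths on copies:
#   add_vpn_user new_user new_passwd
```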

Drop certain connection

Hi. In my case I see that docker exec -it ipsec-vpn-server ipsec whack --trafficstatus outputs a list of connections from 1 user from 1 IP (behind NAT). How can I drop a certain connection using the whack utility without dropping another connection?

help help

I use an iPhone to connect to my IPsec server in Docker. It seems to be a port 500 error.
I have used it for several months and it worked great, but these days I can't connect anymore.
The log shows as below.

The log shows "xauth-psk"[1] 114.84.168.57:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 3570s; lastdpd=-1s(seq in:0 out:0); idle; import:not set and it cannot connect.

Missing vpn-gen.env File?

The command
docker cp ipsec-vpn-server:/opt/src/vpn-gen.env ./
returns
Error response from daemon: Could not find the file /opt/src/vpn-gen.env in container ipsec-vpn-server

Browsing a snapshot of the image, the only file in /opt/src is run.sh

can't connect vpn service

[root@sakura ~]# vi /etc/sysctl.conf
[root@sakura ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
[root@sakura ~]# docker restart ipsec-vpn-server
ipsec-vpn-server
[root@sakura ~]# docker ps | grep ipsec-vpn-server
28a744dcf368        hwdsl2/ipsec-vpn-server   "/run.sh"           3 minutes ago       Up 7 seconds        0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp   ipsec-vpn-server
[root@sakura ~]# docker logs ipsec-vpn-server

Trying to auto discover IPs of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********

Write these down. You'll need them to connect!

Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 28a744dcf368 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received

Trying to auto discover IPs of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********

Write these down. You'll need them to connect!

Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 28a744dcf368 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
[root@sakura ~]# docker exec -it ipsec-vpn-server netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           566/pluto
udp        0      0 172.17.0.2:4500         0.0.0.0:*                           566/pluto
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           1/xl2tpd
udp        0      0 127.0.0.1:500           0.0.0.0:*                           566/pluto
udp        0      0 172.17.0.2:500          0.0.0.0:*                           566/pluto
udp6       0      0 ::1:500                 :::*                                566/pluto
[root@sakura ~]# netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3548/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3472/master
tcp        0      0 ********:22         ********:34916    ESTABLISHED 16477/sshd: root@pt
tcp        0      0 ********:22         ********:37517    ESTABLISHED 20814/sshd: root@pt
tcp        0     36 ********:22         ********:36064    ESTABLISHED 21031/sshd: root@pt
tcp        0      0 ********:22         ********:36563    ESTABLISHED 16887/sshd: root@pt
tcp        0      0 ********:22         ********:34812    ESTABLISHED 20873/sshd: root@pt
tcp6       0      0 :::22                   :::*                    LISTEN      3548/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      3472/master
udp        0      0 172.17.0.1:123          0.0.0.0:*                           451/ntpd
udp        0      0 ********:123        0.0.0.0:*                           451/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           451/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           451/ntpd
udp        0      0 0.0.0.0:14769           0.0.0.0:*                           1024/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1024/dhclient
udp6       0      0 :::51550                :::*                                1024/dhclient
udp6       0      0 fe80::1ced:73ff:fe5:123 :::*                                451/ntpd
udp6       0      0 fe80::42:1dff:fe54::123 :::*                                451/ntpd
udp6       0      0 fe80::5400:ff:fe37::123 :::*                                451/ntpd
udp6       0      0 ********:123 :::*                                451/ntpd
udp6       0      0 ::1:123                 :::*                                451/ntpd
udp6       0      0 :::123                  :::*                                451/ntpd
udp6       0      0 :::4500                 :::*                                24710/docker-proxy
udp6       0      0 :::500                  :::*                                24717/docker-proxy
[root@sakura ~]#

The service seems normal but it still cannot connect.

[root@sakura ~]# docker version
Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64


[root@sakura ~]# uname -a
Linux sakura 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

[root@sakura ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

FATAL ERROR using docker image

Some messages:

pluto[2619]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted

pluto[3576]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted

pluto[3895]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted

pluto[5171]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted

Docker version:

$ docker -v
Docker version 1.12.5, build 7392c3b

Can't connect to VPN Server

I ran Docker the same as in the tutorial but it didn't work!

My System info:

# uname -a && lsb_release -a
Linux Ubuntu-Server 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       denial

After docker logs ipsec-vpn-server I got this error message:

xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 1f3b55fa2a26 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

And there seems to be no af_key in Ubuntu 16.04?
I can't tab-complete modprobe af_key on my server.

Ability to change ports

Hello!

I don't know if it's possible to change ports to allow multiple VPN deployments on the same host.

Does anyone have any clue if it's possible?

How to forward a port to one of the devices

Hello,
I have been using the container you published and would like to ask: I now have a server with this ipsec-vpn-server container deployed, its public IP is, say, a.b.c.d, and a Windows 7 machine is connected to the ipsec-vpn server whose subnet IP is

How do I add multiple users?

How do I add multiple users?
Also,
after installing on CentOS 7: Win7 and Mac both connect successfully.
Android phones have a problem: XAuth PSK mode can connect but has no network, and L2TP/IPsec PSK mode cannot connect.

Improve the default settings

I'll admit I'm no VPN expert, but it seems like the defaults for this VPN could be improved quite a bit.

If nothing else, maybe add a note as to why these ciphers were picked as the defaults?

  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512

Thanks

Internal subnet IP to other container

Hi, sorry for this (stupid) question, but I've been searching for two days for a solution.

I have three containers: your IPsec container (vpn1), an OpenVPN container (vpn2) and one proxy (squid) container.
Now I want to send the traffic from the VPN through the proxy.
But I need the internal VPN IP of the client in the proxy.

With OpenVPN it's OK, I've solved it.
But with IPsec it's not so easy.
So I need the 192.168.43.0/24 IP in the proxy (forwarded-for).

OpenVPN is started with (--network=host).
The proxy is on the default bridge, and IPsec too.

Do you have any idea to solve it? 😃

vpn1 --- \
          | --- squid --- www
vpn2 --- /

P.S.: Thanks for your work, the IPsec setup and the IPsec image are very useful.

Failed in the VPN Authentication "for buggy Apple client"

kernel version: 4.10.0-041000rc3-generic

xl2tpd[1]: Connection established to 112.8.21.1, 51239.  Local: 33444, Remote: 9 (ref=0/0).  LNS session is 'default'
xl2tpd[1]: start_pppd: I'm running: 
xl2tpd[1]: "/usr/sbin/pppd" 
xl2tpd[1]: "passive" 
xl2tpd[1]: "nodetach" 
xl2tpd[1]: "192.168.42.1:192.168.42.10" 
xl2tpd[1]: "refuse-pap" 
xl2tpd[1]: "auth" 
xl2tpd[1]: "require-chap" 
xl2tpd[1]: "name" 
xl2tpd[1]: "l2tpd" 
xl2tpd[1]: "file" 
xl2tpd[1]: "/etc/ppp/options.xl2tpd" 
xl2tpd[1]: "/dev/pts/0" 
xl2tpd[1]: Call established with 112.8.21.1, Local: 33421, Remote: 9552, Serial: 1
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
xl2tpd[1]: control_finish: Connection closed to 112.8.21.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 762
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
xl2tpd[1]: control_finish: Connection closed to 112.8.21.1, port 51239 (), Local: 33444, Remote: 9

exec user process caused "exec format error"

Raspbian Stretch

docker -v

docker run --name ipsec-vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp -v /lib/modules:/lib/modules:ro -d --privileged hwdsl2/ipsec-vpn-server

Can you please help?

How to allow clients to connect to each other?

I've set up a VPN server and now every client is connected to the server. The connections between the clients and the server are perfect, but these clients can't communicate with each other. How do I solve this problem?

Monitor VPN tunnel

Hi,
is there a way to monitor the status of several L2TP channels programmatically?
When several VPN clients are connected to the server, I need to detect in real time when a client loses the VPN connection.
Thanks

whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")

I got this error: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")

When I check whether the server is running, how can I fix this?

More error logs of the docker:

Trying to auto discover IPs of this server...

================================================
IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********

Write these down. You'll need them to connect!

Setup VPN Clients: https://git.io/vpnclients

================================================

modprobe: ERROR: could not insert 'af_key': Exec format error
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
.....
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 87c976415d30 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received

When a phone and a computer on the same LAN connect to the VPN, the one that connected first cannot use the network

  • Phone OS: iOS
  • Computer OS: macOS

Each uses a different VPN account, in Cisco IPsec mode.

Problem: after both devices connect to the VPN at the same time, the device that connected first cannot access the network.

The ipsec connection info is as follows:

006 #23: "xauth-psk"[7] 223.89.65.191, username=user2, type=ESP, add_time=0, inBytes=124148, outBytes=212711, lease=192.168.43.10/32
006 #25: "xauth-psk"[7] 223.89.65.191, username=user, type=ESP, add_time=0, inBytes=664727, outBytes=1446150, lease=192.168.43.10/32

Is this caused by a duplicate IP address being assigned? How should it be resolved?

Thanks!
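An added example, not from the issue thread or the project: a small Python parser for Libreswan `ipsec trafficstatus` session lines like the two `006 #NN:` lines quoted above. It flags a lease handed to more than one session (the duplicate 192.168.43.10/32 seen here) and reports users that disappeared between two polls, which is the kind of programmatic check the "Monitor VPN tunnel" issue asks for; it covers the IPsec SAs (the XAuth sessions shown), not xl2tpd's own L2TP tunnel state, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: the two lines quoted in the issue above, in Libreswan
# `ipsec trafficstatus` format, plus one constructed session with a distinct lease.
SAMPLE_STATUS = """\
006 #23: "xauth-psk"[7] 223.89.65.191, username=user2, type=ESP, add_time=0, inBytes=124148, outBytes=212711, lease=192.168.43.10/32
006 #25: "xauth-psk"[7] 223.89.65.191, username=user, type=ESP, add_time=0, inBytes=664727, outBytes=1446150, lease=192.168.43.10/32
006 #26: "xauth-psk"[8] 198.51.100.7, username=user3, type=ESP, add_time=0, inBytes=10, outBytes=20, lease=192.168.43.11/32
"""

# Prefix: 006 #<sa>: "<conn>"[<instance>] <peer>, followed by comma-separated key=value fields.
LINE_RE = re.compile(r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+),(?P<kv>.*)$')


def parse_trafficstatus(text):
    """Return one dict per SA line: sa, conn, peer plus every key=value field."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an SA line (headers, warnings)
        rec = {"sa": int(m.group("sa")), "conn": m.group("conn"), "peer": m.group("peer")}
        for field in m.group("kv").split(","):
            key, sep, value = field.strip().partition("=")
            if sep:
                rec[key] = value
        sessions.append(rec)
    return sessions


def duplicate_leases(sessions):
    """Map lease -> usernames for any lease handed out to more than one SA."""
    by_lease = defaultdict(list)
    for s in sessions:
        if "lease" in s:
            by_lease[s["lease"]].append(s.get("username", "?"))
    return {lease: users for lease, users in by_lease.items() if len(users) > 1}


def lost_sessions(previous, current):
    """Usernames seen in the previous poll but absent now: the 'client dropped' event."""
    return sorted({s.get("username", "?") for s in previous} - {s.get("username", "?") for s in current})


if __name__ == "__main__":
    # Live use would feed this the output of `docker exec ipsec-vpn-server ipsec trafficstatus`.
    sessions = parse_trafficstatus(SAMPLE_STATUS)
    for lease, users in duplicate_leases(sessions).items():
        print(f"lease {lease} is assigned to several sessions: {', '.join(users)}")
```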
