hwdsl2 / docker-ipsec-vpn-server Goto Github PK
Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Home Page: https://hub.docker.com/r/hwdsl2/ipsec-vpn-server
License: Other
It's caused by the docker instance not supporting MS-CHAPv2, which is a
Adding +mschap-v2 to /etc/ppp/options.l2tpd in run.sh can solve the problem.
I have followed your guide to install this image on my VPS, but I'm getting error 800 on my client machine. I don't know what to do to fix this error.
Ports 500 and 4500 are open on my VPS, but I'm still getting the same error.
host machine:
uname -a && lsb_release -a
Linux vultr.guest 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty
Docker log:
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 47a42351aaa5 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received
docker exec -it ipsec-vpn-server ipsec status:
000 Total IPsec connections: loaded 3, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(31), half-open(0), open(31), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #6: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26760s; nodpd; idle; import:not set
000 #14: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26901s; nodpd; idle; import:not set
000 #17: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27022s; nodpd; idle; import:not set
000 #26: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27171s; nodpd; idle; import:not set
000 #30: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28648s; nodpd; idle; import:not set
000 #21: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27052s; nodpd; idle; import:not set
000 #22: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27156s; nodpd; idle; import:not set
000 #12: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26889s; nodpd; idle; import:not set
000 #9: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26788s; nodpd; idle; import:not set
000 #8: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26772s; nodpd; idle; import:not set
000 #7: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26764s; nodpd; idle; import:not set
000 #31: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28651s; nodpd; idle; import:not set
000 #29: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28647s; nodpd; idle; import:not set
000 #28: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 28646s; nodpd; idle; import:not set
000 #13: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26893s; nodpd; idle; import:not set
000 #18: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27024s; nodpd; idle; import:not set
000 #16: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27020s; nodpd; idle; import:not set
000 #15: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26917s; nodpd; idle; import:not set
000 #4: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26758s; nodpd; idle; import:not set
000 #10: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26885s; nodpd; idle; import:not set
000 #2: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26494s; nodpd; idle; import:not set
000 #24: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27159s; nodpd; idle; import:not set
000 #19: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27028s; nodpd; idle; import:not set
000 #25: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27163s; nodpd; idle; import:not set
000 #5: "l2tp-psk"[1] X.X.X.X:1008 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26758s; nodpd; idle; import:not set
000 #20: "l2tp-psk"[1] X.X.X.X:1006 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27036s; nodpd; idle; import:not set
000 #3: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26495s; nodpd; idle; import:not set
000 #27: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27187s; nodpd; idle; import:not set
000 #23: "l2tp-psk"[1] X.X.X.X:1005 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 27157s; nodpd; idle; import:not set
000 #11: "l2tp-psk"[1] X.X.X.X:1007 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26887s; nodpd; idle; import:not set
000 #1: "l2tp-psk"[1] X.X.X.X:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 26493s; nodpd; idle; import:not set
Hi, I've been using docker-ipsec-vpn-server with a lot of success; there's only one little hiccup. I'm using Android 6.0, so I followed the steps here https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android to change /etc/ipsec.conf (using docker cp).
However, every time I restart the container or my machine, the ipsec.conf file gets reverted back to its original state, and then I have to make the same changes again. I'm not sure whether this is expected behaviour. What's a good way to persist my changes?
Jan 27 02:52:29 06b48c2bd353 pluto[2257]: loading secrets from "/etc/ipsec.secrets"
Jan 27 02:53:11 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #1: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:11 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:14 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #2: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:14 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:18 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #3: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:18 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 27 02:53:21 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #4: responding to Main Mode from unknown peer 220.211.132.209 on port 500
Jan 27 02:53:21 06b48c2bd353 pluto[2257]: "xauth-psk"[1] 220.211.132.209 #4: STATE_MAIN_R1: sent MR1, expecting MI2
I tried to set it up with the script on a DigitalOcean VPS and got the same error log in auth.log.
Hi,
is it possible to force L2TP clients to use XAuth Authentication Method?
Thanks
Hello, the VPN container had been running normally, but a few days ago it suddenly stopped responding. The log is as follows:
Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: responding to Main Mode from unknown peer 115.*.*.* on port 500
Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: WARNING: connection l2tp-psk PSK length of 7 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Feb 17 05:09:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 17 05:09:21 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:09:24 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:09:27 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: retransmitting in response to duplicate packet; already STATE_MAIN_R1
Feb 17 05:10:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: deleting incomplete state after 60.000 seconds
Feb 17 05:10:17 ff44858d3881 pluto[2074]: "l2tp-psk"[1] 115.*.*.* #2: deleting state (STATE_MAIN_R1)
Feb 17 05:10:17 ff44858d3881 pluto[2074]: deleting connection "l2tp-psk"[1] 115.*.*.* instance with peer 115.*.*.* {isakmp=#0/ipsec=#0}
Tested ports 4500 and 500; both are reachable.
4500:
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif (null)
src 192.168.1.2 port 62722
dst *.*.*.* port 4500
rank info not available
Connection to *.*.*.* port 4500 [udp/ipsec-msft] succeeded!
500:
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif (null)
src 192.168.1.2 port 65349
dst *.*.*.* port 500
rank info not available
Connection to *.*.*.* port 500 [udp/isakmp] succeeded!
How should this problem be solved?
I just deployed it on an Alibaba Cloud server in the US West region and connected successfully. But then, all domestic (China) network access works while none of the foreign sites work. What... is going on here?
Hi,
Is it possible to configure the users to have a static IP address subset?
I have many devices to connect to the IPSec VPN server, so I would like to have this feature.
Thanks!
Wing
I was trying to use this container but haven't succeeded yet. One thing I noticed is that the /lib/modules directory does not exist on my Ubuntu 14 EC2 image. Can you explain what that is?
Just stumbled over this repo and noticed the active --privileged flag for the container.
Instead I'd recommend using --cap-add=NET_ADMIN --net=host, which leaves the host less exposed.
docker run --name ipsec-vpn-server --env-file ./vpn.env --restart=always -p 500:500/udp -p 4500:4500/udp -p 1701:1701/udp -v /lib/modules:/lib/modules:ro -d --privileged hwdsl2/ipsec-vpn-server
root@iZ2ze9rt5c8x00a69z163rZ:/vpn# docker logs ipsec-vpn-server -f
Trying to auto discover IP of this server...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 47.93.38.77
IPsec PSK: < >
Username: < >
Password: < >
Write these down. You'll need them to connect!
Important notes: https://git.io/vpnnotes2
Setup VPN clients: https://git.io/vpnclients
================================================
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on c48037a5f890 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
vpn status:
admin@ubuntu:~$ sudo docker exec -it ipsec-vpn-server ipsec whack --trafficstatus
[sudo] password for admin:
006 #20: "l2tp-psk"[5] 113.110.229.42, type=ESP, add_time=0, inBytes=955, outBytes=120, id='192.168.1.108'
Windows 10 OS, cannot visit Google, Facebook and so on.
I'm in China.
After connecting to the VPN (xauth) I am not able to load my local HTTPS websites. I am able to connect to regular HTTP websites located on the docker host, but not HTTPS. While connected to the VPN I am able to ping the docker host with no problems. I have also added exceptions to the firewall on the host for the website port as well as 443 for SSL, with no luck.
I receive the following error: ERR_ADDRESS_UNREACHABLE
I also attempted to use --net=host but receive the error:
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
Is this something that I should change in the Dockerfile or is this a host error?
Hello:
I now need to use CentOS 7 as a client to connect to another Cisco VPN. How should I configure it?
Hi,
I started this docker container on my server. Then, I successfully connected an L2TP client (configured on a MikroTik mAP 2nD router) to the container. Now, the router running the L2TP client has three address ranges (and two physical ethernet ports): one private range (10.0.10.0/24) on the WAN interface that is connected to the horizontal wiring to get the Internet connection, one private range (192.168.88.0/24) on the second ethernet port, and one private address 192.168.42.11 as the VPN client (the VPN server has the 192.168.42.1 address). The VPN endpoints are able to ping each other and the clients on the 192.168.88.0/24 network are able to ping the VPN server endpoint (i.e. 192.168.42.1). Unfortunately, I can't ping the 192.168.88.0/24 network from the VPN server. Do I have to change something in the VPN server configuration, or is this a VPN client issue?
Thanks
Please Help. Thanks.
Linux iZu1na35il8Z 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[admin@iZu1na35il8Z ~]$ sudo docker run hwdsl2/ipsec-vpn-server
VPN credentials not set by user. Generating random PSK and password...
Trying to auto discover IPs of this server...
sysctl: setting key "kernel.msgmnb": Read-only file system
sysctl: setting key "kernel.msgmax": Read-only file system
sysctl: setting key "kernel.shmmax": Read-only file system
sysctl: setting key "kernel.shmall": Read-only file system
sysctl: setting key "net.ipv4.ip_forward": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.default.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts": Read-only file system
sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses": Read-only file system
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)
Hi guys. I've installed the VPN in a docker container behind a NAT. I'm trying to connect to my network and I get some problems with TCP connections from Shrew. Ping works fine, but if I connect through TCP, after a while TCP is broken. From my client I see that packets are going out through the VPN server but not coming back. At the destination host I see a lot of retransmitted packets. Can you help me to solve this issue? P.S. from macOS everything works well, but not from Shrew.
I successfully set up my IPsec server by using your docker image. However I can't connect to it on Linux.
I use vpnc to set up the link. Here is the config file:
IPSec gateway xxx.xxx.xxx.xxx
IPSec ID <group-id>
IPSec secret *******
IKE Authmode psk
Xauth username xxx
Xauth password xxx
What is IPSec ID?
P.S. Typing in English is a hassle; if possible, could you please reply in Chinese?
docker run
--name ipsec-vpn-server
--env-file ./vpn.env
-p 500:500/udp
-p 4500:4500/udp
-v /lib/modules:/lib/modules:ro
-d --privileged
hwdsl2/ipsec-vpn-server
modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.5.5-x86_64-linode69/modules.dep.bin'
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 6538e2d25626 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
docker: Error response from daemon: driver failed programming external connectivity on endpoint ipsec-vpn-server (87fb4aaf354e190bb59ecb3f5874d9be47b57ced728ebe6958784d92d8f70199): iptables failed: iptables --wait -t nat -A DOCKER -p udp -d 0/0 --dport 4500 -j DNAT --to-destination 172.17.0.2:4500 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).
CentOS Linux release 7.2.1511 (Core)
After running it the log looks normal, but the client cannot connect. netstat shows the connection is established over IPv6. Is this normal??
Originally posted by @cncolder:
/opt/src/run.sh will rewrite /etc/ipsec.conf after restarting docker. I must edit it every time.
I think it's good to move it from troubleshooting into /opt/src/run.sh.
I set up -v ./ipsec.conf:/etc/ipsec.conf now. But I found there are some dynamic IP addresses in the gen script.
Hi mate,
I use Debian 8 (jessie) amd64, kernel 4.1.5-x86_64-linode61, and can't modprobe af_key:
modprobe af_key
modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.1.5-x86_64-linode61/modules.dep.bin'
Do you know how to add this? Or maybe I need to rebuild the kernel and enable IPsec?
Thanks.
birkhoff@bhs01:~$ sudo modprobe af_key
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.9.13-mod-std-ipv6-64/modules.builtin.bin'
modprobe: FATAL: Module af_key not found in directory /lib/modules/4.9.13-mod-std-ipv6-64
I didn't check "Install original kernel" while installing the system. Will that be a problem?
I am trying to run this docker image on my Raspberry Pi 3 running Raspbian Pixel. The container seems like it is constantly restarting and not actually running. I am not sure if this is specific to the raspberry pi because I have run this docker image on other machines with no issues at all.
In order to support multiple accounts, I had to customize the CMD (run.sh) script, either to allow the specification of multiple users or to add a check whether there are already accounts in /etc/ppp/chap-secrets and /etc/ipsec.d/passwd before overwriting them, so I could mount them as volumes and fill them with users using something similar to:
docker-compose exec vpn bash
# inside the container: add one user for L2TP/IPsec (pppd CHAP) and for XAuth
VPN_USER='new_user'
VPN_PASSWORD='new_passwd'
# pppd reads CHAP credentials in plain text; "l2tpd" is the server name from options.xl2tpd
cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF
# XAuth credentials are stored as an MD5-crypt hash, tied to the xauth-psk connection
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
Is not supporting multiple users a design decision, or would merge requests be accepted if they do not complicate things for a default setup?
Hi. In my case I see that docker exec -it ipsec-vpn-server ipsec whack --trafficstatus outputs a list of connections from 1 user from 1 IP (behind NAT). How can I drop a certain connection using the whack utility without dropping another connection?
I use an iPhone to connect to my IPsec server in Docker. It seems to be a port 500 error.
I have used it for several months and it worked great, but these days I can't connect anymore.
The log shows as below.
The log shows "xauth-psk"[1] 114.84.168.57:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_SA_EXPIRE in 3570s; lastdpd=-1s(seq in:0 out:0); idle; import:not set and I cannot connect.
The command docker cp ipsec-vpn-server:/opt/src/vpn-gen.env ./ returns:
Error response from daemon: Could not find the file /opt/src/vpn-gen.env in container ipsec-vpn-server
Browsing a snapshot of the image, the only file in /opt/src is run.sh.
[root@sakura ~]# vi /etc/sysctl.conf
[root@sakura ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
[root@sakura ~]# docker restart ipsec-vpn-server
ipsec-vpn-server
[root@sakura ~]# docker ps | grep ipsec-vpn-server
28a744dcf368 hwdsl2/ipsec-vpn-server "/run.sh" 3 minutes ago Up 7 seconds 0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp ipsec-vpn-server
[root@sakura ~]# docker logs ipsec-vpn-server
Trying to auto discover IPs of this server...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********
Write these down. You'll need them to connect!
Setup VPN clients: https://git.io/vpnclients
================================================
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 28a744dcf368 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received
Trying to auto discover IPs of this server...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********
Write these down. You'll need them to connect!
Setup VPN clients: https://git.io/vpnclients
================================================
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 28a744dcf368 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
[root@sakura ~]# docker exec -it ipsec-vpn-server netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:4500 0.0.0.0:* 566/pluto
udp 0 0 172.17.0.2:4500 0.0.0.0:* 566/pluto
udp 0 0 0.0.0.0:1701 0.0.0.0:* 1/xl2tpd
udp 0 0 127.0.0.1:500 0.0.0.0:* 566/pluto
udp 0 0 172.17.0.2:500 0.0.0.0:* 566/pluto
udp6 0 0 ::1:500 :::* 566/pluto
[root@sakura ~]# netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3548/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3472/master
tcp 0 0 ********:22 ********:34916 ESTABLISHED 16477/sshd: root@pt
tcp 0 0 ********:22 ********:37517 ESTABLISHED 20814/sshd: root@pt
tcp 0 36 ********:22 ********:36064 ESTABLISHED 21031/sshd: root@pt
tcp 0 0 ********:22 ********:36563 ESTABLISHED 16887/sshd: root@pt
tcp 0 0 ********:22 ********:34812 ESTABLISHED 20873/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 3548/sshd
tcp6 0 0 ::1:25 :::* LISTEN 3472/master
udp 0 0 172.17.0.1:123 0.0.0.0:* 451/ntpd
udp 0 0 ********:123 0.0.0.0:* 451/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 451/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 451/ntpd
udp 0 0 0.0.0.0:14769 0.0.0.0:* 1024/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 1024/dhclient
udp6 0 0 :::51550 :::* 1024/dhclient
udp6 0 0 fe80::1ced:73ff:fe5:123 :::* 451/ntpd
udp6 0 0 fe80::42:1dff:fe54::123 :::* 451/ntpd
udp6 0 0 fe80::5400:ff:fe37::123 :::* 451/ntpd
udp6 0 0 ********:123 :::* 451/ntpd
udp6 0 0 ::1:123 :::* 451/ntpd
udp6 0 0 :::123 :::* 451/ntpd
udp6 0 0 :::4500 :::* 24710/docker-proxy
udp6 0 0 :::500 :::* 24717/docker-proxy
[root@sakura ~]#
The service seems normal but I still cannot connect.
[root@sakura ~]# docker version
Client:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built:
OS/Arch: linux/amd64
Server:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built:
OS/Arch: linux/amd64
[root@sakura ~]# uname -a
Linux sakura 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@sakura ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
Some messages:
pluto[2619]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted
pluto[3576]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted
pluto[3895]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted
pluto[5171]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel was not compiled with CONFIG_XFRM. Errno 1: Operation not permitted
Docker version:
$ docker -v
Docker version 1.12.5, build 7392c3b
I built the vpn-server with Docker on a Raspberry Pi and it cannot run; on an Intel core it runs fine. Please tell me what needs to be changed.
I ran the docker container the same way as in the tutorial but it didn't work!
My System info:
# uname -a && lsb_release -a
Linux Ubuntu-Server 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: denial
After docker logs ipsec-vpn-server I got this error message:
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 1f3b55fa2a26 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
And there seems to be no af_key in Ubuntu 16.04? I can't tab-complete modprobe af_key on my server.
As the title says, I want to let multiple people use my IPsec VPN. How do I create multiple users? Thanks.
Hello!
I don't know if it's possible to change ports to allow multiple VPN deployments on the same host.
Does anyone have any clue whether it's possible?
This binary does not support kernel L2TP.
Hello,
I have been using the container you published and would like to ask: I have a server with this ipsec-vpn-server container deployed, with public IP address a.b.c.d, say. A Windows 7 machine is now connected to the ipsec-vpn server, and its subnet IP is
Is it possible to define the IP range in the env file?
I looked at the configuration file generated by Docker; it seems to only fill in the server's pre-shared key and the server address.
So can I configure a service suitable for iOS and macOS connections directly on a physical machine without using Docker?
It keeps saying the server is not responding,
and I also configured the files according to instructions online,
but still cannot connect. What is going on here?
How do I add multiple users?
Also,
after installing on CentOS 7: Windows 7 and Mac both connect successfully.
Android phones have problems: XAuth PSK mode can connect but has no network; L2TP/IPsec PSK mode cannot connect.
docker logs l2tp-server
Network interface 'eth0' is not available. Aborting.
I'll admit I'm no VPN expert, but it seems like the defaults for this VPN could be improved quite a bit.
If nothing else, maybe add a note as to why these ciphers were picked as the defaults?
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
Thanks
Hi, sorry for this (stupid) question, but I've been searching for two days for a solution.
I have three containers: your IPsec container (vpn1), an OpenVPN container (vpn2) and one proxy (squid) container.
Now I want to send the traffic from the VPN through the proxy.
But I need the internal VPN IP of the client in the proxy.
With OpenVPN it's OK, I've solved it.
But with IPsec it's not so easy.
So I need the 192.168.43.0/24 IP in the proxy (forwarded-for).
OpenVPN is started with --network=host.
The proxy is on the default bridge and IPsec too.
Do you have any idea how to solve it? 😃
vpn1 --- \
vpn2 --- /
P.S.: Thanks for your work, the IPsec setup and the IPsec image are very useful.
kernel version: 4.10.0-041000rc3-generic
xl2tpd[1]: Connection established to 112.8.21.1, 51239. Local: 33444, Remote: 9 (ref=0/0). LNS session is 'default'
xl2tpd[1]: start_pppd: I'm running:
xl2tpd[1]: "/usr/sbin/pppd"
xl2tpd[1]: "passive"
xl2tpd[1]: "nodetach"
xl2tpd[1]: "192.168.42.1:192.168.42.10"
xl2tpd[1]: "refuse-pap"
xl2tpd[1]: "auth"
xl2tpd[1]: "require-chap"
xl2tpd[1]: "name"
xl2tpd[1]: "l2tpd"
xl2tpd[1]: "file"
xl2tpd[1]: "/etc/ppp/options.xl2tpd"
xl2tpd[1]: "/dev/pts/0"
xl2tpd[1]: Call established with 112.8.21.1, Local: 33421, Remote: 9552, Serial: 1
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
xl2tpd[1]: control_finish: Connection closed to 112.8.21.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 762
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
xl2tpd[1]: control_finish: Connection closed to 112.8.21.1, port 51239 (), Local: 33444, Remote: 9
I've set up a VPN server and now every client is connected to the server. The connections between clients and the server are perfect, but these clients can't communicate with each other. How do I solve this problem?
I have already turned off the Windows 7 firewall; the HiWiFi router I'm using has no option to turn off its firewall. How can I get this to succeed? Do I need to open some port?
Hi,
is there a way to monitor the status of several L2TP channels programmatically?
When several VPN clients are connected to the server, I need to detect in real-time when a client lost the VPN connection.
Thanks
I got this error when I check if the server is running: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
How can I fix this?
More error logs from the docker container:
Trying to auto discover IPs of this server...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********
Write these down. You'll need them to connect!
Setup VPN Clients: https://git.io/vpnclients
================================================
modprobe: ERROR: could not insert 'af_key': Exec format error
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
.....
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on 87c976415d30 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received
Two devices use different VPN accounts in Cisco IPsec mode.
Problem: after both devices connect to the VPN at the same time, the first connected device can no longer access the network.
The ipsec connection information is as follows:
006 #23: "xauth-psk"[7] 223.89.65.191, username=user2, type=ESP, add_time=0, inBytes=124148, outBytes=212711, lease=192.168.43.10/32
006 #25: "xauth-psk"[7] 223.89.65.191, username=user, type=ESP, add_time=0, inBytes=664727, outBytes=1446150, lease=192.168.43.10/32
Is this caused by a duplicate IP address being assigned? How should it be solved?
Thanks!
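A small monitoring helper, added here as an example and not part of the project or of any post above, that parses the ipsec whack --trafficstatus lines quoted in this thread and the earlier ones (the per-user connection list, the question on detecting lost clients, the duplicate lease above) and flags duplicate leases and dropped clients. The sample status text is constructed from the quoted format with documentation-range peer addresses; IPv4 peers only.

```python
"""Parse `ipsec whack --trafficstatus` output from Libreswan and check it.

Two checks a VPN operator wants from this output:
  * duplicate_leases(): two tunnels holding the same lease=... address,
    the symptom reported above (first device loses connectivity);
  * dropped_clients(): users present in an earlier snapshot but absent
    from a later one, i.e. a client whose tunnel went away.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the format quoted in this thread (not real clients).
SAMPLE_STATUS = """\
006 #20: "l2tp-psk"[5] 203.0.113.42, type=ESP, add_time=0, inBytes=955, outBytes=120, id='192.168.1.108'
006 #23: "xauth-psk"[7] 198.51.100.9, username=user2, type=ESP, add_time=0, inBytes=124148, outBytes=212711, lease=192.168.43.10/32
006 #25: "xauth-psk"[7] 198.51.100.9, username=user, type=ESP, add_time=0, inBytes=664727, outBytes=1446150, lease=192.168.43.10/32
006 #31: "xauth-psk"[8] 203.0.113.77, username=user3, type=ESP, add_time=0, inBytes=10, outBytes=20, lease=192.168.43.11/32
"""

# 006 #<state>: "<conn>"[<instance>] <peer-ipv4>[:<port>], key=value, ...
_HEAD = re.compile(
    r'^006 #(?P<state>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?,(?P<rest>.*)$'
)


@dataclass
class Tunnel:
    state: int          # Libreswan state number (#20, #23, ...)
    conn: str           # connection name: l2tp-psk or xauth-psk
    peer: str           # public address of the client
    attrs: dict = field(default_factory=dict)

    @property
    def user(self):
        # XAuth tunnels carry username=...; L2TP tunnels only the IKE id='...'
        return self.attrs.get("username") or self.attrs.get("id")


def parse_trafficstatus(text):
    """Return one Tunnel per '006 #N:' line; other whack output is skipped."""
    tunnels = []
    for line in text.splitlines():
        m = _HEAD.match(line.strip())
        if not m:
            continue
        attrs = {}
        for kv in m.group("rest").split(","):
            kv = kv.strip()
            if "=" not in kv:
                continue
            key, value = kv.split("=", 1)
            attrs[key] = value.strip("'")      # id='...' is quoted
        tunnels.append(Tunnel(int(m.group("state")), m.group("conn"),
                              m.group("peer"), attrs))
    return tunnels


def duplicate_leases(tunnels):
    """Map each lease held by more than one tunnel to the users holding it."""
    holders = defaultdict(list)
    for t in tunnels:
        lease = t.attrs.get("lease")
        if lease:
            holders[lease].append(t.user)
    return {lease: users for lease, users in holders.items() if len(users) > 1}


def dropped_clients(previous, current):
    """Users seen in the previous snapshot but missing from the current one.

    Keyed on (connection, user) rather than the state number, because the
    state number changes on every rekey while the client stays connected.
    """
    now = {(t.conn, t.user) for t in current}
    gone = {(t.conn, t.user) for t in previous} - now
    return sorted(user for _, user in gone)


if __name__ == "__main__":
    snapshot = parse_trafficstatus(SAMPLE_STATUS)
    print("duplicate leases:", duplicate_leases(snapshot))
    later = parse_trafficstatus("\n".join(SAMPLE_STATUS.splitlines()[:2]))
    print("dropped clients:", dropped_clients(snapshot, later))
```

In production the snapshots come from docker exec ipsec-vpn-server ipsec whack --trafficstatus run at an interval; a non-empty result from either check is the event to alert on.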