[GH-ISSUE #245] After updating the Docker host OS, re-running the container fails with a setup_half_ipsec_sa() hit fail error #227

Closed
opened 2026-03-02 08:00:38 +03:00 by kerem · 1 comment

Originally created by @SuperCatss on GitHub (Jul 9, 2021).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/245

Environment: Docker container on OpenWrt; kernel version Linux OpenWrt 5.4.124 #0 SMP Sat Jun 12 13:35:17 2021 x86_64 GNU/Linux

It had been running smoothly for a year before this. Yesterday I updated the system and recreated the container with the original docker run sh file, and my phone could no longer connect. Following the documentation, I enabled logging. The log is as follows:

Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: responding to Main Mode from unknown peer 101.206.*.*:15959
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: sent Main Mode R1
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: sent Main Mode R2
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: Peer ID is ID_IPV4_ADDR: '10.229.*.*'
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.* #3: switched from "xauth-psk"[3] 101.206.*.* to "xauth-psk"
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[3] 101.206.*.*: deleting connection instance with peer 101.206.167.188 {isakmp=#0/ipsec=#0}
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: Peer ID is ID_IPV4_ADDR: '10.229.196.249'
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: password file authentication method requested to authenticate user 'admin'
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: password file (/etc/ipsec.d/passwd) open.
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: success user(admin:xauth-psk) 
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: User admin: Authentication Successful
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: XAUTH: xauth_inR1(STF_OK)
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: modecfg_inR0(STF_OK)
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #3: the peer proposed: 0.0.0.0/0 -<all>-> 192.168.43.10/32
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #4: responding to Quick Mode proposal {msgid:a6847c28}
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #4:     us: 0.0.0.0/0===172.18.0.2[23.95.18.26,MS+XS+S=C]  them: 101.206.*.*[10.229.*.*,+MC+XC+S=C]===192.168.43.10/32
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #4: ERROR: netlink response for Add SA esp.ce9312ab@101.206.*.* included errno 2: No such file or directory
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #4: setup_half_ipsec_sa() hit fail:
Jul  9 06:14:11 ipsec-server pluto[1715]: | failed to install outgoing SA: 0
Jul  9 06:14:11 ipsec-server pluto[1715]: "xauth-psk"[4] 101.206.*.* #4: state transition function for STATE_QUICK_R0 had internal error

Here is the docker logs output:

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: ip
IPsec PSK: ipsec
Username: use1
Password: psd1

Additional VPN users (username | password):
user2 | psd2

Write these down. You'll need them to connect!

Important notes:   https://git.io/vpnnotes2
Setup VPN clients: https://git.io/vpnclients
IKEv2 guide:       https://git.io/ikev2docker

================================================

xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: Using l2tp kernel support.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.12 started on ipsec-server PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

Here is the docker run sh file:

docker run \
    --name ipsec-vpn-server-test \
    --hostname=ipsec-server \
    --restart=always \
    --network=dnsnetwork \
    -v $(pwd)/ipsec.env:/opt/src/vpn.env:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --cap-add=NET_ADMIN \
    --device=/dev/ppp \
    --sysctl net.ipv4.ip_forward=1 \
    --sysctl net.ipv4.conf.all.accept_redirects=0 \
    --sysctl net.ipv4.conf.all.send_redirects=0 \
    --sysctl net.ipv4.conf.all.rp_filter=0 \
    --sysctl net.ipv4.conf.default.accept_redirects=0 \
    --sysctl net.ipv4.conf.default.send_redirects=0 \
    --sysctl net.ipv4.conf.default.rp_filter=0 \
    --sysctl net.ipv4.conf.eth0.send_redirects=0 \
    --sysctl net.ipv4.conf.eth0.rp_filter=0 \
    hwdsl2/ipsec-vpn-server

Before opening this issue I searched the related material. In the author's 2017 GitHub issue it is mentioned that No such file or directory is caused by the VPS kernel lacking specific modules, but the user who raised that issue had installed on a VPS, whereas I am running in Docker, so I am not sure whether the two cases share the same cause.
I also checked the image update time on Docker Hub (https://hub.docker.com/r/hwdsl2/ipsec-vpn-server); the latest update was on 21/7/8, and I am not sure whether this problem is caused by the new image update. If possible, please give me some advice. Thanks.

kerem closed this issue 2026-03-02 08:00:38 +03:00

@hwdsl2 commented on GitHub (Jul 10, 2021):

@SuperCatss Hello! This error should be caused by the new OpenWRT system kernel lacking specific modules that the VPN needs. Please see [1] (you mentioned this issue in your description). Also, [2] describes some ways of finding out which module is missing.

As for a solution, you may need to check the OpenWRT documentation, or ask in the relevant community.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/issues/102
[2] https://digitalenginesoftware.com/blog/archives/67-Troubleshooting-OpenSwan-with-NETKEY
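As an added example (not code from the issue or the hwdsl2 project), a POSIX sh checker in the spirit of [2]: given the text of /proc/crypto and /proc/modules from the Docker host, it reports whether the algorithms negotiated in the log above (cbc(aes) for AES_CBC_256, hmac(sha256) for HMAC_SHA2_256) and the XFRM/ESP kernel modules are present. The module names xfrm_user and esp4 and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example: check whether the kernel exposes what pluto needs to install
# the ESP SA from the log above (cipher=AES_CBC_256, integ=HMAC_SHA2_256).
# Module names and sample file contents below are assumptions, not from the issue.

# Constructed sample of /proc/crypto: both algorithms present.
SAMPLE_CRYPTO='name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel'

# Constructed sample of /proc/modules: xfrm_user loaded, esp4 absent.
SAMPLE_MODULES='xfrm_user 40960 1 - Live 0x0000000000000000
af_key 36864 0 - Live 0x0000000000000000'

REQUIRED_ALGS='cbc(aes) hmac(sha256)'
REQUIRED_MODS='xfrm_user esp4'   # assumed module names for XFRM netlink + IPv4 ESP

# has_alg TEXT NAME: exit 0 if NAME appears as a "name :" entry in /proc/crypto TEXT
has_alg() {
  printf '%s\n' "$1" | awk -F' *: *' -v want="$2" '$1 == "name" && $2 == want { ok = 1 } END { exit !ok }'
}

# has_mod TEXT NAME: exit 0 if NAME is the first field of a /proc/modules line in TEXT
has_mod() {
  printf '%s\n' "$1" | awk -v want="$2" '$1 == want { ok = 1 } END { exit !ok }'
}

# missing_items CHECK TEXT NAMES: print the space-separated NAMES for which CHECK fails
missing_items() {
  missing=""
  for name in $3; do
    "$1" "$2" "$name" || missing="$missing $name"
  done
  printf '%s' "${missing# }"
}

# report CRYPTO_TEXT MODULES_TEXT: print what is missing; exit 0 only if nothing is
report() {
  algs=$(missing_items has_alg "$1" "$REQUIRED_ALGS")
  mods=$(missing_items has_mod "$2" "$REQUIRED_MODS")
  [ -z "$algs" ] || echo "crypto algorithms not in /proc/crypto: $algs"
  [ -z "$mods" ] || echo "modules not in /proc/modules (not built, or built-in): $mods"
  [ -z "$algs$mods" ]
}

# Run against the constructed samples; on the real host pass "$(cat /proc/crypto)" "$(cat /proc/modules)".
if report "$SAMPLE_CRYPTO" "$SAMPLE_MODULES"; then echo "kernel looks complete"; else echo "check the kmod packages for the items above"; fi
```

A module absent from /proc/modules may also be compiled into the kernel, so treat that line as a pointer to what to verify with the OpenWrt kmod packages rather than proof of absence.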
