[GH-ISSUE #260] IKEv2 clients don't connect when VPN_PUBLIC_IP is specified #241

Closed
opened 2026-03-02 08:00:44 +03:00 by kerem · 4 comments

Originally created by @mkyrilov on GitHub (Oct 13, 2021).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/260

Checklist

  • [x] I read the README
  • [x] I read the Important notes
  • [x] I followed instructions to configure VPN clients
  • [x] I checked Troubleshooting, enabled logs and checked VPN status
  • [x] I searched existing Issues
  • [ ] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself <--- (probably)

Describe the issue
I was looking to specify the server IP address. This doesn't seem to be anywhere in the docs. However I did find an issue with a solution; specify the VPN_PUBLIC_IP environment variable. This gets the job done, and IPsec and L2TP work fine. However the default client for IKEv2, "vpnclient", does not work. It's not able to connect. Using the helper script to create another client yields the same result; unable to connect.

To resolve this issue I used the helper script:

  • 5) Remove IKEv2
  • then setup again, essentially with the same details

Clients created after this are able to connect.

To Reproduce
Steps to reproduce the behavior:

$ docker run \
  --name ipsec-vpn-server \
  -v ~/Downloads/ikev2-vpn-data:/etc/ipsec.d \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -d --privileged \
  -e VPN_PUBLIC_IP=192.168.1.61 \
  hwdsl2/ipsec-vpn-server

192.168.1.61 is my computer's local IP address. You will have to specify your own when testing.

Expected behavior
I expect the IKEv2 server and clients to be created with the correct configuration when using the environment variables to control configuration.

Logs
Enable logs, check VPN status, and add error logs to help explain the problem, if applicable.

Server (please complete the following information)

  • Docker host OS: macOS 11.6 + Docker Desktop 4.0.1
  • Hosting provider (if applicable): [e.g. GCP, AWS]

Client (please complete the following information)

  • Device: iPhone 12 Pro
  • OS: iOS 15.0.2
  • VPN mode: IKEv2

Additional context

kerem closed this issue 2026-03-02 08:00:44 +03:00

@hwdsl2 commented on GitHub (Oct 14, 2021):

@mkyrilov Thank you for the bug report. Similar to VPN_DNS_NAME and VPN_CLIENT_NAME, the VPN_PUBLIC_IP variable is only effective if it was specified when creating the Docker container for the first time. During this first creation, IKEv2 setup runs, and the public IP is written to the generated VPN server certificate. This cannot be changed even if you specify VPN_PUBLIC_IP later, because IKEv2 is already set up.

Therefore this is not actually a bug. Make sure to specify this variable the first time you create the Docker container, or alternatively, delete the mounted Docker volume (which will remove all VPN data!) or remove IKEv2 and set it up again.

You're right that the VPN_PUBLIC_IP variable is currently not documented. This is mainly because using this variable has some issues: While you can specify an IP using this, Libreswan on the VPN server does not have control of which "outgoing IP" will be used when a client's connection is active. For example, if your server has IPs 192.0.2.0 and 192.0.2.1, and you specify 192.0.2.1 as the VPN_PUBLIC_IP. In this case, while VPN clients are connected to 192.0.2.1, the outgoing IP that a VPN client "shows" (e.g. search "my ip" on Google) may be either of these IPs, depending on the routing configuration of the VPN server.

On a related note, for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, you don't have to use this variable. VPN clients can connect to a different public IP on the VPN server without additional configuration. However, the "outgoing IP" issue still remains, as mentioned above.

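Two things in the thread are worth checking mechanically before and after a first `docker run`: whether the mounted data volume is really empty (otherwise IKEv2 setup does not run again and VPN_PUBLIC_IP is silently ignored), and whether the generated IKEv2 server certificate actually carries the IP that clients will dial in its subjectAltName (a client that connects to an IP the certificate does not list will reject the server identity). The script below is an added example for the reproduction command in the issue body and for the maintainer's explanation above; it is not part of the hwdsl2/docker-ipsec-vpn-server project. The function names are hypothetical, it only needs openssl, and the self-signed certificate it builds is a constructed stand-in for the real server certificate, which lives in the volume mounted at /etc/ipsec.d.

```shell
#!/bin/sh
# Added example, not part of the hwdsl2/docker-ipsec-vpn-server project.
# Pre-flight checks for the two facts from the thread:
#  1. VPN_PUBLIC_IP is only honoured when the data volume is created for the
#     first time (IKEv2 setup runs once), so inspect the volume before `docker run`.
#  2. The IP is written into the IKEv2 server certificate, so after setup verify
#     that the certificate's subjectAltName lists the IP clients will connect to.
# Function names and the test fixture are hypothetical; only openssl is required.

# volume_is_fresh DIR
#   Returns 0 if DIR is missing or empty (IKEv2 setup will run and VPN_PUBLIC_IP
#   will take effect), 1 if it already holds VPN data from an earlier container.
volume_is_fresh() {
  [ ! -d "$1" ] || [ -z "$(ls -A "$1")" ]
}

# cert_san_ips CERT_PEM
#   Prints every IP address listed in the certificate's subjectAltName, one per line.
#   `openssl x509 -ext` prints e.g. "    IP Address:192.168.1.61, DNS:vpn.example".
cert_san_ips() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*IP Address:\([0-9A-Fa-f.:]*\).*/\1/p'
}

# check_public_ip CERT_PEM EXPECTED_IP
#   Returns 0 if EXPECTED_IP is among the SAN IPs, 1 otherwise.
check_public_ip() {
  cert_san_ips "$1" | grep -qx "$2"
}

# make_test_cert OUT_PEM IP
#   Constructed fixture: a throwaway self-signed certificate carrying IP in its
#   SAN, standing in for the server certificate the IKEv2 setup generates.
make_test_cert() {
  _key=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_key" -out "$1" -days 1 \
    -subj "/CN=vpn-test" -addext "subjectAltName=IP:$2" >/dev/null 2>&1
  _rc=$?
  rm -f "$_key"
  return $_rc
}

# demo: walk through both checks against a temporary directory (constructed data,
# not a real volume). Run as `sh check-vpn-ip.sh demo`.
demo() {
  d=$(mktemp -d)
  volume_is_fresh "$d" && echo "volume is fresh: VPN_PUBLIC_IP will be applied"
  make_test_cert "$d/server.pem" 192.168.1.61
  volume_is_fresh "$d" || echo "volume already holds data: VPN_PUBLIC_IP is ignored"
  check_public_ip "$d/server.pem" 192.168.1.61 && echo "SAN lists 192.168.1.61"
  check_public_ip "$d/server.pem" 192.168.1.193 || echo "SAN does not list 192.168.1.193"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Against a real deployment, point `check_public_ip` at the server certificate inside the mounted volume and pass the same value you gave to VPN_PUBLIC_IP; a mismatch there explains an IKEv2 client that is "unable to connect" without any change to the client profile. Note that this only covers which IP clients authenticate; as the maintainer points out, the outgoing IP seen by clients is still decided by the server's routing table.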

@mkyrilov commented on GitHub (Oct 14, 2021):

@hwdsl2 Thank you for the detailed response. I just want to clarify that the issue I described is experienced on the initial creation. That is, I start a new container with this command:

$ docker run \
  --name ipsec-vpn-server \
  -v ~/Downloads/ikev2-vpn-data:/etc/ipsec.d \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -d --privileged \
  -e VPN_PUBLIC_IP=192.168.1.61 \
  hwdsl2/ipsec-vpn-server

I also make sure that I delete the ~/Downloads/ikev2-vpn-data directory before I start the container.

The resulting default IKEv2 client, vpnclient, does not connect.


@hwdsl2 commented on GitHub (Oct 15, 2021):

@mkyrilov Thanks for the update. I tested on a Linux server (Debian 11 with Docker) using the command in your comment above, and wasn't able to reproduce this issue. The generated IKEv2 server certificate and client configuration all contain the correct IP 192.168.1.61, as expected.

In addition, I looked at both the IKEv2 setup script and run.sh, but didn't see any obvious issues when specifying VPN_PUBLIC_IP. Perhaps this issue is specific to Docker on macOS. If you have any additional findings, please share.


@mkyrilov commented on GitHub (Oct 15, 2021):

@hwdsl2 I did some testing too. I created a Linux VM with Ubuntu Server 20.04, installed docker, and ran this command:

$ sudo docker run \
  --name ipsec-vpn-server \
  -v /home/mike/ikev2-vpn-data:/etc/ipsec.d \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -d --privileged \
  -e VPN_PUBLIC_IP=192.168.1.193 \
  hwdsl2/ipsec-vpn-server

and the IKEv2 clients work the first time as expected. So like you point out, this probably is a Docker for Mac issue.

Thank you for taking the time to look into this, I appreciate it.
