[GH-ISSUE #274] The L2TP service starts, but clients cannot connect; could someone point me in the right direction #257

Closed
opened 2026-03-02 08:00:50 +03:00 by kerem · 7 comments

Originally created by @vincent1394 on GitHub (Jan 17, 2022).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/274

Describe the issue
A clear and concise description of what the bug is.
The client cannot connect. On another machine it works, but on this machine it cannot connect no matter what, and I have not been able to find the problem. Could someone help me figure it out?
1. The network the server sits on also has UDP and TCP 500, 4500 and 1701 opened.
2. I checked carefully; the ports are all open.
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:1701 0.0.0.0:*
udp 0 0 0.0.0.0:8443 0.0.0.0:*
udp 0 0 0.0.0.0:4500 0.0.0.0:*
udp 0 0 0.0.0.0:500 0.0.0.0:*
udp6 0 0 :::1701 :::*
udp6 0 0 :::8443 :::*
udp6 0 0 :::4500 :::*
udp6 0 0 :::500 :::*
3. And the firewall has the ports open too.
[root@bio-scripts ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1701
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443

Log: docker exec -it ipsec-vpn-server tail -f /var/log/auth.log
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.218.0/24 0.0.0.0/0
ACCEPT all -- 192.168.42.0/24 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

```
2022-01-17T09:30:17.318533+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: responding to Main Mode from unknown peer 172.17.0.1:36740
2022-01-17T09:30:17.319282+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: sent Main Mode R1
2022-01-17T09:30:17.526572+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: sent Main Mode R2
2022-01-17T09:30:18.027878+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
2022-01-17T09:30:18.528735+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
2022-01-17T09:30:19.530087+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
2022-01-17T09:30:21.532429+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
2022-01-17T09:30:25.536773+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
2022-01-17T09:30:33.541546+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
2022-01-17T09:30:49.542168+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 32 seconds for response
```

Client (please complete the following information)

  • Device: iPhone 12 Pro
  • VPN mode: L2TP. This uses L2TP because it needs to be integrated on a router. The ocserv I installed myself works fine.
  • OS: CentOS 8.2

Additional context
I searched and many articles say it is a routing rule problem, but I have never found the cause or a fix.
The configuration is all default as generated, nothing adjusted; I also tried leftid and so on before, and none of it worked.
kerem closed this issue 2026-03-02 08:00:50 +03:00

@hwdsl2 commented on GitHub (Jan 17, 2022):

@vincent1394 Hi! Your question concerns the Docker image, so I moved it to #274. First, the IPTables on your Docker host does not need to open ports 1701, 500 and 4500. When the Docker container starts, Docker automatically adds the corresponding IPTables forwarding rules to open the ports. Only the two UDP ports 500 and 4500 are needed for the VPN to work.

On this Docker host, the output of your `iptables -L -n` command does not show any Docker-related rules. To fix this, you may need to back up and then reinstall Docker on the host.

Your log shows `retransmission`, which may mean there is a network problem between the VPN server and the client, not necessarily that the ports are not open. Also, this Docker image does not support L2TP mode without IPsec encryption, because in that mode the data is not encrypted at all. Many routers only support that mode, so it is normal that those routers cannot connect.

If you have more information, you can keep replying here.


@vincent1394 commented on GitHub (Jan 18, 2022):

Hello. I did not expose Docker directly; the ports are mapped from the VPS host to the Docker container. On other machines I just start Docker and can connect.
I had tried installing directly on the VPS host with the script and got the same error, so I switched to Docker, and the error is exactly the same. Which log do you need? I will start it up on the host again and post the log here.
Routers that support encryption can connect.


@vincent1394 commented on GitHub (Jan 18, 2022):

This is the log from the install on the host; it is the same. Below are some logs I found; could someone take a look and see if there are any leads?
Jan 18 14:10:05 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:09 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:13 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:18 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX:500
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: sent Main Mode R1
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: sent Main Mode R2
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Jan 18 14:10:30 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
Jan 18 14:10:31 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
Jan 18 14:10:32 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: STATE_MAIN_R2: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
Jan 18 14:10:32 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: deleting state (STATE_MAIN_R2) aged 64.082034s and NOT sending notification
Jan 18 14:10:33 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
Jan 18 14:10:37 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
Jan 18 14:10:45 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
Jan 18 14:10:47 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:51 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: discarding initial packet; already STATE_MAIN_R2

Anyway, it still cannot connect.
[root@bio-scripts log]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 4.6 (XFRM) on 4.18.0-348.7.1.el8_5.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
[root@bio-scripts log]# ps aux | grep l2tp
root 33458 0.0 0.0 15876 1824 ? Ss 10:29 0:00 /usr/sbin/xl2tpd -D
root 34215 0.0 0.0 221928 1156 pts/1 R+ 14:18 0:00 grep --color=auto l2tp

[root@bio-scripts log]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol none
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1701
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0

Warning: iptables-legacy tables present, use iptables-legacy to see them

[root@bio-scripts log]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-01-18 11:59:28 HKT; 2h 19min ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 34052 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Process: 34049 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 33813 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 33811 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 34063 (pluto)
Status: "Startup completed."
Tasks: 4 (limit: 23719)
Memory: 3.3M
CGroup: /system.slice/ipsec.service
└─34063 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

1月 18 14:18:40 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
1月 18 14:18:44 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
1月 18 14:18:52 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
1月 18 14:18:54 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:18:58 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:03 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:08 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:08 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 32 seconds for response
1月 18 14:19:13 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:17 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2

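The pluto lines in this post, and the container's auth.log in the issue body, trace the responder side of the IKEv1 Main Mode exchange, and hwdsl2's reading that the `retransmission` entries point at the network path rather than a closed port can be checked mechanically: the server only logs `sent Main Mode R2` after the client's second message has arrived, so repeated R2 retransmissions mean the client's third message never came back. The parser below is an added example, not code from the hwdsl2 project or from this thread; the (pid, SA) keys, stage names, verdict strings and the sample log (203.0.113.7 standing in for the masked client address, SA #9 a constructed healthy exchange) are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Message body shared by the host syslog and the container's ISO-timestamped auth.log:
#   ... pluto[PID]: "conn"[N] PEER #SA: message
PLUTO_RE = re.compile(r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')

# Responder-side Main Mode milestones in protocol order. R1 answers the client's I1,
# R2 answers I2 and R3 answers I3, so the last milestone reached tells which client
# packet never arrived at the server.
STAGES = ['none', 'I1-received', 'R1-sent', 'R2-sent', 'established']
STATE_TO_STAGE = {'R1': 'R1-sent', 'R2': 'R2-sent', 'R3': 'established'}


@dataclass
class SaTrace:
    conn: str
    peer: str
    stage: str = 'none'
    retransmits: int = 0        # "retransmission; will wait N seconds" lines
    discarded_initial: int = 0  # client started a fresh I1 while we still waited
    timed_out: bool = False     # "N second timeout exceeded after M retransmits"
    refused_transforms: list = field(default_factory=list)

    def advance(self, stage):
        if STAGES.index(stage) > STAGES.index(self.stage):
            self.stage = stage


def parse_pluto_log(lines):
    """Group pluto lines by (pid, SA number) and record how far each SA got."""
    traces = {}
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        key = (int(m['pid']), int(m['sa']))
        t = traces.setdefault(key, SaTrace(m['conn'], m['peer']))
        msg = m['msg']
        if msg.startswith('responding to Main Mode'):
            t.advance('I1-received')
        elif msg == 'sent Main Mode R1':
            t.advance('R1-sent')
        elif msg == 'sent Main Mode R2':
            t.advance('R2-sent')
        elif 'ISAKMP SA established' in msg:
            t.advance('established')
        elif 'retransmission; will wait' in msg:
            t.retransmits += 1
        elif msg.startswith('discarding initial packet'):
            t.discarded_initial += 1
        elif 'timeout exceeded' in msg:
            t.timed_out = True
        elif msg.startswith('Oakley Transform') and msg.endswith(' refused'):
            # Proposals rejected as too weak; harmless when a later one is accepted.
            t.refused_transforms.append(msg[len('Oakley Transform '):-len(' refused')])
        # Lines that name the state ("already STATE_MAIN_R2") also fix the stage,
        # even when the SA's earlier lines are missing from the excerpt.
        sm = re.search(r'STATE_MAIN_(R[123])', msg)
        if sm:
            t.advance(STATE_TO_STAGE[sm.group(1)])
    return traces


def diagnose(t):
    """Short verdict for one SA, derived from where the exchange stopped."""
    if t.stage == 'established':
        return 'ok'
    if t.stage in ('R1-sent', 'R2-sent') and (t.retransmits or t.timed_out):
        # Our reply went out and the client's next message never came back: after R2
        # the lost packet is MM I3, after R1 it is MM I2. UDP 500/4500 reached us
        # (I1 and I2 arrived), so the path, not the firewall, is the suspect.
        verdict = 'stalled-after-' + t.stage[:2]
        if t.discarded_initial:
            # Client restarted from I1 instead of continuing, so it most likely
            # never received our reply (or rejected it).
            verdict += '+peer-restarting'
        return verdict
    return 'incomplete'


def report(text):
    """Map (pid, SA) -> verdict for a whole log excerpt."""
    return {k: diagnose(t) for k, t in parse_pluto_log(text.splitlines()).items()}


# Constructed sample modelled on the excerpts in this thread; 203.0.113.7 stands in
# for the masked client address and SA #9 is an added, healthy exchange.
SAMPLE_LOG = """\
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: responding to Main Mode from unknown peer 203.0.113.7:500
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: sent Main Mode R1
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: sent Main Mode R2
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Jan 18 14:10:30 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
Jan 18 14:10:32 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #130: STATE_MAIN_R2: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
Jan 18 14:10:47 bio-scripts pluto[34063]: "l2tp-psk"[2] 203.0.113.7 #131: discarding initial packet; already STATE_MAIN_R2
2022-01-17T09:40:01.000000+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #9: responding to Main Mode from unknown peer 172.17.0.1:36741
2022-01-17T09:40:01.100000+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #9: sent Main Mode R1
2022-01-17T09:40:01.300000+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #9: sent Main Mode R2
2022-01-17T09:40:01.500000+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"""
```

Run `report(SAMPLE_LOG)` to get a verdict per SA; the two host SAs come back stalled after R2, the constructed container SA comes back ok.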

@hwdsl2 commented on GitHub (Jan 18, 2022):

@vincent1394 Your Docker host runs CentOS 8, right? From the information you provided, it may be an IPTables rule problem. Or the connection may be interfered with by the GFW.

Please run the following three commands and show the output:

```
iptables -nvL; iptables -nvL -t nat
iptables-legacy -nvL; iptables-legacy -nvL -t nat
nft list ruleset
```

@hwdsl2 commented on GitHub (Jan 18, 2022):

@vincent1394 Also, if, as you say, installing the script directly on the VPS host gives the same error, it is quite likely that the VPN connection is being interfered with or blocked by the GFW.


@vincent1394 commented on GitHub (Jan 18, 2022):

No match for argument: iptables-legacy. This machine does not have it, and yum does not have it either; if needed I can look for an rpm package. Please take another look; if nothing works I will just have to give up on this machine.

root@bio-scripts log]# iptables -nvL;
Chain INPUT (policy ACCEPT 3028 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 140K   68M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4  1734 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    5   559 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8443
  165  8492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    5  2834 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  ens17  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  101 10580 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens17  ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens17   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens17  *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      ens17   192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0
 252K  190M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4138  334K ACCEPT     all  --  *      *       192.168.218.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.42.0/24      0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 151K packets, 154M bytes)
 pkts bytes target     prot opt in     out     source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them


[root@bio-scripts log]# nft list ruleset
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.43.0/24  counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.218.0/24 counter packets 3829 bytes 309709 masquerade
		oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.11.0/24 counter packets 0 bytes 0 masquerade
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		meta l4proto udp udp dport 1701 meta secpath missing counter packets 0 bytes 0 drop
		ct state invalid counter packets 1 bytes 40 drop
		ct state related,established counter packets 140866 bytes 67958852 accept
		meta l4proto udp udp dport { 500,4500} counter packets 4 bytes 1734 accept
		meta l4proto udp udp dport 1701 meta secpath exists counter packets 0 bytes 0 accept
		meta l4proto udp udp dport 1701 counter packets 0 bytes 0 drop
		meta l4proto udp udp dport 1701 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 1701 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 4500 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 4500 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 500 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 500 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 8443 counter packets 5 bytes 559 accept
		meta l4proto tcp tcp dport 8443 counter packets 165 bytes 8492 accept
		meta l4proto tcp tcp dport 1723 counter packets 0 bytes 0 accept
		meta l4proto gre counter packets 5 bytes 2834 accept
		iifname "ens17" meta l4proto gre counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		ct state invalid counter packets 101 bytes 10580 drop
		iifname "ens17" oifname "ppp*" ct state related,established counter packets 0 bytes 0 accept
		iifname "ppp*" oifname "ens17" counter packets 0 bytes 0 accept
		iifname "ppp*" oifname "ppp*" counter packets 0 bytes 0 accept
		iifname "ens17" ip daddr 192.168.43.0/24 ct state related,established counter packets 0 bytes 0 accept
		oifname "ens17" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
		oifname "ppp*" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
		ct state related,established counter packets 252323 bytes 190491551 accept
		ip saddr 192.168.218.0/24 counter packets 4144 bytes 334389 accept
		ip saddr 192.168.42.0/24 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 reject
		counter packets 0 bytes 0 drop
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
<!-- gh-comment-id:1015307031 --> @vincent1394 commented on GitHub (Jan 18, 2022):

No match for argument: iptables-legacy. This machine doesn't have it, and yum doesn't have it either; if needed I can look for an rpm package. Could you take another look? If it really can't be fixed I'll just have to give up on this machine.

```
[root@bio-scripts log]# iptables -nvL;
Chain INPUT (policy ACCEPT 3028 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 140K   68M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4  1734 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    5   559 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8443
  165  8492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    5  2834 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  ens17  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  101 10580 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens17  ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens17   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens17  *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      ens17   192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0
 252K  190M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4138  334K ACCEPT     all  --  *      *       192.168.218.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.42.0/24      0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 151K packets, 154M bytes)
 pkts bytes target     prot opt in     out     source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
[root@bio-scripts log]# nft list ruleset
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.218.0/24 counter packets 3829 bytes 309709 masquerade
		oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens17" ip saddr 192.168.11.0/24 counter packets 0 bytes 0 masquerade
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		meta l4proto udp udp dport 1701 meta secpath missing counter packets 0 bytes 0 drop
		ct state invalid counter packets 1 bytes 40 drop
		ct state related,established counter packets 140866 bytes 67958852 accept
		meta l4proto udp udp dport { 500,4500} counter packets 4 bytes 1734 accept
		meta l4proto udp udp dport 1701 meta secpath exists counter packets 0 bytes 0 accept
		meta l4proto udp udp dport 1701 counter packets 0 bytes 0 drop
		meta l4proto udp udp dport 1701 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 1701 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 4500 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 4500 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 500 counter packets 0 bytes 0 accept
		meta l4proto tcp tcp dport 500 counter packets 1 bytes 44 accept
		meta l4proto udp udp dport 8443 counter packets 5 bytes 559 accept
		meta l4proto tcp tcp dport 8443 counter packets 165 bytes 8492 accept
		meta l4proto tcp tcp dport 1723 counter packets 0 bytes 0 accept
		meta l4proto gre counter packets 5 bytes 2834 accept
		iifname "ens17" meta l4proto gre counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		ct state invalid counter packets 101 bytes 10580 drop
		iifname "ens17" oifname "ppp*" ct state related,established counter packets 0 bytes 0 accept
		iifname "ppp*" oifname "ens17" counter packets 0 bytes 0 accept
		iifname "ppp*" oifname "ppp*" counter packets 0 bytes 0 accept
		iifname "ens17" ip daddr 192.168.43.0/24 ct state related,established counter packets 0 bytes 0 accept
		oifname "ens17" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
		oifname "ppp*" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
		ct state related,established counter packets 252323 bytes 190491551 accept
		ip saddr 192.168.218.0/24 counter packets 4144 bytes 334389 accept
		ip saddr 192.168.42.0/24 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 reject
		counter packets 0 bytes 0 drop
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
```
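The INPUT chain pasted above is easier to reason about when walked the way the kernel walks it: top to bottom, first match wins. The script below is an added example for this thread, not code from the issue or from the docker-ipsec-vpn-server project. It parses `iptables -nvL` output into rules, simulates a fresh packet against one chain, and lists rules whose match is identical to an earlier rule and so can never fire. `SAMPLE` is constructed from the INPUT and FORWARD rule texts in the comment (column widths approximate). Interface, source and destination fields are parsed but not evaluated, and the `ctstate`/`state` rules are skipped because the simulated packet is conntrack NEW; those are simplifications, not a full iptables emulator.

```python
"""Audit an `iptables -nvL` listing for L2TP/IPsec rule ordering.

Added example for this thread; not code from the issue or from
docker-ipsec-vpn-server. SAMPLE is constructed, modelled on the INPUT
and FORWARD chains pasted in the comment above.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Chain INPUT (policy ACCEPT 3028 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 140K   68M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4  1734 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  101 10580 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
"""


@dataclass
class Rule:
    chain: str
    pkts: str      # counter as printed (may carry a K/M suffix)
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str     # match extensions, e.g. "udp dpt:1701 policy match dir in pol none"

    def match_key(self):
        """Everything that decides whether a packet hits this rule."""
        return (self.chain, self.proto, self.in_if, self.out_if,
                self.src, self.dst, self.extra)


def parse_iptables(text):
    """Return (rules, chain_policies) parsed from `iptables -nvL` output."""
    rules, policies, chain = [], {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            chain = m.group(1)
            policies[chain] = m.group(2)
            continue
        parts = line.split(None, 9)
        if len(parts) < 9 or parts[0] == "pkts":
            continue                       # blank line or column header
        pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9].strip() if len(parts) > 9 else ""
        rules.append(Rule(chain, pkts, target, proto, in_if, out_if, src, dst, extra))
    return rules, policies


def dports(extra):
    """Destination ports a rule is restricted to, or None for 'any port'."""
    m = re.search(r"dpt:(\d+)", extra)
    if m:
        return {int(m.group(1))}
    m = re.search(r"dports (\S+)", extra)
    if m:
        return {int(p) for p in m.group(1).split(",")}
    return None


def matches(rule, proto, dport, ipsec):
    """Would a fresh (conntrack NEW) packet hit this rule?"""
    if rule.proto not in ("all", proto):
        return False
    if "state" in rule.extra:
        return False          # INVALID / RELATED,ESTABLISHED never match a NEW packet
    ports = dports(rule.extra)
    if ports is not None and dport not in ports:
        return False
    if "pol none" in rule.extra and ipsec:
        return False          # xt_policy: matches plaintext only
    if "pol ipsec" in rule.extra and not ipsec:
        return False          # xt_policy: matches IPsec-protected traffic only
    return True


def verdict(rules, policies, chain, proto, dport, ipsec=False):
    """First-match-wins walk of one chain; falls back to the chain policy."""
    for r in rules:
        if r.chain == chain and matches(r, proto, dport, ipsec):
            return r.target
    return policies[chain]


def shadowed(rules):
    """(earlier_index, unreachable_index) pairs for rules with an identical match."""
    first_seen, out = {}, []
    for i, r in enumerate(rules):
        key = r.match_key()
        if key in first_seen:
            out.append((first_seen[key], i))
        else:
            first_seen[key] = i
    return out


if __name__ == "__main__":
    rules, policies = parse_iptables(SAMPLE)
    for proto, port, ipsec in [("udp", 1701, False), ("udp", 1701, True),
                               ("udp", 500, False), ("tcp", 1701, False)]:
        print(f"{proto}/{port} ipsec={ipsec}: "
              f"{verdict(rules, policies, 'INPUT', proto, port, ipsec)}")
    for earlier, later in shadowed(rules):
        print(f"rule {later} ({rules[later].target} {rules[later].extra}) "
              f"is shadowed by rule {earlier} ({rules[earlier].target})")
```

Run against the sample, the walk shows plain UDP/1701 dropped by the container's first `policy match dir in pol none` rule while the same port inside IPsec reaches the `pol ipsec` ACCEPT, UDP/500 and 4500 accepted by the multiport rule, and the manually added `ACCEPT udp dpt:1701` reported as shadowed by the `DROP udp dpt:1701` directly above it. That ordering is the intended one: L2TP is only ever reachable through the IPsec tunnel, and the extra host rules for port 1701 neither help nor hurt.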
<!-- gh-comment-id:1015505756 --> @hwdsl2 commented on GitHub (Jan 18, 2022):

@vincent1394 Your IPTables rules and nft rules both look normal, so it's not clear what the problem is. I suggest trying a different machine?