[GH-ISSUE #325] Unable to connect to IKEv2 VPN due to iptables-related errors #302

Closed
opened 2026-03-02 08:01:12 +03:00 by kerem · 6 comments
Owner

Originally created by @openegg on GitHub (Nov 23, 2022).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/325

Task list

  • [x] I have read the README (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md)
  • [x] I have read the Important notes (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#重要提示)
  • [x] I have configured the VPN clients as instructed (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#下一步)
  • [x] I have checked Troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#故障排除) and VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态)
  • [x] I have searched the existing Issues (https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue)
  • [ ] This bug is about the VPN setup scripts, not about IPsec VPN itself

Problem description
After starting the ipsec-vpn-server container, I cannot connect to the VPN. The log obtained with docker logs is as follows:

Trying to auto discover IP of this server...
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: No chain/target/match by that name.
iptables: Index of insertion too big.
iptables: Index of insertion too big.
Warning: Extension multiport revision 0 not supported, missing kernel module?
iptables: Index of insertion too big.
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: Index of insertion too big.
iptables: Index of insertion too big.
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: No chain/target/match by that name.
Starting IPsec service...
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:

Steps to reproduce
Steps to reproduce the bug:

  1. ...
  2. ...

Expected behavior
Briefly describe the result you expected.

Logs
Check logs and VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态), and add error logs to help explain the problem (if applicable).

Server information (please fill in the following)

  • Operating system: CoreELEC, with Docker as the Kodi add-on version
  • Service provider (if applicable):

Client information (please fill in the following)

  • Device: [laptop]
  • Operating system: [WIN11]
  • VPN mode: [IKEv2]

Other information
kerem closed this issue 2026-03-02 08:01:12 +03:00
Author
Owner

@hwdsl2 commented on GitHub (Nov 23, 2022):

@openegg Hello! Your Docker host operating system lacks certain IPTables features or kernel support, so this Docker image cannot be used on it. Please switch to a system such as Ubuntu, Debian or CentOS.
Author
Owner

@hwdsl2 commented on GitHub (Nov 23, 2022):

@openegg You can try running modprobe ip_tables on the Docker host and then recreating the Docker container.
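The two maintainer comments above attribute the failure to missing netfilter support on the Docker host (the "Extension ... revision 0 not supported, missing kernel module?" warnings) and suggest loading ip_tables. As an added example that is not part of the hwdsl2 project or of this thread, the following POSIX shell script parses iptables warnings of the kind quoted in the issue, maps each unsupported extension to the xt_<name> kernel module that normally provides it (an assumption based on the usual xtables naming convention, e.g. policy to xt_policy and multiport to xt_multiport), counts the rule insertions that failed, and, when run on the Docker host itself, reports whether each module is loaded or loadable. The sample log is constructed from the lines quoted in the report; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the hwdsl2 project: triage iptables warnings
# from a container start-up log and check the matching netfilter modules.

# Constructed sample: the stderr lines quoted in the issue report.
SAMPLE_LOG='Trying to auto discover IP of this server...
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: No chain/target/match by that name.
iptables: Index of insertion too big.
iptables: Index of insertion too big.
Warning: Extension multiport revision 0 not supported, missing kernel module?
iptables: Index of insertion too big.
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: Index of insertion too big.
iptables: Index of insertion too big.
Warning: Extension policy revision 0 not supported, missing kernel module?
iptables: No chain/target/match by that name.
Starting IPsec service...'

# Print the distinct extension names that iptables reported as unsupported,
# one per line, in first-seen order.
missing_extensions() {
    printf '%s\n' "$1" \
      | sed -n 's/^Warning: Extension \([a-zA-Z0-9_]*\) revision [0-9]* not supported.*/\1/p' \
      | awk '!seen[$0]++'
}

# Map an extension name to the kernel module that provides it.
# Assumption: the xtables convention xt_<extension> (xt_policy, xt_multiport).
extension_module() {
    printf 'xt_%s\n' "$1"
}

# Count log lines that show a rule could not be inserted at all.
insert_failures() {
    printf '%s\n' "$1" \
      | grep -c -e 'Index of insertion too big' -e 'No chain/target/match by that name'
}

# Return 0 if the module is already loaded or can be loaded (dry run).
# Only meaningful when executed on the Docker host, not inside the container.
module_available() {
    grep -q "^$1 " /proc/modules 2>/dev/null && return 0
    modprobe -n "$1" >/dev/null 2>&1
}

main() {
    echo "Extensions iptables reported as unsupported:"
    for ext in $(missing_extensions "$SAMPLE_LOG"); do
        mod=$(extension_module "$ext")
        if module_available "$mod"; then state=available; else state=MISSING; fi
        echo "  $ext -> $mod ($state on this host)"
    done
    echo "Rule insertions that failed: $(insert_failures "$SAMPLE_LOG")"
}

main "$@"
```

On a host that lacks the modules, every extension shows as MISSING and the count of failed insertions matches the number of `iptables:` error lines; on a host that has them, the same script reports them as available, which is the quickest way to tell a kernel-support problem from a rules problem before looking at the host's own iptables listing.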
Author
Owner

@openegg commented on GitHub (Nov 24, 2022):

I tried modprobe and it still does not work. My other Docker container, which runs aliyundrive-webdav and uses a TCP port, has no problem.
Author
Owner

@openegg commented on GitHub (Nov 24, 2022):

These are the iptables settings; they include the forwarding for ports 500 and 4500. Could you help analyze what the problem is?
CoreELEC:~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-OVERLAY all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER-OVERLAY all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:8080
ACCEPT udp -- 0.0.0.0/0 172.17.0.2 udp dpt:4500
ACCEPT udp -- 0.0.0.0/0 172.17.0.2 udp dpt:500

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-OVERLAY (2 references)
target prot opt source destination
wqpck5m64fk3 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain wqpck5m64fk3 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Author
Owner

@openegg commented on GitHub (Nov 24, 2022):

I found that the iptables configuration file on this system is /storage/.config/iptables/rules.v4. Could this be related to the directory?
Author
Owner

@hwdsl2 commented on GitHub (Nov 24, 2022):

@openegg It should be unrelated to the directory. What you provided are the IPTables rules of the Docker host. The IPTables errors occur inside the container. You can try running a Bash shell in the container and then adding the VPN-related IPTables rules (see run.sh); the error messages you mentioned earlier should appear.
https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#%E5%9C%A8%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%BF%90%E8%A1%8C-bash-shell
