[GH-ISSUE #458] Editing /etc/ipsec.conf: restarting the Docker container restores the original configuration #427

Closed
opened 2026-03-02 08:18:52 +03:00 by kerem · 3 comments

Originally created by @alan699 on GitHub (Nov 19, 2024).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/458

Hello, in /etc/ipsec.conf I changed `leftsubnet=` to the multi-subnet `leftsubnets=` and restarted the IPsec service with `service ipsec restart`. But restarting the Docker container, or rebooting the Ubuntu system, restores the original configuration and the change is not kept. Is this caused by the run.sh script?

Variables:

```
VPN_L2TP_NET=11.11.11.0/24
VPN_L2TP_LOCAL=11.11.11.1
VPN_L2TP_POOL=11.11.11.150-11.11.11.199

VPN_XAUTH_NET=11.11.10.0/24
VPN_XAUTH_POOL=11.11.10.150-11.11.10.199

VPN_DNS_SRV1=223.5.5.5
VPN_DNS_SRV2=119.29.29.29

VPN_ANDROID_MTU_FIX=yes
```

ikev2.conf:

```
conn ikev2-cp
  left=%defaultroute
  leftcert=0.0.0.0/0
  leftsendcert=always
  leftsubnets="172.29.208.0/20,172.24.208.0/20,11.11.10.0/23"
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=11.11.10.150-11.11.10.199
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=0.0.0.0/24
  modecfgdns="223.5.5.5 119.29.29.29"
  mobike=no

conn ikev2-shared
  left=%defaultroute
  leftcert=0.0.0.0/24
  leftsendcert=always
  leftsubnets="172.29.208.0/20,172.24.208.0/20,11.11.10.0/23"
  leftrsasigkey=%cert
  right=%any
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=0.0.0.0/24
  modecfgdns="223.5.5.5 119.29.29.29"
  mobike=no

conn alan
  rightid=@alan
  rightaddresspool=11.11.10.10-11.11.10.10
  auto=add
  also=ikev2-shared
```

kerem closed this issue 2026-03-02 08:18:52 +03:00

@alan699 commented on GitHub (Nov 19, 2024):

Summary of the current issues

Android 13, native IKEv2 mode: split tunneling works, static IP assignment works, network access works.

Windows 10, L2TP mode connects normally: split tunneling works, static IP assignment works, network access works.

Windows 10 Pro, IKEv2 mode does not take effect. With the VPN connection generated by the script and "use default gateway on remote network" enabled, I can ping the internal subnet of the VPN server (an Alibaba Cloud Shanghai instance), but I cannot ping 223.5.5.5 (Alibaba Cloud DNS) or reach the Internet; the Ubuntu 22.04 VPN server itself has normal network access.

With the remote default gateway disabled and `route add -p 172.29.208.0 mask 255.255.240.0 11.11.10.1`, Internet access works but the VPN internal network is unreachable.

Using the IP obtained from the VPN dial-up, 11.11.10.150, as the route gateway, i.e. `route add 172.29.208.0 mask 255.255.240.0 11.11.10.150`, split tunneling works. This 11.11.10.150 is the first address of the pool; whether or not the certificate has a fixed static assignment, the client always gets .150, so static IP assignment is not taking effect.

Several Windows 10 machines on the same LAN, connecting one after another with different certificates, all get the same IP 11.11.10.150; static IP assignment in Windows 10 IKEv2 mode is not taking effect either.
At the same time, a phone in IKEv2 mode over mobile data got 11.11.10.151.

iOS 17.7, with the certificate from the helper script imported via a configuration profile: split tunneling works, static IP assignment works, network access works.

iOS 17.7, IPsec mode can connect to the VPN server and gets the assigned fixed IP, but cannot ping the VPN server's internal IP, cannot ping DNS 223.5.5.5, and cannot access the Internet.

iOS 17.7, L2TP mode with "send all traffic": static IP assignment works, network access works.

Without "send all traffic": static IP assignment works, pinging the gateway (the VPN_L2TP_LOCAL IP) works, the Internet is reachable, the server's internal IP is unreachable, and multi-subnet split tunneling does not take effect.

A Windows 10 L2TP client and an iOS 17.7 IPsec client can ping each other.
A Windows 10 L2TP client and an iOS 17.7 L2TP client can ping each other.

A Windows 10 L2TP client and an iOS 17.7 IKEv2 client cannot ping each other.

Below are the VPN server's firewall details. Looking forward to your reply.

`iptables -nvL; sudo iptables -nvL -t nat`

```
Chain INPUT (policy DROP 61 packets, 2848 bytes)
pkts bytes target prot opt in out source destination
38655 6087K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
38655 6087K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
61 2848 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
61 2848 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
61 2848 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
61 2848 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13826 2377K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
13826 2377K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
4949 1185K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4954 170K DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
3923 1021K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 132 bytes)
pkts bytes target prot opt in out source destination
50717 9395K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
50717 9395K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
1049 71884 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
1049 71884 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1049 71884 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
1049 71884 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
17 8348 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 udp dpt:500
4937 162K ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 udp dpt:4500

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
3923 1021K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
13826 2377K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
3923 1021K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
13826 2377K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
61 2848 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
896 91992 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
35508 5858K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 80 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 80 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
41 5578 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
2208 131K ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
2208 131K ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
896 91992 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
48772 9232K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1049 71884 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
2 80 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
2208 131K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
297 17820 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
749 53932 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
2 80 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
8 232 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
2129 127K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
8 560 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2173 144K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
308 33783 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:500
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:4500

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
5 348 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
17 8348 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:172.17.0.2:500
19 6152 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:172.17.0.2:4500
```

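As an added example (not part of the original issue or of the hwdsl2 project), the following Python script parses `iptables -nvL` output like the dump above and checks what a containerised IPsec VPN actually needs on the Docker host: a DNAT rule in the nat-table DOCKER chain and an ACCEPT rule in the filter-table DOCKER chain for UDP 500 and 4500 towards the container IP, plus the MASQUERADE rule for traffic leaving docker0's subnet. It also flags host-side openings of UDP 500/4500/1701 in `ufw-user-input`: packets that are DNATed to the container in PREROUTING traverse the FORWARD chain, not INPUT, so those rules do not carry VPN traffic. The two dumps embedded below are constructed excerpts of the posted output; the container IP 172.17.0.2 is taken from it.

```python
"""Audit a Docker host's iptables dump for a containerised IPsec VPN (added example)."""
import re

# Constructed excerpts of the `iptables -nvL` / `iptables -nvL -t nat` output
# posted in the issue; only the chains the audit looks at are kept.
FILTER_DUMP = """\
Chain DOCKER (1 references)
 pkts bytes target prot opt in out source destination
   17  8348 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 udp dpt:500
 4937  162K ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 udp dpt:4500

Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
    2    80 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
    8   232 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
 2129  127K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    8   560 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
"""

NAT_DUMP = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  308 33783 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
    0     0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:500
    0     0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:4500

Chain DOCKER (2 references)
 pkts bytes target prot opt in out source destination
    5   348 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
   17  8348 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:172.17.0.2:500
   19  6152 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:172.17.0.2:4500
"""

# Fixed columns of `iptables -nvL`; anything after them is the match/target extra text.
COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")


def parse_dump(text):
    """Return {chain name: [rule dict, ...]} from `iptables -nvL` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur = chains.setdefault(m.group(1), [])
            continue
        parts = line.split()
        if cur is None or len(parts) < len(COLS) or parts[0] == "pkts":
            continue  # blank line or the column header
        rule = dict(zip(COLS, parts[:len(COLS)]))
        rule["extra"] = " ".join(parts[len(COLS):])
        cur.append(rule)
    return chains


def dport(rule):
    """Destination port from the rule's extra text, or None."""
    m = re.search(r"dpt:(\d+)", rule["extra"])
    return int(m.group(1)) if m else None


def audit(filter_text, nat_text, container_ip, ports=(500, 4500)):
    """Return findings; an empty list means the published ports are wired correctly."""
    filt, nat = parse_dump(filter_text), parse_dump(nat_text)
    findings = []
    for port in ports:
        if not any(r["target"] == "DNAT" and r["prot"] == "udp" and dport(r) == port
                   and f"to:{container_ip}:{port}" in r["extra"]
                   for r in nat.get("DOCKER", [])):
            findings.append(f"nat/DOCKER: no DNAT of udp/{port} to {container_ip}")
        if not any(r["target"] == "ACCEPT" and r["prot"] == "udp"
                   and r["dst"] == container_ip and dport(r) == port
                   for r in filt.get("DOCKER", [])):
            findings.append(f"filter/DOCKER: udp/{port} to {container_ip} not accepted")
    if not any(r["target"] == "MASQUERADE" and r["out"] == "!docker0" and r["prot"] == "all"
               for r in nat.get("POSTROUTING", [])):
        findings.append("nat/POSTROUTING: no MASQUERADE for traffic leaving docker0's subnet")
    # DNATed packets go PREROUTING -> FORWARD, never INPUT, so host-side openings of the
    # VPN ports only matter when the VPN is installed directly on the host.
    for r in filt.get("ufw-user-input", []):
        if r["target"] == "ACCEPT" and r["prot"] == "udp" and dport(r) in (500, 4500, 1701):
            findings.append(f"ufw-user-input: udp/{dport(r)} opened on the host; "
                            "not needed for a containerised VPN")
    return findings


if __name__ == "__main__":
    for f in audit(FILTER_DUMP, NAT_DUMP, "172.17.0.2") or ["all checks passed"]:
        print(f)
```

On the posted dump the audit reports only the three informational `ufw-user-input` findings; removing any DNAT or the MASQUERADE rule from the nat dump produces a hard finding for it.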

@hwdsl2 commented on GitHub (Nov 20, 2024):

@alan699 Hello! Thanks for your summary. For your use case, if you modify VPN server configuration files inside the container such as `/etc/ipsec.conf`, you need to make the same changes to the corresponding content in `/opt/src/run.sh`. This ensures that run.sh does not revert your changes when the container is restarted. Alternatively, if needed, you can [build from source](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#%E4%BB%8E%E6%BA%90%E4%BB%A3%E7%A0%81%E6%9E%84%E5%BB%BA) a custom Docker image based on this project.

Your Docker host firewall rules look basically fine. If the VPN runs inside the container rather than being installed directly on the Docker host, there is no need to open UDP 500, 4500, 1701 and similar ports in the ufw-user-input chain.

For the static IP assignment problem with multiple Windows 10 machines on the same LAN, first check whether the correct rightid value is defined. See the notes in [VPN internal IP and traffic](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/advanced-usage-zh.md#vpn-%E5%86%85%E7%BD%91-ip-%E5%92%8C%E6%B5%81%E9%87%8F): "For Windows 7/8/10/11 and RouterOS clients, you must use a different syntax for rightid=...".

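The reply above makes two points a practitioner will want to check mechanically: that the per-client conn really carries a usable `rightid=` with a single-address pool, and that a container restart has not regenerated the file without the `leftsubnets=` change. As an added example (not part of the original issue or of the hwdsl2 project), the Python script below parses a Libreswan-style ikev2.conf like the one posted in the issue, resolves `also=` includes, and reports per-client conns without a client-specific `rightid=`, static addresses outside VPN_XAUTH_NET or inside the shared `ikev2-cp` pool, and conns whose effective config still has only `leftsubnet=`. The two configs embedded below are constructed; the rule that the including conn's own values override `also=` values, and the shared conn name `ikev2-cp`, are assumptions. It does not validate the Windows/RouterOS-specific `rightid=` syntax referred to in the linked documentation.

```python
"""Sanity checks for per-client static IPs in a Libreswan-style ikev2.conf (added example)."""
import ipaddress
import re

# Constructed sample modelled on the config posted in this issue (not the
# project's own file); certificate/identity lines are omitted as irrelevant here.
SAMPLE_CONF = """\
conn ikev2-cp
  left=%defaultroute
  leftsubnets="172.29.208.0/20,172.24.208.0/20,11.11.10.0/23"
  right=%any
  rightid=%fromcert
  rightaddresspool=11.11.10.150-11.11.10.199
  narrowing=yes
  ikev2=insist
  auto=add

conn ikev2-shared
  left=%defaultroute
  leftsubnets="172.29.208.0/20,172.24.208.0/20,11.11.10.0/23"
  right=%any
  narrowing=yes
  ikev2=insist

conn alan
  rightid=@alan
  rightaddresspool=11.11.10.10-11.11.10.10
  auto=add
  also=ikev2-shared

# Deliberately broken client: no rightid, and its address sits in the shared pool.
conn badclient
  rightaddresspool=11.11.10.160-11.11.10.160
  auto=add
  also=ikev2-shared
"""

# Constructed: what the file looks like once run.sh has regenerated it with a single leftsubnet=.
REVERTED_CONF = """\
conn ikev2-shared
  left=%defaultroute
  leftsubnet=172.29.208.0/20
  right=%any

conn alan
  rightid=@alan
  rightaddresspool=11.11.10.10-11.11.10.10
  also=ikev2-shared
"""


def parse_conns(text):
    """Return {conn name: {key: value}}; comments and surrounding quotes are dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return conns


def effective(conns, name, _seen=None):
    """Merge also= sections recursively; the including conn's own values win (assumption)."""
    _seen = _seen or set()
    if name in _seen or name not in conns:
        return {}
    _seen.add(name)
    sec = conns[name]
    merged = effective(conns, sec["also"], _seen) if "also" in sec else {}
    merged.update((k, v) for k, v in sec.items() if k != "also")
    return merged


def parse_pool(spec):
    """'a.b.c.d-w.x.y.z' or a single address -> (low, high) IPv4Address pair."""
    lo, _, hi = spec.partition("-")
    lo = ipaddress.ip_address(lo.strip())
    return lo, (ipaddress.ip_address(hi.strip()) if hi else lo)


def validate(conf_text, xauth_net, shared_conn="ikev2-cp"):
    """Return human-readable findings; an empty list means every check passed."""
    conns, net, findings = parse_conns(conf_text), ipaddress.ip_network(xauth_net), []
    shared = effective(conns, shared_conn)
    shared_pool = parse_pool(shared["rightaddresspool"]) if "rightaddresspool" in shared else None
    for name in conns:
        eff = effective(conns, name)
        if "leftsubnet" in eff and "leftsubnets" not in eff:
            findings.append(f"{name}: leftsubnet= found but leftsubnets= missing (multi-subnet change reverted?)")
        for cidr in filter(None, eff.get("leftsubnets", "").split(",")):
            try:
                ipaddress.ip_network(cidr.strip())
            except ValueError:
                findings.append(f"{name}: bad CIDR in leftsubnets: {cidr.strip()}")
        if "rightaddresspool" not in eff:
            continue
        lo, hi = parse_pool(eff["rightaddresspool"])
        if lo != hi:
            continue  # a shared pool, not a per-client static assignment
        if not eff.get("rightid") or eff["rightid"].startswith("%"):
            findings.append(f"{name}: single-address pool without a client-specific rightid=")
        if lo not in net:
            findings.append(f"{name}: static IP {lo} is outside {net}")
        if shared_pool and name != shared_conn and shared_pool[0] <= lo <= shared_pool[1]:
            findings.append(f"{name}: static IP {lo} lies inside the shared pool {shared['rightaddresspool']}")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_CONF), ("reverted config", REVERTED_CONF)):
        print(label, validate(conf, "11.11.10.0/24") or ["ok"])
```

Running `validate` against the container's current ikev2.conf after each restart (for instance from a small host-side cron job that copies the file out with `docker cp`) gives an immediate signal that run.sh has rewritten the file, rather than discovering it when split tunneling silently stops working.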

@alan699 commented on GitHub (Nov 20, 2024):

> @alan699 Hello! Thanks for your summary. For your use case, if you modify VPN server configuration files inside the container such as `/etc/ipsec.conf`, you need to make the same changes to the corresponding content in `/opt/src/run.sh`. This ensures that run.sh does not revert your changes when the container is restarted. Alternatively, if needed, you can build from source a custom Docker image based on this project.
>
> Your Docker host firewall rules look basically fine. If the VPN runs inside the container rather than being installed directly on the Docker host, there is no need to open UDP 500, 4500, 1701 and similar ports in the ufw-user-input chain.
>
> For the static IP assignment problem with multiple Windows 10 machines on the same LAN, first check whether the correct rightid value is defined. See the notes in VPN internal IP and traffic: "For Windows 7/8/10/11 and RouterOS clients, you must use a different syntax for rightid=...".

@hwdsl2 OK, thanks for the reply. I'll give it a try.
