[GH-ISSUE #457] IPv6, Can connect to VPN but not to the internet #428

Closed
opened 2026-03-02 08:18:52 +03:00 by kerem · 2 comments
Owner

Originally created by @Lovinoes on GitHub (Nov 16, 2024).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/457

I just successfully set up the VPN with the Docker image “hwdsl2/ipsec-vpn-server” and I was wondering if IPv6 support is available. I wanted to ask this because I only have IPv6 on my home network and I can connect to the VPN but not to the internet.

To Reproduce
Steps to reproduce the behavior:

  1. start server
  2. connect to vpn
  3. notice that you cannot access the Internet, but you can connect to the VPN.

Logs

docker exec -it ipsec-vpn-server ipsec status

root@fileforest:/var/www/vpn# docker exec -it ipsec-vpn-server ipsec status
using kernel interface: xfrm

interface lo [::1]:UDP/4500 (NAT)
interface lo [::1]:UDP/500
interface lo 127.0.0.1:UDP/4500 (NAT)
interface lo 127.0.0.1:UDP/500
interface eth0 172.20.0.2:UDP/4500 (NAT)
interface eth0 172.20.0.2:UDP/500

fips mode=disabled;
SElinux=disabled
seccomp=unsupported

config setup options:

configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
pluto_version=5.1, pluto_vendorid=OE-Libreswan-5.1
nhelpers=-1, uniqueids=no, dnssec-enable=no, shuntlifetime=900s, xfrmlifetime=30s
logfile='<syslog>', logappend=yes, logip=yes, audit-log=yes
ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
ocsp-trust-name=<unset>
ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
global-redirect=no, global-redirect-to=<unset>
debug:

nat-traversal: keep-alive=20, nat-ikeport=4500
virtual-private (%priv):
- allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
- excluded subnets: 192.168.42.0/24, 192.168.43.0/24

Kernel algorithms supported:

algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
algorithm AH/ESP auth: name=NONE, key-length=0

IKE algorithms supported:

algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_16, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_12, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_8, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
algorithm IKE PRF: name=HMAC_MD5, hashlen=16
algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
algorithm IKE PRF: name=AES_XCBC, hashlen=16
algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
algorithm IKE DH Key Exchange: name=DH19, bits=512
algorithm IKE DH Key Exchange: name=DH20, bits=768
algorithm IKE DH Key Exchange: name=DH21, bits=1056
algorithm IKE DH Key Exchange: name=DH31, bits=256

stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}

Connection list:

"ikev2-cp": 0.0.0.0/0===172.20.0.2[@vpn.private.example.com,MS+S=C]---172.20.0.1...%any[%fromcert,+MC+S=C]; unrouted; my_ip=unset; their_ip=unset;
"ikev2-cp":   host: oriented; local: 172.20.0.2; remote: %any;
"ikev2-cp":   mycert=vpn.private.example.com; my_updown=ipsec _updown;
"ikev2-cp":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
"ikev2-cp":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
"ikev2-cp":   modecfg info: us:server, them:client, modecfg policy:push, dns:1.1.1.1, 1.0.0.1, domains:unset, cat:unset;
"ikev2-cp":   sec_label:unset;
"ikev2-cp":   CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
"ikev2-cp":   ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"ikev2-cp":   retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
"ikev2-cp":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"ikev2-cp":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"ikev2-cp":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
"ikev2-cp":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"ikev2-cp":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"ikev2-cp":   our idtype: ID_FQDN; our id=@vpn.private.example.com; their idtype: %fromcert; their id=%fromcert
"ikev2-cp":   liveness: active; dpddelay:30s; retransmit-timeout:300s
"ikev2-cp":   nat-traversal: encapsulation:yes; keepalive:20s
"ikev2-cp":   routing: unrouted;
"ikev2-cp":   conn serial: $1;
"ikev2-cp":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-DH19, AES_CBC_256-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_256-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192, AES_CBC_128-HMAC_SHA1-DH19+DH20+DH21+DH31+MODP4096+MODP3072+MODP2048+MODP8192
"ikev2-cp":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128

Total IPsec connections: loaded 1, active 0

State Information: DDoS cookies not required, Accepting new IKE connections
IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
IPsec SAs: total(0), authenticated(0), anonymous(0)

Bare Shunt list:

docker logs ipsec-vpn-server

Trying to auto discover IP of this server...

Setting DNS servers to 1.1.1.1 and 1.0.0.1...

Note: Running in IKEv2-only mode via env file option.
      IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.

Starting IPsec service...

================================================

IKEv2 is already set up. Details for IKEv2 mode:

VPN server address: vpn.private.example.com
VPN client name: vpnclient

Client configuration is available inside the
Docker container at:
/etc/ipsec.d/vpnclient.p12 (for Windows & Linux)
/etc/ipsec.d/vpnclient.sswan (for Android)
/etc/ipsec.d/vpnclient.mobileconfig (for iOS & macOS)

*IMPORTANT* Password for client config files:
<SECRET>
Write this down, you'll need it for import!

Next steps: Configure IKEv2 clients. See:
https://vpnsetup.net/clients2

================================================

xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: Using l2tp kernel support.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on vpn.private.example.com PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

Configuration

docker-compose.yml

volumes:
  ikev2-vpn-data:

services:
  vpn:
    image: hwdsl2/ipsec-vpn-server
    restart: always
    env_file:
      - ./vpn.env
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    privileged: true
    hostname: vpn.private.example.com
    container_name: ipsec-vpn-server
    volumes:
      - ikev2-vpn-data:/etc/ipsec.d
      - /lib/modules:/lib/modules:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
networks:
  vpn0:
    name: vpn0
    driver: bridge
    ipam:
      config:
        - subnet: "172.99.0.0/16"
        - subnet: "fd99:99::/64"
    driver_opts:
      com.docker.network.bridge.name: vpn0

vpn.env

# Note: All the variables to this image are optional.
# See README for more information.
# IPsec PSK, VPN username and password
VPN_IPSEC_PSK=<SECRET>
VPN_USER=<SECRET>
VPN_PASSWORD=<SECRET>

# Define additional VPN users
# VPN_ADDL_USERS=additional_username_1 additional_username_2
# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2


# DNS configuration
VPN_DNS_NAME=vpn.private.example.com
VPN_DNS_SRV1=1.1.1.1
VPN_DNS_SRV2=1.0.0.1

VPN_PUBLIC_IP=192.168.0.1 #(not my actual VMs ip address)
VPN_PUBLIC_IPV6=fe80::1 #(not my actual VMs ip address)

VPN_CERT_SERVER=/etc/letsencrypt/live/vpn.private.example.com/fullchain.pem
VPN_CERT_KEY=/etc/letsencrypt/live/vpn.private.example.com/privkey.pem


# IKEv2 Configuration
VPN_PROTECT_CONFIG=yes
VPN_IKEV2_ONLY=yes
# VPN_CLIENT_NAME=vpnclient

Firewall (UFW)

root@fileforest:/var/www/vpn# sudo ufw status
Status: inactive

Server

  • Docker host OS: Debian GNU/Linux bookworm 12.8 x86_64
  • Kernel: Linux 6.11.8-x64v3-xanmod1
  • Hosting provider: AVORO.EU Dedicated Server

Client

  • Device: Desktop PC
  • OS: Windows 11 Pro
  • VPN mode: IKEv2
kerem closed this issue 2026-03-02 08:18:52 +03:00

@hwdsl2 commented on GitHub (Nov 17, 2024):

@Lovinoes Hello! Thank you for providing the details in this issue. Currently, this project does not support sending IPv6 traffic from the clients through the VPN. Only IPv4 traffic is supported. This feature is not planned in the short term. I would suggest that you try a different solution other than IPsec VPN, for example, OpenVPN (https://github.com/hwdsl2/openvpn-install) or WireGuard (https://github.com/hwdsl2/wireguard-install). If your use case requires Docker, you may be able to find some Docker-based solutions too.
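As an added diagnostic (not part of this issue and not the project's own tooling): the `ipsec status` dump in the report already shows the limitation the maintainer describes. The `ikev2-cp` summary line carries only the IPv4 traffic selector `0.0.0.0/0`, and the modecfg line pushes only IPv4 resolvers (1.1.1.1, 1.0.0.1), so a client's IPv6 traffic has no selector to match and no IPv6 resolver to use. The script below parses those two line types from a Libreswan status dump and flags every connection that lacks an IPv6 selector or an IPv6 resolver. The `ikev2-cp` sample is taken from the issue; the dual-stack `ikev2-ds` sample, its comma-separated selector list and its IPv6 DNS entry are constructed assumptions about what such a connection would print, not output quoted from the page.

```python
"""Audit a Libreswan `ipsec status` dump for IPv6 readiness of each connection.

Added example, not project code. Run with:  python3 ipsec_v6_audit.py < status.txt
"""
import ipaddress
import re
import sys

# Constructed sample: the two relevant lines from the issue's `ipsec status` output.
SAMPLE_STATUS = (
    '"ikev2-cp": 0.0.0.0/0===172.20.0.2[@vpn.private.example.com,MS+S=C]---172.20.0.1'
    '...%any[%fromcert,+MC+S=C]; unrouted; my_ip=unset; their_ip=unset;\n'
    '"ikev2-cp":   modecfg info: us:server, them:client, modecfg policy:push, '
    'dns:1.1.1.1, 1.0.0.1, domains:unset, cat:unset;\n'
)

# Constructed dual-stack sample (hypothetical): the comma-separated selector list and
# the IPv6 resolver are assumptions about a dual-stack conn, not output from the issue.
SAMPLE_DUALSTACK = (
    '"ikev2-ds": 0.0.0.0/0,::/0===172.20.0.2[@vpn.private.example.com,MS+S=C]---172.20.0.1'
    '...%any[%fromcert,+MC+S=C]; unrouted; my_ip=unset; their_ip=unset;\n'
    '"ikev2-ds":   modecfg info: us:server, them:client, modecfg policy:push, '
    'dns:1.1.1.1, 2606:4700:4700::1111, domains:unset, cat:unset;\n'
)

# Summary line: `"name": <selectors>===<local>...`; the selector token ends at "===".
SUMMARY_RE = re.compile(r'^"(?P<name>[^"]+)":\s+(?P<sel>[^=\s]+)===')
# Modecfg line: `"name":   modecfg info: key:value, key:value, dns:a, b, ...`
MODECFG_RE = re.compile(r'^"(?P<name>[^"]+)":\s+modecfg info:\s*(?P<body>.*)$')


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _parse_dns(body: str) -> list:
    """Collect the resolver list that follows `dns:` in a modecfg field list.

    Fields are ", "-separated and the DNS list spills over several fields, so keep
    taking fields while they parse as IP addresses (IPv6 addresses contain ':' too,
    which is why a plain 'contains colon' test would truncate the list)."""
    servers, collecting = [], False
    for item in body.split(", "):
        item = item.rstrip(";").strip()
        if item.startswith("dns:"):
            collecting = True
            value = item[len("dns:"):]
            if _is_ip(value):
                servers.append(value)
            continue
        if collecting:
            if _is_ip(item):
                servers.append(item)
            else:
                collecting = False  # next key:value field ends the list
    return servers


def _new_entry() -> dict:
    return {"v4_selectors": [], "v6_selectors": [], "dns": []}


def audit_ipsec_status(text: str) -> dict:
    """Return {conn_name: {v4_selectors, v6_selectors, dns, ipv6_ready}}.

    ipv6_ready is a necessary condition only: the server must declare an IPv6
    selector and push an IPv6 resolver. It says nothing about IPv6 forwarding or
    NAT on the host, which this dump cannot show."""
    conns = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], _new_entry())
            for sel in m["sel"].split(","):
                try:
                    net = ipaddress.ip_network(sel, strict=False)
                except ValueError:
                    continue  # e.g. %any-style tokens, not a CIDR
                key = "v6_selectors" if net.version == 6 else "v4_selectors"
                entry[key].append(str(net))
            continue
        m = MODECFG_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], _new_entry())
            entry["dns"].extend(_parse_dns(m["body"]))
    for entry in conns.values():
        v6_dns = [d for d in entry["dns"] if ipaddress.ip_address(d).version == 6]
        entry["ipv6_ready"] = bool(entry["v6_selectors"]) and bool(v6_dns)
    return conns


def report(conns: dict) -> list:
    """Human-readable one-liner per connection."""
    lines = []
    for name, e in conns.items():
        state = "IPv6 ready" if e["ipv6_ready"] else "IPv4 only (client IPv6 traffic will not traverse the tunnel)"
        lines.append(f'{name}: selectors v4={e["v4_selectors"]} v6={e["v6_selectors"]} '
                     f'dns={e["dns"]} -> {state}')
    return lines


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print("\n".join(report(audit_ipsec_status(data))))
```

Pipe the real dump in with `docker exec ipsec-vpn-server ipsec status | python3 ipsec_v6_audit.py`; with no stdin it audits the sample from this issue and reports `ikev2-cp` as IPv4 only, which is exactly the maintainer's answer read off the server's own state.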

@Lovinoes commented on GitHub (Nov 17, 2024):

Hi, thanks for the reply! It's a shame, but it would be great if IPv6 support could be added in the future. Hopefully, it’s something that might be considered later on. 🙂
