[GH-ISSUE #483] IKEv2 VPN connected on iPhone but impossible to reach the Internet #454

Closed
opened 2026-03-02 08:19:03 +03:00 by kerem · 1 comment

Originally created by @Don-Franco on GitHub (Sep 30, 2025).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/483

Checklist

  • [x] I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • [x] I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • [x] I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • [x] I checked IKEv1 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • [x] I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
IKEv2 VPN from iPhone is successfully connected, getting an IP address, but when trying to reach the Internet, packets are going out from the Docker image, coming back from the Internet to the Docker image, but not returning to the iPhone VPN client through the IPsec tunnel.

Here is a tcpdump traffic capture from inside the docker image, while the VPN client (192.168.43.10) is pinging 1.1.1.1:

f9f1484668de:/opt/src# tcpdump -nni any host 1.1.1.1
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:23:47.400503 eth0 In IP 192.168.43.10 > 1.1.1.1: ICMP echo request, id 65060, seq 1, length 80
21:23:47.400584 eth0 Out IP 172.17.0.3 > 1.1.1.1: ICMP echo request, id 65060, seq 1, length 80
21:23:47.405599 eth0 In IP 1.1.1.1 > 172.17.0.3: ICMP echo reply, id 65060, seq 1, length 80
21:23:48.405545 eth0 In IP 192.168.43.10 > 1.1.1.1: ICMP echo request, id 65060, seq 2, length 80
21:23:48.405610 eth0 Out IP 172.17.0.3 > 1.1.1.1: ICMP echo request, id 65060, seq 2, length 80
21:23:48.410459 eth0 In IP 1.1.1.1 > 172.17.0.3: ICMP echo reply, id 65060, seq 2, length 80

To Reproduce
Steps to reproduce the behavior:

  1. Connect the iPhone through VPN
  2. Capture traffic from the Docker container
  3. Ping the Internet from the iPhone

Expected behavior
Ping going to the Internet through the Docker image and Docker host, and coming back to the Docker image, but not coming back to the iPhone in the VPN tunnel:

Logs
root@dockerhost# docker exec -it ipsec-vpn-server ipsec trafficstatus
#4: "ikev2-cp"[2] 172.17.0.1, type=ESP, add_time=1759267423, inBytes=6823, outBytes=0, maxBytes=2^63B, id='CN=vpnuser, O=IKEv2 VPN', lease=192.168.43.10/32

Successful IKEv2 connection:
Total IPsec connections: loaded 3, routed 2, active 2

State Information: DDoS cookies not required, Accepting new IKE connections
IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
IPsec SAs: total(2), authenticated(2), anonymous(0)

#3: "ikev2-cp"[2] 172.17.0.1:49477 ESTABLISHED_IKE_SA (established IKE SA); RETRANSMIT in 7s; EXPIRE in 85609s; newest; idle;
#4: "ikev2-cp"[2] 172.17.0.1:49477 ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 29s; EXPIRE in 85609s; newest; eroute owner; IKE SA #3; idle;
#4: "ikev2-cp"[2] 172.17.0.1 esp.ab7a7c0@172.17.0.1 esp.25f6f06b@172.17.0.3 tun.0@172.17.0.1 tun.0@172.17.0.3 Traffic: ESPin=7KB ESPout=0B ESPmax=2^63B
#5: "ikev2-cp"[3] 172.17.0.1:33791 ESTABLISHED_IKE_SA (established IKE SA); NAT_KEEPALIVE in 14s; EXPIRE in 86394s; newest; idle;
#6: "ikev2-cp"[3] 172.17.0.1:33791 ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 24s; EXPIRE in 86394s; newest; eroute owner; IKE SA #5; idle;
#6: "ikev2-cp"[3] 172.17.0.1 esp.442a395@172.17.0.1 esp.8f7e66cc@172.17.0.3 tun.0@172.17.0.1 tun.0@172.17.0.3 Traffic: ESPin=2KB ESPout=0B ESPmax=2^63B

Server (please complete the following information)

  • Docker host OS: Ubuntu 18.04.4 LTS
  • Hosting provider: OVH

Client (please complete the following information)

  • Device: iPhone 15
  • OS: iOS 18
  • VPN mode: IKEv2


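The two diagnostics quoted in the issue point the same way: the ICMP replies reach the container's SNAT address (172.17.0.3), yet `ipsec trafficstatus` reports outBytes=0 for the Child SA, so nothing is being encrypted back toward the 192.168.43.10 lease. Note also that a `host 1.1.1.1` tcpdump filter excludes the ESP packets exchanged with 172.17.0.1, so the trafficstatus counters are the more direct indicator of whether replies enter the tunnel. The shell snippet below is an added example, not code from the issue or from the hwdsl2 project: it parses `ipsec trafficstatus` output and flags one-way SAs (inBytes growing, outBytes stuck at 0). The sample input is the trafficstatus line quoted above plus one constructed healthy SA for contrast.

```shell
#!/bin/sh
# Added example (not from the hwdsl2 project): detect one-way IPsec Child SAs
# in `ipsec trafficstatus` output. A lease that receives ESP (inBytes>0) but
# never sends any (outBytes=0) means decrypted client traffic is leaving the
# server, yet no reply is being encrypted back into the tunnel.

# Sample input: the first line is quoted from the issue; the second is a
# constructed healthy SA for contrast.
SAMPLE_TRAFFICSTATUS=$(cat <<'EOF'
#4: "ikev2-cp"[2] 172.17.0.1, type=ESP, add_time=1759267423, inBytes=6823, outBytes=0, maxBytes=2^63B, id='CN=vpnuser, O=IKEv2 VPN', lease=192.168.43.10/32
#8: "ikev2-cp"[4] 172.17.0.1, type=ESP, add_time=1759267500, inBytes=5120, outBytes=4096, maxBytes=2^63B, id='CN=vpnuser2, O=IKEv2 VPN', lease=192.168.43.11/32
EOF
)

# report_one_way_sas: reads `ipsec trafficstatus` lines on stdin and prints
# one "ONE-WAY ..." line per Child SA with inBytes>0 and outBytes=0.
# Prints nothing when every SA carries traffic in both directions.
report_one_way_sas() {
  awk '
    /type=ESP/ {
      inb = 0; outb = 0; lease = "?"; sa = $1
      for (i = 1; i <= NF; i++) {
        f = $i; sub(/,$/, "", f)          # strip trailing comma from "key=value,"
        if (f ~ /^inBytes=/)  { sub(/^inBytes=/,  "", f); inb  = f + 0 }
        if (f ~ /^outBytes=/) { sub(/^outBytes=/, "", f); outb = f + 0 }
        if (f ~ /^lease=/)    { sub(/^lease=/,    "", f); lease = f }
      }
      if (inb > 0 && outb == 0)
        printf "ONE-WAY %s lease=%s inBytes=%d outBytes=0\n", sa, lease, inb
    }
  '
}

# count_one_way_sas: same input, prints how many one-way SAs were found
# (grep -c exits 1 on zero matches, which is not an error here).
count_one_way_sas() {
  report_one_way_sas | grep -c '^ONE-WAY' || true
}

# Live use against the container from this issue:
#   docker exec ipsec-vpn-server ipsec trafficstatus | report_one_way_sas
printf '%s\n' "$SAMPLE_TRAFFICSTATUS" | report_one_way_sas
```

Run it in a loop while the client pings: if the ONE-WAY line persists with inBytes climbing, the problem is on the server's return path (NAT, forwarding or the xfrm policy for the lease), not on the client or the IKE negotiation, which the ESTABLISHED_CHILD_SA state already confirms.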
kerem closed this issue 2026-03-02 08:19:03 +03:00

@hwdsl2 commented on GitHub (Sep 30, 2025):

@Don-Franco Hello! The Docker image has been tested and works fine (on e.g. Ubuntu 24.04). According to the issue details you provided, it looks like it could either be an issue with iptables rules in the Docker container, or MTU/MSS issues. A few suggestions:

  1. Your Docker host OS is a bit old. Try running the Docker container on a newer version of Docker host OS, e.g. Ubuntu 24.04 LTS, to see if it works. If you are using the Debian-based Docker image from this project, try the Alpine-based Docker image.
  2. Update the Docker image to the latest version (https://github.com/hwdsl2/docker-ipsec-vpn-server/tree/master?tab=readme-ov-file#update-docker-image). Delete and re-create the Docker container if needed.
  3. Enable Libreswan logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs), retry the connection, then check the logs for errors.
  4. Try these troubleshooting steps (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#cannot-open-websites-after-connecting-to-ikev2), and steps for MTU/MSS issues (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#androidlinux-mtumss-issues).

If you have additional info feel free to comment below.
