[GH-ISSUE #62] Behind a single public egress IP, only one user can be logged in at a time? #57

Closed
opened 2026-03-02 07:11:24 +03:00 by kerem · 3 comments
Owner

Originally created by @kernelsky on GitHub (Mar 26, 2018).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/62

Hello, first of all thank you for the image. I ran into a problem while using it and would appreciate some help analysing it. I deployed docker-ipsec-vpn-server in our data center. When using it from the office, as soon as one colleague logs in successfully, the other colleagues can no longer log in: the built-in Windows VPN client reports error 789, "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." In other words, only one user at a time can log in from the same public egress IP. The VPN client configurations are definitely fine, because each of us can log in when we take turns.
The docker logs output is as follows:
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Maximum retries exceeded for tunnel 56949. Closing.
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 684
xl2tpd[1]: Connection 27413 closed to 59.8.8.8, port 40589 (Timeout)
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Unable to deliver closing message for tunnel 56949. Destroying anyway.

The ipsec status output is as follows:
000 Connection list:
000
000 "l2tp-psk": 172.17.0.2/32===172.17.0.2<172.17.0.2>[69.8.8.8]:17/1701---172.17.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk": oriented; my_ip=unset; their_ip=unset
000 "l2tp-psk": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "l2tp-psk": labeled_ipsec:no;
000 "l2tp-psk": policy_label:unset;
000 "l2tp-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "l2tp-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "l2tp-psk": policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "l2tp-psk": dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "l2tp-psk": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "l2tp-psk": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: 172.17.0.2/32===172.17.0.2<172.17.0.2>[69.8.8.8]:17/1701---172.17.0.1...59.8.8.8[192.168.123.203]:17/1701; erouted; eroute owner: #14
000 "l2tp-psk"[3]: oriented; my_ip=unset; their_ip=unset
000 "l2tp-psk"[3]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk"[3]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "l2tp-psk"[3]: labeled_ipsec:no;
000 "l2tp-psk"[3]: policy_label:unset;
000 "l2tp-psk"[3]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "l2tp-psk"[3]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk"[3]: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "l2tp-psk"[3]: policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk"[3]: conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "l2tp-psk"[3]: dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk"[3]: newest ISAKMP SA: #3; newest IPsec SA: #14;
000 "l2tp-psk"[3]: IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "l2tp-psk"[3]: IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "l2tp-psk"[3]: IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "l2tp-psk"[3]: ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000 "xauth-psk": 0.0.0.0/0===172.17.0.2<172.17.0.2>[69.8.8.8,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk": oriented; my_ip=unset; their_ip=unset
000 "xauth-psk": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns1:8.8.8.8, dns2:8.8.4.4, domain:unset, banner:unset;
000 "xauth-psk": labeled_ipsec:no;
000 "xauth-psk": policy_label:unset;
000 "xauth-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "xauth-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:yes; fake_strongswan:no; send_vendorid:no;
000 "xauth-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk": conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "xauth-psk": dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "xauth-psk": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "xauth-psk": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "xauth-psk": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #14: "l2tp-psk"[3] 59.8.8.8:49806 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2406s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #14: "l2tp-psk"[3] 59.8.8.8 esp.1af9f176@59.8.8.8 esp.8b44f14e@172.17.0.2 ref=0 refhim=4294901761 Traffic: ESPin=227B ESPout=0B! ESPmax=244B
000 #3: "l2tp-psk"[3] 59.8.8.8:49806 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27542s; newest ISAKMP; nodpd; idle; import:not set
000
000 Bare Shunt list:
000
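
The xl2tpd excerpt and the `ipsec status` dump above together show the server-side signature of this problem: exactly one established IPsec SA for the office's public IP (59.8.8.8, private identity 192.168.123.203), while xl2tpd receives L2TP packets for a tunnel ID it has never seen (40364) and then times out the tunnel it does have (56949). The following Python script is an added diagnostic example, not part of the original issue or of the docker-ipsec-vpn-server project; it parses both outputs and reports that correlation so an operator can tell "several clients behind one NAT" apart from a plain client misconfiguration. The sample inputs are constructed from the lines quoted above, and the function names and output fields are my own.

```python
"""Correlate xl2tpd log lines with `ipsec status` output to spot the
one-IPsec-SA-per-public-IP pattern described in the issue (added example)."""
import re
from collections import Counter

# Constructed sample input, modelled on the xl2tpd lines quoted in the issue.
XL2TPD_LOG = """\
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Maximum retries exceeded for tunnel 56949. Closing.
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 684
xl2tpd[1]: Connection 27413 closed to 59.8.8.8, port 40589 (Timeout)
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: Unable to deliver closing message for tunnel 56949. Destroying anyway.
"""

# Constructed sample input, modelled on the `ipsec status` lines quoted in the issue.
IPSEC_STATUS = """\
000 "l2tp-psk"[3]: 172.17.0.2/32===172.17.0.2<172.17.0.2>[69.8.8.8]:17/1701---172.17.0.1...59.8.8.8[192.168.123.203]:17/1701; erouted; eroute owner: #14
000 Total IPsec connections: loaded 3, active 1
000 #14: "l2tp-psk"[3] 59.8.8.8:49806 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2406s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #3: "l2tp-psk"[3] 59.8.8.8:49806 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27542s; newest ISAKMP; nodpd; idle; import:not set
"""

IPV4 = r"(\d+(?:\.\d+){3})"
UNKNOWN_TUNNEL_RE = re.compile(r"Can not find tunnel (\d+)")
RETRIES_RE = re.compile(r"Maximum retries exceeded for tunnel (\d+)")
TIMEOUT_RE = re.compile(r"Connection (\d+) closed to " + IPV4 + r", port (\d+) \(Timeout\)")
# Connection instance line: name, instance index, peer public IP, peer ID behind NAT, route state.
INSTANCE_RE = re.compile(r'"([^"]+)"\[(\d+)\]: .*?\.\.\.' + IPV4 + r"\[([^\]]+)\]:17/1701; (\w+);")
# State line for an established IPsec (Quick Mode) SA: SA number, name, index, peer IP, port.
SA_RE = re.compile(r'#(\d+): "([^"]+)"\[(\d+)\] ' + IPV4 + r":(\d+) (STATE_\w+) \(IPsec SA established\)")


def parse_xl2tpd(text):
    """Extract orphaned tunnel IDs, tunnels closed after retries, and timed-out peers."""
    unknown = Counter()
    closed = set()
    timeouts = []
    for line in text.splitlines():
        if m := UNKNOWN_TUNNEL_RE.search(line):
            unknown[int(m.group(1))] += 1
        elif m := RETRIES_RE.search(line):
            closed.add(int(m.group(1)))
        elif m := TIMEOUT_RE.search(line):
            timeouts.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return {"unknown_tunnels": dict(unknown), "closed_tunnels": closed, "timeouts": timeouts}


def parse_ipsec_status(text):
    """Map connection instances to (peer IP, peer ID, route state) and peers to established SAs."""
    instances = {}
    established = {}
    for line in text.splitlines():
        if m := INSTANCE_RE.search(line):
            instances[(m.group(1), int(m.group(2)))] = (m.group(3), m.group(4), m.group(5))
        elif m := SA_RE.search(line):
            established.setdefault(m.group(4), []).append(int(m.group(1)))
    return {"instances": instances, "established": established}


def diagnose(xl2tpd_text, ipsec_text):
    """Flag peers with a single IPsec SA whose L2TP traffic carries unknown tunnel IDs.

    Several L2TP clients sharing one public IP end up multiplexed over one SA;
    xl2tpd then sees tunnel IDs it never negotiated and drops the existing one."""
    x = parse_xl2tpd(xl2tpd_text)
    s = parse_ipsec_status(ipsec_text)
    findings = []
    if not x["unknown_tunnels"]:
        return findings  # no orphan L2TP packets: nothing to correlate
    for peer_ip in sorted({ip for _, ip, _ in x["timeouts"]}):
        sas = s["established"].get(peer_ip, [])
        if len(sas) != 1:
            continue  # zero or several SAs is not the single-SA-per-public-IP pattern
        private_ids = sorted({pid for ip, pid, _ in s["instances"].values() if ip == peer_ip})
        findings.append({
            "peer": peer_ip,
            "established_sas": sas,
            "private_ids": private_ids,
            "unknown_tunnels": sorted(x["unknown_tunnels"]),
            "closed_tunnels": sorted(x["closed_tunnels"]),
            "pattern": "multiple L2TP clients behind one public IP sharing a single IPsec SA",
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(XL2TPD_LOG, IPSEC_STATUS):
        print(finding)
```

Run against a live box with `docker logs <container>` and `docker exec <container> ipsec status` piped into the two parsers; a finding that names one public IP, one SA and one private identity while xl2tpd keeps logging unknown tunnel IDs is the condition the maintainer describes in the reply below, not a PSK or client-side error.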

kerem closed this issue 2026-03-02 07:11:24 +03:00

@hwdsl2 commented on GitHub (May 2, 2018):

@kernelsky Hello! Because of limitations in IPsec/L2TP and Libreswan, multiple users behind the same NAT connecting at the same time is currently not supported. See [1].

[1] https://github.com/libreswan/libreswan/issues/166


@kernelsky commented on GitHub (May 2, 2018):

Understood. Thanks.


@letoams commented on GitHub (Sep 18, 2018):

Note: libreswan 3.26 was released, which addresses the issue related to bad lease IP re-use.
