hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

vpn server no response #125

Closed ZhengSaisi closed 5 years ago

ZhengSaisi commented 5 years ago

I met a problem: I cannot use the iPhone to connect to the VPN server built by Docker. This is the log.

[root@localhost admin]# docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log
Feb 27 03:56:16 95c8b00b590f pluto[663]: shutting down
Feb 27 03:56:16 95c8b00b590f pluto[663]: forgetting secrets
Feb 27 03:56:16 95c8b00b590f pluto[663]: "xauth-psk": deleting non-instance connection
Feb 27 03:56:17 95c8b00b590f pluto[663]: "l2tp-psk": deleting non-instance connection
Feb 27 03:56:17 95c8b00b590f pluto[663]: shutting down interface lo/lo 127.0.0.1:4500
Feb 27 03:56:17 95c8b00b590f pluto[663]: shutting down interface lo/lo 127.0.0.1:500
Feb 27 03:56:17 95c8b00b590f pluto[663]: shutting down interface eth0/eth0 172.17.0.2:4500
Feb 27 03:56:17 95c8b00b590f pluto[663]: shutting down interface eth0/eth0 172.17.0.2:500
Feb 27 03:56:21 95c8b00b590f ipsecplutorun: pluto killed by SIGTERM, terminating without restart
Feb 27 03:56:35 95c8b00b590f ipsecplutorun: Starting Pluto
Feb 27 03:56:35 95c8b00b590f pluto[2442]: NSS DB directory: sql:/etc/ipsec.d
Feb 27 03:56:35 95c8b00b590f pluto[2442]: Initializing NSS
Feb 27 03:56:35 95c8b00b590f pluto[2442]: Opening NSS database "sql:/etc/ipsec.d" read-only
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NSS initialized
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NSS crypto library initialized
Feb 27 03:56:36 95c8b00b590f pluto[2442]: FIPS HMAC integrity support [disabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: libcap-ng support [enabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Linux audit support [disabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Starting Pluto (Libreswan Version 3.27 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2442
Feb 27 03:56:36 95c8b00b590f pluto[2442]: core dump dir: /run/pluto
Feb 27 03:56:36 95c8b00b590f pluto[2442]: secrets file: /etc/ipsec.secrets
Feb 27 03:56:36 95c8b00b590f pluto[2442]: leak-detective disabled
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NSS crypto [enabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: XAUTH PAM support [enabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NAT-Traversal support [enabled]
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Encryption algorithms:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,128} aes_ccm, aes_ccm_c
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,128} aes_ccm_b
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,128} aes_ccm_a
Feb 27 03:56:36 95c8b00b590f pluto[2442]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [192] 3des
Feb 27 03:56:36 95c8b00b590f pluto[2442]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,128}
Feb 27 03:56:36 95c8b00b590f pluto[2442]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,128} camellia
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,128} aes_gcm, aes_gcm_c
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,128} aes_gcm_b
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,128} aes_gcm_a
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,128} aesctr
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,128} aes
Feb 27 03:56:36 95c8b00b590f pluto[2442]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,128} serpent
Feb 27 03:56:36 95c8b00b590f pluto[2442]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,128} twofish
Feb 27 03:56:36 95c8b00b590f pluto[2442]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,128} twofish_cbc_ssh
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,128} aes_gmac
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NULL IKEv1: ESP IKEv2: ESP []
Feb 27 03:56:36 95c8b00b590f pluto[2442]: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [256] chacha20poly1305
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Hash algorithms:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MD5 IKEv1: IKE IKEv2:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: SHA1 IKEv1: IKE IKEv2: FIPS sha
Feb 27 03:56:36 95c8b00b590f pluto[2442]: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Feb 27 03:56:36 95c8b00b590f pluto[2442]: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Feb 27 03:56:36 95c8b00b590f pluto[2442]: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Feb 27 03:56:36 95c8b00b590f pluto[2442]: PRF algorithms:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_XCBC IKEv1: IKEv2: IKE FIPS aes128_xcbc
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Integrity algorithms:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, hmac_sha2_512
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, hmac_sha2_384
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, hmac_sha2_256
Feb 27 03:56:36 95c8b00b590f pluto[2442]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS aes_xcbc, aes128_xcbc, aes128_xcbc_96
Feb 27 03:56:36 95c8b00b590f pluto[2442]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NONE IKEv1: ESP IKEv2: ESP FIPS null
Feb 27 03:56:36 95c8b00b590f pluto[2442]: DH algorithms:
Feb 27 03:56:36 95c8b00b590f pluto[2442]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Feb 27 03:56:36 95c8b00b590f pluto[2442]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Feb 27 03:56:36 95c8b00b590f pluto[2442]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256
Feb 27 03:56:36 95c8b00b590f pluto[2442]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384
Feb 27 03:56:36 95c8b00b590f pluto[2442]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521
Feb 27 03:56:36 95c8b00b590f pluto[2442]: starting up 3 crypto helpers
Feb 27 03:56:36 95c8b00b590f pluto[2442]: started thread for crypto helper 0
Feb 27 03:56:36 95c8b00b590f pluto[2442]: started thread for crypto helper 1
Feb 27 03:56:36 95c8b00b590f pluto[2442]: started thread for crypto helper 2
Feb 27 03:56:36 95c8b00b590f pluto[2442]: seccomp security for crypto helper not supported
Feb 27 03:56:36 95c8b00b590f pluto[2442]: seccomp security for crypto helper not supported
Feb 27 03:56:36 95c8b00b590f pluto[2442]: seccomp security for crypto helper not supported
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-957.5.1.el7.x86_64
Feb 27 03:56:36 95c8b00b590f pluto[2442]: | selinux support is NOT enabled.
Feb 27 03:56:36 95c8b00b590f pluto[2442]: seccomp security not supported
Feb 27 03:56:36 95c8b00b590f pluto[2442]: added connection description "l2tp-psk"
Feb 27 03:56:36 95c8b00b590f pluto[2442]: added connection description "xauth-psk"
Feb 27 03:56:36 95c8b00b590f pluto[2442]: listening for IKE messages
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface eth0/eth0 172.17.0.2:500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface eth0/eth0 172.17.0.2:4500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface lo/lo 127.0.0.1:500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface lo/lo 127.0.0.1:4500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: | setup callback for interface lo:4500 fd 18
Feb 27 03:56:36 95c8b00b590f pluto[2442]: | setup callback for interface lo:500 fd 17
Feb 27 03:56:36 95c8b00b590f pluto[2442]: | setup callback for interface eth0:4500 fd 16
Feb 27 03:56:36 95c8b00b590f pluto[2442]: | setup callback for interface eth0:500 fd 15
Feb 27 03:56:36 95c8b00b590f pluto[2442]: loading secrets from "/etc/ipsec.secrets"

hwdsl2 commented 5 years ago

@zzzacbbt Hello! Your logs do not contain any connection attempts from your VPN client(s). Most likely, it is caused by incorrect VPN server IP address entered on the client, or your server has an external firewall for which you must open UDP port 500 and UDP port 4500 (e.g. Amazon EC2 and Google Compute Engine). Refer to your server provider's documentation.

ZhengSaisi commented 5 years ago

@hwdsl2 Hello, I captured packets and found that the server can send packets to the client. I also checked the server IP, and I am sure it is right. The VPN server was installed following your Docker documentation.


[root@localhost admin]# docker logs 95c8b00

Trying to auto discover IP of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: **** IPsec PSK: **** Username: **** Password: ****

Write these down. You'll need them to connect!

Important notes: https://git.io/vpnnotes2 Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

...
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: Using l2tp kernel support.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.12 started on 95c8b00b590f PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: death_handler: Fatal signal 15 received

Trying to auto discover IP of this server...

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: **** IPsec PSK: **** Username: **** Password: ****

Write these down. You'll need them to connect!

Important notes: https://git.io/vpnnotes2 Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: Using l2tp kernel support.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.12 started on 95c8b00b590f PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

I connect by IPsec/Cisco; I am not sure whether my configuration is right or not.

Could you help me?

hwdsl2 commented 5 years ago

@zzzacbbt Please change your VPN credentials immediately because you posted them. You'll need to troubleshoot further yourself. As I said earlier, if you do not see any new connection attempts in the logs docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log, then the traffic did not reach your VPN server.
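The check the maintainer describes in both replies (is there anything in the pluto log beyond startup messages, i.e. did any client packet ever reach the daemon?) can be mechanised. The script below is an added example written for this thread; it is not code from the project or from either participant. It parses the output of `grep pluto /var/log/auth.log`, separates interface-binding lines from lines that name a remote peer, and returns a verdict. The sample log is constructed: its startup lines mirror the ones posted above, while the two "peer" lines are written in the style of Libreswan 3.x messages for an inbound IKEv1 attempt (`packet from IP:port: ...` and `"conn"[n] IP #k: responding to Main Mode from unknown peer ...`); those formats are an assumption and may need adjusting for other versions.

```python
"""Classify `grep pluto /var/log/auth.log` output: startup noise vs. inbound IKE
activity. Added example for this issue thread; not part of docker-ipsec-vpn-server."""
import re
from collections import Counter

# Constructed sample. Lines 1-7 mirror the startup messages posted in the
# issue; lines 8-9 are constructed in the style of Libreswan 3.x output for an
# inbound IKEv1 attempt from a client (assumed format, 203.0.113.10 is a
# documentation address, not a real peer).
SAMPLE_LOG = """\
Feb 27 03:56:36 95c8b00b590f pluto[2442]: Starting Pluto (Libreswan Version 3.27 ...) pid:2442
Feb 27 03:56:36 95c8b00b590f pluto[2442]: added connection description "l2tp-psk"
Feb 27 03:56:36 95c8b00b590f pluto[2442]: added connection description "xauth-psk"
Feb 27 03:56:36 95c8b00b590f pluto[2442]: listening for IKE messages
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface eth0/eth0 172.17.0.2:500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: adding interface eth0/eth0 172.17.0.2:4500
Feb 27 03:56:36 95c8b00b590f pluto[2442]: loading secrets from "/etc/ipsec.secrets"
Feb 27 04:10:02 95c8b00b590f pluto[2442]: packet from 203.0.113.10:500: received Vendor ID payload [RFC 3947]
Feb 27 04:10:02 95c8b00b590f pluto[2442]: "l2tp-psk"[1] 203.0.113.10 #1: responding to Main Mode from unknown peer 203.0.113.10:500
"""

# syslog prefix as it appears in the posted log: "<ts> <host> pluto[<pid>]: <msg>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# Proves only that pluto bound a socket, not that anyone reached it.
LISTEN_RE = re.compile(r'^adding interface \S+ (?P<addr>[\d.]+):(?P<port>\d+)$')
# Messages that carry a remote address, i.e. a packet actually arrived
# (assumed Libreswan 3.x formats).
PEER_PATTERNS = [
    re.compile(r'^packet from (?P<ip>[\d.]+):\d+'),
    re.compile(r'^"[^"]+"\[\d+\] (?P<ip>[\d.]+) #\d+:'),
    re.compile(r'responding to (?:Main|Aggressive) Mode from unknown peer (?P<ip>[\d.]+)'),
]


def parse_pluto_lines(text):
    """Yield (timestamp, pid, message) for every well-formed pluto line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group('ts'), int(m.group('pid')), m.group('msg')


def diagnose(text):
    """Return what the log proves: daemon started, where it listens, which peers reached it."""
    started = False
    listening = []
    peers = Counter()
    for _ts, _pid, msg in parse_pluto_lines(text):
        if msg.startswith('Starting Pluto'):
            started = True
            continue
        lm = LISTEN_RE.match(msg)
        if lm:
            listening.append(f"{lm.group('addr')}:{lm.group('port')}")
            continue
        for pat in PEER_PATTERNS:
            pm = pat.search(msg)
            if pm:
                peers[pm.group('ip')] += 1
                break  # count each line once even if several patterns match
    if not started:
        verdict = 'pluto never reported starting: check `docker logs` for the container'
    elif not peers:
        verdict = ('no inbound IKE traffic reached pluto: verify the server address on the '
                   'client and that UDP 500 and 4500 are open on the host and provider '
                   'firewall and published to the container')
    else:
        verdict = 'peers reached pluto: ' + ', '.join(
            f'{ip} ({n} lines)' for ip, n in peers.most_common())
    return {'started': started, 'listening': listening,
            'peers': dict(peers), 'verdict': verdict}


if __name__ == '__main__':
    import sys
    # Pipe real output in, or run with no stdin to see the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in diagnose(text).items():
        print(f'{key}: {value}')
```

Feed it the real log with `docker exec ipsec-vpn-server grep pluto /var/log/auth.log | python3 check_pluto.py` (drop `-it` when piping, or the output is not a plain stream). Note what the "listening" entries in the posted log say: pluto is bound to 172.17.0.2, the container's bridge address, so a client that targets the host's public address only reaches it if the host forwards UDP 500 and 4500 to the container (the project's `docker run` command publishes both with `-p 500:500/udp -p 4500:4500/udp`) and no upstream firewall or cloud security group drops them first; a log with only startup lines, as in this issue, is consistent with either the wrong server address on the client or a blocked port, exactly the two causes the maintainer names.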