hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

How to set ikev2.conf on the docker image to support the SCTP protocol #398

Closed andy112233445566 closed 1 year ago

andy112233445566 commented 1 year ago

Describe the issue

ENV:

  1. two Ubuntu 22.04 (5.15.0-76-generic) hosts linked directly
  2. using IKEv2; ikev2.conf changed only for the server IP: 7.7.7.2

test 1: ping via IPsec succeeds. Using ping 5.5.5.2 from the IPsec client to the IPsec server side, the VPN works; I can see the docker container interface eth0 (172.17.0.2) forward packets to 5.5.5.2, like below:


test 2: SCTP via IPsec fails. Testing with lksctp-tools, I cannot capture packets on the docker container interface eth0 and only get SCTP packets on the host interface, like below:
  (1). server side: command "sctp_darn -H 0 -P 2500 -l" to listen
  (2). client side: command "sctp_darn -H 0 -P 2600 -h 5.5.5.2 -p 2500 -s"

docker ikev2.conf:


Do you have any suggestions for a config to support SCTP? Thanks.

hwdsl2 commented 1 year ago

@andy112233445566 Hello! Thanks for providing the details in this issue. I am not familiar with SCTP, but it looks like SCTP might have some issues with IPsec VPNs [1]. I did a quick web search and this article [2] might help your use case. More specifically, in order for IPTables in the IPsec VPN container to properly forward SCTP traffic, you'll need to load a kernel module:

modprobe nf_conntrack_proto_sctp

Restart the Docker container after that. Re-connect and check if the issue is resolved.

If loading the kernel module on the Docker host doesn't help, you can try loading it from inside the container.

[1] https://lists.strongswan.org/pipermail/users/2012-September/003618.html
[2] https://serverfault.com/questions/720897/iptables-nat-not-work-for-sctp
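A host-side check for the module-loading step described in the reply above, written as an added example that is not part of the project or of either comment. The sysctl path and the "builtin" case are my assumptions: on newer kernels SCTP tracking may be compiled into nf_conntrack rather than shipped as a separate module, so the presence of the SCTP conntrack sysctl is used as the authoritative signal.

```shell
#!/bin/sh
# Added example (not part of hwdsl2/docker-ipsec-vpn-server): check on the
# Docker host whether SCTP connection tracking is available, which the
# iptables rules inside the VPN container rely on to forward SCTP through
# the IKEv2 tunnel.

MODULE=nf_conntrack_proto_sctp
# Assumed: this sysctl only exists once SCTP conntrack support is present,
# whether as a loaded module or compiled into nf_conntrack.
SCTP_SYSCTL=/proc/sys/net/netfilter/nf_conntrack_sctp_timeout_established

# module_loaded FILE: succeed if lsmod-style output in FILE lists $MODULE.
# lsmod prints the module name in column 1; line 1 is the header.
module_loaded() {
    awk -v m="$MODULE" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$1"
}

# sctp_conntrack_state FILE SYSCTL: print one of
#   loaded  - $MODULE listed in FILE
#   builtin - not listed, but SYSCTL exists (tracking compiled in)
#   missing - neither; "modprobe $MODULE", then restart the container
sctp_conntrack_state() {
    if module_loaded "$1"; then
        echo loaded
    elif [ -e "$2" ]; then
        echo builtin
    else
        echo missing
    fi
}

# ensure_sctp_conntrack: live check on this host (modprobe needs root).
ensure_sctp_conntrack() {
    tmp=$(mktemp) && lsmod > "$tmp"
    state=$(sctp_conntrack_state "$tmp" "$SCTP_SYSCTL")
    rm -f "$tmp"
    case "$state" in
        missing)
            echo "SCTP conntrack absent; loading $MODULE" >&2
            modprobe "$MODULE" && echo "loaded; now restart the VPN container" >&2
            ;;
        *) echo "SCTP conntrack available ($state)" >&2 ;;
    esac
}
```

Run `ensure_sctp_conntrack` as root on the Docker host before re-testing with sctp_darn; if it reports "builtin", the modprobe step is not needed and the cause lies elsewhere.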