hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

Host nc command cannot connect to ports 500 and 4500 #414

Closed. wl2659297 closed this 7 months ago

wl2659297 commented 7 months ago

I started the server with docker compose. After installing the vpnclient.mobileconfig file on an iPhone 15, the VPN cannot connect. I then tested the ports on the host, and the host cannot connect to ports 500 and 4500 either.

docker-compose.yml:

```yaml
version: '3'

services:
  ikev2:
    image: hwdsl2/ipsec-vpn-server
    container_name: ikev2
    restart: always
    environment:
```

Host ports:

```
[root@host-192-168-200-181 ikev2]# netstat -anp|grep 500
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           25856/docker-proxy
udp        0      0 0.0.0.0:500             0.0.0.0:*                           25877/docker-proxy
udp6       0      0 :::4500                 :::*                                25862/docker-proxy
udp6       0      0 :::500                  :::*                                25884/docker-proxy
```

Ports inside the container:

```
[root@host-192-168-200-181 ikev2]# docker exec -it ikev2 netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:37575        0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.1:500           0.0.0.0:*                           466/pluto
udp        0      0 172.19.0.2:500          0.0.0.0:*                           466/pluto
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           1/xl2tpd
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           466/pluto
udp        0      0 172.19.0.2:4500         0.0.0.0:*                           466/pluto
udp        0      0 127.0.0.11:45821        0.0.0.0:*                           -
```

Host operating system:

```
[root@host-192-168-200-181 ikev2]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"
```

The host firewall is off:

```
[root@host-192-168-200-181 ikev2]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
```

Running nc on the host:

```
[root@host-192-168-200-181 ikev2]# nc -vz 127.0.0.1 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.
[root@host-192-168-200-181 ikev2]#
[root@host-192-168-200-181 ikev2]# nc -vz 127.0.0.1 4500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.
```

Neither 500 nor 4500 can be connected to.

Where is the problem?

wl2659297 commented 7 months ago

Inside the container, nc can connect to ports 500 and 4500.

hwdsl2 commented 7 months ago

@wl2659297 Hello! When running the nc command on the host, do not use the IP address 127.0.0.1; test with the host's private or public IP address instead. This is because the host may accept UDP 500 and 4500 traffic through the iptables NAT rules that Docker adds, and testing against 127.0.0.1 bypasses those rules, so that test is not valid.

If it still cannot connect, you can enable and check the logs.

wl2659297 commented 7 months ago

```
[root@host-192-168-200-181 ~]# nc -vz 192.168.200.181 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.
```

Hello, it is the same when using the host IP; it cannot connect. The net.ipv4.ip_forward=1 parameter has also been added, and Docker has been restarted.

wl2659297 commented 7 months ago

```
[root@host-192-168-200-181 ~]# docker exec -it ikev2 grep pluto /var/log/auth.log
2024-01-24T02:13:18.796771+00:00 8c2aac6a939a pluto[464]: Pluto is shutting down
2024-01-24T02:13:18.797396+00:00 8c2aac6a939a pluto[464]: forgetting secrets
2024-01-24T02:13:18.797447+00:00 8c2aac6a939a pluto[464]: shutting down interface lo 127.0.0.1:4500
2024-01-24T02:13:18.797463+00:00 8c2aac6a939a pluto[464]: shutting down interface lo 127.0.0.1:500
2024-01-24T02:13:18.797475+00:00 8c2aac6a939a pluto[464]: shutting down interface eth0 172.20.0.2:4500
2024-01-24T02:13:18.797484+00:00 8c2aac6a939a pluto[464]: shutting down interface eth0 172.20.0.2:500
2024-01-24T02:13:19.907342+00:00 8c2aac6a939a pluto[8293]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
2024-01-24T02:13:19.910399+00:00 8c2aac6a939a pluto[8293]: FIPS Mode: NO
2024-01-24T02:13:19.910420+00:00 8c2aac6a939a pluto[8293]: NSS crypto library initialized
2024-01-24T02:13:19.910460+00:00 8c2aac6a939a pluto[8293]: FIPS mode disabled for pluto daemon
2024-01-24T02:13:19.910466+00:00 8c2aac6a939a pluto[8293]: FIPS HMAC integrity support [disabled]
2024-01-24T02:13:19.910612+00:00 8c2aac6a939a pluto[8293]: libcap-ng support [enabled]
2024-01-24T02:13:19.910625+00:00 8c2aac6a939a pluto[8293]: Linux audit support [disabled]
2024-01-24T02:13:19.910633+00:00 8c2aac6a939a pluto[8293]: Starting Pluto (Libreswan Version 4.12 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8293
2024-01-24T02:13:19.910640+00:00 8c2aac6a939a pluto[8293]: core dump dir: /run/pluto
2024-01-24T02:13:19.910646+00:00 8c2aac6a939a pluto[8293]: secrets file: /etc/ipsec.secrets
2024-01-24T02:13:19.910652+00:00 8c2aac6a939a pluto[8293]: leak-detective disabled
2024-01-24T02:13:19.910658+00:00 8c2aac6a939a pluto[8293]: NSS crypto [enabled]
2024-01-24T02:13:19.910663+00:00 8c2aac6a939a pluto[8293]: XAUTH PAM support [enabled]
2024-01-24T02:13:19.910680+00:00 8c2aac6a939a pluto[8293]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2024-01-24T02:13:19.910751+00:00 8c2aac6a939a pluto[8293]: NAT-Traversal support [enabled]
2024-01-24T02:13:19.910915+00:00 8c2aac6a939a pluto[8293]: Encryption algorithms:
2024-01-24T02:13:19.910933+00:00 8c2aac6a939a pluto[8293]: AES_CCM_16 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
2024-01-24T02:13:19.910943+00:00 8c2aac6a939a pluto[8293]: AES_CCM_12 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
2024-01-24T02:13:19.910953+00:00 8c2aac6a939a pluto[8293]: AES_CCM_8 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
2024-01-24T02:13:19.910965+00:00 8c2aac6a939a pluto[8293]: 3DES_CBC [192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
2024-01-24T02:13:19.910974+00:00 8c2aac6a939a pluto[8293]: CAMELLIA_CTR {256,192,128} IKEv1: ESP IKEv2: ESP
2024-01-24T02:13:19.910983+00:00 8c2aac6a939a pluto[8293]: CAMELLIA_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
2024-01-24T02:13:19.910993+00:00 8c2aac6a939a pluto[8293]: AES_GCM_16 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
2024-01-24T02:13:19.911002+00:00 8c2aac6a939a pluto[8293]: AES_GCM_12 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
2024-01-24T02:13:19.911011+00:00 8c2aac6a939a pluto[8293]: AES_GCM_8 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
2024-01-24T02:13:19.911020+00:00 8c2aac6a939a pluto[8293]: AES_CTR {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
2024-01-24T02:13:19.911028+00:00 8c2aac6a939a pluto[8293]: AES_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
2024-01-24T02:13:19.911038+00:00 8c2aac6a939a pluto[8293]: NULL_AUTH_AES_GMAC {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
2024-01-24T02:13:19.911045+00:00 8c2aac6a939a pluto[8293]: NULL [] IKEv1: ESP IKEv2: ESP
2024-01-24T02:13:19.911054+00:00 8c2aac6a939a pluto[8293]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
2024-01-24T02:13:19.911060+00:00 8c2aac6a939a pluto[8293]: Hash algorithms:
2024-01-24T02:13:19.911068+00:00 8c2aac6a939a pluto[8293]: MD5 IKEv1: IKE IKEv2: NSS
2024-01-24T02:13:19.911075+00:00 8c2aac6a939a pluto[8293]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
2024-01-24T02:13:19.911083+00:00 8c2aac6a939a pluto[8293]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
2024-01-24T02:13:19.911091+00:00 8c2aac6a939a pluto[8293]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
2024-01-24T02:13:19.911098+00:00 8c2aac6a939a pluto[8293]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
2024-01-24T02:13:19.911105+00:00 8c2aac6a939a pluto[8293]: IDENTITY IKEv1: IKEv2: FIPS
2024-01-24T02:13:19.911111+00:00 8c2aac6a939a pluto[8293]: PRF algorithms:
2024-01-24T02:13:19.911130+00:00 8c2aac6a939a pluto[8293]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
2024-01-24T02:13:19.911139+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
2024-01-24T02:13:19.911153+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
2024-01-24T02:13:19.911166+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
2024-01-24T02:13:19.911182+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
2024-01-24T02:13:19.911195+00:00 8c2aac6a939a pluto[8293]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
2024-01-24T02:13:19.911216+00:00 8c2aac6a939a pluto[8293]: Integrity algorithms:
2024-01-24T02:13:19.911226+00:00 8c2aac6a939a pluto[8293]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
2024-01-24T02:13:19.911250+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
2024-01-24T02:13:19.911261+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
2024-01-24T02:13:19.911281+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
2024-01-24T02:13:19.911292+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2024-01-24T02:13:19.911311+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
2024-01-24T02:13:19.911322+00:00 8c2aac6a939a pluto[8293]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2024-01-24T02:13:19.911345+00:00 8c2aac6a939a pluto[8293]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
2024-01-24T02:13:19.911358+00:00 8c2aac6a939a pluto[8293]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
2024-01-24T02:13:19.911377+00:00 8c2aac6a939a pluto[8293]: DH algorithms:
2024-01-24T02:13:19.911387+00:00 8c2aac6a939a pluto[8293]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
2024-01-24T02:13:19.911408+00:00 8c2aac6a939a pluto[8293]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
2024-01-24T02:13:19.911417+00:00 8c2aac6a939a pluto[8293]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
2024-01-24T02:13:19.911441+00:00 8c2aac6a939a pluto[8293]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
2024-01-24T02:13:19.911453+00:00 8c2aac6a939a pluto[8293]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
2024-01-24T02:13:19.911473+00:00 8c2aac6a939a pluto[8293]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
2024-01-24T02:13:19.911487+00:00 8c2aac6a939a pluto[8293]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
2024-01-24T02:13:19.911506+00:00 8c2aac6a939a pluto[8293]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
2024-01-24T02:13:19.911526+00:00 8c2aac6a939a pluto[8293]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
2024-01-24T02:13:19.911547+00:00 8c2aac6a939a pluto[8293]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
2024-01-24T02:13:19.911568+00:00 8c2aac6a939a pluto[8293]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
2024-01-24T02:13:19.911577+00:00 8c2aac6a939a pluto[8293]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
2024-01-24T02:13:19.911598+00:00 8c2aac6a939a pluto[8293]: IPCOMP algorithms:
2024-01-24T02:13:19.911609+00:00 8c2aac6a939a pluto[8293]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911629+00:00 8c2aac6a939a pluto[8293]: LZS IKEv1: IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911651+00:00 8c2aac6a939a pluto[8293]: LZJH IKEv1: IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911728+00:00 8c2aac6a939a pluto[8293]: testing CAMELLIA_CBC:
2024-01-24T02:13:19.911738+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 128-bit key
2024-01-24T02:13:19.911820+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 128-bit key
2024-01-24T02:13:19.911849+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 256-bit key
2024-01-24T02:13:19.911878+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 256-bit key
2024-01-24T02:13:19.911907+00:00 8c2aac6a939a pluto[8293]: testing AES_GCM_16:
2024-01-24T02:13:19.911913+00:00 8c2aac6a939a pluto[8293]: empty string
2024-01-24T02:13:19.911948+00:00 8c2aac6a939a pluto[8293]: one block
2024-01-24T02:13:19.911975+00:00 8c2aac6a939a pluto[8293]: two blocks
2024-01-24T02:13:19.912001+00:00 8c2aac6a939a pluto[8293]: two blocks with associated data
2024-01-24T02:13:19.912027+00:00 8c2aac6a939a pluto[8293]: testing AES_CTR:
2024-01-24T02:13:19.912033+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912061+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912089+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912118+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912144+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912173+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912201+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912228+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912256+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912285+00:00 8c2aac6a939a pluto[8293]: testing AES_CBC:
2024-01-24T02:13:19.912291+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912319+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912349+00:00 8c2aac6a939a pluto[8293]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912378+00:00 8c2aac6a939a pluto[8293]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912420+00:00 8c2aac6a939a pluto[8293]: testing AES_XCBC:
2024-01-24T02:13:19.912432+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2024-01-24T02:13:19.912547+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2024-01-24T02:13:19.912669+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2024-01-24T02:13:19.912797+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2024-01-24T02:13:19.912942+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2024-01-24T02:13:19.913060+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2024-01-24T02:13:19.913179+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2024-01-24T02:13:19.913452+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2024-01-24T02:13:19.913569+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2024-01-24T02:13:19.913695+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2024-01-24T02:13:19.913915+00:00 8c2aac6a939a pluto[8293]: testing HMAC_MD5:
2024-01-24T02:13:19.913926+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 1
2024-01-24T02:13:19.914099+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 2
2024-01-24T02:13:19.914240+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 3
2024-01-24T02:13:19.914380+00:00 8c2aac6a939a pluto[8293]: testing HMAC_SHA1:
2024-01-24T02:13:19.914390+00:00 8c2aac6a939a pluto[8293]: CAVP: IKEv2 key derivation with HMAC-SHA1
2024-01-24T02:13:19.914780+00:00 8c2aac6a939a pluto[8293]: 8 CPU cores online
2024-01-24T02:13:19.914794+00:00 8c2aac6a939a pluto[8293]: starting up 7 helper threads
2024-01-24T02:13:19.914844+00:00 8c2aac6a939a pluto[8293]: started thread for helper 0
2024-01-24T02:13:19.914882+00:00 8c2aac6a939a pluto[8293]: helper(1) seccomp security for helper not supported
2024-01-24T02:13:19.914898+00:00 8c2aac6a939a pluto[8293]: started thread for helper 1
2024-01-24T02:13:19.914918+00:00 8c2aac6a939a pluto[8293]: helper(2) seccomp security for helper not supported
2024-01-24T02:13:19.914945+00:00 8c2aac6a939a pluto[8293]: started thread for helper 2
2024-01-24T02:13:19.914975+00:00 8c2aac6a939a pluto[8293]: helper(3) seccomp security for helper not supported
2024-01-24T02:13:19.914987+00:00 8c2aac6a939a pluto[8293]: started thread for helper 3
2024-01-24T02:13:19.915013+00:00 8c2aac6a939a pluto[8293]: helper(4) seccomp security for helper not supported
2024-01-24T02:13:19.915023+00:00 8c2aac6a939a pluto[8293]: started thread for helper 4
2024-01-24T02:13:19.915058+00:00 8c2aac6a939a pluto[8293]: helper(5) seccomp security for helper not supported
2024-01-24T02:13:19.915082+00:00 8c2aac6a939a pluto[8293]: helper(6) seccomp security for helper not supported
2024-01-24T02:13:19.915104+00:00 8c2aac6a939a pluto[8293]: started thread for helper 5
2024-01-24T02:13:19.915145+00:00 8c2aac6a939a pluto[8293]: started thread for helper 6
2024-01-24T02:13:19.915162+00:00 8c2aac6a939a pluto[8293]: using Linux xfrm kernel support code on #1 SMP Sun Nov 14 00:51:12 UTC 2021
2024-01-24T02:13:19.915181+00:00 8c2aac6a939a pluto[8293]: helper(7) seccomp security for helper not supported
2024-01-24T02:13:19.915241+00:00 8c2aac6a939a pluto[8293]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2024-01-24T02:13:19.915517+00:00 8c2aac6a939a pluto[8293]: seccomp security not supported
2024-01-24T02:13:20.019211+00:00 8c2aac6a939a pluto[8293]: "l2tp-psk": added IKEv1 connection
2024-01-24T02:13:20.021139+00:00 8c2aac6a939a pluto[8293]: "xauth-psk": added IKEv1 connection
2024-01-24T02:13:20.021483+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": IKE SA proposals (connection add):
2024-01-24T02:13:20.021500+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-ECP_256
2024-01-24T02:13:20.021510+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021519+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 3:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021529+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 4:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021538+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 5:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021616+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": Child SA proposals (connection add):
2024-01-24T02:13:20.021629+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021637+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021645+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021653+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021660+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.026474+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": loaded private key matching left certificate 'xxxxx.com'
2024-01-24T02:13:20.026499+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": added IKEv2 connection
2024-01-24T02:13:20.026603+00:00 8c2aac6a939a pluto[8293]: listening for IKE messages
2024-01-24T02:13:20.026710+00:00 8c2aac6a939a pluto[8293]: Kernel supports NIC esp-hw-offload
2024-01-24T02:13:20.026807+00:00 8c2aac6a939a pluto[8293]: adding UDP interface eth0 172.20.0.2:500
2024-01-24T02:13:20.027059+00:00 8c2aac6a939a pluto[8293]: adding UDP interface eth0 172.20.0.2:4500
2024-01-24T02:13:20.027093+00:00 8c2aac6a939a pluto[8293]: adding UDP interface lo 127.0.0.1:500
2024-01-24T02:13:20.027121+00:00 8c2aac6a939a pluto[8293]: adding UDP interface lo 127.0.0.1:4500
2024-01-24T02:13:20.029636+00:00 8c2aac6a939a pluto[8293]: forgetting secrets
2024-01-24T02:13:20.029716+00:00 8c2aac6a939a pluto[8293]: loading secrets from "/etc/ipsec.secrets"
[root@host-192-168-200-181 ~]# nc -vz 192.168.200.181 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.
```

hwdsl2 commented 7 months ago

@wl2659297 When testing a UDP port with nc you must add the -u option; otherwise it tests a TCP port by default. Your earlier nc commands did not include that option. Note that testing UDP ports with nc is not really effective. Your log above does not record any client connection request, which means the client's connection requests did not reach the Docker container. I am not familiar with compose; please debug it further yourself.
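As an added example (not code from this issue or from the hwdsl2 project), the check below parses host-side `netstat -anp` output in the format posted above and states what a given `nc` invocation will actually hit: `nc -vz` probes TCP, so against the UDP-only docker-proxy listeners on 500/4500 it reports a refusal even though the VPN ports are published. The sample netstat lines are constructed from the thread; `parse_netstat`, `nc_probe_proto` and `diagnose_nc` are hypothetical names.

```python
"""Cross-check an nc probe against the listeners a host actually has, using
`netstat -anp` rows (Proto Recv-Q Send-Q Local Foreign [State] PID/Program)."""
from dataclasses import dataclass

# Constructed sample shaped like the host-side `netstat -anp | grep 500` output in the thread.
HOST_NETSTAT = """\
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           25856/docker-proxy
udp        0      0 0.0.0.0:500             0.0.0.0:*                           25877/docker-proxy
udp6       0      0 :::4500                 :::*                                25862/docker-proxy
udp6       0      0 :::500                  :::*                                25884/docker-proxy
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"; the IPv6 variants are normalised to these
    addr: str
    port: int
    program: str


def parse_netstat(text: str) -> list:
    """Parse tcp/udp rows of `netstat -anp`; header and unix-socket rows are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = parts[3].rpartition(":")  # handles ':::500' as well as '0.0.0.0:500'
        # The PID/Program column is always last; TCP rows carry a State column before it.
        program = parts[-1].split("/", 1)[1] if "/" in parts[-1] else "-"
        listeners.append(Listener(parts[0].rstrip("6"), addr, int(port), program))
    return listeners


def nc_probe_proto(nc_args: list) -> str:
    """nc probes TCP unless -u is given (possibly bundled, as in `nc -vzu`)."""
    for arg in nc_args:
        if arg.startswith("-") and not arg.startswith("--") and "u" in arg[1:]:
            return "udp"
    return "tcp"


def diagnose_nc(listeners: list, nc_args: list) -> str:
    """Explain what an nc invocation (flags, host, port) will reach on this host."""
    proto = nc_probe_proto(nc_args)
    port = int(nc_args[-1])
    same_port = [l for l in listeners if l.port == port]
    if not same_port:
        return f"no listener on port {port}: the port is not published on the host"
    match = [l for l in same_port if l.proto == proto]
    if match:
        return f"{proto}/{port} is bound by {match[0].program} on {match[0].addr}"
    other = ", ".join(sorted({l.proto for l in same_port}))
    return (f"port {port} is bound only as {other}; a {proto} probe is refused "
            f"even though the listener is up (add -u to nc for UDP)")


if __name__ == "__main__":
    ls = parse_netstat(HOST_NETSTAT)
    print(diagnose_nc(ls, ["-vz", "192.168.200.181", "500"]))   # the thread's failing probe
    print(diagnose_nc(ls, ["-vzu", "192.168.200.181", "500"]))  # the corrected probe
```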

wl2659297 commented 7 months ago

It works now. Thank you. I was not familiar with the nc command, sorry.