search

hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server
Other
6.37k stars 1.38k forks source link

能够连接上VPN但是无法访问内网地址或者外网地址 #445

Closed microzhang716 closed 3 weeks ago

microzhang716 commented 3 weeks ago

问题描述 能够连接上VPN但是无法访问内网地址或者外网地址,路由器通过端口转发了500和4500的端口信息到IPSEC的服务器,ipsec的服务的运行脚本如下:

version: '3'
services:
  vpn:
    image: hwdsl2/ipsec-vpn-server
    container_name: 'ipsec-vpn-server'
    restart: always
    env_file:
      - $DOCKER_ROOT/ipsec-vpn-server/config/ipsec_config.env
    volumes:
      - $DOCKER_ROOT/ipsec-vpn-server/ikev2-vpn-data:/etc/ipsec.d
      - /lib/modules:/lib/modules:ro
    network_mode: host
    privileged: true

期待的正确结果 希望连接上VPN后,能够正常访问内网IP的设备或者路由器网页以及外部网站

日志 lopenwrt的配置信息 其他配置均为默认配置,只是配置了端口转发功能,配置如下所示 image

lIPSec服务连接日志信息 image

lIPSEC所在服务器的网络情况 服务器的访问网络信息均正常 image

l服务器防火墙信息

microzhang@lite:~$ sudo ufw status
Status: inactive
microzhang@lite:~$

服务器信息(请填写以下信息)

客户端信息(请填写以下信息)

补充OpenWRT中的防火墙配置信息

IPSEC服务是部署在内网的Ubuntu机器上,OpenWrt中Docker没有任何功能在启用

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option fullcone '1'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config nat 'docker_nat'
    option name 'DockerNAT'
    option proto 'all'
    option src 'lan'
    option target 'MASQUERADE'
    option extra '-i docker0'

config rule 'linkease'
    option name 'linkease'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '8897'

config zone 'docker'
    option name 'docker'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option auto_helper '0'
    list device 'docker0'

config forwarding 'docker_to_wan'
    option src 'docker'
    option dest 'wan'

config forwarding 'docker_to_lan'
    option src 'docker'
    option dest 'lan'

config forwarding 'lan_to_docker'
    option src 'lan'
    option dest 'docker'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'VPN'
    list proto 'udp'
    option src 'wan'
    option src_dport '500'
    option dest_port '500'
    option dest_ip '192.168.50.117'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'VPN'
    list proto 'udp'
    option src 'wan'
    option src_dport '4500'
    option dest_port '4500'
    option dest_ip '192.168.50.117'

config rule 'kms'
    option name 'kms'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '1688'

config include 'passwall'
    option type 'script'
    option path '/var/etc/passwall.include'
    option reload '1'

config include 'passwall_server'
    option type 'script'
    option path '/var/etc/passwall_server.include'
    option reload '1'

config include 'unblockneteasemusic'
    option type 'script'
    option path '/var/run/unblockneteasemusic/fw3.include'
    option reload '1'

Android设备连接相关日志信息

Aug 21 00:19:37 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Aug 21 00:19:37 00[DMN] Starting IKE service (strongSwan 5.9.14, Android 14 - UKQ1.230804.001 release-keys/2024-06-01, 23117RK66C - Redmi/manet/Xiaomi, Linux 6.1.57-android14-11-gd8b333a26dfd-ab11564698, aarch64, org.strongswan.android)
Aug 21 00:19:37 00[LIB] providers loaded by OpenSSL: default legacy
Aug 21 00:19:37 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Aug 21 00:19:37 00[JOB] spawning 16 worker threads
Aug 21 00:19:37 13[CFG] loaded user certificate 'CN=vpnclient, O=IKEv2 VPN' and private key
Aug 21 00:19:37 13[CFG] loaded CA certificate 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Aug 21 00:19:37 13[IKE] initiating IKE_SA android[17] to 113.110.220.145
Aug 21 00:19:37 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 21 00:19:37 13[NET] sending packet: from 10.5.2.214[44691] to 113.110.220.145[500] (464 bytes)
Aug 21 00:19:37 14[NET] received packet: from 113.110.220.145[500] to 10.5.2.214[44691] (487 bytes)
Aug 21 00:19:37 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(HASH_ALG) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) CERTREQ ]
Aug 21 00:19:37 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 21 00:19:37 14[IKE] local host is behind NAT, sending keep alives
Aug 21 00:19:37 14[IKE] remote host is behind NAT
Aug 21 00:19:37 14[IKE] received cert request for "CN=IKEv2 VPN CA, O=IKEv2 VPN"
Aug 21 00:19:37 14[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szigno.hu"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert, Inc., CN=DigiCert TLS RSA4096 Root G5"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TN, O=Agence Nationale de Certification Electronique, CN=TunTrust Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root R46"
Aug 21 00:19:37 14[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Certainly, CN=Certainly Root R1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P384 Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Microsoft Corporation, CN=Microsoft ECC Root Certificate Authority 2017"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Aug 21 00:19:37 14[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Aug 21 00:19:37 14[IKE] sending cert request for "OU=GlobalSign Root CA - R6, O=GlobalSign, CN=GlobalSign"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2015 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G4"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
Aug 21 00:19:37 14[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST EV Root CA 1 2020"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign Root CA - C1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=iTrusChina Co.,Ltd., CN=vTrus Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=AT, O=e-commerce monitoring GmbH, CN=GLOBALTRUST 2020"
Aug 21 00:19:37 14[IKE] sending cert request for "C=RO, O=CERTSIGN SA, OU=certSIGN ROOT CA G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert, Inc., CN=DigiCert TLS ECC P384 Root G5"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS RSA Root CA 2021"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=Ceres, 55:04:61=VATES-Q2826004J, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Aug 21 00:19:37 14[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
Aug 21 00:19:37 14[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Aug 21 00:19:37 14[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign Root CA - G1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root E46"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GC CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum Trusted Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=KR, O=NAVER BUSINESS PLATFORM Corp., CN=NAVER Global Root Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
Aug 21 00:19:37 14[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Global G2 Root"
Aug 21 00:19:37 14[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Aug 21 00:19:37 14[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
Aug 21 00:19:37 14[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
Aug 21 00:19:37 14[IKE] sending cert request for "C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign ECC Root CA - G3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Aug 21 00:19:37 14[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R4"
Aug 21 00:19:37 14[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum EC-384 CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., CN=HiPKI Root CA - G1"
Aug 21 00:19:37 14[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Aug 21 00:19:37 14[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=FI, O=Telia Finland Oyj, CN=Telia Root CA v2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Extended Validation Root"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Certainly, CN=Certainly Root E1"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign ECC Root CA - C3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Microsoft Corporation, CN=Microsoft RSA Root Certificate Authority 2017"
Aug 21 00:19:37 14[IKE] sending cert request for "serialNumber=G63287510, C=ES, O=ANF Autoridad de Certificacion, OU=ANF CA Raiz, CN=ANF Secure Server Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS ECC Root CA 2021"
Aug 21 00:19:37 14[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., 55:04:61=VATHU-23584497, CN=e-Szigno Root CA 2017"
Aug 21 00:19:37 14[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
Aug 21 00:19:37 14[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=CN, O=iTrusChina Co.,Ltd., CN=vTrus ECC Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P256 Certification Authority"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST BR Root CA 1 2020"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Aug 21 00:19:37 14[IKE] sending cert request for "C=HK, ST=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Aug 21 00:19:37 14[IKE] sending cert request for "C=EN, O=AdGuard, CN=AdGuard Personal CA"
Aug 21 00:19:37 14[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Aug 21 00:19:37 14[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
Aug 21 00:19:37 14[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Aug 21 00:19:37 14[IKE] sending cert request for "CN=IKEv2 VPN CA, O=IKEv2 VPN"
Aug 21 00:19:37 14[IKE] authentication of 'CN=vpnclient, O=IKEv2 VPN' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful
Aug 21 00:19:37 14[IKE] sending end entity cert "CN=vpnclient, O=IKEv2 VPN"
Aug 21 00:19:37 14[IKE] establishing CHILD_SA android{17}
Aug 21 00:19:37 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 21 00:19:37 14[ENC] splitting IKE message (4592 bytes) into 4 fragments
Aug 21 00:19:37 14[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Aug 21 00:19:37 14[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Aug 21 00:19:37 14[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Aug 21 00:19:37 14[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Aug 21 00:19:37 14[NET] sending packet: from 10.5.2.214[40138] to 113.110.220.145[4500] (1364 bytes)
Aug 21 00:19:37 14[NET] sending packet: from 10.5.2.214[40138] to 113.110.220.145[4500] (1364 bytes)
Aug 21 00:19:37 14[NET] sending packet: from 10.5.2.214[40138] to 113.110.220.145[4500] (1364 bytes)
Aug 21 00:19:37 14[NET] sending packet: from 10.5.2.214[40138] to 113.110.220.145[4500] (708 bytes)
Aug 21 00:19:37 05[NET] received packet: from 113.110.220.145[4500] to 10.5.2.214[40138] (532 bytes)
Aug 21 00:19:37 05[ENC] parsed IKE_AUTH response 1 [ EF(1/4) ]
Aug 21 00:19:37 05[ENC] received fragment hwdsl2/setup-ipsec-vpn#1 of 4, waiting for complete IKE message
Aug 21 00:19:37 06[NET] received packet: from 113.110.220.145[4500] to 10.5.2.214[40138] (532 bytes)
Aug 21 00:19:37 06[ENC] parsed IKE_AUTH response 1 [ EF(2/4) ]
Aug 21 00:19:37 06[ENC] received fragment hwdsl2/setup-ipsec-vpn#2 of 4, waiting for complete IKE message
Aug 21 00:19:37 16[NET] received packet: from 113.110.220.145[4500] to 10.5.2.214[40138] (532 bytes)
Aug 21 00:19:37 16[ENC] parsed IKE_AUTH response 1 [ EF(3/4) ]
Aug 21 00:19:37 16[ENC] received fragment hwdsl2/setup-ipsec-vpn#3 of 4, waiting for complete IKE message
Aug 21 00:19:37 04[NET] received packet: from 113.110.220.145[4500] to 10.5.2.214[40138] (340 bytes)
Aug 21 00:19:37 04[ENC] parsed IKE_AUTH response 1 [ EF(4/4) ]
Aug 21 00:19:37 04[ENC] received fragment hwdsl2/setup-ipsec-vpn#4 of 4, reassembled fragmented IKE message (1728 bytes)
Aug 21 00:19:37 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
Aug 21 00:19:37 04[IKE] received end entity cert "CN=microzhang.com, O=IKEv2 VPN"
Aug 21 00:19:37 04[CFG]   using certificate "CN=microzhang.com, O=IKEv2 VPN"
Aug 21 00:19:37 04[CFG]   using trusted ca certificate "CN=IKEv2 VPN CA, O=IKEv2 VPN"
Aug 21 00:19:37 04[CFG]   reached self-signed root ca with a path length of 0
Aug 21 00:19:37 04[CFG] checking certificate status of "CN=microzhang.com, O=IKEv2 VPN"
Aug 21 00:19:37 04[CFG] certificate status is not available
Aug 21 00:19:37 04[IKE] authentication of 'microzhang.com' with RSA_EMSA_PSS_SHA2_256_SALT_32 successful
Aug 21 00:19:37 04[IKE] installing DNS server 8.8.8.8
Aug 21 00:19:37 04[IKE] installing DNS server 8.8.4.4
Aug 21 00:19:37 04[IKE] installing new virtual IP 192.168.43.10
Aug 21 00:19:37 04[IKE] IKE_SA android[17] established between 10.5.2.214[CN=vpnclient, O=IKEv2 VPN]...113.110.220.145[microzhang.com]
Aug 21 00:19:37 04[IKE] scheduling rekeying in 35773s
Aug 21 00:19:37 04[IKE] maximum IKE_SA lifetime 37573s
Aug 21 00:19:37 04[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Aug 21 00:19:37 04[IKE] CHILD_SA android{17} established with SPIs 11cc69bf_i 379637a4_o and TS 192.168.43.10/32 === 0.0.0.0/0
Aug 21 00:19:37 04[DMN] setting up TUN device for CHILD_SA android{17}
Aug 21 00:19:37 04[DMN] successfully created TUN device

docker中容器其他信息

lite:/opt/src# iptables -nvL; iptables -nvL -t nat
Chain INPUT (policy ACCEPT 3779 packets, 317K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
38301   11M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 4610  691K ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   120 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     0    --  ens34  ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  ppp+   ens34   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  ens34  *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
24713 1640K ACCEPT     0    --  *      ens34   192.168.43.0/24      0.0.0.0/0           
    0     0 ACCEPT     0    --  *      ppp+    192.168.43.0/24      0.0.0.0/0           
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 24042 packets, 3539K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 24878 packets, 1700K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 143 packets, 58163 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6226 packets, 449K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 6226 packets, 449K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      ens34   192.168.42.0/24      0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      ens34   192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
lite:/opt/src# ip route show
default via 192.168.50.1 dev ens34 proto dhcp src 192.168.50.117 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-de9c149f973b proto kernel scope link src 172.18.0.1 linkdown 
192.168.50.0/24 dev ens34 proto kernel scope link src 192.168.50.117 metric 100 
192.168.50.1 dev ens34 proto dhcp scope link src 192.168.50.117 metric 100
hwdsl2 commented 3 weeks ago

@microzhang716 你好!对于你的用例,服务器和客户端的连接日志均正常。问题应该是出在你的 Docker compose 的配置的这一行:

network_mode: host

该项配置启用了 host network 模式,参见这里。某些 Docker 主机操作系统,比如 Debian 10,不能使用 host network 模式运行本镜像,因为它们使用 nftables,而本镜像使用 legacy IPTables,这可能导致添加的 IPTables 规则无法起作用,从而无法正确转发流量。

要解决该问题,你可以尝试去掉上述行,并且添加 UDP 500 和 4500 的端口映射,参见示例配置。完成后必须重新创建 Docker 容器以生效。可能还需要重启 Docker 主机。