How to setting ikev2.conf on docker image for support sctp protocol

[andy112233445566]

Checklist

• [V] I read the README
• [V] I read the Important notes
• [V] I followed instructions to configure VPN clients
• [V] I checked IKEv1 troubleshooting, IKEv2 troubleshooting, enabled logs and checked VPN status
• [V] I searched existing Issues
• This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue

ENV:

1. two ubuntu22.04 (5.15.0-76-generic) host link directly
2. using ikev2 and ikev2.conf only change for server ip: 7.7.7.2

test 1: ping via ipsec success
using ping 5.5.5.2 from ipsec client to ipsec server side, VPN work success, i can check docker container interface eth0:172.17.0.2 forward packet to 5.5.5.2, like below:

test 2: sctp via ipsec fail
using lksctp-tools for test, but can not capture packet on docker container interface eth0, only get sctp packet on host interface, like below:
(1). server side:
command: "sctp_darn -H 0 -P 2500 -l" for listen
(2). client side:
command: "sctp_darn -H 0 -P 2600 -h 5.5.5.2 -p 2500 -s"

docker ikev2.conf:

do you have any suggest for config to support sctp, Thanks.

[hwdsl2]

@andy112233445566 Hello! Thanks for providing the details in this issue. I am not familiar with SCTP, but it looks like SCTP might have some issues with IPsec VPNs [1]. I did a quick web search and this article [2] might help your use case. More specifically, in order for IPTables in the IPsec VPN container to properly forward SCTP traffic, you'll need to load a kernel module:

modprobe nf_conntrack_proto_sctp

Restart the Docker container after that. Re-connect and check if the issue is resolved.

If loading the kernel module on the Docker host doesn't help, you can try loading it from inside the container.

[1] https://lists.strongswan.org/pipermail/users/2012-September/003618.html
[2] https://serverfault.com/questions/720897/iptables-nat-not-work-for-sctp