This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself
Describe the issue
ENV:
Two Ubuntu 22.04 (5.15.0-76-generic) hosts, linked directly.
Using IKEv2; ikev2.conf is only changed for the server IP: 7.7.7.2
Test 1: ping via IPsec succeeds
Using ping 5.5.5.2 from the IPsec client to the IPsec server side, the VPN works successfully. I can see the Docker container interface eth0 (172.17.0.2) forward packets to 5.5.5.2, like below:
Test 2: SCTP via IPsec fails
Using lksctp-tools for the test, I cannot capture packets on the Docker container interface eth0; I only get SCTP packets on the host interface, like below:
(1). server side:
command: "sctp_darn -H 0 -P 2500 -l" for listen
(2). client side:
command: "sctp_darn -H 0 -P 2600 -h 5.5.5.2 -p 2500 -s"
docker ikev2.conf:
Do you have any suggestions for a config to support SCTP? Thanks.
@andy112233445566 Hello! Thanks for providing the details in this issue. I am not familiar with SCTP, but it looks like SCTP might have some issues with IPsec VPNs [1]. I did a quick web search and this article [2] might help your use case. More specifically, in order for IPTables in the IPsec VPN container to properly forward SCTP traffic, you'll need to load a kernel module:
modprobe nf_conntrack_proto_sctp
Restart the Docker container after that. Re-connect and check if the issue is resolved.
If loading the kernel module on the Docker host doesn't help, you can try loading it from inside the container.
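A check that can be run before and after the `modprobe` step suggested above, as an added example that is not part of the original thread: it reports whether SCTP connection tracking is compiled into the kernel, loaded as a module, loadable, or absent. The function name `sctp_ct_status` and all sample file contents are constructed for illustration; it assumes a kernel config file such as `/boot/config-$(uname -r)` and a `/proc/modules`-style listing as inputs.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the issue thread).
# sctp_ct_status CONFIG_FILE MODULES_FILE
# Prints one of: builtin, core-not-loaded, loaded, loadable, missing
sctp_ct_status() {
    cfg=$1 mods=$2
    # opt NAME -> prints y or m if the option is set that way in the config
    opt() { sed -n "s/^$1=\([ym]\)\$/\1/p" "$cfg" 2>/dev/null; }
    # has_mod NAME -> true if the module is listed as loaded
    has_mod() { grep -q "^$1 " "$mods" 2>/dev/null; }

    case $(opt CONFIG_NF_CT_PROTO_SCTP) in
    y)  # Tracker is compiled into nf_conntrack; there is no separate module
        if [ "$(opt CONFIG_NF_CONNTRACK)" = y ] || has_mod nf_conntrack; then
            echo builtin
        else
            echo core-not-loaded    # fix: modprobe nf_conntrack
        fi ;;
    m)  if has_mod nf_conntrack_proto_sctp; then
            echo loaded
        else
            echo loadable           # fix: modprobe nf_conntrack_proto_sctp
        fi ;;
    *)  echo missing ;;             # kernel built without SCTP tracking
    esac
}

# Constructed sample inputs (not taken from the issue): three kernel builds,
# each checked against a host where only nf_conntrack is loaded.
d=$(mktemp -d)
printf 'CONFIG_NF_CONNTRACK=m\nCONFIG_NF_CT_PROTO_SCTP=y\n' > "$d/cfg_y"
printf 'CONFIG_NF_CONNTRACK=m\nCONFIG_NF_CT_PROTO_SCTP=m\n' > "$d/cfg_m"
printf '# CONFIG_NF_CT_PROTO_SCTP is not set\n' > "$d/cfg_off"
printf 'nf_conntrack 172032 3 xt_conntrack, Live 0x0\n' > "$d/mods"
for c in cfg_y cfg_m cfg_off; do
    printf '%s: %s\n' "$c" "$(sctp_ct_status "$d/$c" "$d/mods")"
done
rm -rf "$d"
```

On the Docker host, call it as `sctp_ct_status "/boot/config-$(uname -r)" /proc/modules`. A result of `builtin` means there is no separate `nf_conntrack_proto_sctp` module to load on that kernel.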