nc command on the host cannot connect to ports 500 and 4500 #414

Closed
wl2659297 opened this issue Jan 23, 2024 · 6 comments

Comments

@wl2659297

wl2659297 commented Jan 23, 2024

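Started with docker compose. After installing the vpnclient.mobileconfig file on an iPhone 15, it cannot connect to the VPN.
I then tested the ports on the host, and the host cannot connect to ports 500 and 4500 either.

docker-compose.yml file: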
version: '3'

services:
  ikev2:
    image: hwdsl2/ipsec-vpn-server
    container_name: ikev2
    restart: always
    environment:
      - VPN_DNS_NAME=xxxxxxxxx
      - VPN_IPSEC_PSK=123456789
      - VPN_USER=xxxxxxx
      - VPN_PASSWORD=xxxxxxxx
    privileged: true
    volumes:
      - /data/ikev2:/etc/ipsec.d
      - /lib/modules:/lib/modules:ro
    ports:
      - "500:500/udp"
      - "4500:4500/udp"

Ports on the host:
[root@host-192-168-200-181 ikev2]# netstat -anp|grep 500
udp 0 0 0.0.0.0:4500 0.0.0.0:* 25856/docker-proxy
udp 0 0 0.0.0.0:500 0.0.0.0:* 25877/docker-proxy
udp6 0 0 :::4500 :::* 25862/docker-proxy
udp6 0 0 :::500 :::* 25884/docker-proxy

Ports inside the container:
[root@host-192-168-200-181 ikev2]# docker exec -it ikev2 netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:37575 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.1:500 0.0.0.0:* 466/pluto
udp 0 0 172.19.0.2:500 0.0.0.0:* 466/pluto
udp 0 0 0.0.0.0:1701 0.0.0.0:* 1/xl2tpd
udp 0 0 127.0.0.1:4500 0.0.0.0:* 466/pluto
udp 0 0 172.19.0.2:4500 0.0.0.0:* 466/pluto
udp 0 0 127.0.0.11:45821 0.0.0.0:* -

Host operating system:
[root@host-192-168-200-181 ikev2]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"

Host firewall is disabled:
[root@host-192-168-200-181 ikev2]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

Running the nc command on the host:
[root@host-192-168-200-181 ikev2]# nc -vz 127.0.0.1 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.
[root@host-192-168-200-181 ikev2]#
[root@host-192-168-200-181 ikev2]# nc -vz 127.0.0.1 4500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.

Neither 500 nor 4500 can be connected to.

Where is the problem?

@wl2659297
Author

image
Inside the container, the nc command can connect to ports 500 and 4500.

@hwdsl2
Owner

hwdsl2 commented Jan 23, 2024

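@wl2659297 Hello! When running the nc command on the host, do not use the 127.0.0.1 IP address; please test with the host's private or public IP address. This is because the host may accept UDP 500 and 4500 traffic through the IPTables NAT rules added by Docker, and testing with 127.0.0.1 bypasses those rules, so it does not work.

If you cannot connect, you can enable and check the logs.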

@hwdsl2 hwdsl2 closed this as completed Jan 23, 2024
@wl2659297
Author

[root@host-192-168-200-181 ~]# nc -vz 192.168.200.181 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.

Hello, it is the same when using the host IP. It cannot connect.
I have also added the net.ipv4.ip_forward=1 parameter, and restarted docker as well.

@wl2659297
Author

[root@host-192-168-200-181 ~]# docker exec -it ikev2 grep pluto /var/log/auth.log
2024-01-24T02:13:18.796771+00:00 8c2aac6a939a pluto[464]: Pluto is shutting down
2024-01-24T02:13:18.797396+00:00 8c2aac6a939a pluto[464]: forgetting secrets
2024-01-24T02:13:18.797447+00:00 8c2aac6a939a pluto[464]: shutting down interface lo 127.0.0.1:4500
2024-01-24T02:13:18.797463+00:00 8c2aac6a939a pluto[464]: shutting down interface lo 127.0.0.1:500
2024-01-24T02:13:18.797475+00:00 8c2aac6a939a pluto[464]: shutting down interface eth0 172.20.0.2:4500
2024-01-24T02:13:18.797484+00:00 8c2aac6a939a pluto[464]: shutting down interface eth0 172.20.0.2:500
2024-01-24T02:13:19.907342+00:00 8c2aac6a939a pluto[8293]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
2024-01-24T02:13:19.910399+00:00 8c2aac6a939a pluto[8293]: FIPS Mode: NO
2024-01-24T02:13:19.910420+00:00 8c2aac6a939a pluto[8293]: NSS crypto library initialized
2024-01-24T02:13:19.910460+00:00 8c2aac6a939a pluto[8293]: FIPS mode disabled for pluto daemon
2024-01-24T02:13:19.910466+00:00 8c2aac6a939a pluto[8293]: FIPS HMAC integrity support [disabled]
2024-01-24T02:13:19.910612+00:00 8c2aac6a939a pluto[8293]: libcap-ng support [enabled]
2024-01-24T02:13:19.910625+00:00 8c2aac6a939a pluto[8293]: Linux audit support [disabled]
2024-01-24T02:13:19.910633+00:00 8c2aac6a939a pluto[8293]: Starting Pluto (Libreswan Version 4.12 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8293
2024-01-24T02:13:19.910640+00:00 8c2aac6a939a pluto[8293]: core dump dir: /run/pluto
2024-01-24T02:13:19.910646+00:00 8c2aac6a939a pluto[8293]: secrets file: /etc/ipsec.secrets
2024-01-24T02:13:19.910652+00:00 8c2aac6a939a pluto[8293]: leak-detective disabled
2024-01-24T02:13:19.910658+00:00 8c2aac6a939a pluto[8293]: NSS crypto [enabled]
2024-01-24T02:13:19.910663+00:00 8c2aac6a939a pluto[8293]: XAUTH PAM support [enabled]
2024-01-24T02:13:19.910680+00:00 8c2aac6a939a pluto[8293]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
2024-01-24T02:13:19.910751+00:00 8c2aac6a939a pluto[8293]: NAT-Traversal support [enabled]
2024-01-24T02:13:19.910915+00:00 8c2aac6a939a pluto[8293]: Encryption algorithms:
2024-01-24T02:13:19.910933+00:00 8c2aac6a939a pluto[8293]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
2024-01-24T02:13:19.910943+00:00 8c2aac6a939a pluto[8293]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
2024-01-24T02:13:19.910953+00:00 8c2aac6a939a pluto[8293]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
2024-01-24T02:13:19.910965+00:00 8c2aac6a939a pluto[8293]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
2024-01-24T02:13:19.910974+00:00 8c2aac6a939a pluto[8293]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
2024-01-24T02:13:19.910983+00:00 8c2aac6a939a pluto[8293]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
2024-01-24T02:13:19.910993+00:00 8c2aac6a939a pluto[8293]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
2024-01-24T02:13:19.911002+00:00 8c2aac6a939a pluto[8293]: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
2024-01-24T02:13:19.911011+00:00 8c2aac6a939a pluto[8293]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
2024-01-24T02:13:19.911020+00:00 8c2aac6a939a pluto[8293]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
2024-01-24T02:13:19.911028+00:00 8c2aac6a939a pluto[8293]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
2024-01-24T02:13:19.911038+00:00 8c2aac6a939a pluto[8293]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
2024-01-24T02:13:19.911045+00:00 8c2aac6a939a pluto[8293]: NULL [] IKEv1: ESP IKEv2: ESP
2024-01-24T02:13:19.911054+00:00 8c2aac6a939a pluto[8293]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
2024-01-24T02:13:19.911060+00:00 8c2aac6a939a pluto[8293]: Hash algorithms:
2024-01-24T02:13:19.911068+00:00 8c2aac6a939a pluto[8293]: MD5 IKEv1: IKE IKEv2: NSS
2024-01-24T02:13:19.911075+00:00 8c2aac6a939a pluto[8293]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
2024-01-24T02:13:19.911083+00:00 8c2aac6a939a pluto[8293]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
2024-01-24T02:13:19.911091+00:00 8c2aac6a939a pluto[8293]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
2024-01-24T02:13:19.911098+00:00 8c2aac6a939a pluto[8293]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
2024-01-24T02:13:19.911105+00:00 8c2aac6a939a pluto[8293]: IDENTITY IKEv1: IKEv2: FIPS
2024-01-24T02:13:19.911111+00:00 8c2aac6a939a pluto[8293]: PRF algorithms:
2024-01-24T02:13:19.911130+00:00 8c2aac6a939a pluto[8293]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
2024-01-24T02:13:19.911139+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
2024-01-24T02:13:19.911153+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
2024-01-24T02:13:19.911166+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
2024-01-24T02:13:19.911182+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
2024-01-24T02:13:19.911195+00:00 8c2aac6a939a pluto[8293]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
2024-01-24T02:13:19.911216+00:00 8c2aac6a939a pluto[8293]: Integrity algorithms:
2024-01-24T02:13:19.911226+00:00 8c2aac6a939a pluto[8293]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
2024-01-24T02:13:19.911250+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
2024-01-24T02:13:19.911261+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
2024-01-24T02:13:19.911281+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
2024-01-24T02:13:19.911292+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
2024-01-24T02:13:19.911311+00:00 8c2aac6a939a pluto[8293]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
2024-01-24T02:13:19.911322+00:00 8c2aac6a939a pluto[8293]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
2024-01-24T02:13:19.911345+00:00 8c2aac6a939a pluto[8293]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
2024-01-24T02:13:19.911358+00:00 8c2aac6a939a pluto[8293]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
2024-01-24T02:13:19.911377+00:00 8c2aac6a939a pluto[8293]: DH algorithms:
2024-01-24T02:13:19.911387+00:00 8c2aac6a939a pluto[8293]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
2024-01-24T02:13:19.911408+00:00 8c2aac6a939a pluto[8293]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
2024-01-24T02:13:19.911417+00:00 8c2aac6a939a pluto[8293]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
2024-01-24T02:13:19.911441+00:00 8c2aac6a939a pluto[8293]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
2024-01-24T02:13:19.911453+00:00 8c2aac6a939a pluto[8293]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
2024-01-24T02:13:19.911473+00:00 8c2aac6a939a pluto[8293]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
2024-01-24T02:13:19.911487+00:00 8c2aac6a939a pluto[8293]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
2024-01-24T02:13:19.911506+00:00 8c2aac6a939a pluto[8293]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
2024-01-24T02:13:19.911526+00:00 8c2aac6a939a pluto[8293]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
2024-01-24T02:13:19.911547+00:00 8c2aac6a939a pluto[8293]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
2024-01-24T02:13:19.911568+00:00 8c2aac6a939a pluto[8293]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
2024-01-24T02:13:19.911577+00:00 8c2aac6a939a pluto[8293]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
2024-01-24T02:13:19.911598+00:00 8c2aac6a939a pluto[8293]: IPCOMP algorithms:
2024-01-24T02:13:19.911609+00:00 8c2aac6a939a pluto[8293]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911629+00:00 8c2aac6a939a pluto[8293]: LZS IKEv1: IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911651+00:00 8c2aac6a939a pluto[8293]: LZJH IKEv1: IKEv2: ESP AH FIPS
2024-01-24T02:13:19.911728+00:00 8c2aac6a939a pluto[8293]: testing CAMELLIA_CBC:
2024-01-24T02:13:19.911738+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 128-bit key
2024-01-24T02:13:19.911820+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 128-bit key
2024-01-24T02:13:19.911849+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 256-bit key
2024-01-24T02:13:19.911878+00:00 8c2aac6a939a pluto[8293]: Camellia: 16 bytes with 256-bit key
2024-01-24T02:13:19.911907+00:00 8c2aac6a939a pluto[8293]: testing AES_GCM_16:
2024-01-24T02:13:19.911913+00:00 8c2aac6a939a pluto[8293]: empty string
2024-01-24T02:13:19.911948+00:00 8c2aac6a939a pluto[8293]: one block
2024-01-24T02:13:19.911975+00:00 8c2aac6a939a pluto[8293]: two blocks
2024-01-24T02:13:19.912001+00:00 8c2aac6a939a pluto[8293]: two blocks with associated data
2024-01-24T02:13:19.912027+00:00 8c2aac6a939a pluto[8293]: testing AES_CTR:
2024-01-24T02:13:19.912033+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912061+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912089+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 128-bit key
2024-01-24T02:13:19.912118+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912144+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912173+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 192-bit key
2024-01-24T02:13:19.912201+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912228+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912256+00:00 8c2aac6a939a pluto[8293]: Encrypting 36 octets using AES-CTR with 256-bit key
2024-01-24T02:13:19.912285+00:00 8c2aac6a939a pluto[8293]: testing AES_CBC:
2024-01-24T02:13:19.912291+00:00 8c2aac6a939a pluto[8293]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912319+00:00 8c2aac6a939a pluto[8293]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912349+00:00 8c2aac6a939a pluto[8293]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912378+00:00 8c2aac6a939a pluto[8293]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
2024-01-24T02:13:19.912420+00:00 8c2aac6a939a pluto[8293]: testing AES_XCBC:
2024-01-24T02:13:19.912432+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
2024-01-24T02:13:19.912547+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
2024-01-24T02:13:19.912669+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
2024-01-24T02:13:19.912797+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
2024-01-24T02:13:19.912942+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
2024-01-24T02:13:19.913060+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
2024-01-24T02:13:19.913179+00:00 8c2aac6a939a pluto[8293]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
2024-01-24T02:13:19.913452+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
2024-01-24T02:13:19.913569+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
2024-01-24T02:13:19.913695+00:00 8c2aac6a939a pluto[8293]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
2024-01-24T02:13:19.913915+00:00 8c2aac6a939a pluto[8293]: testing HMAC_MD5:
2024-01-24T02:13:19.913926+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 1
2024-01-24T02:13:19.914099+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 2
2024-01-24T02:13:19.914240+00:00 8c2aac6a939a pluto[8293]: RFC 2104: MD5_HMAC test 3
2024-01-24T02:13:19.914380+00:00 8c2aac6a939a pluto[8293]: testing HMAC_SHA1:
2024-01-24T02:13:19.914390+00:00 8c2aac6a939a pluto[8293]: CAVP: IKEv2 key derivation with HMAC-SHA1
2024-01-24T02:13:19.914780+00:00 8c2aac6a939a pluto[8293]: 8 CPU cores online
2024-01-24T02:13:19.914794+00:00 8c2aac6a939a pluto[8293]: starting up 7 helper threads
2024-01-24T02:13:19.914844+00:00 8c2aac6a939a pluto[8293]: started thread for helper 0
2024-01-24T02:13:19.914882+00:00 8c2aac6a939a pluto[8293]: helper(1) seccomp security for helper not supported
2024-01-24T02:13:19.914898+00:00 8c2aac6a939a pluto[8293]: started thread for helper 1
2024-01-24T02:13:19.914918+00:00 8c2aac6a939a pluto[8293]: helper(2) seccomp security for helper not supported
2024-01-24T02:13:19.914945+00:00 8c2aac6a939a pluto[8293]: started thread for helper 2
2024-01-24T02:13:19.914975+00:00 8c2aac6a939a pluto[8293]: helper(3) seccomp security for helper not supported
2024-01-24T02:13:19.914987+00:00 8c2aac6a939a pluto[8293]: started thread for helper 3
2024-01-24T02:13:19.915013+00:00 8c2aac6a939a pluto[8293]: helper(4) seccomp security for helper not supported
2024-01-24T02:13:19.915023+00:00 8c2aac6a939a pluto[8293]: started thread for helper 4
2024-01-24T02:13:19.915058+00:00 8c2aac6a939a pluto[8293]: helper(5) seccomp security for helper not supported
2024-01-24T02:13:19.915082+00:00 8c2aac6a939a pluto[8293]: helper(6) seccomp security for helper not supported
2024-01-24T02:13:19.915104+00:00 8c2aac6a939a pluto[8293]: started thread for helper 5
2024-01-24T02:13:19.915145+00:00 8c2aac6a939a pluto[8293]: started thread for helper 6
2024-01-24T02:13:19.915162+00:00 8c2aac6a939a pluto[8293]: using Linux xfrm kernel support code on #1 SMP Sun Nov 14 00:51:12 UTC 2021
2024-01-24T02:13:19.915181+00:00 8c2aac6a939a pluto[8293]: helper(7) seccomp security for helper not supported
2024-01-24T02:13:19.915241+00:00 8c2aac6a939a pluto[8293]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
2024-01-24T02:13:19.915517+00:00 8c2aac6a939a pluto[8293]: seccomp security not supported
2024-01-24T02:13:20.019211+00:00 8c2aac6a939a pluto[8293]: "l2tp-psk": added IKEv1 connection
2024-01-24T02:13:20.021139+00:00 8c2aac6a939a pluto[8293]: "xauth-psk": added IKEv1 connection
2024-01-24T02:13:20.021483+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": IKE SA proposals (connection add):
2024-01-24T02:13:20.021500+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-ECP_256
2024-01-24T02:13:20.021510+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021519+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 3:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021529+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 4:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021538+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 5:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
2024-01-24T02:13:20.021616+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": Child SA proposals (connection add):
2024-01-24T02:13:20.021629+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021637+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021645+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021653+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.021660+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
2024-01-24T02:13:20.026474+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": loaded private key matching left certificate 'xxxxx.com'
2024-01-24T02:13:20.026499+00:00 8c2aac6a939a pluto[8293]: "ikev2-cp": added IKEv2 connection
2024-01-24T02:13:20.026603+00:00 8c2aac6a939a pluto[8293]: listening for IKE messages
2024-01-24T02:13:20.026710+00:00 8c2aac6a939a pluto[8293]: Kernel supports NIC esp-hw-offload
2024-01-24T02:13:20.026807+00:00 8c2aac6a939a pluto[8293]: adding UDP interface eth0 172.20.0.2:500
2024-01-24T02:13:20.027059+00:00 8c2aac6a939a pluto[8293]: adding UDP interface eth0 172.20.0.2:4500
2024-01-24T02:13:20.027093+00:00 8c2aac6a939a pluto[8293]: adding UDP interface lo 127.0.0.1:500
2024-01-24T02:13:20.027121+00:00 8c2aac6a939a pluto[8293]: adding UDP interface lo 127.0.0.1:4500
2024-01-24T02:13:20.029636+00:00 8c2aac6a939a pluto[8293]: forgetting secrets
2024-01-24T02:13:20.029716+00:00 8c2aac6a939a pluto[8293]: loading secrets from "/etc/ipsec.secrets"
[root@host-192-168-200-181 ~]# nc -vz 192.168.200.181 500
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connection refused.

@hwdsl2
Owner

hwdsl2 commented Jan 24, 2024

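@wl2659297 When testing UDP ports with nc, you must add the -u option; otherwise it tests TCP ports by default. Your earlier nc commands did not include that option. Please note that testing UDP ports with nc is not effective. Your log above does not record any connection request from a client, which means the client's connection requests did not reach the Docker container. I am not familiar with compose, so please debug it further yourself.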
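
An added example, not part of the original thread or the project's code: it reproduces the two effects described in the reply above, a TCP connect to a port where only UDP is bound returning "Connection refused", and a UDP probe being unable to tell a silent listener from a dropped packet. The function names and the loopback sockets are constructed for the demonstration and stand in for the published ports.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"

def tcp_probe(host, port, timeout=1.0):
    """What `nc -vz host port` does without -u: a TCP connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"        # RST: no TCP listener, says nothing about UDP
    except OSError:
        return "filtered"       # timeout or unreachable
    finally:
        s.close()

def udp_probe(host, port, payload=b"\x00", timeout=0.5):
    """Send one datagram on a connected UDP socket and classify the result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected socket, so ICMP errors are reported
        s.send(payload)
        s.recv(2048)
        return "open"            # a reply proves something is listening
    except ConnectionRefusedError:
        return "closed"          # ICMP port unreachable came back
    except socket.timeout:
        return "open|filtered"   # silence: listener ignored it, or path dropped it
    finally:
        s.close()

def demo():
    """Run the probes against constructed loopback sockets (not a real VPN)."""
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # bound, never replies
    silent.bind((LOOPBACK, 0))
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)    # replies once
    echo.bind((LOOPBACK, 0))

    def reply_once():
        data, peer = echo.recvfrom(2048)
        echo.sendto(data, peer)

    threading.Thread(target=reply_once, daemon=True).start()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # find a free port
    tmp.bind((LOOPBACK, 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = {
        "tcp_to_udp_only_port": tcp_probe(LOOPBACK, silent.getsockname()[1]),
        "udp_replying": udp_probe(LOOPBACK, echo.getsockname()[1]),
        "udp_silent": udp_probe(LOOPBACK, silent.getsockname()[1]),
        "udp_closed": udp_probe(LOOPBACK, closed_port),
    }
    silent.close()
    echo.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The "open|filtered" result is why a UDP check needs either a reply from the service or an entry in the server log to confirm that the datagram arrived.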

@wl2659297
Author

It works now. Thank you. I was not familiar with the nc command, sorry.
