Update IKEv2 docs

2025-01-31 12:32:20 +03:00 · 2021-01-21 01:39:05 -06:00 · 2021-01-21 01:39:05 -06:00 · 0199df0369
commit 0199df0369
parent 5e1b3e1ae9
2 changed files with 42 additions and 0 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -59,6 +59,8 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
   详细的操作步骤：   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

+   **注：** Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
+
 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接：   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

@ -497,6 +499,25 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto

 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation（该功能<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">需要</a> Windows 10 v1803 或更新版本）。在有些网络上，这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式。
 1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">这里</a>。
+   <details>
+   <summary>
+   Ubuntu 18.04 上的 NSS 问题的解决方法
+   </summary>
+
+   首先安装更新版本的 `libnss3` 相关的软件包：
+
+   ```
+   wget http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
+   wget http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
+   wget http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
+   apt-get -y update
+   apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
+     "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
+     "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
+   ```
+
+   然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
+   </details>
 1. 如果你使用 strongSwan Android VPN 客户端，则必须将服务器上的 Libreswan <a href="../README-zh.md#升级libreswan" target="_blank">升级</a>到版本 3.26 或以上。

 ## 移除 IKEv2
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -59,6 +59,8 @@ The <a href="../extras/ikev2setup.sh" target="_blank">script</a> must be run usi
   Detailed instructions:   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

+   **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. See [Known issues](#known-issues).
+
 1. On the Windows computer, add a new IKEv2 VPN connection:   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

@ -497,6 +499,25 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th

 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">requires</a> Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
 1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">here</a>.
+   <details>
+   <summary>
+   Workaround for the NSS bug on Ubuntu 18.04
+   </summary>
+
+   First, install newer versions of `libnss3` related packages:
+
+   ```
+   wget http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
+   wget http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
+   wget http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
+   apt-get -y update
+   apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
+     "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
+     "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
+   ```
+
+   After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
+   </details>
 1. If using the strongSwan Android VPN client, you must <a href="../README.md#upgrade-libreswan" target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.

 ## Remove IKEv2