diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 1ebb1cb..f9eebe6 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -9,7 +9,7 @@
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
* [管理客户端证书](#管理客户端证书)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
-* [已知问题](#已知问题)
+* [故障排除](#故障排除)
* [移除 IKEv2](#移除-ikev2)
* [参考链接](#参考链接)
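Review bot: Renaming the heading changes its anchor from `#已知问题` to `#故障排除` (and from `#known-issues` to `#troubleshooting` in the English file), so any link outside these two files that still targets the old anchor will no longer jump to the section. Please search the rest of the repository's docs, for example `clients-zh.md`, for the old anchors and update them in this same change.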
@@ -82,7 +82,7 @@ To customize IKEv2 or client options, run this script without arguments.
另外,你也可以手动导入 `.p12` 文件。详细步骤请看 这里。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
- **注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
+ **注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [故障排除](#故障排除)。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10,推荐从命令提示符运行以下命令创建 VPN 连接,以达到更佳的安全性和性能。
@@ -107,7 +107,7 @@ To customize IKEv2 or client options, run this script without arguments.
要连接到 VPN:单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
-如果在连接过程中遇到错误,请参见 故障排除。
+如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### OS X (macOS)
@@ -153,7 +153,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
-如果在连接过程中遇到错误,请参见 故障排除。
+如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### iOS
@@ -204,7 +204,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
-如果在连接过程中遇到错误,请参见 故障排除。
+如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### Android
@@ -260,7 +260,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
-如果在连接过程中遇到错误,请参见 故障排除。
+如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
## 管理客户端证书
@@ -586,33 +586,61 @@ To customize IKEv2 or client options, run this script without arguments.
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
-## 已知问题
+## 故障排除
+
+### 在导入客户端配置文件时提示密码不正确
+
+如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
+
+Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。
+
+
+Ubuntu 18.04 上的 NSS 问题的解决方法
+
+
+**注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用这个解决方法。
+
+首先安装更新版本的 `libnss3` 相关的软件包:
+
+```
+wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
+wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
+wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
+apt-get -y update
+apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
+ "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
+ "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
+```
+
+然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
+
+
+### IKEv2 在一小时后断开连接
+
+如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
+
+```
+ ikelifetime=24h
+ salifetime=24h
+```
+
+保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。
+
+### 无法同时连接多个 IKEv2 客户端
+
+如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加一个客户端证书)。
+
+如果你无法同时连接同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
+
+### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能需要 Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TP 或 IPsec/XAuth 模式。
-1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。
-
-
- Ubuntu 18.04 上的 NSS 问题的解决方法
-
-
- **注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用这个解决方法。
-
- 首先安装更新版本的 `libnss3` 相关的软件包:
-
- ```
- wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
- wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
- wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
- apt-get -y update
- apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
- "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
- "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
- ```
-
- 然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
-
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。
+### 更多故障排除信息
+
+要查看更多故障排除信息,请看 这里。
+
## 移除 IKEv2
如果你想要从 VPN 服务器移除 IKEv2,但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,请重新运行 [辅助脚本](#使用辅助脚本) 并选择 "Remove IKEv2" 选项。请注意,这将删除所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**!
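Review bot: The new "IKEv2 在一小时后断开连接" section tells readers to set `ikelifetime=24h` and `salifetime=24h` without saying what that trades away: both the IKE SA and the IPsec SA can then stay in use for up to 24 hours before being renegotiated. Add one sentence stating this so operators can choose a shorter value if they prefer, and mention that `service ipsec restart` disconnects the clients that are currently connected. The same applies to the matching section in `docs/ikev2-howto.md`.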
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 23777ed..40367f7 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -9,7 +9,7 @@
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
* [Manage client certificates](#manage-client-certificates)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
-* [Known issues](#known-issues)
+* [Troubleshooting](#troubleshooting)
* [Remove IKEv2](#remove-ikev2)
* [References](#references)
@@ -82,7 +82,7 @@ To customize IKEv2 or client options, run this script without arguments.
Alternatively, you can manually import the `.p12` file. Click here for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
- **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Known issues](#known-issues).
+ **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Troubleshooting](#troubleshooting).
1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance.
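Review bot: In the `**Note:**` line, "Ubuntu 18.04 users may encounter the error ... when trying to import the `.p12` file" reads as if the import happens on Ubuntu, while the Troubleshooting text added later in this patch says the error appears when importing the generated file into Windows. Since this note sits in the Windows client steps, suggest wording it around where the file was generated rather than who the user is, so Windows users can tell the note applies to them.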
@@ -107,7 +107,7 @@ To customize IKEv2 or client options, run this script without arguments.
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see Troubleshooting.
+If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### OS X (macOS)
@@ -153,7 +153,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see Troubleshooting.
+If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### iOS
@@ -204,7 +204,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see Troubleshooting.
+If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### Android
@@ -260,7 +260,7 @@ If you manually set up IKEv2 without using the helper script, click here for ins
Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
-If you get an error when trying to connect, see Troubleshooting.
+If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
## Manage client certificates
@@ -586,33 +586,61 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
-## Known issues
+## Troubleshooting
+
+### Incorrect password when trying to import client config files
+
+If you forgot the password for client config files, you may [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
+
+Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here.
+
+
+Workaround for the NSS bug on Ubuntu 18.04
+
+
+**Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture. As of 2021-01-21, the IKEv2 helper script was updated to automatically apply this workaround.
+
+First, install newer versions of `libnss3` related packages:
+
+```
+wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
+wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
+wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
+apt-get -y update
+apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
+ "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
+ "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
+```
+
+After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
+
+
+### IKEv2 disconnects after one hour
+
+If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
+
+```
+ ikelifetime=24h
+ salifetime=24h
+```
+
+Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix.
+
+### Unable to connect multiple IKEv2 clients
+
+To connect multiple IKEv2 clients simultaneously, you must [generate a unique certificate](#add-a-client-certificate) for each.
+
+If you are unable to connect multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
+
+### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature requires Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode.
-1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here.
-
-
- Workaround for the NSS bug on Ubuntu 18.04
-
-
- **Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture. As of 2021-01-21, the IKEv2 helper script was updated to automatically apply this workaround.
-
- First, install newer versions of `libnss3` related packages:
-
- ```
- wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
- wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
- wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
- apt-get -y update
- apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
- "./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
- "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
- ```
-
- After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
-
1. If using the strongSwan Android VPN client, you must update Libreswan on your server to version 3.26 or above.
+### Additional troubleshooting
+
+Click here for additional troubleshooting information.
+
## Remove IKEv2
If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, run the [helper script](#using-helper-scripts) again and select the "Remove IKEv2" option. Note that this will delete all IKEv2 configuration including certificates and keys, and **cannot be undone**!
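Review bot: The NSS workaround block downloads three `.deb` files with `wget` and installs them from local paths, with no step that verifies what was downloaded; a package installed from a local file is not checked against the signed repository metadata the way a package pulled by name through `apt-get install` is. Consider listing the expected SHA256 of each file and adding a `sha256sum -c` step before `apt-get -y install`. It would also help to say how the pinned `3.49.1-1ubuntu1.5` version in the URLs will be kept current, since the commands stop working if the mirror drops that build. The same applies to the block in `docs/ikev2-howto-zh.md`.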