
Update docs

This commit is contained in:
hwdsl2 2021-02-02 10:45:05 -06:00
parent e615e6e192
commit 1327f9123e
2 changed files with 114 additions and 58 deletions

View File

@ -9,7 +9,7 @@
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
* [管理客户端证书](#管理客户端证书)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
* [已知问题](#已知问题)
* [故障排除](#故障排除)
* [移除 IKEv2](#移除-ikev2)
* [参考链接](#参考链接)
@ -82,7 +82,7 @@ To customize IKEv2 or client options, run this script without arguments.
另外,你也可以手动导入 `.p12` 文件。详细步骤请看 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs" target="_blank">这里</a>。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
**注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
**注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [故障排除](#故障排除)。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10推荐从命令提示符运行以下命令创建 VPN 连接,以达到更佳的安全性和性能。
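Review bot: the updated note `参见 [故障排除](#故障排除)` sends the reader to the top of the troubleshooting section, while the error it describes has its own subsection `### 在导入客户端配置文件时提示密码不正确` in the @ -586 hunk of this file; link to that subsection's anchor (`#在导入客户端配置文件时提示密码不正确`) so the reader lands on the workaround directly instead of scrolling past the other subsections.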
@ -107,7 +107,7 @@ To customize IKEv2 or client options, run this script without arguments.
要连接到 VPN单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)
### OS X (macOS)
@ -153,7 +153,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)
### iOS
@ -204,7 +204,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)
### Android
@ -260,7 +260,7 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)
## 管理客户端证书
@ -586,33 +586,61 @@ To customize IKEv2 or client options, run this script without arguments.
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
## 已知问题
## 故障排除
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">需要</a> Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式。
1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">这里</a>
<details>
<summary>
Ubuntu 18.04 上的 NSS 问题的解决方法
</summary>
### 在导入客户端配置文件时提示密码不正确
**注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用这个解决方法
如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
首先安装更新版本的 `libnss3` 相关的软件包:
Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">这里</a>
<details>
<summary>
Ubuntu 18.04 上的 NSS 问题的解决方法
</summary>
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
**注:** 该解决方法仅适用于运行在 `x86_64` 架构下的 Ubuntu 18.04 系统。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用这个解决方法。
首先安装更新版本的 `libnss3` 相关的软件包:
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
"./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
"./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
```
```
然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
</details>
然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。
</details>
### IKEv2 在一小时后断开连接
如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
```
ikelifetime=24h
salifetime=24h
```
保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。
### 无法同时连接多个 IKEv2 客户端
如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加一个客户端证书)。
如果你无法同时连接同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">需要</a> Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan <a href="../README-zh.md#升级libreswan" target="_blank">升级</a>到版本 3.26 或以上。
### 更多故障排除信息
要查看更多故障排除信息,请看 <a href="clients-zh.md#故障排除" target="_blank">这里</a>
## 移除 IKEv2
如果你想要从 VPN 服务器移除 IKEv2但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,请重新运行 [辅助脚本](#使用辅助脚本) 并选择 "Remove IKEv2" 选项。请注意,这将删除所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**
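Review bot: the `### 无法同时连接多个 IKEv2 客户端` subsection tells readers to change `leftid=@<your_server_ip>` to `leftid=<your_server_ip>` and warns not to do so when `leftid` is a domain name, but it never says what the `@` does, which makes that condition hard to judge; add one sentence that the `@` prefix makes Libreswan send the value as a literal FQDN-type identity (not resolved), whereas without it an IP address is sent as an IP-type identity, which is why the change only applies when the value is the server IP. The same sentence belongs in the English file's `### Unable to connect multiple IKEv2 clients` subsection.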

View File

@ -9,7 +9,7 @@
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
* [Manage client certificates](#manage-client-certificates)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
* [Known issues](#known-issues)
* [Troubleshooting](#troubleshooting)
* [Remove IKEv2](#remove-ikev2)
* [References](#references)
@ -82,7 +82,7 @@ To customize IKEv2 or client options, run this script without arguments.
Alternatively, you can manually import the `.p12` file. Click <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs" target="_blank">here</a> for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
**Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Known issues](#known-issues).
**Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Troubleshooting](#troubleshooting).
1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance.
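Review bot: the updated note `See [Troubleshooting](#troubleshooting)` points at the top of the troubleshooting section, while the error it describes has its own subsection `### Incorrect password when trying to import client config files` in the @ -586 hunk of this file; link to that subsection's anchor (`#incorrect-password-when-trying-to-import-client-config-files`) so the reader lands on the workaround directly.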
@ -107,7 +107,7 @@ To customize IKEv2 or client options, run this script without arguments.
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### OS X (macOS)
@ -153,7 +153,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### iOS
@ -204,7 +204,7 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### Android
@ -260,7 +260,7 @@ If you manually set up IKEv2 without using the helper script, click here for ins
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
## Manage client certificates
@ -586,33 +586,61 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
## Known issues
## Troubleshooting
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">requires</a> Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">here</a>.
<details>
<summary>
Workaround for the NSS bug on Ubuntu 18.04
</summary>
### Incorrect password when trying to import client config files
**Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture. As of 2021-01-21, the IKEv2 helper script was updated to automatically apply this workaround.
If you forgot the password for client config files, you may [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
First, install newer versions of `libnss3` related packages:
Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more <a href="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258" target="_blank">here</a>.
<details>
<summary>
Workaround for the NSS bug on Ubuntu 18.04
</summary>
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
**Note:** This workaround should only be used on Ubuntu 18.04 systems running on the `x86_64` architecture. As of 2021-01-21, the IKEv2 helper script was updated to automatically apply this workaround.
First, install newer versions of `libnss3` related packages:
```
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/main/n/nss/libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb
wget https://mirrors.kernel.org/ubuntu/pool/universe/n/nss/libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb
apt-get -y update
apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
"./libnss3-dev_3.49.1-1ubuntu1.5_amd64.deb" \
"./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb"
```
```
After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
</details>
After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
</details>
### IKEv2 disconnects after one hour
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
```
ikelifetime=24h
salifetime=24h
```
Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix.
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients simultaneously, you must [generate a unique certificate](#add-a-client-certificate) for each.
If you are unable to connect multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc" target="_blank">requires</a> Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
1. If using the strongSwan Android VPN client, you must <a href="../README.md#upgrade-libreswan" target="_blank">update Libreswan</a> on your server to version 3.26 or above.
### Additional troubleshooting
Click <a href="clients.md#troubleshooting" target="_blank">here</a> for additional troubleshooting information.
## Remove IKEv2
If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, run the [helper script](#using-helper-scripts) again and select the "Remove IKEv2" option. Note that this will delete all IKEv2 configuration including certificates and keys, and **cannot be undone**!
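Review bot: the NSS workaround under `### Incorrect password when trying to import client config files` has readers `wget` three `.deb` files and install them with `apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" ...`; local `.deb` files installed this way are not covered by apt's repository signature check, so the page should list the expected SHA256 sums for the three files (or an `sha256sum -c` step) ahead of the `apt-get` line so readers can verify what they downloaded before installing it. Since the note says the helper script has applied this automatically as of 2021-01-21, also say that the manual steps are only needed on servers set up before that date. The same applies to the zh file's copy of this block.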