From 32d09c693731de261544f501464d01abfb891513 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 12 Nov 2023 22:08:59 -0600 Subject: [PATCH] Update docs --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 52 +++++++++++++++++++++++++++++++++++++++- docs/ikev2-howto.md | 22 ++++++++++------- 8 files changed, 71 insertions(+), 15 deletions(-) diff --git a/README-zh.md b/README-zh.md index 5137316..34594d9 100644 --- a/README-zh.md +++ b/README-zh.md @@ -209,7 +209,7 @@ sudo VPN_SKIP_IKEV2=yes sh vpn.sh (可选)如需为 VPN 客户端指定另外的 DNS 服务器,你可以定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。有关详细信息,参见上面的选项 1。 -然后运行 IKEv2 [辅助脚本](docs/ikev2-howto-zh.md#使用辅助脚本配置-ikev2) 使用自定义选项以交互方式配置 IKEv2: +然后运行 IKEv2 辅助脚本以使用自定义选项以交互方式配置 IKEv2: ```bash sudo ikev2.sh diff --git a/README.md b/README.md index 66d140d..c875c3f 100644 --- a/README.md +++ b/README.md @@ -209,7 +209,7 @@ sudo VPN_SKIP_IKEV2=yes sh vpn.sh (Optional) If you want to specify custom DNS server(s) for VPN clients, define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2`. See option 1 above for details. -After that, run the IKEv2 [helper script](docs/ikev2-howto.md#set-up-ikev2-using-helper-script) to set up IKEv2 interactively using custom options: +After that, run the IKEv2 helper script to set up IKEv2 interactively using custom options: ```bash sudo ikev2.sh diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 44c42c4..f6f893a 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -89,7 +89,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **重要:** Android 用户应该使用更安全的 [IKEv2 模式](ikev2-howto-zh.md) 连接(推荐)。Android 12+ 仅支持 IKEv2 模式。Android 系统自带的 VPN 客户端对 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式使用安全性较低的 `modp1024` (DH group 2)。 -如果你仍然想用 IPsec/XAuth 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `sudo service ipsec restart`。 +如果你仍然想用 IPsec/XAuth 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `service ipsec restart`。 Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像) 中添加 `VPN_ENABLE_MODP1024=yes`,然后重新创建 Docker 容器。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 8f935fa..87ae869 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -89,7 +89,7 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#ike **Important:** Android users should instead connect using [IKEv2 mode](ikev2-howto.md) (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure `modp1024` (DH group 2) for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. -If you still want to connect using IPsec/XAuth mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `sudo service ipsec restart`. +If you still want to connect using IPsec/XAuth mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `service ipsec restart`. Docker users: Add `VPN_ENABLE_MODP1024=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. 
diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1ea3466..015bc6e 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -164,7 +164,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' **重要:** Android 用户应该使用更安全的 [IKEv2 模式](ikev2-howto-zh.md) 连接(推荐)。Android 12+ 仅支持 IKEv2 模式。Android 系统自带的 VPN 客户端对 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式使用安全性较低的 `modp1024` (DH group 2)。 -如果你仍然想用 IPsec/L2TP 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `sudo service ipsec restart`。 +如果你仍然想用 IPsec/L2TP 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `service ipsec restart`。 Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像) 中添加 `VPN_ENABLE_MODP1024=yes`,然后重新创建 Docker 容器。 diff --git a/docs/clients.md b/docs/clients.md index c79e5bd..5fa6d75 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -163,7 +163,7 @@ If you get an error when trying to connect, see [Troubleshooting](#ikev1-trouble **Important:** Android users should instead connect using [IKEv2 mode](ikev2-howto.md) (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure `modp1024` (DH group 2) for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. -If you still want to connect using IPsec/L2TP mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `sudo service ipsec restart`. +If you still want to connect using IPsec/L2TP mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `service ipsec restart`. Docker users: Add `VPN_ENABLE_MODP1024=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 74a3b15..d16fea8 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -142,6 +142,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 [[支持者] **屏幕录影:** 在 macOS 上导入 IKEv2 配置并连接](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC) +**注:** macOS 14 (Sonoma) 存在一个问题,可能会导致 IKEv2 VPN 每 24-48 分钟断开连接。其他 macOS 版本不受影响。首先[检查你的 macOS 版本](https://support.apple.com/zh-cn/HT201260)。有关详细信息和解决方法,请参阅 [macOS Sonoma 客户端断开连接](#macos-sonoma-客户端断开连接)。 + 首先,将生成的 `.mobileconfig` 文件安全地传送到你的 Mac,然后双击并按提示操作,以导入为 macOS 配置描述文件。如果你的 Mac 运行 macOS Big Sur 或更新版本,打开系统偏好设置并转到描述文件部分以完成导入。对于 macOS Ventura 和更新版本,打开系统设置并搜索描述文件。在完成之后,检查并确保 "IKEv2 VPN" 显示在系统偏好设置 -> 描述文件中。 要连接到 VPN: 
@@ -542,6 +544,7 @@ sudo chmod 600 ca.cer client.cer client.key **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#ikev1-故障排除) 和 [高级用法](advanced-usage-zh.md)。 * [无法连接到 VPN 服务器](#无法连接到-vpn-服务器) +* [macOS Sonoma 客户端断开连接](#macos-sonoma-客户端断开连接) * [无法连接多个 IKEv2 客户端](#无法连接多个-ikev2-客户端) * [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) * [参数错误 policy match error](#参数错误-policy-match-error) 
@@ -558,6 +561,53 @@ sudo chmod 600 ca.cer client.cer client.key [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)是否有错误。如果你遇到 retransmission 相关错误并且无法连接,说明 VPN 客户端和服务器之间的网络可能有问题。如果你从中国大陆进行连接,请考虑改用 IPsec VPN 以外的其他解决方案。 +### macOS Sonoma 客户端断开连接 + +macOS 14 (Sonoma) 存在[一个问题](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486),可能会导致 IKEv2 VPN 每 24-48 分钟断开连接。其他 macOS 版本不受影响。[检查你的 macOS 版本](https://support.apple.com/zh-cn/HT201260)。要解决此问题: + +1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。首先将 `pfs=no` 替换为 `pfs=yes`。然后找到这些行 `ike=...` 和 `phase2alg=...`,并将它们替换为以下内容,开头必须空两格: + ``` + ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 + ``` + **注:** Docker 用户需要首先[在容器中运行 Bash shell](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#在容器中运行-bash-shell)。 +1. 保存文件并运行 `service ipsec restart`。Docker 用户:在下面的第 4 步之后退出 (`exit`) 容器并运行 `docker restart ipsec-vpn-server`。 +1. 编辑 VPN 服务器上的 `/opt/src/ikev2.sh`。找到以下部分并将其替换为这些新值: + ``` + ChildSecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256 + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1410 + + ``` + ``` + EnablePFS + 1 + ``` + ``` + IKESecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256 + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1410 + + ``` +1. 运行 `sudo ikev2.sh` 为你的每个 macOS 和 iOS (iPhone/iPad) 设备导出(或添加)更新后的客户端配置文件。 +1. 
从你的 macOS 和 iOS 设备中移除之前导入的 IKEv2 配置文件(如果有),然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。 + +**注:** 更新后的 VPN 服务器配置可能不适用于 Windows 或 Android 客户端。对于这些客户端,你可能需要在 `ikev2.conf` 中将 `pfs=yes` 更改回 `pfs=no`,然后运行 `service ipsec restart` 或重启 Docker 容器。 + ### 无法连接多个 IKEv2 客户端 如果要同时连接在同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,你需要为每个客户端生成唯一的证书。否则,你可能会遇到稍后连接的客户端影响现有客户端的 VPN 连接,从而导致无法访问 Internet 的问题。 @@ -810,7 +860,7 @@ wget https://get.vpnsetup.net/ikev2addr -O ikev2addr.sh sudo bash ikev2addr.sh ``` -**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址以及 Remote ID(如果适用)。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 +**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址以及 Remote ID(如果适用)。对于 iOS 客户端,你需要运行 `sudo ikev2.sh` 以导出更新后的客户端配置文件并导入 iOS 设备。 ## 更新 IKEv2 辅助脚本 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index be033f4..7d48c42 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -142,6 +142,8 @@ Using the following steps, you can remove the VPN connection and optionally rest [[Supporters] **Screencast:** IKEv2 Import Configuration and Connect on macOS](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-O5O7FVF8J) +**Note:** macOS 14 (Sonoma) has an issue that may cause IKEv2 VPN to disconnect every 24-48 minutes. Other macOS versions are not affected. First [check your macOS version](https://support.apple.com/en-us/HT201260). For more details and a workaround, see [macOS Sonoma clients disconnect](#macos-sonoma-clients-disconnect). + First, securely transfer the generated `.mobileconfig` file to your Mac, then double-click and follow the prompts to import as a macOS profile. If your Mac runs macOS Big Sur or newer, open System Preferences and go to the Profiles section to finish importing. For macOS Ventura and newer, open System Settings and search for Profiles. When finished, check to make sure "IKEv2 VPN" is listed under System Preferences -> Profiles. To connect to the VPN: 
@@ -563,17 +565,16 @@ For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AW ### macOS Sonoma clients disconnect -macOS 14 (Sonoma) has [an issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486) which could cause the IKEv2 VPN to disconnect every 24-48 minutes. To work around this issue: - -1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. Find the lines `ike=...` and `phase2alg=...`, and replace them with the following, indented by two spaces: +macOS 14 (Sonoma) has [an issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486) that may cause IKEv2 VPN to disconnect every 24-48 minutes. Other macOS versions are not affected. [Check your macOS version](https://support.apple.com/en-us/HT201260). To work around this issue: +1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. First change `pfs=no` to `pfs=yes`. Then find the lines `ike=...` and `phase2alg=...`, and replace them with the following, indented by two spaces: ``` ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 ``` -1. Also in `/etc/ipsec.d/ikev2.conf`, change `pfs=no` to `pfs=yes`. -1. Save the file and run `sudo service ipsec restart`. -1. In the generated `.mobileconfig` client config file, find and replace the following sections with these new values: + **Note:** Docker users should first [open a Bash shell inside the container](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container). +1. Save the file and run `service ipsec restart`. Docker users: After step 4 below, `exit` the container and run `docker restart ipsec-vpn-server`. +1. Edit `/opt/src/ikev2.sh` on the VPN server. Find and replace the following sections with these new values: ``` ChildSecurityAssociationParameters 
@@ -590,6 +591,8 @@ macOS 14 (Sonoma) has [an issue](https://github.com/hwdsl2/setup-ipsec-vpn/issue ``` EnablePFS 1 + ``` + ``` IKESecurityAssociationParameters DiffieHellmanGroup @@ -602,7 +605,10 @@ macOS 14 (Sonoma) has [an issue](https://github.com/hwdsl2/setup-ipsec-vpn/issue 1410 ``` -1. Remove the previously imported IKEv2 profile from your Mac (if any), then import the updated `.mobileconfig` file. +1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS and iOS (iPhone/iPad) device you have. +1. Remove the previously imported IKEv2 profile (if any) from your macOS and iOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn). + +**Note:** The updated VPN server configuration may not work with Windows or Android clients. For those clients, you may need to change `pfs=yes` back to `pfs=no` in `ikev2.conf`, then run `service ipsec restart` or restart the Docker container. ### Unable to connect multiple IKEv2 clients @@ -856,7 +862,7 @@ wget https://get.vpnsetup.net/ikev2addr -O ikev2addr.sh sudo bash ikev2addr.sh ``` -**Important:** After running this script, you must manually update the server address (and remote ID, if applicable) on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). +**Important:** After running this script, you must manually update the server address (and remote ID, if applicable) on any existing IKEv2 client devices. For iOS clients, you'll need to run `sudo ikev2.sh` to export the updated client config file and import it to the iOS device. ## Update IKEv2 helper script
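Review bot: the README.md hunk (and the matching README-zh.md hunk) replaces the `[helper script](docs/ikev2-howto.md#set-up-ikev2-using-helper-script)` link with the plain words "helper script", so readers lose the jump to the section that explains the interactive setup. If the `#set-up-ikev2-using-helper-script` anchor still exists, keep the link; if the section was renamed, point the link at the new anchor instead of dropping it.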
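Review bot: dropping `sudo` from `sudo service ipsec restart` in the four docs/clients*.md hunks is inconsistent with the other commands in this same patch that keep it (`sudo chmod 600 ca.cer client.cer client.key` in the hunk context, `sudo ikev2.sh`, `sudo bash ikev2addr.sh`), and the bare command fails with a permission error from a non-root shell on the host. If the intent is that the command is run as root, or inside the Docker container where the shell is already root, say so explicitly, e.g. "run `service ipsec restart` (as root)" rather than leaving the reader to guess why the prefix differs from the surrounding steps.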
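Review bot: in the docs/ikev2-howto.md hunk at `@@ -563,17 +565,16 @@` (and its docs/ikev2-howto-zh.md counterpart), step 1 switches `pfs=no` to `pfs=yes` and rewrites the `ike=`/`phase2alg=` proposals in `/etc/ipsec.d/ikev2.conf`, a change that applies to every IKEv2 client of that server, yet the warning that the updated configuration "may not work with Windows or Android clients" only appears as a Note after the last step. Move that caveat before step 1 so an admin with mixed clients can decide before editing. The same hunk also has step 3 edit `/opt/src/ikev2.sh` in place; the "## Update IKEv2 helper script" section visible in the last hunk's context replaces that file, so add a sentence that step 3 must be repeated after updating the helper script, or the exported `.mobileconfig` files silently revert to the old `DiffieHellmanGroup`/`LifeTimeInMinutes` values.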
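Review bot: the Note added in the `@@ -602,7 +605,10 @@` hunk tells users of Windows or Android clients to change `pfs=yes` back to `pfs=no`, but it does not say whether the replaced `ike=`/`phase2alg=` lines and the `/opt/src/ikev2.sh` edit from the earlier steps must also be reverted, nor whether macOS and iOS profiles already exported with `EnablePFS` set to `1` keep working once PFS is switched off on the server. State which of the changes the rollback covers and what happens to the already-imported Apple profiles, otherwise an admin following the Note can end up with a server that matches neither set of clients. Also, "After step 4 below" in step 2 refers to a step by number while the list uses auto-numbered `1.` items; naming the step ("after exporting the updated client config files") would not go stale if a step is inserted.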
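Review bot: the `@@ -856,7 +862,7 @@` hunk (and the matching change in docs/ikev2-howto-zh.md) now says only iOS clients need to run `sudo ikev2.sh` to export and re-import an updated client config after changing the server address, but the new Sonoma section in this same patch treats macOS and iOS identically, both importing a `.mobileconfig` file. Clarify whether macOS clients that imported a `.mobileconfig` profile also need the re-export, or can update the server address (and Remote ID) by hand as the first sentence suggests; as written, a macOS user is left unsure which of the two instructions applies.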