From 6e16b9853eea80a73b5d2cd9b8b5d6d917a8c2fc Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 9 Dec 2023 23:57:33 -0600 Subject: [PATCH] Update docs --- docs/ikev2-howto-zh.md | 63 ++++++++++++++++++++---------------------- docs/ikev2-howto.md | 63 ++++++++++++++++++++---------------------- 2 files changed, 60 insertions(+), 66 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 6eb19e4..fd752e8 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -570,48 +570,45 @@ sudo chmod 600 ca.cer client.cer client.key macOS 14 (Sonoma) 存在[一个小问题](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486),可能会导致 IKEv2 VPN 每 24-48 分钟断开并重新连接一次。其他 macOS 版本不受影响。首先[检查你的 macOS 版本](https://support.apple.com/zh-cn/HT201260)。要解决此问题,请按以下步骤操作。 -**注:** 应用此解决方案后,更新后的 VPN 服务器配置可能不适用于 Windows 或 Android 客户端。对于这些客户端,你可能需要在 `ikev2.conf` 中将 `pfs=yes` 更改回 `pfs=no`,然后运行 `service ipsec restart` 或重启 Docker 容器。 +**注:** 如果你在 2023 年 12 月 10 日之后安装了 IPsec VPN,则无需执行任何操作,因为已经包含以下修复。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。首先将 `pfs=no` 替换为 `pfs=yes`。然后找到这些行 `ike=...` 和 `phase2alg=...`,并将它们替换为以下内容,开头必须空两格: +1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。找到这一行: ``` - ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + ``` + 并将它替换为以下内容: + ``` + ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 ``` **注:** Docker 用户需要首先[在容器中运行 Bash shell](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#在容器中运行-bash-shell)。 1. 保存文件并运行 `service ipsec restart`。Docker 用户:在下面的第 4 步之后退出 (`exit`) 容器并运行 `docker restart ipsec-vpn-server`。 1. 编辑 VPN 服务器上的 `/opt/src/ikev2.sh`。找到以下部分并将其替换为这些新值: ``` - ChildSecurityAssociationParameters - - DiffieHellmanGroup - 19 - EncryptionAlgorithm - AES-256 - IntegrityAlgorithm - SHA2-256 - LifeTimeInMinutes - 1410 - + ChildSecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256-GCM + LifeTimeInMinutes + 1410 + ``` ``` - EnablePFS - 1 + IKESecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256-GCM + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1410 + ``` - ``` - IKESecurityAssociationParameters - - DiffieHellmanGroup - 19 - EncryptionAlgorithm - AES-256 - IntegrityAlgorithm - SHA2-256 - LifeTimeInMinutes - 1410 - - ``` -1. 
运行 `sudo ikev2.sh` 为你的每个 macOS 和 iOS (iPhone/iPad) 设备导出(或添加)更新后的客户端配置文件。 -1. 从你的 macOS 和 iOS 设备中移除之前导入的 IKEv2 配置文件(如果有),然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。 +1. 运行 `sudo ikev2.sh` 为你的每个 macOS 设备导出(或添加)更新后的客户端配置文件。 +1. 从你的 macOS 设备中移除之前导入的 IKEv2 配置文件(如果有),然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。 ### 无法连接多个 IKEv2 客户端 @@ -1017,7 +1014,7 @@ To customize IKEv2 or client options, run this script without arguments. ikev2=insist rekey=no pfs=no - ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 ikelifetime=24h salifetime=24h diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 0c06c3d..1b2f04a 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -572,48 +572,45 @@ For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AW macOS 14 (Sonoma) has [a minor issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486) that may cause IKEv2 VPN to disconnect and reconnect once every 24-48 minutes. Other macOS versions are not affected. First [check your macOS version](https://support.apple.com/en-us/HT201260). To work around this issue, follow the steps below. -**Note:** After applying this workaround, the updated VPN server configuration may not work with Windows or Android clients. For those clients, you may need to change `pfs=yes` back to `pfs=no` in `ikev2.conf`, then run `service ipsec restart` or restart the Docker container. +**Note:** If you installed IPsec VPN after December 10, 2023, no action is required because the following fixes are already included. -1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. First change `pfs=no` to `pfs=yes`. Then find the lines `ike=...` and `phase2alg=...`, and replace them with the following, indented by two spaces: +1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. Find the line: ``` - ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + ``` + and replace it with the following: + ``` + ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 ``` **Note:** Docker users should first [open a Bash shell inside the container](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container). 1. Save the file and run `service ipsec restart`. Docker users: After step 4 below, `exit` the container and run `docker restart ipsec-vpn-server`. 1. Edit `/opt/src/ikev2.sh` on the VPN server. 
Find and replace the following sections with these new values: ``` - ChildSecurityAssociationParameters - - DiffieHellmanGroup - 19 - EncryptionAlgorithm - AES-256 - IntegrityAlgorithm - SHA2-256 - LifeTimeInMinutes - 1410 - + ChildSecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256-GCM + LifeTimeInMinutes + 1410 + ``` ``` - EnablePFS - 1 + IKESecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-256-GCM + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1410 + ``` - ``` - IKESecurityAssociationParameters - - DiffieHellmanGroup - 19 - EncryptionAlgorithm - AES-256 - IntegrityAlgorithm - SHA2-256 - LifeTimeInMinutes - 1410 - - ``` -1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS and iOS (iPhone/iPad) device you have. -1. Remove the previously imported IKEv2 profile (if any) from your macOS and iOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn). +1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS device you have. +1. Remove the previously imported IKEv2 profile (if any) from your macOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn). ### Unable to connect multiple IKEv2 clients 
@@ -1019,7 +1016,7 @@ View example steps for manually configuring IKEv2 with Libreswan. ikev2=insist rekey=no pfs=no - ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 ikelifetime=24h salifetime=24h
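Review bot: In the `@@ -572,48 +572,45 @@` hunk of docs/ikev2-howto.md (and its mirror `@@ -570,48 +570,45 @@` in docs/ikev2-howto-zh.md), readers who already applied the earlier version of this workaround are left stranded: their `ikev2.conf` now has `pfs=yes` and `ike=aes256-sha2_256;dh19,...`, and their `/opt/src/ikev2.sh` still carries the `EnablePFS` / `1` key, but the only text that told them how to undo that (the removed Note, "change `pfs=yes` back to `pfs=no`") is deleted, and the new step 1 ("Find the line: `ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1`") will not match on such a server. Suggest a sentence before step 1 along the lines of "If you applied the previous version of this workaround, first change `pfs=yes` back to `pfs=no`, restore the original `ike=` and `phase2alg=` lines, and remove the `EnablePFS` key from `/opt/src/ikev2.sh`." Separately, the new `ChildSecurityAssociationParameters` block keeps `DiffieHellmanGroup` / `19` while `EnablePFS` is dropped from the profile and the server stays at `pfs=no`; a short comment on whether that key is intentionally inert in the Child SA, or should be removed for consistency, would help the next person editing the template.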
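Review bot: In the `@@ -1019,7 +1016,7 @@` hunk of docs/ikev2-howto.md (and its mirror `@@ -1017,7 +1014,7 @@` in docs/ikev2-howto-zh.md), putting `aes_gcm_c_256-hmac_sha2_256-ecp_256` first in `ike=` changes the preferred IKE SA proposal for every client, not only macOS, yet the patch also deletes the old Note about Windows and Android clients and says nothing about whether the new list was checked against them. The previous proposals (`aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1`) remain in the list, so clients that do not accept the GCM/ecp_256 proposal should fall back to them, but the manual-configuration section should state that explicitly (one sentence under the `ike=` line). Also worth confirming in the same place: `phase2alg=aes_gcm-null,...` is left unchanged while the client profile in the other hunk now asks for `AES-256-GCM` in the Child SA; a brief note that `aes_gcm` without an explicit key size is the setting that satisfies that request (or, if it is not, an explicit `aes_gcm_c_256`) would save readers from having to work it out from the Libreswan logs.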