From 94ca6536c8651b77e9af5ea417f15156f37b3e5e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 May 2018 15:26:14 -0500 Subject: [PATCH] Update docs - Fix/Update links - Add reg files for Windows Error 809 fix - Move Linux client instructions --- README-zh.md | 8 +- README.md | 8 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 12 +- docs/clients-zh.md | 220 ++++++++++++++++++------------------ docs/clients.md | 234 ++++++++++++++++++++------------------- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 4 +- 8 files changed, 254 insertions(+), 238 deletions(-) diff --git a/README-zh.md b/README-zh.md index f7de0a7..8a2a2c3 100644 --- a/README-zh.md +++ b/README-zh.md @@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVHRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -145,7 +145,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 -- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 +- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 
@@ -184,7 +184,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/README.md b/README.md index ae1cd27..c2ed73b 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ Please see OpenVPN or Shadowsocks. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode @@ -145,7 +145,7 @@ For **Windows users**, this issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. +- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -184,7 +184,7 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d2aa93d..821549e 100644 --- a/docs/clients-xauth-zh.md 
+++ b/docs/clients-xauth-zh.md @@ -99,14 +99,14 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a6358d9..5d61398 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -35,7 +35,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha 1. Enter `Your VPN Password` in the **Password** field. 1. Click **Connect**. -Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -57,7 +57,7 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -77,7 +77,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -95,18 +95,18 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index ae4a105..1e4d390 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -160,6 +160,118 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。** + +- 适用于 Windows Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- 仅适用于 Windows XP ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。 + +- 适用于 Windows XP, Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows 错误 628 + +> 在连接完成前,连接被远程计算机终止。 + +要解决此错误,请按以下步骤操作: + +1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 +1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **高级设置** 按钮。 +1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 +1. 单击 **确定** 关闭 **高级设置**。 +1. 单击 **确定** 保存 VPN 连接的详细信息。 + +![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) + +### Android 6 及以上版本 + +如果你无法使用 Android 6 或以上版本连接: + +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook 连接问题 + +Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 + +### 其它错误 + +如果你遇到其它错误,请参见以下链接: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### 额外的步骤 + +请尝试下面这些额外的故障排除步骤: + +首先,重启 VPN 服务器上的相关服务: + +```bash +service ipsec restart +service xl2tpd restart +``` + +如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 + +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 + +检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +查看 IPsec VPN 服务器状态: + +```bash +ipsec status +ipsec verify +``` + +显示当前已建立的 VPN 连接: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN 客户端 + 以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: 
@@ -356,120 +468,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## 故障排除 - -*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows 错误 809 - -> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 - -要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 - -- 适用于 Windows Vista, 7, 8 和 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。 - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows 错误 628 - -> 在连接完成前,连接被远程计算机终止。 - -要解决此错误,请按以下步骤操作: - -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 -1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 -1. 单击 **高级设置** 按钮。 -1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 -1. 单击 **确定** 关闭 **高级设置**。 -1. 单击 **确定** 保存 VPN 连接的详细信息。 - -![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) - -### Android 6 及以上版本 - -如果你无法使用 Android 6 或以上版本连接: - -1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook 连接问题 - -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 - -### 其它错误 - -如果你遇到其它错误,请参见以下链接: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### 额外的步骤 - -请尝试下面这些额外的故障排除步骤: - -首先,重启 VPN 服务器上的相关服务: - -```bash -service ipsec restart -service xl2tpd restart -``` - -如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 - -然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 - -检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -查看 IPsec VPN 服务器状态: - -```bash -ipsec status -ipsec verify -``` - -显示当前已建立的 VPN 连接: - -```bash -ipsec whack --trafficstatus -``` - ## 致谢 -本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index a0fd24b..4c8b972 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -73,7 +73,7 @@ After settin **Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -96,7 +96,7 @@ If you get an error when trying to connect, see Troub 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. -To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -115,7 +115,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -133,7 +133,7 @@ If you get an error when trying to connect, see Troub 1. Tap **Done**. 1. Slide the **VPN** switch ON. -Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Chromebook 
@@ -150,16 +150,128 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y 1. Enter `Your VPN Password` for the **Password**. 1. Click **Connect**. -Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. ## Windows Phone -Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Linux +See [Linux VPN Clients](#linux-vpn-clients). + +## Troubleshooting + +*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* + +### Windows Error 809 + +> The network connection between your computer and the VPN server could not be established because the remote server is not responding. + +To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. 
**You must reboot your PC when finished.** + +- For Windows Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- For Windows XP ONLY ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. + +- For Windows XP, Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows Error 628 + +> The connection was terminated by the remote computer before it could be completed. + +To fix this error, please follow these steps: + +1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. +1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. +1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. +1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click the **Advanced settings** button. +1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. +1. Click **OK** to close the **Advanced settings**. +1. Click **OK** to save the VPN connection details. 
+ +![Select CHAP in VPN connection properties](images/vpn-properties.png) + +### Android 6 and above + +If you are unable to connect using Android 6 or above: + +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook issues + +Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. + +### Other errors + +If you encounter other errors, refer to the links below: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### Additional steps + +Please try these additional troubleshooting steps: + +First, restart services on the VPN server: + +```bash +service ipsec restart +service xl2tpd restart +``` + +If using Docker, run `docker restart ipsec-vpn-server`. + +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
+ +Check the Libreswan (IPsec) and xl2tpd logs for errors: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +Check status of the IPsec VPN server: + +```bash +ipsec status +ipsec verify +``` + +Show current established VPN connections: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN Clients + Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: @@ -317,7 +429,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` -If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X 
@@ -355,120 +467,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## Troubleshooting - -*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows Error 809 - -> The network connection between your computer and the VPN server could not be established because the remote server is not responding. - -To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC. - -- For Windows Vista, 7, 8.x and 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows Error 628 - -> The connection was terminated by the remote computer before it could be completed. - -To fix this error, please follow these steps: - -1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. -1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. -1. Click the **Advanced settings** button. -1. 
Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. -1. Click **OK** to close the **Advanced settings**. -1. Click **OK** to save the VPN connection details. - -![Select CHAP in VPN connection properties](images/vpn-properties.png) - -### Android 6 and above - -If you are unable to connect using Android 6 or above: - -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook issues - -Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. - -### Other errors - -If you encounter other errors, refer to the links below: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### Additional steps - -Please try these additional troubleshooting steps: - -First, restart services on the VPN server: - -```bash -service ipsec restart -service xl2tpd restart -``` - -If using Docker, run `docker restart ipsec-vpn-server`. - -Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
- -Check the Libreswan (IPsec) and xl2tpd logs for errors: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -Check status of the IPsec VPN server: - -```bash -ipsec status -ipsec verify -``` - -Show current established VPN connections: - -```bash -ipsec whack --trafficstatus -``` - ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 513f50e..1f2b1b7 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -181,7 +181,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 294b7a4..710e9f9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -181,7 +181,7 @@ Before continuing, make sure you have successfully this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. 1. Restart IPsec service: 
@@ -206,7 +206,7 @@ Before continuing, make sure you have successfully this registry key and reboot. -1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues
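Review bot: In the docs/clients.md hunk `@@ -150,16 +150,128 @@` (Windows Error 809), the three new `([download .reg file](https://static.ls20.com/reg-files/v1/...))` links point users at registry files that are not part of this patch: the stat lists eight `.md` files and nothing else, so despite the commit message's "Add reg files" a reviewer cannot see what keys the files write, and a user is asked to import registry data from an out-of-repo host whose contents can change without a corresponding commit. Suggest committing the `.reg` files into the repository (for example under `docs/`) and linking to those, and adding a sentence telling readers to open the file in a text editor and confirm it sets only the key shown in the `REG ADD` line directly below it (`AssumeUDPEncapsulationContextOnSendRule` = `0x2` under `PolicyAgent` or, for XP, `IPSec`; `ProhibitIpSec` = `0x0` under `RasMan\Parameters`) before importing. A smaller wording point in the same hunk: "a one-time registry change is required because the VPN server and/or client is behind NAT" states the NAT case as a fact; "if the VPN server and/or client is behind NAT" matches the Note earlier in the file. The same two points apply to the matching hunk `@@ -160,6 +160,118 @@` in docs/clients-zh.md.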
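Review bot: The deletion hunks `@@ -355,120 +467,16 @@` in docs/clients.md and `@@ -356,120 +468,16 @@` in docs/clients-zh.md move the whole Troubleshooting section above the Linux client instructions in the same commit that edits its content, so roughly 120 lines per file show as removed here and re-added earlier, and the actual text changes (the `.reg` links, "8.x", the new "For Windows XP, Vista, 7, 8.x and 10" bullet around `ProhibitIpSec`) are buried inside an otherwise verbatim move. Suggest splitting this into one commit that relocates the section unchanged and a second that edits the Error 809 paragraph, so the diff of the second shows only the lines that really changed. Related: the old `## Linux` heading is kept with nothing under it but `See [Linux VPN Clients](#linux-vpn-clients).`; if the heading is only there to keep an existing anchor, a short comment saying so would stop the next editor from removing the stub and breaking inbound links to `#linux`.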