Update docs

- Add a troubleshooting section for "Cannot open websites after
  connecting to IKEv2". Ref: #1000.

docs/ikev2-howto-zh.md

@@ -129,6 +129,8 @@ To customize IKEv2 or client options, run this script without arguments.
 1. 右键单击保存的脚本，选择 **属性**。单击对话框下方的 **解除锁定**，然后单击 **确定**。
 1. 右键单击保存的脚本，选择 **以管理员身份运行** 并按提示操作。
 
+如果在连接过程中遇到错误，请参见 [故障排除](#故障排除)。
+
 或者，**Windows 7, 8, 10 和 11** 用户可以手动导入 IKEv2 配置：
 
 1. 将生成的 `.p12` 文件安全地传送到你的计算机，然后导入到证书存储。
@@ -785,12 +787,30 @@ sudo ikev2.sh --revokeclient [client name]
 
 **另见：** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)，[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
 
+* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站)
 * [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
 * [参数错误 policy match error](#参数错误-policy-match-error)
 * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
 * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
 * [其它已知问题](#其它已知问题)
 
+### 连接 IKEv2 后不能打开网站
+
+如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站，请尝试以下解决方案：
+
+1. 某些云服务提供商，比如 [Google Cloud](https://cloud.google.com)，[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题，尝试在 VPN 服务器上将 MTU 设置为 1500，然后重新连接 IKEv2 客户端：
+
+   ```bash
+   # 将 ens4 替换为你的服务器上的网络接口名称
+   sudo ifconfig ens4 mtu 1500
+   ```
+
+   此设置 **不会** 在重启后保持。要永久更改 MTU 大小，请参阅网络上的相关文章。
+
+1. 如果更改 MTU 无法解决问题，请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。
+
+1. 在某些情况下，Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题，可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器，例如 Google Public DNS (8.8.8.8, 8.8.4.4)。
+
 ### IKE 身份验证凭证不可接受
 
 如果遇到此错误，请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如，如果在配置 IKEv2 时未指定域名，则不可以使用域名进行连接。要更改 IKEv2 服务器地址，参见[这一小节](#更改-ikev2-服务器地址)。

docs/ikev2-howto.md

@@ -129,6 +129,8 @@ To customize IKEv2 or client options, run this script without arguments.
 1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**.
 1. Right-click on the saved script, select **Run as administrator** and follow the prompts.
 
+If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
+
 Alternatively, **Windows 7, 8, 10 and 11** users can manually import IKEv2 configuration:
 
 1. Securely transfer the generated `.p12` file to your computer, then import it into the certificate store.
@@ -787,19 +789,37 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
 
 **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
 
+* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2)
 * [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
 * [Policy match error](#policy-match-error)
 * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
 * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
 * [Other known issues](#other-known-issues)
 
+### Cannot open websites after connecting to IKEv2
+
+If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes:
+
+1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server, then re-connect the IKEv2 client:
+
+   ```bash
+   # Replace ens4 with the network interface name on your server
+   sudo ifconfig ens4 mtu 1500
+   ```
+
+   This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web.
+
+1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues).
+
+1. Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4.
+
 ### IKE authentication credentials are unacceptable
 
 If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
 
 ### Policy match error
 
-To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
+To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
 
 - For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))