From a03f2d556b0cc82820caf0824ed224c6b14475b2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 27 Feb 2022 11:00:03 -0600 Subject: [PATCH] Update docs - Simplify VPN setup: Switch to use the quick start script, which automatically sets up IKEv2 as part of the IPsec VPN setup. The quick start script was updated and users can specify variables similar to vpnsetup.sh. Ref: d37a2fb - Other minor updates --- README-zh.md | 55 ++---------- README.md | 55 ++---------- docs/ikev2-howto-zh.md | 197 ++++++++++++++++++++++------------------- docs/ikev2-howto.md | 197 ++++++++++++++++++++++------------------- 4 files changed, 224 insertions(+), 280 deletions(-) diff --git a/README-zh.md b/README-zh.md index d90bd93..fe3dc5c 100644 --- a/README-zh.md +++ b/README-zh.md @@ -102,32 +102,16 @@ curl -fsSL https://git.io/vpnstart -o vpn.sh && sudo sh vpn.sh 要安装 VPN,请从以下选项中选择一个: -
- -选项 1: 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。 - +**选项 1:** 使用脚本随机生成的 VPN 登录凭证(完成后会在屏幕上显示)。 ```bash -wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): +**选项 2:** 编辑脚本并提供你自己的 VPN 登录凭证。 ```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
- -
- -选项 2: 编辑脚本并提供你自己的 VPN 登录凭证。 - - -```bash -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh nano -w vpn.sh [替换为你自己的值: YOUR_IPSEC_PSK, YOUR_USERNAME 和 YOUR_PASSWORD] sudo sh vpn.sh @@ -135,41 +119,18 @@ sudo sh vpn.sh **注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): - -```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
- -
- -选项 3: 将你自己的 VPN 登录凭证定义为环境变量。 - +**选项 3:** 将你自己的 VPN 登录凭证定义为环境变量。 ```bash # 所有变量值必须用 '单引号' 括起来 # *不要* 在值中使用这些字符: \ " ' -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh sudo VPN_IPSEC_PSK='你的IPsec预共享密钥' \ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' \ sh vpn.sh ``` -在安装成功之后,推荐 [配置 IKEv2](docs/ikev2-howto-zh.md): - -```bash -# 使用默认选项配置 IKEv2 -sudo ikev2.sh --auto -# 或者你也可以自定义 IKEv2 选项 -sudo ikev2.sh -``` -
-
如果无法通过 wget 下载,点这里查看解决方案。 @@ -178,11 +139,11 @@ sudo ikev2.sh 你也可以使用 `curl` 下载。例如: ```bash -curl -fsSL https://git.io/vpnsetup -o vpn.sh +curl -fsSL https://git.io/vpnstart -o vpn.sh sudo sh vpn.sh ``` -或者,打开 [vpnsetup.sh](vpnsetup.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。 +或者,打开 [quickstart.sh](extras/quickstart.sh) 并点击右方的 `Raw` 按钮。按快捷键 `Ctrl/Cmd+A` 全选,`Ctrl/Cmd+C` 复制,然后粘贴到你喜欢的编辑器。
## 下一步 diff --git a/README.md b/README.md index cbe470a..df314ac 100644 --- a/README.md +++ b/README.md @@ -102,32 +102,16 @@ First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade To install the VPN, please choose one of the following options: -
- -Option 1: Have the script generate random VPN credentials for you (will be displayed when finished). - +**Option 1:** Have the script generate random VPN credentials for you (will be displayed when finished). ```bash -wget https://git.io/vpnsetup -qO vpn.sh && sudo sh vpn.sh +wget https://git.io/vpnstart -qO vpn.sh && sudo sh vpn.sh ``` -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): +**Option 2:** Edit the script and provide your own VPN credentials. ```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
- -
- -Option 2: Edit the script and provide your own VPN credentials. - - -```bash -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh nano -w vpn.sh [Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD] sudo sh vpn.sh @@ -135,41 +119,18 @@ sudo sh vpn.sh **Note:** A secure IPsec PSK should consist of at least 20 random characters. -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): - -```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
- -
- -Option 3: Define your VPN credentials as environment variables. - +**Option 3:** Define your VPN credentials as environment variables. ```bash # All values MUST be placed inside 'single quotes' # DO NOT use these special characters within values: \ " ' -wget https://git.io/vpnsetup -nv -O vpn.sh +wget https://git.io/vpnstart -nv -O vpn.sh sudo VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' \ sh vpn.sh ``` -After successful installation, it is recommended to [set up IKEv2](docs/ikev2-howto.md): - -```bash -# Set up IKEv2 using default options -sudo ikev2.sh --auto -# Alternatively, you may customize IKEv2 options -sudo ikev2.sh -``` -
-
Click here if you are unable to download using wget. @@ -178,11 +139,11 @@ Click here if you are unable to download using wget. You may also use `curl` to download. For example: ```bash -curl -fsSL https://git.io/vpnsetup -o vpn.sh +curl -fsSL https://git.io/vpnstart -o vpn.sh sudo sh vpn.sh ``` -Alternatively, open [vpnsetup.sh](vpnsetup.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor. +Alternatively, open [quickstart.sh](extras/quickstart.sh) and click the `Raw` button on the right. Press `Ctrl/Cmd+A` to select all, `Ctrl/Cmd+C` to copy, then paste into your favorite editor.
## Next steps diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2ef74ac..6ba7f89 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -8,10 +8,10 @@ * [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) * [管理客户端证书](#管理客户端证书) -* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [故障排除](#故障排除) -* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) +* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) +* [手动配置 IKEv2](#手动配置-ikev2) * [移除 IKEv2](#移除-ikev2) * [参考链接](#参考链接) @@ -42,6 +42,8 @@ sudo ikev2.sh --auto sudo ikev2.sh ``` +**注:** 如果 IKEv2 已经配置完成,但是你想要自定义 IKEv2 选项,首先 [移除 IKEv2](#移除-ikev2),然后运行 `sudo ikev2.sh` 重新配置。 + 在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
@@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
+了解如何更改 IKEv2 服务器地址。 + + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要了解更多信息,参见 [这一小节](#更改-ikev2-服务器地址)。 +
+
+ 查看 IKEv2 脚本的使用信息。 @@ -421,7 +430,7 @@ sudo ikev2.sh --listclients sudo ikev2.sh --addclient [client name] ``` -另外,你也可以手动添加客户端证书。参见 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 +另外,你也可以手动添加客户端证书。参见 [这一小节](#手动配置-ikev2) 的第 4 步。 ### 导出已有的客户端的配置 @@ -569,9 +578,99 @@ sudo ikev2.sh --revokeclient [client name] ```
-## 手动在 VPN 服务器上配置 IKEv2 +## 故障排除 -除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。 +*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。* + +**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 + +* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) +* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) +* [参数错误 policy match error](#参数错误-policy-match-error) +* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) +* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) +* [其它已知问题](#其它已知问题) + +### 连接 IKEv2 后不能打开网站 + +如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: + +1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: + + ```bash + # 将 ens4 替换为你的服务器上的网络接口名称 + sudo ifconfig ens4 mtu 1500 + ``` + + 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 + +1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。 + +1. 
在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 + +### IKE 身份验证凭证不可接受 + +如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 + +### 参数错误 policy match error + +要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 + +- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 在一小时后断开连接 + +如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: + +``` + ikelifetime=24h + salifetime=24h +``` + +保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 + +### 无法同时连接多个 IKEv2 客户端 + +如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 + +如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 + +### 其它已知问题 + +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 +1. 
如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 + +## 更改 IKEv2 服务器地址 + +在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。请注意,你在 VPN 客户端指定的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**,否则客户端可能无法连接。 + +要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 + +```bash +# 下载脚本 +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# 运行脚本并按照提示操作 +sudo bash ikev2changeaddr.sh +``` + +**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址以及 Remote ID(如果适用)。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 + +## 更新 IKEv2 辅助脚本 + +IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + +## 手动配置 IKEv2 + +除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动在 VPN 服务器上配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 
@@ -780,94 +879,6 @@ sudo ikev2.sh --revokeclient [client name] 在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。 -## 故障排除 - -*其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除)。* - -**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 - -* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) -* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) -* [参数错误 policy match error](#参数错误-policy-match-error) -* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) -* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) -* [其它已知问题](#其它已知问题) - -### 连接 IKEv2 后不能打开网站 - -如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: - -1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: - - ```bash - # 将 ens4 替换为你的服务器上的网络接口名称 - sudo ifconfig ens4 mtu 1500 - ``` - - 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 - -1. 如果更改 MTU 无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 小节中的解决方案。 - -1. 
在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 - -### IKE 身份验证凭证不可接受 - -如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 - -### 参数错误 policy match error - -要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 - -- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 在一小时后断开连接 - -如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: - -``` - ikelifetime=24h - salifetime=24h -``` - -保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 - -### 无法同时连接多个 IKEv2 客户端 - -如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 - -如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 - -### 其它已知问题 - -1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 -1. 
如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 - -## 更新 IKEv2 辅助脚本 - -IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` - -## 更改 IKEv2 服务器地址 - -在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 - -```bash -# 下载脚本 -wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr -# 运行脚本并按照提示操作 -sudo bash ikev2changeaddr.sh -``` - -**重要:** 运行此脚本后,你必须手动更新任何现有 IKEv2 客户端设备上的服务器地址。对于 iOS 客户端,你需要使用 IKEv2 [辅助脚本](#使用辅助脚本配置-ikev2) 导出然后重新导入客户端配置。 - ## 移除 IKEv2 如果你想要从 VPN 服务器移除 IKEv2,但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本配置-ikev2) 并选择 "Remove IKEv2" 选项。**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**! diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 77ccc7e..1e9a87f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -8,10 +8,10 @@ * [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) * [Manage client certificates](#manage-client-certificates) -* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Troubleshooting](#troubleshooting) -* [Update IKEv2 helper script](#update-ikev2-helper-script) * [Change IKEv2 server address](#change-ikev2-server-address) +* [Update IKEv2 helper script](#update-ikev2-helper-script) +* [Manually set up IKEv2](#manually-set-up-ikev2) * [Remove IKEv2](#remove-ikev2) * [References](#references) 
@@ -42,6 +42,8 @@ sudo ikev2.sh --auto sudo ikev2.sh ``` +**Note:** If IKEv2 is already set up, but you want to customize IKEv2 options, first [remove IKEv2](#remove-ikev2), then set it up again using `sudo ikev2.sh`. + When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
@@ -89,6 +91,13 @@ sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
+Learn how to change the IKEv2 server address. + + +In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Learn more in [this section](#change-ikev2-server-address). +
+
+ View usage information for the IKEv2 script. @@ -423,7 +432,7 @@ To generate certificates for additional IKEv2 clients, just run the [helper scri sudo ikev2.sh --addclient [client name] ``` -Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server). +Alternatively, you may manually add a client certificate. Refer to step 4 in [this section](#manually-set-up-ikev2). ### Export configuration for an existing client @@ -571,9 +580,99 @@ Alternatively, you may manually revoke a client certificate. This can be done us ```
-## Manually set up IKEv2 on the VPN server +## Troubleshooting -As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version. +*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* + +**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). + +* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) +* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) +* [Policy match error](#policy-match-error) +* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) +* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) +* [Other known issues](#other-known-issues) + +### Cannot open websites after connecting to IKEv2 + +If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: + +1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: + + ```bash + # Replace ens4 with the network interface name on your server + sudo ifconfig ens4 mtu 1500 + ``` + + This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. + +1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues). + +1. 
Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. + +### IKE authentication credentials are unacceptable + +If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). + +### Policy match error + +To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. + +- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 disconnects after one hour + +If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: + +``` + ikelifetime=24h + salifetime=24h +``` + +Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. + +### Unable to connect multiple IKEv2 clients + +To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. + +If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. 
home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. + +### Other known issues + +1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. +1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. + +## Change IKEv2 server address + +In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Note that the server address you specify on VPN client devices must **exactly match** the server address in the output of the IKEv2 helper script. Otherwise, devices may be unable to connect. + +To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. + +```bash +# Download the script +wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr +# Run the script and follow the prompts +sudo bash ikev2changeaddr.sh +``` + +**Important:** After running this script, you must manually update the server address (and remote ID, if applicable) on any existing IKEv2 client devices. For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). 
+ +## Update IKEv2 helper script + +The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + +## Manually set up IKEv2 + +As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2 on the VPN server. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version. The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. 
@@ -782,94 +881,6 @@ View example steps for manually configuring IKEv2 with Libreswan. Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients). -## Troubleshooting - -*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* - -**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). - -* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) -* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) -* [Policy match error](#policy-match-error) -* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) -* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) -* [Other known issues](#other-known-issues) - -### Cannot open websites after connecting to IKEv2 - -If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: - -1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: - - ```bash - # Replace ens4 with the network interface name on your server - sudo ifconfig ens4 mtu 1500 - ``` - - This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. - -1. If changing the MTU does not fix the issue, try the fix from section [Android MTU/MSS issues](clients.md#android-mtumss-issues). - -1. Under certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. 
This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. - -### IKE authentication credentials are unacceptable - -If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). - -### Policy match error - -To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. - -- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 disconnects after one hour - -If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: - -``` - ikelifetime=24h - salifetime=24h -``` - -Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. - -### Unable to connect multiple IKEv2 clients - -To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. - -If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. 
Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. - -### Other known issues - -1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. -1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. - -## Update IKEv2 helper script - -The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` - -## Change IKEv2 server address - -In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. - -```bash -# Download the script -wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr -# Run the script and follow the prompts -sudo bash ikev2changeaddr.sh -``` - -**Important:** After running this script, you must manually update the server address on any existing IKEv2 client devices. 
For iOS clients, you'll need to export and re-import client configuration using the IKEv2 [helper script](#set-up-ikev2-using-helper-script). - ## Remove IKEv2 If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#set-up-ikev2-using-helper-script) again and select the "Remove IKEv2" option. **Warning:** All IKEv2 configuration including certificates and keys will be **permanently deleted**. This **cannot be undone**!
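Review bot: The `@@ -102,32 +102,16 @@` hunks in README.md and README-zh.md drop the "After successful installation, it is recommended to set up IKEv2" paragraph from all three options, but nothing left in the README tells the reader that the quick start script now sets up IKEv2 on its own; that fact lives only in the commit message. Suggest one sentence next to the option list, e.g. `The quick start script also sets up IKEv2 automatically. See [docs/ikev2-howto.md](docs/ikev2-howto.md) to configure clients.`, and the same in the Chinese README. Also please confirm that `extras/quickstart.sh` really contains the `YOUR_IPSEC_PSK`, `YOUR_USERNAME` and `YOUR_PASSWORD` placeholders and honours `VPN_IPSEC_PSK`, `VPN_USER` and `VPN_PASSWORD`, since Options 2 and 3 now point readers at that file; the commit message cites d37a2fb for this, but it is not part of this patch.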
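Review bot: In the `@@ -178,11 +139,11 @@` hunks of README.md and README-zh.md the download target moves from `https://git.io/vpnsetup` to `https://git.io/vpnstart`, so a different script is now fetched through an opaque redirector and immediately run as root with `sudo sh vpn.sh`, with no checksum or signature step anywhere in the hunk. Since the same hunk already links the in-repo file `[quickstart.sh](extras/quickstart.sh)`, suggest that the fallback paragraph (and ideally the three options above it) also give the full GitHub URL of that file, so a reader can fetch and read the script from the repository without trusting the short link, and that the existing "A secure IPsec PSK should consist of at least 20 random characters" note be joined by a one-line pointer to review the script before running it as root.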
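Review bot: The note added in the `@@ -42,6 +42,8 @@` hunk of docs/ikev2-howto.md (and its counterpart in docs/ikev2-howto-zh.md) tells users to "first remove IKEv2, then set it up again" in order to customize options, but the "Remove IKEv2" section of the same file states that removal permanently deletes all IKEv2 configuration including certificates and keys. The note should say this explicitly, e.g. `Note that removing IKEv2 deletes all existing client certificates; you will need to add each client again and re-import its configuration.`, otherwise a reader following the note will break every existing IKEv2 client without warning.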
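Review bot: The heading rename from `## Manually set up IKEv2 on the VPN server` to `## Manually set up IKEv2` (hunks `@@ -8,10` and `@@ -423,7` in docs/ikev2-howto.md, `@@ -8,10` and `@@ -421,7` in docs/ikev2-howto-zh.md) changes the anchor, and this patch only updates the two references visible here. Any other file in the repository that links to `#manually-set-up-ikev2-on-the-vpn-server` or `#手动在-vpn-服务器上配置-ikev2` (for example the README "Next steps" section or the advanced-usage pages, if they point there) is not touched. Suggest grepping the tree for both old anchor strings before merging, since a stale anchor fails silently as a jump to the top of the page.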
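Review bot: In the `@@ -571,9 +580,99 @@` hunk of docs/ikev2-howto.md (and `@@ -569,9 +578,99 @@` in the -zh file) the moved "Change IKEv2 server address" section runs `wget -nv -O ikev2changeaddr.sh https://bit.ly/ikev2changeaddr` followed by `sudo bash ikev2changeaddr.sh`, i.e. a script obtained through a third-party URL shortener is executed as root, while the same paragraph links the in-repo file `../extras/ikev2changeaddr.sh`. Suggest pointing the download at the GitHub-hosted copy of that file, consistent with the rest of these docs, which fetch `ikev2.sh` via the project's own links. Two smaller points in the same hunk: the MTU fix `sudo ifconfig ens4 mtu 1500` depends on net-tools, which many current distributions no longer install by default, so showing `sudo ip link set dev ens4 mtu 1500` alongside it would save readers a failed command; and the new "(and remote ID, if applicable)" wording in the **Important** note is a good addition, but it would help to state which value the remote ID must match (the address shown in the helper script output, as the "IKE authentication credentials are unacceptable" entry already says).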