From a1dc39688320cc0f9165a3298a21cb52e03f6e29 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 15 Feb 2022 00:31:34 -0600 Subject: [PATCH] Update docs --- docs/ikev2-howto-zh.md | 55 ++++++++++++++++++++++++++---------------- docs/ikev2-howto.md | 55 ++++++++++++++++++++++++++---------------- 2 files changed, 68 insertions(+), 42 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 5e96b67..33e2452 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -10,6 +10,7 @@ * [管理客户端证书](#管理客户端证书) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [故障排除](#故障排除) +* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [移除 IKEv2](#移除-ikev2) * [参考链接](#参考链接) @@ -59,7 +60,7 @@ chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
-你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。 +你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。 在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下: @@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
-了解如何更新服务器上的 IKEv2 辅助脚本。 - - -IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` -
-
- -了解如何在配置 IKEv2 之后更改服务器地址。 - - -在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。参见 [这一小节](#更改-ikev2-服务器地址)。 -
-
- 查看 IKEv2 脚本的使用信息。 @@ -443,7 +425,7 @@ sudo ikev2.sh --exportclient [client name] 首先,请阅读上面的重要说明。然后点这里查看详情。 -**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。此操作**不可撤销**! +**警告:** 这将**永久删除**客户端证书和私钥。此操作**不可撤销**! 如果要删除一个客户端证书: @@ -578,6 +560,11 @@ sudo ikev2.sh --revokeclient [client name] 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +
+ +查看手动在 Libreswan 上配置 IKEv2 的示例步骤。 + + 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash @@ -776,6 +763,7 @@ sudo ikev2.sh --revokeclient [client name] ``` 在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。 +
## 故障排除 @@ -783,10 +771,26 @@ sudo ikev2.sh --revokeclient [client name] **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 +* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) +* [参数错误 policy match error](#参数错误-policy-match-error) * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) * [其它已知问题](#其它已知问题) +### IKE 身份验证凭证不可接受 + +如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 + +### 参数错误 policy match error + +要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 + +- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + ### IKEv2 在一小时后断开连接 如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: 
@@ -809,6 +813,15 @@ sudo ikev2.sh --revokeclient [client name] 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 +## 更新 IKEv2 辅助脚本 + +IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。 + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + ## 更改 IKEv2 服务器地址 在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 611f9f5..12384d9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -10,6 +10,7 @@ * [Manage client certificates](#manage-client-certificates) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Troubleshooting](#troubleshooting) +* [Update IKEv2 helper script](#update-ikev2-helper-script) * [Change IKEv2 server address](#change-ikev2-server-address) * [Remove IKEv2](#remove-ikev2) * [References](#references) @@ -59,7 +60,7 @@ Then run the script using the instructions above.
-You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details. +You may optionally specify a DNS name, client name and/or custom DNS servers. When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example: @@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
-Learn how to update the IKEv2 helper script on your server. - - -The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. - -```bash -wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh -chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null -``` -
-
- -Learn how to change server address after IKEv2 setup. - - -In certain circumstances, you may need to change the IKEv2 server address after setup. Learn more in [this section](#change-ikev2-server-address). -
-
- View usage information for the IKEv2 script. @@ -445,7 +427,7 @@ sudo ikev2.sh --exportclient [client name] First, read the important note above. Then click here for instructions. -**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below. This **cannot be undone**! +**Warning:** The client certificate and private key will be **permanently deleted**. This **cannot be undone**! To delete a client certificate: @@ -580,6 +562,11 @@ As an alternative to using the [helper script](#set-up-ikev2-using-helper-script The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. +
+ +View example steps for manually configuring IKEv2 with Libreswan. + + 1. Find the VPN server's public IP, save it to a variable and check. ```bash @@ -778,6 +765,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm ``` Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients). +
## Troubleshooting @@ -785,10 +773,26 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). +* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) +* [Policy match error](#policy-match-error) * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) * [Other known issues](#other-known-issues) +### IKE authentication credentials are unacceptable + +If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). + +### Policy match error + +To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. + +- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + ### IKEv2 disconnects after one hour If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: 
@@ -811,6 +815,15 @@ If you are unable to connect multiple IKEv2 clients from behind the same NAT (e. 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. 1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. +## Update IKEv2 helper script + +The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`. + +```bash +wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh +chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null +``` + ## Change IKEv2 server address In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
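Review bot: the helper-script update commands relocated in the `@@ -811,6 +815,15 @@` hunk of docs/ikev2-howto.md (and the matching `@@ -809,6 +813,15 @@` hunk of docs/ikev2-howto-zh.md) fetch a script that is later run as root through a URL shortener (`https://git.io/ikev2setup`) and overwrite `/opt/src/ikev2.sh` in place with no integrity check. Since the block is being moved anyway, consider pointing at the repository file the commit-log link in the same paragraph already names (`extras/ikev2setup.sh`) at a pinned tag, and downloading to a temporary file that is checked (at minimum against a published checksum) before it replaces `/opt/src/ikev2.sh`: `wget -O` truncates the target before the transfer completes, so an interrupted download leaves an empty script symlinked into `/usr/bin`. The `2>/dev/null` on `ln -s /opt/src/ikev2.sh /usr/bin` also hides any failure to create the symlink; `ln -sf` states the intent without suppressing errors.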
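Review bot: in the `@@ -785,10 +773,26 @@` troubleshooting hunk of docs/ikev2-howto.md (and `@@ -783,10 +771,26 @@` in the zh file), the "Policy match error" entry tells users to import a downloaded `.reg` file into HKLM without saying what it contains. Since the fix is one DWORD, state in the text that the file sets only `HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NegotiateDH2048_AES256` to `1`, so readers can open it in a text editor and confirm it matches the `REG ADD` line before importing, and say whether a reboot or a restart of the RasMan service is needed before reconnecting. "Stronger ciphers" is vague; the value name already says what is enabled (DH 2048 and AES-256 for IKEv2), so name them. In the same hunk, the "IKE authentication credentials are unacceptable" entry points at "the output of the IKEv2 helper script", which does not exist for readers who followed the manual setup section above; tell them where the server address is fixed in that case as well.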
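Review bot: the new warning in the `@@ -445,7 +427,7 @@` hunk of docs/ikev2-howto.md (and `@@ -443,7 +425,7 @@` in the zh file) says deletion is irreversible but not what it does to access. If deleting a client certificate from the server does not also revoke it, a client that already holds the exported certificate and private key can keep authenticating until the certificate expires, because the server validates the chain against the CA rather than against its own copy. Spell this out and, if that is the behaviour, tell readers to run `sudo ikev2.sh --revokeclient [client name]` (shown in this hunk's context) before deleting; if the delete action already revokes, say so in the warning.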