Update docs
This commit is contained in:
parent
354c512d86
commit
a1dc396883
@ -10,6 +10,7 @@
|
|||||||
* [管理客户端证书](#管理客户端证书)
|
* [管理客户端证书](#管理客户端证书)
|
||||||
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
|
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
|
||||||
* [故障排除](#故障排除)
|
* [故障排除](#故障排除)
|
||||||
|
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
|
||||||
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
|
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
|
||||||
* [移除 IKEv2](#移除-ikev2)
|
* [移除 IKEv2](#移除-ikev2)
|
||||||
* [参考链接](#参考链接)
|
* [参考链接](#参考链接)
|
||||||
@ -59,7 +60,7 @@ chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
|
|||||||
</details>
|
</details>
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。
|
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
|
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
|
||||||
@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
|||||||
</details>
|
</details>
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
了解如何更新服务器上的 IKEv2 辅助脚本。
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
|
|
||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
了解如何在配置 IKEv2 之后更改服务器地址。
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。参见 [这一小节](#更改-ikev2-服务器地址)。
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
查看 IKEv2 脚本的使用信息。
|
查看 IKEv2 脚本的使用信息。
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
@ -443,7 +425,7 @@ sudo ikev2.sh --exportclient [client name]
|
|||||||
首先,请阅读上面的重要说明。然后点这里查看详情。
|
首先,请阅读上面的重要说明。然后点这里查看详情。
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。此操作**不可撤销**!
|
**警告:** 这将**永久删除**客户端证书和私钥。此操作**不可撤销**!
|
||||||
|
|
||||||
如果要删除一个客户端证书:
|
如果要删除一个客户端证书:
|
||||||
|
|
||||||
@ -578,6 +560,11 @@ sudo ikev2.sh --revokeclient [client name]
|
|||||||
|
|
||||||
下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
查看手动在 Libreswan 上配置 IKEv2 的示例步骤。
|
||||||
|
</summary>
|
||||||
|
|
||||||
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
|
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@ -776,6 +763,7 @@ sudo ikev2.sh --revokeclient [client name]
|
|||||||
```
|
```
|
||||||
|
|
||||||
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
|
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
|
||||||
|
</details>
|
||||||
|
|
||||||
## 故障排除
|
## 故障排除
|
||||||
|
|
||||||
@ -783,10 +771,26 @@ sudo ikev2.sh --revokeclient [client name]
|
|||||||
|
|
||||||
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
|
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
|
||||||
|
|
||||||
|
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
|
||||||
|
* [参数错误 policy match error](#参数错误-policy-match-error)
|
||||||
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
|
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
|
||||||
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
|
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
|
||||||
* [其它已知问题](#其它已知问题)
|
* [其它已知问题](#其它已知问题)
|
||||||
|
|
||||||
|
### IKE 身份验证凭证不可接受
|
||||||
|
|
||||||
|
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
|
||||||
|
|
||||||
|
### 参数错误 policy match error
|
||||||
|
|
||||||
|
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
|
||||||
|
|
||||||
|
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
|
||||||
|
|
||||||
|
```console
|
||||||
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
|
||||||
|
```
|
||||||
|
|
||||||
### IKEv2 在一小时后断开连接
|
### IKEv2 在一小时后断开连接
|
||||||
|
|
||||||
如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
|
如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
|
||||||
@ -809,6 +813,15 @@ sudo ikev2.sh --revokeclient [client name]
|
|||||||
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
|
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
|
||||||
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
|
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
|
||||||
|
|
||||||
|
## 更新 IKEv2 辅助脚本
|
||||||
|
|
||||||
|
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`。
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
|
||||||
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
||||||
|
```
|
||||||
|
|
||||||
## 更改 IKEv2 服务器地址
|
## 更改 IKEv2 服务器地址
|
||||||
|
|
||||||
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。
|
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
* [Manage client certificates](#manage-client-certificates)
|
* [Manage client certificates](#manage-client-certificates)
|
||||||
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
|
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
|
||||||
* [Troubleshooting](#troubleshooting)
|
* [Troubleshooting](#troubleshooting)
|
||||||
|
* [Update IKEv2 helper script](#update-ikev2-helper-script)
|
||||||
* [Change IKEv2 server address](#change-ikev2-server-address)
|
* [Change IKEv2 server address](#change-ikev2-server-address)
|
||||||
* [Remove IKEv2](#remove-ikev2)
|
* [Remove IKEv2](#remove-ikev2)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
@ -59,7 +60,7 @@ Then run the script using the instructions above.
|
|||||||
</details>
|
</details>
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details.
|
You may optionally specify a DNS name, client name and/or custom DNS servers.
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
|
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
|
||||||
@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
|||||||
</details>
|
</details>
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
Learn how to update the IKEv2 helper script on your server.
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
|
|
||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
Learn how to change server address after IKEv2 setup.
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
In certain circumstances, you may need to change the IKEv2 server address after setup. Learn more in [this section](#change-ikev2-server-address).
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
View usage information for the IKEv2 script.
|
View usage information for the IKEv2 script.
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
@ -445,7 +427,7 @@ sudo ikev2.sh --exportclient [client name]
|
|||||||
First, read the important note above. Then click here for instructions.
|
First, read the important note above. Then click here for instructions.
|
||||||
</summary>
|
</summary>
|
||||||
|
|
||||||
**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below. This **cannot be undone**!
|
**Warning:** The client certificate and private key will be **permanently deleted**. This **cannot be undone**!
|
||||||
|
|
||||||
To delete a client certificate:
|
To delete a client certificate:
|
||||||
|
|
||||||
@ -580,6 +562,11 @@ As an alternative to using the [helper script](#set-up-ikev2-using-helper-script
|
|||||||
|
|
||||||
The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
View example steps for manually configuring IKEv2 with Libreswan.
|
||||||
|
</summary>
|
||||||
|
|
||||||
1. Find the VPN server's public IP, save it to a variable and check.
|
1. Find the VPN server's public IP, save it to a variable and check.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@ -778,6 +765,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
|
|||||||
```
|
```
|
||||||
|
|
||||||
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
|
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
|
||||||
|
</details>
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
@ -785,10 +773,26 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
|
|||||||
|
|
||||||
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
|
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
|
||||||
|
|
||||||
|
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
|
||||||
|
* [Policy match error](#policy-match-error)
|
||||||
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
|
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
|
||||||
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
|
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
|
||||||
* [Other known issues](#other-known-issues)
|
* [Other known issues](#other-known-issues)
|
||||||
|
|
||||||
|
### IKE authentication credentials are unacceptable
|
||||||
|
|
||||||
|
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
|
||||||
|
|
||||||
|
### Policy match error
|
||||||
|
|
||||||
|
To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
|
||||||
|
|
||||||
|
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
|
||||||
|
|
||||||
|
```console
|
||||||
|
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
|
||||||
|
```
|
||||||
|
|
||||||
### IKEv2 disconnects after one hour
|
### IKEv2 disconnects after one hour
|
||||||
|
|
||||||
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
|
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
|
||||||
@ -811,6 +815,15 @@ If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.
|
|||||||
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
|
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
|
||||||
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
|
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
|
||||||
|
|
||||||
|
## Update IKEv2 helper script
|
||||||
|
|
||||||
|
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
|
||||||
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
||||||
|
```
|
||||||
|
|
||||||
## Change IKEv2 server address
|
## Change IKEv2 server address
|
||||||
|
|
||||||
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
|
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
|
||||||
|
Loading…
Reference in New Issue
Block a user