
Update docs

This commit is contained in:
hwdsl2 2022-02-15 00:31:34 -06:00
parent 354c512d86
commit a1dc396883
2 changed files with 68 additions and 42 deletions

View File

@ -10,6 +10,7 @@
* [管理客户端证书](#管理客户端证书) * [管理客户端证书](#管理客户端证书)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
* [故障排除](#故障排除) * [故障排除](#故障排除)
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
* [移除 IKEv2](#移除-ikev2) * [移除 IKEv2](#移除-ikev2)
* [参考链接](#参考链接) * [参考链接](#参考链接)
@ -59,7 +60,7 @@ chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
</details> </details>
<details> <details>
<summary> <summary>
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。 你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。
</summary> </summary>
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下: 在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN),它将被包含在生成的服务器证书中。示例如下:
@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
</details> </details>
<details> <details>
<summary> <summary>
了解如何更新服务器上的 IKEv2 辅助脚本。
</summary>
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
</details>
<details>
<summary>
了解如何在配置 IKEv2 之后更改服务器地址。
</summary>
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。参见 [这一小节](#更改-ikev2-服务器地址)。
</details>
<details>
<summary>
查看 IKEv2 脚本的使用信息。 查看 IKEv2 脚本的使用信息。
</summary> </summary>
@ -443,7 +425,7 @@ sudo ikev2.sh --exportclient [client name]
首先,请阅读上面的重要说明。然后点这里查看详情。 首先,请阅读上面的重要说明。然后点这里查看详情。
</summary> </summary>
**重要:** 请先阅读上面的重要说明。如果你仍然想要删除证书,参见下面的步骤。此操作**不可撤销** **警告:** 这将**永久删除**客户端证书和私钥。此操作**不可撤销**
如果要删除一个客户端证书: 如果要删除一个客户端证书:
@ -578,6 +560,11 @@ sudo ikev2.sh --revokeclient [client name]
下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
<details>
<summary>
查看手动在 Libreswan 上配置 IKEv2 的示例步骤。
</summary>
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
```bash ```bash
@ -776,6 +763,7 @@ sudo ikev2.sh --revokeclient [client name]
``` ```
在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。 在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。下一步:[配置 VPN 客户端](#配置-ikev2-vpn-客户端)。
</details>
## 故障排除 ## 故障排除
@ -783,10 +771,26 @@ sudo ikev2.sh --revokeclient [client name]
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
* [参数错误 policy match error](#参数错误-policy-match-error)
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接)
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) * [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
* [其它已知问题](#其它已知问题) * [其它已知问题](#其它已知问题)
### IKE 身份验证凭证不可接受
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
### 参数错误 policy match error
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 在一小时后断开连接 ### IKEv2 在一小时后断开连接
如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: 如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
@ -809,6 +813,15 @@ sudo ikev2.sh --revokeclient [client name]
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
## 更新 IKEv2 辅助脚本
IKEv2 辅助脚本会不时更新,以进行错误修复和改进([更新日志](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh))。 当有新版本可用时,你可以更新服务器上的 IKEv2 辅助脚本。这是可选的。请注意,这些命令将覆盖任何现有的 `ikev2.sh`
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## 更改 IKEv2 服务器地址 ## 更改 IKEv2 服务器地址
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。 在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改服务器地址,运行这个 [辅助脚本](../extras/ikev2changeaddr.sh) 并按提示操作。

View File

@ -10,6 +10,7 @@
* [Manage client certificates](#manage-client-certificates) * [Manage client certificates](#manage-client-certificates)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
* [Troubleshooting](#troubleshooting) * [Troubleshooting](#troubleshooting)
* [Update IKEv2 helper script](#update-ikev2-helper-script)
* [Change IKEv2 server address](#change-ikev2-server-address) * [Change IKEv2 server address](#change-ikev2-server-address)
* [Remove IKEv2](#remove-ikev2) * [Remove IKEv2](#remove-ikev2)
* [References](#references) * [References](#references)
@ -59,7 +60,7 @@ Then run the script using the instructions above.
</details> </details>
<details> <details>
<summary> <summary>
You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details. You may optionally specify a DNS name, client name and/or custom DNS servers.
</summary> </summary>
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example: When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate. Example:
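Review bot: the reworded summary `You may optionally specify a DNS name, client name and/or custom DNS servers.` drops the "Click here for details." call-to-action, while the later summary `First, read the important note above. Then click here for instructions.` keeps it; pick one convention for all `<summary>` lines in the file so the collapsible sections read consistently.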
@ -82,25 +83,6 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
</details> </details>
<details> <details>
<summary> <summary>
Learn how to update the IKEv2 helper script on your server.
</summary>
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
</details>
<details>
<summary>
Learn how to change server address after IKEv2 setup.
</summary>
In certain circumstances, you may need to change the IKEv2 server address after setup. Learn more in [this section](#change-ikev2-server-address).
</details>
<details>
<summary>
View usage information for the IKEv2 script. View usage information for the IKEv2 script.
</summary> </summary>
@ -445,7 +427,7 @@ sudo ikev2.sh --exportclient [client name]
First, read the important note above. Then click here for instructions. First, read the important note above. Then click here for instructions.
</summary> </summary>
**Important:** Please first read the important note above. If you still want to delete a certificate, refer to the steps below. This **cannot be undone**! **Warning:** The client certificate and private key will be **permanently deleted**. This **cannot be undone**!
To delete a client certificate: To delete a client certificate:
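Review bot: the new warning says what deletion does but not what it does not do: removing the certificate and private key from the server does not recall copies already exported to client devices, and if the goal is to stop a client from connecting, the revocation step (`sudo ikev2.sh --revokeclient [client name]`, visible in the hunk headers below) is the one that does that. Suggest one sentence after `This **cannot be undone**!` saying that a certificate should be revoked before it is deleted, or at least keep the pointer to the important note that the old wording carried.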
@ -580,6 +562,11 @@ As an alternative to using the [helper script](#set-up-ikev2-using-helper-script
The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
<details>
<summary>
View example steps for manually configuring IKEv2 with Libreswan.
</summary>
1. Find the VPN server's public IP, save it to a variable and check. 1. Find the VPN server's public IP, save it to a variable and check.
```bash ```bash
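Review bot: the `<details>` opened here around `View example steps for manually configuring IKEv2 with Libreswan.` is closed only in the next hunk, roughly 200 lines later, and the wrapped content is a numbered list with fenced code blocks; make sure a blank line follows `</summary>` (and precedes the closing `</details>`) so the Markdown inside the HTML block is rendered rather than shown as raw text.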
@ -778,6 +765,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
``` ```
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients). Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions to [configure VPN clients](#configure-ikev2-vpn-clients).
</details>
## Troubleshooting ## Troubleshooting
@ -785,10 +773,26 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
* [Policy match error](#policy-match-error)
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour)
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [Other known issues](#other-known-issues) * [Other known issues](#other-known-issues)
### IKE authentication credentials are unacceptable
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
### Policy match error
To fix this error, you'll need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 disconnects after one hour ### IKEv2 disconnects after one hour
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
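Review bot: the `Policy match error` fix asks readers to import a `.reg` file fetched from a release asset in a separate repository (hwdsl2/vpn-extras v1.0.0) into an elevated session; state in the text that the file makes exactly the single change shown in the `REG ADD ... /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f` command, so readers can inspect the file before importing it or simply run the visible command instead. For `IKE authentication credentials are unacceptable`, a short reason would help the reader self-diagnose: the address typed into the client must match the name in the server certificate, which is why the setup text above says a DNS name given at setup `will be included in the generated server certificate`.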
@ -811,6 +815,15 @@ If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. 1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
## Update IKEv2 helper script
The IKEv2 helper script is updated from time to time for bug fixes and improvements ([commit log](https://github.com/hwdsl2/setup-ipsec-vpn/commits/master/extras/ikev2setup.sh)). When a newer version is available, you may optionally update the IKEv2 helper script on your server. Note that these commands will overwrite any existing `ikev2.sh`.
```bash
wget https://git.io/ikev2setup -nv -O /opt/src/ikev2.sh
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
```
## Change IKEv2 server address ## Change IKEv2 server address
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts. In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. To change the server address, run this [helper script](../extras/ikev2changeaddr.sh) and follow the prompts.
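Review bot: the commands under `## Update IKEv2 helper script` replace `/opt/src/ikev2.sh` (symlinked into `/usr/bin`) with whatever `https://git.io/ikev2setup` currently resolves to, with no integrity check, and the file is then run as root; suggest telling readers to review the linked commit log first and to compare the downloaded file against the repository copy (or a published checksum) before running it. Also worth a few words that `2>/dev/null` on `ln -s` only hides the "file exists" error when the symlink is already in place, so readers do not mistake silence for a failed install.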