mirror of synced 2024-11-26 06:46:06 +03:00

Update docs

This commit is contained in:
hwdsl2 2022-06-13 23:34:16 -05:00
parent 90f9e01565
commit ffdb388850
7 changed files with 50 additions and 88 deletions

View File

@ -10,8 +10,6 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
我们将使用 [Libreswan](https://libreswan.org/) 作为 IPsec 服务器,以及 [xl2tpd](https://github.com/xelerance/xl2tpd) 作为 L2TP 提供者。 我们将使用 [Libreswan](https://libreswan.org/) 作为 IPsec 服务器,以及 [xl2tpd](https://github.com/xelerance/xl2tpd) 作为 L2TP 提供者。
**» 另见:[WireGuard](https://github.com/hwdsl2/wireguard-install/blob/master/README-zh.md) 和 [OpenVPN](https://github.com/hwdsl2/openvpn-install/blob/master/README-zh.md) 一键安装脚本**
## 快速开始 ## 快速开始
首先,在你的 Linux 服务器\* 上全新安装 Ubuntu, Debian 或者 CentOS。 首先,在你的 Linux 服务器\* 上全新安装 Ubuntu, Debian 或者 CentOS。
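Review bot: the line removed at the top of this hunk is the only cross-reference in this context to the WireGuard and OpenVPN auto-setup scripts; if the intent is to de-emphasise them on the README front page rather than drop the pointer altogether, a shorter link elsewhere in the quick-start text would keep those sibling projects discoverable from this page. The same removal is made in README.md, so the two language versions stay in sync.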
@ -196,15 +194,13 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/vpnsetup.sh
[**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**](docs/clients-xauth-zh.md) [**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**](docs/clients-xauth-zh.md)
如果在连接过程中遇到错误,请参见 [故障排除](docs/clients-zh.md#故障排除)。
开始使用自己的专属 VPN! :sparkles::tada::rocket::sparkles: 开始使用自己的专属 VPN! :sparkles::tada::rocket::sparkles:
如果你喜欢这个项目,可以 [表达你的支持或感谢](https://coindrop.to/hwdsl2)。 如果你喜欢这个项目,可以 [表达你的支持或感谢](https://coindrop.to/hwdsl2)。
## 重要提示 <a href="https://coindrop.to/hwdsl2" target="_blank"><img src="docs/images/embed-button.png" height="38" width="153" alt="Coindrop.to me"></img></a>
*其他语言版本: [English](README.md#important-notes), [中文](README-zh.md#重要提示)。* ## 重要提示
**Windows 用户** 对于 IPsec/L2TP 模式,在首次连接之前需要 [修改注册表](docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器或客户端与 NAT比如家用路由器的兼容问题。 **Windows 用户** 对于 IPsec/L2TP 模式,在首次连接之前需要 [修改注册表](docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器或客户端与 NAT比如家用路由器的兼容问题。
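Review bot: the `<a ... target="_blank"><img ...></img></a>` markup added ahead of the 重要提示 heading uses a closing `</img>` tag, which is invalid for a void element; write `<img ... />` (or just `<img ...>`) so sanitising renderers do not emit stray text, and pair `target="_blank"` with `rel="noopener noreferrer"` for any renderer that honours `target` (some hosted renderers rewrite link attributes themselves, others render the raw HTML as written). The hunk also drops the "如果在连接过程中遇到错误,请参见 故障排除" pointer before the celebration line; the client guides linked just above still carry their own troubleshooting sections, so this is fine as long as those anchors are kept.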

View File

@ -10,8 +10,6 @@ An IPsec VPN encrypts your network traffic, so that nobody between you and the V
We will use [Libreswan](https://libreswan.org/) as the IPsec server, and [xl2tpd](https://github.com/xelerance/xl2tpd) as the L2TP provider. We will use [Libreswan](https://libreswan.org/) as the IPsec server, and [xl2tpd](https://github.com/xelerance/xl2tpd) as the L2TP provider.
**&raquo; See also: [WireGuard](https://github.com/hwdsl2/wireguard-install) and [OpenVPN](https://github.com/hwdsl2/openvpn-install) Auto Setup Scripts**
## Quick start ## Quick start
First, prepare your Linux server\* with a fresh install of Ubuntu, Debian or CentOS. First, prepare your Linux server\* with a fresh install of Ubuntu, Debian or CentOS.
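Review bot: same change as in README-zh.md, so the two READMEs remain in step; as there, the removed "See also" line is the only pointer to the WireGuard and OpenVPN scripts in this context, so if they are still meant to be reachable from the front page a shorter link elsewhere in the README would preserve that path.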
@ -196,15 +194,13 @@ Get your computer or device to use the VPN. Please refer to:
[**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**](docs/clients-xauth.md) [**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**](docs/clients-xauth.md)
If you get an error when trying to connect, see [Troubleshooting](docs/clients.md#troubleshooting).
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
Like this project? You can [show your support or appreciation](https://coindrop.to/hwdsl2). Like this project? You can [show your support or appreciation](https://coindrop.to/hwdsl2).
## Important notes <a href="https://coindrop.to/hwdsl2" target="_blank"><img src="docs/images/embed-button.png" height="38" width="153" alt="Coindrop.to me"></img></a>
*Read this in other languages: [English](README.md#important-notes), [中文](README-zh.md#重要提示).* ## Important notes
**Windows users**: For IPsec/L2TP mode, a [one-time registry change](docs/clients.md#windows-error-809) is required if the VPN server or client is behind NAT (e.g. home router). **Windows users**: For IPsec/L2TP mode, a [one-time registry change](docs/clients.md#windows-error-809) is required if the VPN server or client is behind NAT (e.g. home router).
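Review bot: the removed "Read this in other languages" line under "Important notes" and the removed troubleshooting pointer before "Enjoy your very own VPN!" mirror the Chinese README hunk, which is good for parity. For the coindrop button inserted in their place, the same HTML point applies as in the Chinese file: `</img>` is not a valid closing tag for a void element, and `target="_blank"` should carry `rel="noopener noreferrer"` wherever the renderer keeps the `target` attribute.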

View File

@ -46,6 +46,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 右键单击保存的脚本,选择 **属性**。单击对话框下方的 **解除锁定**,然后单击 **确定** 1. 右键单击保存的脚本,选择 **属性**。单击对话框下方的 **解除锁定**,然后单击 **确定**
1. 右键单击保存的脚本,选择 **以管理员身份运行** 并按提示操作。 1. 右键单击保存的脚本,选择 **以管理员身份运行** 并按提示操作。
要连接到 VPN单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 [这里](https://www.ipchicken.com) 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
#### 手动导入配置 #### 手动导入配置
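Review bot: the added "要连接到 VPN" paragraph verifies routing by sending the user to https://www.ipchicken.com, while the English ikev2-howto.md in this same commit uses a Google "my ip" search for the identical check; pick one verification method for both language versions so the docs stay consistent, and phrase the expected result in terms the project controls (the address printed by the IKEv2 helper script) rather than a third-party site's wording. The paragraph itself is a good addition: telling the user which address they should see turns "connected" into a checkable statement.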
@ -421,14 +423,31 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 **另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。
* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) * [无法连接多个 IKEv2 客户端](#无法连接多个-ikev2-客户端)
* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) * [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受)
* [参数错误 policy match error](#参数错误-policy-match-error) * [参数错误 policy match error](#参数错误-policy-match-error)
* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) * [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站)
* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端)
* [Windows 10 正在连接](#windows-10-正在连接) * [Windows 10 正在连接](#windows-10-正在连接)
* [其它已知问题](#其它已知问题) * [其它已知问题](#其它已知问题)
### 无法连接多个 IKEv2 客户端
如果要同时连接多个 IKEv2 客户端,你必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
### IKE 身份验证凭证不可接受
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
### 参数错误 policy match error
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### 连接 IKEv2 后不能打开网站 ### 连接 IKEv2 后不能打开网站
如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: 如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案:
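Review bot: the heading "无法同时连接多个 IKEv2 客户端" is renamed to "无法连接多个 IKEv2 客户端", so the anchor `#无法同时连接多个-ikev2-客户端` no longer exists; issue comments or external pages that linked to the old anchor will now land at the top of the file, so consider keeping the old heading text or otherwise leaving the old anchor reachable. The new one-sentence body covers only the unique-certificate requirement, so the heading now promises more than the section delivers for the NAT case. The "IKEv2 在一小时后断开连接" entry is also dropped from the index list, matching the removal of its section below, and the moved "IKE 身份验证凭证不可接受" and "参数错误 policy match error" sections are verbatim copies, so no content is lost in the move.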
@ -446,37 +465,6 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
1. 在某些情况下Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 1. 在某些情况下Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。
### IKE 身份验证凭证不可接受
如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。
### 参数错误 policy match error
要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。
- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 在一小时后断开连接
如果 IKEv2 连接在一小时60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格:
```
ikelifetime=24h
salifetime=24h
```
保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。
### 无法同时连接多个 IKEv2 客户端
如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。
如果你无法连接同一个 NAT比如家用路由器后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@<your_server_ip>` 并去掉 `@`,也就是说将它替换为 `leftid=<your_server_ip>`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。
### Windows 10 正在连接 ### Windows 10 正在连接
如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤: 如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤:
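Review bot: the two sections removed at the end of this hunk ("IKEv2 在一小时后断开连接", with the `ikelifetime=24h` / `salifetime=24h` lines, and the `leftid=@<your_server_ip>` NAT fix) both state that the helper script has included the fix since 2021-01-20 and 2021-02-01 respectively, so removing them is reasonable for new installs; servers set up before those dates still carry the old `ikev2.conf`, though, and lose the only written instructions for the manual edit. A one-line pointer telling such users to re-run the IKEv2 helper script (or upgrade) would keep them covered without restoring the sections. The `leftid` section also carried the caveat not to strip the `@` when `leftid` is a DNS name; if any remaining text tells users to edit `leftid`, that caveat should travel with it.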
@ -487,8 +475,7 @@ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2
### 其它已知问题 ### 其它已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。
## 管理客户端证书 ## 管理客户端证书
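Review bot: dropping the strongSwan Android item (Libreswan 3.26 or above required) removes a compatibility constraint without saying why; if it is gone because every supported install now ships a newer Libreswan, a short note to that effect in the commit message would help, otherwise strongSwan users lose the hint. Turning the remaining item from a numbered list into a plain paragraph is consistent now that only one item is left.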

View File

@ -46,6 +46,8 @@ By default, IKEv2 is automatically set up when running the VPN setup script. If
1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**. 1. Right-click on the saved script, select **Properties**. Click on **Unblock** at the bottom, then click on **OK**.
1. Right-click on the saved script, select **Run as administrator** and follow the prompts. 1. Right-click on the saved script, select **Run as administrator** and follow the prompts.
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by [looking up your IP address on Google](https://www.google.com/search?q=my+ip). It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
#### Manually import configuration #### Manually import configuration
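Review bot: the added paragraph quotes Google's exact phrase ("Your public IP address is ..."), which is wording the project does not control and which may change; the Chinese version of the same paragraph points at ipchicken.com instead. Use one check for both languages, and state the expected result as the address printed by the IKEv2 helper script rather than as a third-party site's text, so the sentence stays true when that site changes its output.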
@ -423,14 +425,31 @@ for the entire network, or use `192.168.0.10` for just one device, and so on.
**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). **See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md).
* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) * [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) * [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable)
* [Policy match error](#policy-match-error) * [Policy match error](#policy-match-error)
* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) * [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2)
* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients)
* [Windows 10 connecting](#windows-10-connecting) * [Windows 10 connecting](#windows-10-connecting)
* [Other known issues](#other-known-issues) * [Other known issues](#other-known-issues)
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients at the same time, you must [generate a unique certificate](#add-a-client-certificate) for each client.
### IKE authentication credentials are unacceptable
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
### Policy match error
To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### Cannot open websites after connecting to IKEv2 ### Cannot open websites after connecting to IKEv2
If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes:
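Review bot: with the body of "Unable to connect multiple IKEv2 clients" reduced to the single unique-certificate sentence, the heading now promises more than the section delivers for clients behind the same NAT; consider renaming it to reflect the certificate requirement or keeping one sentence about the NAT case. The reordered index list now matches the section order below, the "IKEv2 disconnects after one hour" entry is removed to match the section removal further down, and the moved "IKE authentication credentials are unacceptable" and "Policy match error" sections (including the `REG ADD ... NegotiateDH2048_AES256` command and the v1.0.0 `.reg` download) are verbatim copies, so the registry guidance is unchanged.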
@ -448,37 +467,6 @@ If your VPN client device cannot open websites after successfully connecting to
1. In certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. 1. In certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4.
### IKE authentication credentials are unacceptable
If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address).
### Policy match error
To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt.
- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
```console
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
### IKEv2 disconnects after one hour
If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces:
```
ikelifetime=24h
salifetime=24h
```
Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix.
### Unable to connect multiple IKEv2 clients
To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each.
If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@<your_server_ip>` and remove the `@`, i.e. replace it with `leftid=<your_server_ip>`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix.
### Windows 10 connecting ### Windows 10 connecting
If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps: If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps:
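Review bot: this mirrors the Chinese hunk; the thing to double-check before merging is the `leftid` guidance, since the removed paragraph was the only place telling users with pre-2021-02-01 installs to strip the `@` from `leftid=@<your_server_ip>`, and the only place with the caveat that a DNS-name `leftid` must be left alone. The same applies to the `ikelifetime=24h` / `salifetime=24h` edit for the one-hour disconnect. Because both removed sections say the helper script has shipped the fix since early 2021, a single sentence pointing older installs at re-running the helper script would replace both without reintroducing the manual edits.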
@ -489,8 +477,7 @@ If using Windows 10 and the VPN is stuck on "connecting" for more than a few min
### Other known issues ### Other known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above.
## Manage client certificates ## Manage client certificates
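Review bot: as in the Chinese file, the strongSwan Android / Libreswan 3.26 requirement disappears without a stated reason; if it is now always satisfied by supported installs, say so in the commit message, since "Update docs" alone does not tell a reader why the compatibility note went away.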

Binary file not shown (image added, size 14 KiB).

View File

@ -11,8 +11,6 @@
## 使用辅助脚本管理 VPN 用户 ## 使用辅助脚本管理 VPN 用户
*其他语言版本: [English](manage-users.md#manage-vpn-users-using-helper-scripts), [中文](manage-users-zh.md#使用辅助脚本管理-vpn-用户)。*
你可以使用辅助脚本添加,删除或者更新 VPN 用户。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式的用户。对于 IKEv2 模式,请参见 [管理客户端证书](ikev2-howto-zh.md#管理客户端证书)。 你可以使用辅助脚本添加,删除或者更新 VPN 用户。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式的用户。对于 IKEv2 模式,请参见 [管理客户端证书](ikev2-howto-zh.md#管理客户端证书)。
**注:** 将下面的命令的参数换成你自己的值。VPN 用户信息保存在文件 `/etc/ppp/chap-secrets``/etc/ipsec.d/passwd`。脚本在修改这些文件之前会先做备份,使用 `.old-日期-时间` 为后缀。 **注:** 将下面的命令的参数换成你自己的值。VPN 用户信息保存在文件 `/etc/ppp/chap-secrets``/etc/ipsec.d/passwd`。脚本在修改这些文件之前会先做备份,使用 `.old-日期-时间` 为后缀。
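Review bot: removing the language-switch line under this heading is consistent with the same removal in both READMEs in this commit; make sure the file-level language switcher at the top of manage-users-zh.md (outside this hunk) is still present, since this line was the only in-section way to reach the English version of the page.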

View File

@ -11,8 +11,6 @@ By default, a single user account for VPN login is created. If you wish to view
## Manage VPN users using helper scripts ## Manage VPN users using helper scripts
*Read this in other languages: [English](manage-users.md#manage-vpn-users-using-helper-scripts), [中文](manage-users-zh.md#使用辅助脚本管理-vpn-用户).*
You may use helper scripts to add, delete or update VPN users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. For IKEv2 mode, see [Manage client certificates](ikev2-howto.md#manage-client-certificates). You may use helper scripts to add, delete or update VPN users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. For IKEv2 mode, see [Manage client certificates](ikev2-howto.md#manage-client-certificates).
**Note:** Replace command arguments below with your own values. VPN users are stored in `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd`. The scripts will backup these files before making changes, with `.old-date-time` suffix. **Note:** Replace command arguments below with your own values. VPN users are stored in `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd`. The scripts will backup these files before making changes, with `.old-date-time` suffix.
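Review bot: consistent with manage-users-zh.md; the heading and its `#manage-vpn-users-using-helper-scripts` anchor are untouched, so existing links to this section keep working and only the language-switch line below the heading is gone.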