- Display a note if no password is required when importing client
config files.
- Advanced users can now define VPN_PROTECT_CONFIG=yes when setting up
IKEv2, if they want to protect client config files with a password.
- Add an option to protect IKEv2 client config files using a password,
which users can select when customizing IKEv2 or client options
Ref: dbc3527
- Change the default action to 'continue' when confirming IKEv2 setup
options
- Other minor improvements
- Simplify IKEv2 configuration import: Remove passwords for IKEv2
client config files. When importing, it is no longer required to
enter a config file password.
- For macOS and iOS, .mobileconfig files require a password to work.
The password is now included so there is no need to manually enter.
- Note: Client config files should be securely transferred from
the VPN server to VPN client device(s) for import.
- Fix IKEv2 "password is incorrect" issue when using Ubuntu 21.10
Fixes#1073. Ref: #1048.
- Note: Ubuntu 21.10 is NOT a supported OS for the VPN setup scripts.
Please use e.g. Ubuntu 20.04 instead.
Ref: https://github.com/hwdsl2/setup-ipsec-vpn#requirements
- Improve checking for MOBIKE support. Linux kernels on QNAP systems
do not support MOBIKE.
Ref: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/247
- Switch to use /etc/ipsec.d/.vpnconfig to store generated password
for IKEv2 client config files, instead of vpnclient.p12.password.
Migrate to use .vpnconfig if the older config file is found.
Ref: 45ee41d
- Improve IKEv2 setup: Save generated password for IKEv2 client
configuration files to vpnclient.p12.password, so that it can
be re-used for later runs of the helper script. Previously,
a different password is generated each time the script is run.
- In rare cases, if a parent process traps SIGPIPE, the 'tr'
command in the VPN setup scripts could output an error
'tr: write error: Broken pipe'. This is a cosmetic error
that does NOT affect the functionality of the scripts. This
commit hides the error in such cases.
- New: Revoke a client certificate using the helper script. Users can
also manually revoke a client certificate, see https://git.io/ikev2
- Check for certificate validity when exporting client configurations
- Delete CRL from IPsec database when removing IKEv2
- Cleanup
- Remove MODP1024 from IKEv2 ciphers for improved security. Windows users
will need to make a one-time registry change before connecting for the
first time. Refer to https://git.io/ikev2.