- New: Revoke a client certificate using the helper script. Users can
also manually revoke a client certificate, see https://git.io/ikev2
- Check for certificate validity when exporting client configurations
- Delete CRL from IPsec database when removing IKEv2
- Cleanup
- Remove MODP1024 from IKEv2 ciphers for improved security. Windows users
will need to make a one-time registry change before connecting for the
first time. Refer to https://git.io/ikev2.
- Use default key size (2048 bits) when generating key pairs using
certutil. This significantly reduces IKEv2 setup time on servers
with less powerful CPUs, such as Raspberry Pis, while still providing
sufficient security.
- Update docs
- Add variables VPN_DNS_SRV1 and VPN_DNS_SRV2, for specifying custom DNS
servers when running the IKEv2 script in auto mode. Example:
VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 bash ikev2.sh --auto
- Add a variable VPN_DNS_NAME, which can be defined when running the
IKEv2 script in auto mode, to set up IKEv2 using a DNS name instead
of an IP address for the VPN server. The DNS name must be a fully
qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com bash ikev2.sh --auto
- Minor cleanup
- Improve output for the VPN setup and upgrade scripts. The outputs
of the scripts are now significantly reduced and only include the
most useful information for users.
- Other minor cleanup
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
connect simultaneously to the VPN server. Note that before this fix,
this issue only occurs when using an IP address (instead of a DNS name)
for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
when checking connections. A local ID with '@' prefix has type ID_FQDN,
which does not match the ID_IPV4_ADDR type that the peer expects. This
prevents connection switching from working correctly for the scenario
above. Removing the prefix fixed the issue.
- Fixes#924
- Improvement: If the script is run using sudo, export the VPN client
config files to the user's home directory instead of "/root", and set
owner/group so that users can more easily download the config files.
- Add a command-line option to remove IKEv2
- Change the error to a warning when option '--auto' is specified after
IKEv2 setup
- Other minor improvements
- New: Users can now specify '--addclient [client name]' or
'--exportclient [client name]' command-line arguments to automatically
add or export an IKEv2 client using default options.
- Show script usage when '-h' or '--help' is specified.
- Other minor improvements
- For the Ubuntu 18.04 NSS bug fix, use mirrors.kernel.org, which
is an Ubuntu mirror that supports HTTPS, instead of HTTP-only
security.ubuntu.com
- Minor fix: When uninstalling IKEv2, delete keys in addition to
certificates from the IPsec database
- New feature: Export configuration for an existing IKEv2 client
- If IKEv2 has already been set up, users can now choose from a menu to
either add a new client or export configuration for an existing client
- New feature: The IKEv2 helper script can now be run in "auto mode",
which sets up IKEv2 using default options, no user input needed.
To use this mode, add command-line parameter "--auto"
- Refactor entire script to remove duplicate code, improve structure
and make it easier to read and maintain
- Add check for Libreswan version
- Update tests