diff --git a/README-zh.md b/README-zh.md index 3cbf993..ee122b8 100644 --- a/README-zh.md +++ b/README-zh.md @@ -255,10 +255,26 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/extras/vpnupgrade.sh 请参见 [管理 VPN 用户](docs/manage-users-zh.md)。 +- [使用辅助脚本管理 VPN 用户](docs/manage-users-zh.md#使用辅助脚本管理-vpn-用户) +- [查看 VPN 用户](docs/manage-users-zh.md#查看-vpn-用户) +- [查看或更改 IPsec PSK](docs/manage-users-zh.md#查看或更改-ipsec-psk) +- [手动管理 VPN 用户](docs/manage-users-zh.md#手动管理-vpn-用户) + ## 高级用法 请参见 [高级用法](docs/advanced-usage-zh.md)。 +- [使用其他的 DNS 服务器](docs/advanced-usage-zh.md#使用其他的-dns-服务器) +- [域名和更改服务器 IP](docs/advanced-usage-zh.md#域名和更改服务器-ip) +- [仅限 IKEv2 的 VPN](docs/advanced-usage-zh.md#仅限-ikev2-的-vpn) +- [VPN 内网 IP 和流量](docs/advanced-usage-zh.md#vpn-内网-ip-和流量) +- [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网) +- [转发端口到 VPN 客户端](docs/advanced-usage-zh.md#转发端口到-vpn-客户端) +- [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) +- [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) +- [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) +- [部署 Google BBR 拥塞控制](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制) + ## 卸载 VPN 要卸载 IPsec VPN,运行[辅助脚本](extras/vpnuninstall.sh): diff --git a/README.md b/README.md index cf3c06e..563e332 100644 --- a/README.md +++ b/README.md 
@@ -255,10 +255,26 @@ The latest supported Libreswan version is `4.7`. Check installed version: `ipsec See [Manage VPN users](docs/manage-users.md). +- [Manage VPN users using helper scripts](docs/manage-users.md#manage-vpn-users-using-helper-scripts) +- [View VPN users](docs/manage-users.md#view-vpn-users) +- [View or update the IPsec PSK](docs/manage-users.md#view-or-update-the-ipsec-psk) +- [Manually manage VPN users](docs/manage-users.md#manually-manage-vpn-users) + ## Advanced usage See [Advanced usage](docs/advanced-usage.md). +- [Use alternative DNS servers](docs/advanced-usage.md#use-alternative-dns-servers) +- [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes) +- [IKEv2-only VPN](docs/advanced-usage.md#ikev2-only-vpn) +- [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic) +- [Customize VPN subnets](docs/advanced-usage.md#customize-vpn-subnets) +- [Port forwarding to VPN clients](docs/advanced-usage.md#port-forwarding-to-vpn-clients) +- [Split tunneling](docs/advanced-usage.md#split-tunneling) +- [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) +- [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) +- [Deploy Google BBR congestion control](docs/advanced-usage.md#deploy-google-bbr-congestion-control) + ## Uninstall the VPN To uninstall IPsec VPN, run the [helper script](extras/vpnuninstall.sh): diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2bccd8d..a550f5d 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -6,8 +6,8 @@ * [导言](#导言) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) -* [管理客户端证书](#管理客户端证书) * [故障排除](#故障排除) +* [管理客户端证书](#管理客户端证书) * [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址) * [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本) * [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2) 
@@ -415,6 +415,81 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key > mar/02/2022 12:52:57 by RouterOS 6.48 > RouterBOARD 941-2nD +## 故障排除 + +*其他语言版本: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除)。* + +**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 + +* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) +* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) +* [参数错误 policy match error](#参数错误-policy-match-error) +* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) +* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) +* [Windows 10 正在连接](#windows-10-正在连接) +* [其它已知问题](#其它已知问题) + +### 连接 IKEv2 后不能打开网站 + +如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: + +1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: + + ```bash + # 将 ens4 替换为你的服务器上的网络接口名称 + sudo ifconfig ens4 mtu 1500 + ``` + + 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 + +1. 如果更改 MTU 大小无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 中的解决方案。 + +1. 
在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 + +### IKE 身份验证凭证不可接受 + +如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 + +### 参数错误 policy match error + +要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 + +- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 在一小时后断开连接 + +如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: + +``` + ikelifetime=24h + salifetime=24h +``` + +保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 + +### 无法同时连接多个 IKEv2 客户端 + +如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 + +如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 + +### Windows 10 正在连接 + +如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤: + +1. 右键单击系统托盘中的无线/网络图标。 +1. 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击左侧的 **VPN**。 +1. 选择新的 VPN 连接,然后单击 **连接**。 + +### 其它已知问题 + +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 +1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 + ## 管理客户端证书 * [列出已有的客户端](#列出已有的客户端) 
@@ -597,72 +672,6 @@ sudo ikev2.sh --revokeclient [client name] ``` -## 故障排除 - -*其他语言版本: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除)。* - -**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 - -* [连接 IKEv2 后不能打开网站](#连接-ikev2-后不能打开网站) -* [IKE 身份验证凭证不可接受](#ike-身份验证凭证不可接受) -* [参数错误 policy match error](#参数错误-policy-match-error) -* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) -* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) -* [其它已知问题](#其它已知问题) - -### 连接 IKEv2 后不能打开网站 - -如果你的 VPN 客户端设备在成功连接到 IKEv2 后无法打开网站,请尝试以下解决方案: - -1. 某些云服务提供商,比如 [Google Cloud](https://cloud.google.com),[默认设置较低的 MTU](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations)。这可能会导致 IKEv2 VPN 客户端的网络问题。要解决此问题,尝试在 VPN 服务器上将 MTU 设置为 1500: - - ```bash - # 将 ens4 替换为你的服务器上的网络接口名称 - sudo ifconfig ens4 mtu 1500 - ``` - - 此设置 **不会** 在重启后保持。要永久更改 MTU 大小,请参阅网络上的相关文章。 - -1. 如果更改 MTU 大小无法解决问题,请尝试 [Android MTU/MSS 问题](clients-zh.md#android-mtumss-问题) 中的解决方案。 - -1. 
在某些情况下,Windows 在连接后不使用 IKEv2 指定的 DNS 服务器。要解决此问题,可以在网络连接属性 -> TCP/IPv4 中手动输入 DNS 服务器,例如 Google Public DNS (8.8.8.8, 8.8.4.4)。 - -### IKE 身份验证凭证不可接受 - -如果遇到此错误,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。例如,如果在配置 IKEv2 时未指定域名,则不可以使用域名进行连接。要更改 IKEv2 服务器地址,参见[这一小节](#更改-ikev2-服务器地址)。 - -### 参数错误 policy match error - -要解决此错误,你需要为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。 - -- 适用于 Windows 7, 8, 10 和 11 ([下载 .reg 文件](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 在一小时后断开连接 - -如果 IKEv2 连接在一小时(60 分钟)后自动断开,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`(如果不存在,编辑 `/etc/ipsec.conf`)。在 `conn ikev2-cp` 一节的末尾添加以下行,开头必须空两格: - -``` - ikelifetime=24h - salifetime=24h -``` - -保存修改并运行 `service ipsec restart`。该解决方案已在 2021-01-20 添加到辅助脚本。 - -### 无法同时连接多个 IKEv2 客户端 - -如果要连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 - -如果你无法连接同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 - -### 其它已知问题 - -1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 -1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 - ## 更改 IKEv2 服务器地址 在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。请注意,你在 VPN 客户端指定的服务器地址必须与 IKEv2 辅助脚本输出中的服务器地址 **完全一致**,否则客户端可能无法连接。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 1c23e4e..33c7145 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -6,8 +6,8 @@ * [Introduction](#introduction) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) -* [Manage client certificates](#manage-client-certificates) * [Troubleshooting](#troubleshooting) +* [Manage client certificates](#manage-client-certificates) * [Change IKEv2 server address](#change-ikev2-server-address) * [Update IKEv2 helper script](#update-ikev2-helper-script) * [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script) 
@@ -417,6 +417,81 @@ for the entire network, or use `192.168.0.10` for just one device, and so on. > mar/02/2022 12:52:57 by RouterOS 6.48 > RouterBOARD 941-2nD +## Troubleshooting + +*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除).* + +**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). + +* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) +* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) +* [Policy match error](#policy-match-error) +* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) +* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) +* [Windows 10 connecting](#windows-10-connecting) +* [Other known issues](#other-known-issues) + +### Cannot open websites after connecting to IKEv2 + +If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: + +1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: + + ```bash + # Replace ens4 with the network interface name on your server + sudo ifconfig ens4 mtu 1500 + ``` + + This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. + +1. If changing the MTU size does not fix the issue, try the fix in [Android MTU/MSS issues](clients.md#android-mtumss-issues). + +1. In certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. 
This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. + +### IKE authentication credentials are unacceptable + +If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). + +### Policy match error + +To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. + +- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f +``` + +### IKEv2 disconnects after one hour + +If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: + +``` + ikelifetime=24h + salifetime=24h +``` + +Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. + +### Unable to connect multiple IKEv2 clients + +To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. + +If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. 
Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. As of 2021-02-01, the IKEv2 helper script was updated to include this fix. + +### Windows 10 connecting + +If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps: + +1. Right-click on the wireless/network icon in your system tray. +1. Select **Open Network & Internet settings**, then on the page that opens, click **VPN** on the left. +1. Select the new VPN entry, then click **Connect**. + +### Other known issues + +1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. +1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. + ## Manage client certificates * [List existing clients](#list-existing-clients) 
@@ -599,72 +674,6 @@ Alternatively, you can manually revoke a client certificate. This can be done us ``` -## Troubleshooting - -*Read this in other languages: [English](ikev2-howto.md#troubleshooting), [中文](ikev2-howto-zh.md#故障排除).* - -**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). - -* [Cannot open websites after connecting to IKEv2](#cannot-open-websites-after-connecting-to-ikev2) -* [IKE authentication credentials are unacceptable](#ike-authentication-credentials-are-unacceptable) -* [Policy match error](#policy-match-error) -* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) -* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) -* [Other known issues](#other-known-issues) - -### Cannot open websites after connecting to IKEv2 - -If your VPN client device cannot open websites after successfully connecting to IKEv2, try the following fixes: - -1. Some cloud providers, such as [Google Cloud](https://cloud.google.com), [set a lower MTU by default](https://cloud.google.com/network-connectivity/docs/vpn/concepts/mtu-considerations). This could cause network issues with IKEv2 VPN clients. To fix, try setting the MTU to 1500 on the VPN server: - - ```bash - # Replace ens4 with the network interface name on your server - sudo ifconfig ens4 mtu 1500 - ``` - - This setting **does not** persist after a reboot. To change the MTU size permanently, refer to relevant articles on the web. - -1. If changing the MTU size does not fix the issue, try the fix in [Android MTU/MSS issues](clients.md#android-mtumss-issues). - -1. In certain circumstances, Windows does not use the DNS servers specified by IKEv2 after connecting. This can be fixed by manually entering DNS servers such as Google Public DNS (8.8.8.8, 8.8.4.4) in network interface properties -> TCP/IPv4. 
- -### IKE authentication credentials are unacceptable - -If you encounter this error, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. For example, you cannot use a DNS name to connect if it was not specified when setting up IKEv2. To change the IKEv2 server address, read [this section](#change-ikev2-server-address). - -### Policy match error - -To fix this error, you will need to enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an elevated command prompt. - -- For Windows 7, 8, 10 and 11 ([download .reg file](https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg)) - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f -``` - -### IKEv2 disconnects after one hour - -If the IKEv2 connection disconnects automatically after one hour (60 minutes), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server (or `/etc/ipsec.conf` if it does not exist), append these lines to the end of section `conn ikev2-cp`, indented by two spaces: - -``` - ikelifetime=24h - salifetime=24h -``` - -Save the file and run `service ipsec restart`. As of 2021-01-20, the IKEv2 helper script was updated to include this fix. - -### Unable to connect multiple IKEv2 clients - -To connect multiple IKEv2 clients, you must [generate a unique certificate](#add-a-client-certificate) for each. - -If you are unable to connect multiple IKEv2 clients from behind the same NAT (e.g. home router), apply this fix: Edit `/etc/ipsec.d/ikev2.conf` on the VPN server, find the line `leftid=@` and remove the `@`, i.e. replace it with `leftid=`. Save the file and run `service ipsec restart`. Do not apply this fix if `leftid` is a DNS name, which is not affected. 
As of 2021-02-01, the IKEv2 helper script was updated to include this fix. - -### Other known issues - -1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. -1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. - ## Change IKEv2 server address In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Note that the server address you specify on VPN client devices must **exactly match** the server address in the output of the IKEv2 helper script. Otherwise, devices may be unable to connect.
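Review bot: In the README.md `@@ -255,10 +255,26 @@` hunk (and its README-zh.md mirror), the ten new bullet links hard-code GitHub heading slugs such as `docs/advanced-usage.md#access-vpn-servers-subnet` and `docs/manage-users.md#view-or-update-the-ipsec-psk`; these slugs are derived from the heading text in the target files, so any later heading edit there silently breaks the README links with no build error. Suggest either adding a markdown link checker to CI or noting in the contributing notes that the README sub-lists must be updated whenever a heading in docs/manage-users.md or docs/advanced-usage.md changes. The Chinese anchors (e.g. `#使用辅助脚本管理-vpn-用户`) follow the same derivation and carry the same maintenance cost.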
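Review bot: In the docs/ikev2-howto.md `@@ -417,6 +417,81 @@` hunk, the MTU step uses `sudo ifconfig ens4 mtu 1500`, which depends on the net-tools package that many current distributions no longer install by default; suggest showing the iproute2 form `sudo ip link set dev ens4 mtu 1500` (or both), and replacing "refer to relevant articles on the web" with a pointer to the server's own network configuration (netplan, NetworkManager, or the distribution's interface files), since the text itself says the change is lost on reboot. Three smaller points in the same hunk: the "IKEv2 disconnects after one hour" fix (`ikelifetime=24h`, `salifetime=24h`) should say in one sentence that it trades fewer rekeys for 24 hours of use of the same IKE and child SA keys, so the operator knows what is being changed; the "Unable to connect multiple IKEv2 clients" paragraph says to replace `leftid=@` with `leftid=`, which reads as setting an empty value, so spell it out as `leftid=@<server address>` becoming `leftid=<server address>`; and the "Policy match error" section offers a downloadable `.reg` file from a release URL, so it should state that the file sets only the `NegotiateDH2048_AES256` value shown in the `REG ADD` line, giving readers a way to check the file before importing it into HKLM.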
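Review bot: In the docs/ikev2-howto-zh.md `@@ -415,6 +415,81 @@` hunk, the same remarks as for the English hunk apply to the mirrored text: `sudo ifconfig ens4 mtu 1500` should be accompanied by the iproute2 equivalent `sudo ip link set dev ens4 mtu 1500`, the `ikelifetime=24h` / `salifetime=24h` fix should name the longer key-lifetime trade-off, and `leftid=@` to `leftid=` should show the server address placeholder so the instruction is not read as an empty value. Please keep the two language versions in step when addressing these, since the new "Windows 10 正在连接" subsection and the TOC entry were correctly added to both.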
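Review bot: In the docs/ikev2-howto.md `@@ -599,72 +674,6 @@` hunk (and the docs/ikev2-howto-zh.md `@@ -597,72 +672,6 @@` mirror), the deleted block is, apart from the new "Windows 10 connecting" TOC entry and subsection, identical to the block added higher up in the file, so the diff shows roughly 70 removed and 75 added lines for what is a section move plus one small addition. Suggest splitting this into a move-only commit and a content commit, or at least stating in the commit message that the Troubleshooting section was relocated ahead of "Manage client certificates" and that "Windows 10 connecting" is the only new content, so reviewers can diff the moved text against its original rather than reading it twice. Since the `#troubleshooting` / `#故障排除` anchors are heading-derived, existing links into these sections from clients.md and the README are unaffected by the move.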