Fix for IKEv2

- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
  connect simultaneously to the VPN server. Note that before this fix,
  this issue only occurs when using an IP address (instead of a DNS name)
  for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
  when checking connections. A local ID with '@' prefix has type ID_FQDN,
  which does not match the ID_IPV4_ADDR type that the peer expects. This
  prevents connection switching from working correctly for the scenario
  above. Removing the prefix fixed the issue.
- Fixes #924
hwdsl2 2021-02-01 21:31:40 -06:00
parent c6182d76bb
commit 954b2acb7c
3 changed files with 16 additions and 3 deletions
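A worked example, added here and not part of the project's own scripts or of this commit: a POSIX shell helper that picks the Libreswan `leftid` form from the server address itself rather than from a `use_dns_name` flag, so it generalizes the rule the commit message describes (a bare IPv4 address yields an ID of type ID_IPV4_ADDR, an `@`-prefixed name yields ID_FQDN), and renders the `conn ikev2-cp` block with that choice. The function names, the octet validation, and the sample addresses `203.0.113.10` and `vpn.example.com` are assumptions; the conn keys mirror the ones in the diff.

```shell
#!/bin/sh
# Added example, not code from the project or this commit.
# Chooses the leftid form from the server address and renders the conn.

# Succeed when $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty octets
  esac
  oldifs=$IFS
  IFS=.
  set -- $1                              # split into octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Emit the leftid= line: bare address -> ID_IPV4_ADDR, "@name" -> ID_FQDN.
# Clients that were given the server's IP expect the IPv4-typed ID, so an
# '@' on an IP address is exactly the mismatch the commit fixes.
ikev2_leftid() {
  if is_ipv4 "$1"; then
    printf 'leftid=%s\n' "$1"
  else
    printf 'leftid=@%s\n' "$1"
  fi
}

# Render the conn section to stdout. leftcert keeps the bare value: it is
# the certificate nickname, not an IKE identity, so the '@' never applies.
render_ikev2_conn() {
  server_addr=$1
  cat <<EOF
conn ikev2-cp
  left=%defaultroute
  leftcert=$server_addr
  $(ikev2_leftid "$server_addr")
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
EOF
}

# Stand-alone usage: render for the address given on the command line
# (sample address 203.0.113.10 is a constructed default).
render_ikev2_conn "${1:-203.0.113.10}"
```

Redirect the output of `render_ikev2_conn` to `/etc/ipsec.d/ikev2.conf` in place of the heredocs above; the remaining keys from the original block (DNS servers, `encapsulation=yes`, and so on) follow the same pattern.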

View File

@ -407,13 +407,15 @@ To customize IKEv2 or client options, run this script without arguments.
fi
```
**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `leftid=$PUBLIC_IP` 换成 `leftid=@$PUBLIC_IP`
```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp
left=%defaultroute
leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP
leftid=$PUBLIC_IP
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
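Review bot: the DNS-name rule exists only in the prose note above the heredoc (it reads: if you specified the server's domain name rather than its IP address in step 1 above, replace `leftid=$PUBLIC_IP` in the command below with `leftid=@$PUBLIC_IP`), so a reader who copies the block verbatim for a server addressed by name ends up with the bare form the note says must be replaced. Consider carrying the alternative inside the block as well, for example a commented line `# leftid=@$PUBLIC_IP` directly under `leftid=$PUBLIC_IP` with a short remark that it is the form for a DNS name, so the choice travels with the copied config instead of depending on the surrounding text.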

View File

@ -407,13 +407,15 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
fi
```
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `leftid=$PUBLIC_IP` in the command below with `leftid=@$PUBLIC_IP`.
```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp
left=%defaultroute
leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP
leftid=$PUBLIC_IP
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
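Review bot: the note says which value to substitute but not why, and the same block also carries `leftcert=$PUBLIC_IP`, so a reader may prefix both values with `@`. Suggest stating that only `leftid` changes, since the `@` prefix makes Libreswan type the ID as ID_FQDN rather than ID_IPV4_ADDR (the mismatch described in the commit message), while `leftcert=$PUBLIC_IP` is the certificate nickname and keeps the bare value. Something like: "... with `leftid=@$PUBLIC_IP`. Leave `leftcert=$PUBLIC_IP` unchanged; the `@` applies only to the IKE identity."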

View File

@ -917,7 +917,6 @@ cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp
left=%defaultroute
leftcert=$server_addr
leftid=@$server_addr
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
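Review bot: with `leftid=@$server_addr` removed, this heredoc defines a `conn ikev2-cp` with no `leftid` at all, and the key is only supplied by a separate append after the first `EOF` further down, so the conn is now assembled from several heredocs and anyone auditing the generated config from this block alone sees a conn without a local ID. A simpler shape keeps the key here: compute the value first, e.g. `if [ "$use_dns_name" = "1" ]; then left_id="@$server_addr"; else left_id="$server_addr"; fi`, and write `leftid=$left_id` in place of the removed line.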
@ -942,6 +941,16 @@ conn ikev2-cp
encapsulation=yes
EOF
if [ "$use_dns_name" = "1" ]; then
cat >> /etc/ipsec.d/ikev2.conf <<EOF
leftid=@$server_addr
EOF
else
cat >> /etc/ipsec.d/ikev2.conf <<EOF
leftid=$server_addr
EOF
fi
case $swan_ver in
3.2[35679]|3.3[12]|4.*)
if [ -n "$dns_server_2" ]; then
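Review bot: the `else` branch writes `leftid=$server_addr` whenever `$use_dns_name` is anything other than `1`, including unset or empty, so any code path that reaches this point without setting the variable silently produces an IPv4-typed ID even when `$server_addr` holds a DNS name, which is the same ID-type mismatch the commit message describes, in the other direction. Worth confirming that every caller sets `use_dns_name`, or deriving the form from `$server_addr` itself; the two `cat >> /etc/ipsec.d/ikev2.conf <<EOF` blocks differ only by the `@`, so a single append of `leftid=$left_id` with the value chosen beforehand would also remove the duplication.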