From 954b2acb7c3150b6b641fed431a7d518e6abf94d Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Mon, 1 Feb 2021 21:31:40 -0600
Subject: [PATCH] Fix for IKEv2

- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
  connect simultaneously to the VPN server. Note that before this fix,
  this issue only occurs when using an IP address (instead of a DNS name)
  for IKEv2 for the VPN server.
- This issue is found to be related to Libreswan's matching of local IDs
  when checking connections. A local ID with '@' prefix has type ID_FQDN,
  which does not match the ID_IPV4_ADDR type that the peer expects. This
  prevents connection switching from working correctly for the scenario
  above. Removing the prefix fixed the issue.
- Fixes #924
---
 docs/ikev2-howto-zh.md |  4 +++-
 docs/ikev2-howto.md    |  4 +++-
 extras/ikev2setup.sh   | 11 ++++++++++-
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index cc7e1c3..1ebb1cb 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -407,13 +407,15 @@ To customize IKEv2 or client options, run this script without arguments.
    fi
    ```
 
+   **注：** 如果你在上面的第一步指定了服务器的域名（而不是 IP 地址），则必须将以下命令中的 `leftid=$PUBLIC_IP` 换成 `leftid=@$PUBLIC_IP`。
+
    ```bash
    cat > /etc/ipsec.d/ikev2.conf <<EOF
 
    conn ikev2-cp
      left=%defaultroute
      leftcert=$PUBLIC_IP
-     leftid=@$PUBLIC_IP
+     leftid=$PUBLIC_IP
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      leftrsasigkey=%cert
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 63b2c6d..23777ed 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -407,13 +407,15 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
    fi
    ```
 
+   **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `leftid=$PUBLIC_IP` in the command below with `leftid=@$PUBLIC_IP`.
+
    ```bash
    cat > /etc/ipsec.d/ikev2.conf <<EOF
 
    conn ikev2-cp
      left=%defaultroute
      leftcert=$PUBLIC_IP
-     leftid=@$PUBLIC_IP
+     leftid=$PUBLIC_IP
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      leftrsasigkey=%cert
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 518a7ae..b236f1b 100644
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -917,7 +917,6 @@ cat > /etc/ipsec.d/ikev2.conf <<EOF
 conn ikev2-cp
   left=%defaultroute
   leftcert=$server_addr
-  leftid=@$server_addr
   leftsendcert=always
   leftsubnet=0.0.0.0/0
   leftrsasigkey=%cert
@@ -942,6 +941,16 @@ conn ikev2-cp
   encapsulation=yes
 EOF
 
+  if [ "$use_dns_name" = "1" ]; then
+cat >> /etc/ipsec.d/ikev2.conf <<EOF
+  leftid=@$server_addr
+EOF
+  else
+cat >> /etc/ipsec.d/ikev2.conf <<EOF
+  leftid=$server_addr
+EOF
+  fi
+
   case $swan_ver in
     3.2[35679]|3.3[12]|4.*)
       if [ -n "$dns_server_2" ]; then