Fix for IKEv2

- Fix an issue where multiple IKEv2 clients behind the same NAT cannot
  connect simultaneously to the VPN server. Note that before this fix,
  this issue only occurs when using an IP address (instead of a DNS name)
  as the IKEv2 VPN server address.
- This issue is found to be related to Libreswan's matching of local IDs
  when checking connections. A local ID with an '@' prefix has type ID_FQDN,
  which does not match the ID_IPV4_ADDR type that the peer expects. This
  prevents connection switching from working correctly for the scenario
  above. Removing the prefix fixed the issue.
- Fixes #924
hwdsl2 2021-02-01 21:31:40 -06:00
parent c6182d76bb
commit 954b2acb7c
3 changed files with 16 additions and 3 deletions
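The ID-type distinction the commit message relies on (a bare value becomes an ID_IPV4_ADDR, an '@'-prefixed value an ID_FQDN) can be applied automatically instead of through a flag or a hand edit. The following is an added shell example, not code from the setup-ipsec-vpn project: `is_ipv4`, `ikev2_leftid` and `ikev2_conn` are names chosen here, the conn keys are the ones shown in the README hunks on this page, and the mapping of value format to Libreswan ID type is taken from the commit message.

```shell
#!/bin/sh
# Added example (not part of setup-ipsec-vpn): pick the Libreswan leftid=
# form from the server address itself. Assumption taken from the commit
# message: a bare IPv4 literal is parsed as an ID_IPV4_ADDR, a value with a
# leading '@' as an ID_FQDN, and the peer expects the former for an IP server.

# is_ipv4 ADDR -> exit 0 only if ADDR is a dotted quad with octets 0-255
is_ipv4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # split on dots into the positional parameters; must be exactly four
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# ikev2_leftid ADDR -> print the leftid= value: bare for an IPv4 literal
# (ID_IPV4_ADDR), '@'-prefixed for anything else (ID_FQDN for a DNS name)
ikev2_leftid() {
  if is_ipv4 "$1"; then
    printf '%s\n' "$1"
  else
    printf '@%s\n' "$1"
  fi
}

# ikev2_conn ADDR -> print the ikev2-cp conn section with the same keys as
# the README listing, leftid= derived from ADDR (indented as ipsec.conf
# requires for keys inside a conn section)
ikev2_conn() {
  server=$1
  cat <<EOF
conn ikev2-cp
  left=%defaultroute
  leftcert=$server
  leftid=$(ikev2_leftid "$server")
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
EOF
}

# Usage: ikev2_conn 203.0.113.10 > /etc/ipsec.d/ikev2.conf
#        ikev2_conn vpn.example.com > /etc/ipsec.d/ikev2.conf
```

Deriving the prefix from the address format rather than from a separate "use DNS name" flag means the two cannot disagree: a hostname can never be emitted bare, and an IPv4 literal can never be emitted with the '@' that triggered the NAT problem described above.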


@ -407,13 +407,15 @@ To customize IKEv2 or client options, run this script without arguments.
fi fi
``` ```
**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `leftid=$PUBLIC_IP` 换成 `leftid=@$PUBLIC_IP`
```bash ```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=%defaultroute left=%defaultroute
leftcert=$PUBLIC_IP leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP leftid=$PUBLIC_IP
leftsendcert=always leftsendcert=always
leftsubnet=0.0.0.0/0 leftsubnet=0.0.0.0/0
leftrsasigkey=%cert leftrsasigkey=%cert
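Review bot: the new note in the zh-Hans README tells readers with a DNS name to change `leftid=$PUBLIC_IP` to `leftid=@$PUBLIC_IP` but not why; one clause saying that a bare value is parsed as an IP-address ID and that the '@' prefix makes it an FQDN ID (the distinction the commit message relies on) would keep readers from putting the '@' back on an IP address. Keep the wording in step with the English note in the README.md hunk so the two READMEs do not drift.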


@ -407,13 +407,15 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
fi fi
``` ```
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `leftid=$PUBLIC_IP` in the command below with `leftid=@$PUBLIC_IP`.
```bash ```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=%defaultroute left=%defaultroute
leftcert=$PUBLIC_IP leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP leftid=$PUBLIC_IP
leftsendcert=always leftsendcert=always
leftsubnet=0.0.0.0/0 leftsubnet=0.0.0.0/0
leftrsasigkey=%cert leftrsasigkey=%cert
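Review bot: the note asks the reader to hand-edit the heredoc depending on what they typed in step 1, while the same `$PUBLIC_IP` is also used as the `leftcert=` value on the line above, whether it holds an IP address or a DNS name; naming the variable for what it holds and showing both forms of the line in the listing itself, `leftid=$PUBLIC_IP` for an IPv4 address and `leftid=@$PUBLIC_IP` for a DNS name, would make the distinction visible where the reader copies from rather than only in a note above the block.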


@ -917,7 +917,6 @@ cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=%defaultroute left=%defaultroute
leftcert=$server_addr leftcert=$server_addr
leftid=@$server_addr
leftsendcert=always leftsendcert=always
leftsubnet=0.0.0.0/0 leftsubnet=0.0.0.0/0
leftrsasigkey=%cert leftrsasigkey=%cert
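Review bot: `leftid=@$server_addr` is deleted from this heredoc with nothing in its place, so the conn block written here no longer sets a local ID and a reader has to find the conditional append further down in the script to see where it is set; computing the value once before the heredoc (for example a prefix variable set to '@' only when `use_dns_name` is 1, then `leftid=${prefix}$server_addr` on this line) would keep the ID next to `leftcert=$server_addr` and avoid a second `cat >>` block.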
@ -942,6 +941,16 @@ conn ikev2-cp
encapsulation=yes encapsulation=yes
EOF EOF
if [ "$use_dns_name" = "1" ]; then
cat >> /etc/ipsec.d/ikev2.conf <<EOF
leftid=@$server_addr
EOF
else
cat >> /etc/ipsec.d/ikev2.conf <<EOF
leftid=$server_addr
EOF
fi
case $swan_ver in case $swan_ver in
3.2[35679]|3.3[12]|4.*) 3.2[35679]|3.3[12]|4.*)
if [ -n "$dns_server_2" ]; then if [ -n "$dns_server_2" ]; then
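Review bot: the else branch writes `leftid=$server_addr` whenever `use_dns_name` is anything other than "1", so if the flag is unset while `$server_addr` holds a hostname the bare hostname is written, which per the commit message is not the ID_IPV4_ADDR form this change is meant to produce; checking that `$server_addr` is a dotted quad in the else branch, or deriving the prefix from the address format instead of the flag, would fail closed. Separately, the two `cat >> /etc/ipsec.d/ikev2.conf <<EOF` branches differ only in the '@', so they can be one append with the prefix in a variable.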