From 99dd5702e74a8d8a4b446d5148124b3e87674e64 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 6 Jun 2021 15:27:56 -0500 Subject: [PATCH] Update docs --- README-zh.md | 13 ++++++++++++ README.md | 15 +++++++++++++- docs/advanced-usage-zh.md | 16 +++++++-------- docs/advanced-usage.md | 16 +++++++-------- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 43 +++++++++++++++++++++++---------------- docs/ikev2-howto.md | 25 +++++++++++++++-------- docs/manage-users-zh.md | 8 ++++---- docs/manage-users.md | 8 ++++---- 9 files changed, 93 insertions(+), 53 deletions(-) diff --git a/README-zh.md b/README-zh.md index ce97cbb..85fa993 100644 --- a/README-zh.md +++ b/README-zh.md @@ -336,10 +336,23 @@ wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh 请参见 [管理 VPN 用户](docs/manage-users-zh.md)。 +- [查看或更改 IPsec PSK](docs/manage-users-zh.md#查看或更改-ipsec-psk) +- [查看 VPN 用户](docs/manage-users-zh.md#查看-vpn-用户) +- [使用辅助脚本管理 VPN 用户](docs/manage-users-zh.md#使用辅助脚本管理-vpn-用户) +- [手动管理 VPN 用户](docs/manage-users-zh.md#手动管理-vpn-用户) + ## 高级用法 请参见 [高级用法](docs/advanced-usage-zh.md)。 +- [使用其他的 DNS 服务器](docs/advanced-usage-zh.md#使用其他的-dns-服务器) +- [域名和更改服务器 IP](docs/advanced-usage-zh.md#域名和更改服务器-ip) +- [VPN 内网 IP 和流量](docs/advanced-usage-zh.md#vpn-内网-ip-和流量) +- [VPN 分流](docs/advanced-usage-zh.md#vpn-分流) +- [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段) +- [仅限 IKEv2 的 VPN](docs/advanced-usage-zh.md#仅限-ikev2-的-vpn) +- [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则) + ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 [这个 Gist](https://gist.github.com/hwdsl2/9030462#comments) 以及 [我的博客](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread)。 diff --git a/README.md b/README.md index 95bce13..7a90f64 100644 --- a/README.md +++ b/README.md 
@@ -288,7 +288,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only [IPsec/XAuth mode](docs/clients-xauth.md), or [set up IKEv2](docs/ikev2-howto.md). -If you wish to view or update VPN user accounts, see [Manage VPN Users](docs/manage-users.md). Helper scripts are included for convenience. +If you wish to view or update VPN user accounts, see [Manage VPN users](docs/manage-users.md). Helper scripts are included for convenience. For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). 
@@ -336,10 +336,23 @@ wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh See [Manage VPN users](docs/manage-users.md). +- [View or update the IPsec PSK](docs/manage-users.md#view-or-update-the-ipsec-psk) +- [View VPN users](docs/manage-users.md#view-vpn-users) +- [Manage VPN users using helper scripts](docs/manage-users.md#manage-vpn-users-using-helper-scripts) +- [Manually manage VPN users](docs/manage-users.md#manually-manage-vpn-users) + ## Advanced usage See [Advanced usage](docs/advanced-usage.md). +- [Use alternative DNS servers](docs/advanced-usage.md#use-alternative-dns-servers) +- [DNS name and server IP changes](docs/advanced-usage.md#dns-name-and-server-ip-changes) +- [Internal VPN IPs and traffic](docs/advanced-usage.md#internal-vpn-ips-and-traffic) +- [Split tunneling](docs/advanced-usage.md#split-tunneling) +- [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet) +- [IKEv2 only VPN](docs/advanced-usage.md#ikev2-only-vpn) +- [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules) + ## Bugs & Questions - Got a question? Please first search other people's comments [in this Gist](https://gist.github.com/hwdsl2/9030462#comments) and [on my blog](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#disqus_thread). diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md index 2ad4d71..123da12 100644 --- a/docs/advanced-usage-zh.md +++ b/docs/advanced-usage-zh.md 
@@ -2,13 +2,13 @@ *其他语言版本: [English](advanced-usage.md), [简体中文](advanced-usage-zh.md).* -- [使用其他的 DNS 服务器](#使用其他的-dns-服务器) -- [域名和更改服务器 IP](#域名和更改服务器-ip) -- [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) -- [VPN 分流](#vpn-分流) -- [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) -- [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) -- [更改 IPTables 规则](#更改-iptables-规则) +* [使用其他的 DNS 服务器](#使用其他的-dns-服务器) +* [域名和更改服务器 IP](#域名和更改服务器-ip) +* [VPN 内网 IP 和流量](#vpn-内网-ip-和流量) +* [VPN 分流](#vpn-分流) +* [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) +* [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) +* [更改 IPTables 规则](#更改-iptables-规则) ## 使用其他的 DNS 服务器 @@ -25,7 +25,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto 对于 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式,你可以在不需要额外配置的情况下使用一个域名(比如 `vpn.example.com`)而不是 IP 地址连接到 VPN 服务器。另外,一般来说,在服务器的 IP 更改后,比如在恢复一个映像到具有不同 IP 的新服务器后,VPN 会继续正常工作,虽然可能需要重启服务器。 -对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN)。示例如下: +对于 [IKEv2](ikev2-howto-zh.md) 模式,如果你想要 VPN 在服务器的 IP 更改后继续正常工作,则必须在 [配置 IKEv2](ikev2-howto-zh.md) 时指定一个域名作为 VPN 服务器的地址。该域名必须是一个全称域名(FQDN)。它将包含在生成的服务器证书中,这是 VPN 客户端连接所必需的。示例如下: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 4ea3cb7..09cee80 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md 
@@ -2,13 +2,13 @@ *Read this in other languages: [English](advanced-usage.md), [简体中文](advanced-usage-zh.md).* -- [Use alternative DNS servers](#use-alternative-dns-servers) -- [DNS name and server IP changes](#dns-name-and-server-ip-changes) -- [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) -- [Split tunneling](#split-tunneling) -- [Access VPN server's subnet](#access-vpn-servers-subnet) -- [IKEv2 only VPN](#ikev2-only-vpn) -- [Modify IPTables rules](#modify-iptables-rules) +* [Use alternative DNS servers](#use-alternative-dns-servers) +* [DNS name and server IP changes](#dns-name-and-server-ip-changes) +* [Internal VPN IPs and traffic](#internal-vpn-ips-and-traffic) +* [Split tunneling](#split-tunneling) +* [Access VPN server's subnet](#access-vpn-servers-subnet) +* [IKEv2 only VPN](#ikev2-only-vpn) +* [Modify IPTables rules](#modify-iptables-rules) ## Use alternative DNS servers 
@@ -25,7 +25,7 @@ sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto For [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes, you may use a DNS name (e.g. `vpn.example.com`) instead of an IP address to connect to the VPN server, without additional configuration. In addition, the VPN should generally continue to work after server IP changes, such as after restoring a snapshot to a new server with a different IP, although a reboot may be required. -For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). Example: +For [IKEv2](ikev2-howto.md) mode, if you want the VPN to continue to work after server IP changes, you must specify a DNS name to be used as the VPN server's address when [setting up IKEv2](ikev2-howto.md). The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate, which is required for VPN clients to connect. Example: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto diff --git a/docs/clients.md b/docs/clients.md index 0bd99d8..b3dadeb 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -217,7 +217,7 @@ First check [here](https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Prebuilt- *Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* -**See also:** [check logs and VPN status](#check-logs-and-vpn-status), [IKEv2 troubleshooting](ikev2-howto.md#troubleshooting) and [advanced usage](advanced-usage.md). +**See also:** [Check logs and VPN status](#check-logs-and-vpn-status), [IKEv2 troubleshooting](ikev2-howto.md#troubleshooting) and [Advanced usage](advanced-usage.md). * [Windows error 809](#windows-error-809) * [Windows error 789 or 691](#windows-error-789-or-691) 
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 356d3ba..f362403 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -58,7 +58,7 @@ sudo bash ~/ikev2.sh --auto 你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。点这里查看详情。 -在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下: +在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 VPN 服务器的地址。这是可选的。该域名必须是一个全称域名(FQDN)。它将包含在生成的服务器证书中,这是 VPN 客户端连接所必需的。示例如下: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto @@ -89,7 +89,7 @@ Options: --addclient [client name] add a new client using default options (after IKEv2 setup) --exportclient [client name] export configuration for an existing client (after IKEv2 setup) --listclients list the names of existing clients (after IKEv2 setup) - --revokeclient Revoke a client certificate (after IKEv2 setup) + --revokeclient revoke a client certificate (after IKEv2 setup) --removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database -h, --help show this help message and exit @@ -120,8 +120,6 @@ To customize IKEv2 or client options, run this script without arguments. 另外,你也可以手动导入 `.p12` 文件。详细步骤请看 [这里](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs)。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 - **注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [故障排除](#故障排除)。 - 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10,推荐从命令提示符运行以下命令创建 VPN 连接,以达到更佳的安全性和性能。Windows 7 不支持这些命令,你可以手动创建 VPN 连接(见下面)。 ```console 
@@ -369,21 +367,27 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key ## 管理客户端证书 +* [列出已有的客户端](#列出已有的客户端) +* [添加客户端证书](#添加客户端证书) +* [导出已有的客户端的配置](#导出已有的客户端的配置) +* [删除客户端证书](#删除客户端证书) +* [吊销客户端证书](#吊销客户端证书) + ### 列出已有的客户端 如果要列出已有的 IKEv2 客户端的名称,运行 [辅助脚本](#使用辅助脚本) 并添加 `--listclients` 选项。使用参数 `-h` 显示使用信息。 -### 添加一个客户端证书 +### 添加客户端证书 如果要为更多的 IKEv2 客户端生成证书,只需重新运行 [辅助脚本](#使用辅助脚本)。或者你可以看 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 -### 导出一个已有的客户端的配置 +### 导出已有的客户端的配置 在默认情况下,[IKEv2 辅助脚本](#使用辅助脚本) 在运行后会导出客户端配置。如果之后你想要为一个已有的客户端导出配置,重新运行辅助脚本并选择适当的选项。 -### 删除一个客户端证书 +### 删除客户端证书 -**重要:** 从 IPsec 数据库中删除一个客户端证书 **并不能** 阻止 VPN 客户端使用该证书连接!对于此用例,你 **必须** [吊销该客户端证书](#吊销一个客户端证书),而不是删除证书。 +**重要:** 从 IPsec 数据库中删除一个客户端证书 **并不能** 阻止 VPN 客户端使用该证书连接!对于此用例,你 **必须** [吊销该客户端证书](#吊销客户端证书),而不是删除证书。
@@ -421,7 +425,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key 1. (可选步骤)删除之前为该客户端生成的配置文件(`.p12`, `.mobileconfig` 和 `.sswan` 文件),如果存在。
-### 吊销一个客户端证书 +### 吊销客户端证书 在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。要吊销证书,重新运行辅助脚本并选择适当的选项。 @@ -704,7 +708,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key vpnclient u,u,u ``` - **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要吊销一个客户端证书,请转到[这一节](#吊销一个客户端证书)。关于 `certutil` 的其它用法参见 [这里](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil)。 + **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要吊销客户端证书,请转到[这一节](#吊销客户端证书)。关于 `certutil` 的其它用法参见 [这里](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil)。 1. **(重要)重启 IPsec 服务**: @@ -718,9 +722,16 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key *其他语言版本: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* -### 在导入客户端配置文件时提示密码不正确 +**另见:** [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态),[IKEv1 故障排除](clients-zh.md#故障排除) 和 [高级用法](advanced-usage-zh.md)。 -如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。 +* [在导入时提示密码不正确](#在导入时提示密码不正确) +* [IKEv2 在一小时后断开连接](#ikev2-在一小时后断开连接) +* [无法同时连接多个 IKEv2 客户端](#无法同时连接多个-ikev2-客户端) +* [其它已知问题](#其它已知问题) + +### 在导入时提示密码不正确 + +如果你忘记了客户端配置文件的密码,可以重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。 Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 [这里](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258)。在 2021-01-21 已更新 IKEv2 辅助脚本以自动应用以下解决方法。
@@ -742,7 +753,7 @@ apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \ "./libnss3-tools_3.49.1-1ubuntu1.5_amd64.deb" ``` -然后重新 [导出 IKEv2 客户端的配置](#导出一个已有的客户端的配置)。 +然后重新 [导出 IKEv2 客户端的配置](#导出已有的客户端的配置)。
### IKEv2 在一小时后断开连接 @@ -758,7 +769,7 @@ apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \ ### 无法同时连接多个 IKEv2 客户端 -如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加一个客户端证书)。 +如果要同时连接多个客户端,则必须为每个客户端 [生成唯一的证书](#添加客户端证书)。 如果你无法同时连接同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端,可以这样解决:编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`,找到这一行 `leftid=@` 并去掉 `@`,也就是说将它替换为 `leftid=`。保存修改并运行 `service ipsec restart`。如果 `leftid` 是一个域名则不受影响,不要应用这个解决方案。该解决方案已在 2021-02-01 添加到辅助脚本。 @@ -767,10 +778,6 @@ apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \ 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation(该功能[需要](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 或更新版本)。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 [IPsec/L2TP](clients-zh.md) 或 [IPsec/XAuth](clients-xauth-zh.md) 模式。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan [升级](../README-zh.md#升级libreswan)到版本 3.26 或以上。 -### 更多故障排除信息 - -要查看更多故障排除信息,请看 [这里](clients-zh.md#故障排除)。 - ## 移除 IKEv2 如果你想要从 VPN 服务器移除 IKEv2,但是保留 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式(如果已安装),请重新运行 [辅助脚本](#使用辅助脚本) 并选择 "Remove IKEv2" 选项。请注意,这将删除所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**! diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 68eb2d9..ea738cd 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -58,7 +58,7 @@ sudo bash ~/ikev2.sh --auto You may optionally specify a DNS name, client name and/or custom DNS servers. Click here for details. -When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example: +When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). It will be included in the generated server certificate, which is required for VPN clients to connect. Example: ``` sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto @@ -89,7 +89,7 @@ Options: --addclient [client name] add a new client using default options (after IKEv2 setup) --exportclient [client name] export configuration for an existing client (after IKEv2 setup) --listclients list the names of existing clients (after IKEv2 setup) - --revokeclient Revoke a client certificate (after IKEv2 setup) + --revokeclient revoke a client certificate (after IKEv2 setup) --removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database -h, --help show this help message and exit 
@@ -120,8 +120,6 @@ To customize IKEv2 or client options, run this script without arguments. Alternatively, you can manually import the `.p12` file. Click [here](https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs) for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". - **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Troubleshooting](#troubleshooting). - 1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance. Windows 7 does not support these commands, you may manually create the VPN connection (see below). ```console @@ -371,6 +369,12 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti ## Manage client certificates +* [List existing clients](#list-existing-clients) +* [Add a client certificate](#add-a-client-certificate) +* [Export configuration for an existing client](#export-configuration-for-an-existing-client) +* [Delete a client certificate](#delete-a-client-certificate) +* [Revoke a client certificate](#revoke-a-client-certificate) + ### List existing clients If you want to list the names of existing IKEv2 clients, run the [helper script](#using-helper-scripts) with the `--listclients` option. Use option `-h` to show usage information. 
@@ -720,7 +724,14 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th *Read this in other languages: [English](ikev2-howto.md#troubleshooting), [简体中文](ikev2-howto-zh.md#故障排除).* -### Incorrect password when trying to import client config files +**See also:** [Check logs and VPN status](clients.md#check-logs-and-vpn-status), [IKEv1 troubleshooting](clients.md#troubleshooting) and [Advanced usage](advanced-usage.md). + +* [Incorrect password when trying to import](#incorrect-password-when-trying-to-import) +* [IKEv2 disconnects after one hour](#ikev2-disconnects-after-one-hour) +* [Unable to connect multiple IKEv2 clients](#unable-to-connect-multiple-ikev2-clients) +* [Other known issues](#other-known-issues) + +### Incorrect password when trying to import If you forgot the password for client config files, you may [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again. 
@@ -769,10 +780,6 @@ If you are unable to connect multiple IKEv2 clients simultaneously from behind t 1. The built-in VPN client in Windows may not support IKEv2 fragmentation (this feature [requires](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74df968a-7125-431d-9c98-4ea929e548dc) Windows 10 v1803 or newer). On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. 1. If using the strongSwan Android VPN client, you must [update Libreswan](../README.md#upgrade-libreswan) on your server to version 3.26 or above. -### Additional troubleshooting - -Click [here](clients.md#troubleshooting) for additional troubleshooting information. - ## Remove IKEv2 If you want to remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes (if installed), run the [helper script](#using-helper-scripts) again and select the "Remove IKEv2" option. Note that this will delete all IKEv2 configuration including certificates and keys, and **cannot be undone**! diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index f24e380..3615855 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,10 +4,10 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要查看或管理 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式的用户,请阅读本文档。对于 IKEv2,参见 [管理客户端证书](ikev2-howto-zh.md#管理客户端证书)。 -- [查看或更改 IPsec PSK](#查看或更改-ipsec-psk) -- [查看 VPN 用户](#查看-vpn-用户) -- [使用辅助脚本管理 VPN 用户](#使用辅助脚本管理-vpn-用户) -- [手动管理 VPN 用户](#手动管理-vpn-用户) +* [查看或更改 IPsec PSK](#查看或更改-ipsec-psk) +* [查看 VPN 用户](#查看-vpn-用户) +* [使用辅助脚本管理 VPN 用户](#使用辅助脚本管理-vpn-用户) +* [手动管理 VPN 用户](#手动管理-vpn-用户) ## 查看或更改 IPsec PSK diff --git a/docs/manage-users.md b/docs/manage-users.md index bab5cdf..ce69ee4 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,10 +4,10 @@ By default, a single user account for VPN login is created. If you wish to view or manage users for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes, read this document. For IKEv2, see [Manage client certificates](ikev2-howto.md#manage-client-certificates). -- [View or update the IPsec PSK](#view-or-update-the-ipsec-psk) -- [View VPN users](#view-vpn-users) -- [Manage VPN users using helper scripts](#manage-vpn-users-using-helper-scripts) -- [Manually manage VPN users](#manually-manage-vpn-users) +* [View or update the IPsec PSK](#view-or-update-the-ipsec-psk) +* [View VPN users](#view-vpn-users) +* [Manage VPN users using helper scripts](#manage-vpn-users-using-helper-scripts) +* [Manually manage VPN users](#manually-manage-vpn-users) ## View or update the IPsec PSK
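Review bot: the section lists added to README.md and README-zh.md (hunks at @@ -336,10 +336,23) use `-` bullets, while this same patch converts the matching lists in docs/advanced-usage.md, docs/manage-users.md and their zh versions from `-` to `*`. Pick one marker for both places. These lists also duplicate the headings of two other files, so every later heading rename in docs/ will need a matching README edit; a short comment next to the lists saying so would help the next contributor.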
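Review bot: in the sentence added to the DNS name paragraph (docs/advanced-usage.md @@ -25,7 +25,7 and docs/ikev2-howto.md @@ -58,7 +58,7, plus the zh versions), "which is required for VPN clients to connect" can be read as describing either the DNS name or the server certificate. Suggest splitting it into two sentences so the subject is explicit. Because the name ends up inside the generated server certificate, it would also be worth saying whether changing the DNS name later means running IKEv2 setup again.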
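Review bot: the Windows import step in docs/ikev2-howto.md (@@ -120,8 +120,6) and docs/ikev2-howto-zh.md drops the Ubuntu 18.04 note without leaving a link behind, so a user who hits "The password you entered is incorrect" while importing the `.p12` file no longer gets pointed at the workaround from the place where the error occurs. Consider keeping a one-line pointer to `#incorrect-password-when-trying-to-import` at this step, since the detailed text now lives only under Troubleshooting.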
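Review bot: the heading changes in the Troubleshooting hunks of docs/ikev2-howto.md (@@ -720,7 +724,14 and @@ -769,10 +780,6) change or remove anchors that may be linked from outside the file: `#incorrect-password-when-trying-to-import-client-config-files` becomes `#incorrect-password-when-trying-to-import`, and `#additional-troubleshooting` disappears. The zh file renames four "Manage client certificates" headings as well. The in-file references visible in this patch are updated, but please grep the rest of the repository (README files, clients.md, other docs) for the old fragments before merging, because stale fragments fail silently and land the reader at the top of the page.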