mirror of
https://github.com/hwdsl2/setup-ipsec-vpn.git
synced 2024-06-03 20:45:47 +02:00
Compare commits
4 Commits
3eb1343d9b
...
e81c689ad0
| Author | SHA1 | Date |
|---|---|---|
| | e81c689ad0 | |
| | 6e16b9853e | |
| | 5a9402b75b | |
| | 5109463aea | |
@ -570,48 +570,45 @@ sudo chmod 600 ca.cer client.cer client.key

macOS 14 (Sonoma) 存在[一个小问题](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486),可能会导致 IKEv2 VPN 每 24-48 分钟断开并重新连接一次。其他 macOS 版本不受影响。首先[检查你的 macOS 版本](https://support.apple.com/zh-cn/HT201260)。要解决此问题,请按以下步骤操作。

**注:** 应用此解决方案后,更新后的 VPN 服务器配置可能不适用于 Windows 或 Android 客户端。对于这些客户端,你可能需要在 `ikev2.conf` 中将 `pfs=yes` 更改回 `pfs=no`,然后运行 `service ipsec restart` 或重启 Docker 容器。
**注:** 如果你在 2023 年 12 月 10 日之后安装了 IPsec VPN,则无需执行任何操作,因为已经包含以下修复。

1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。首先将 `pfs=no` 替换为 `pfs=yes`。然后找到这些行 `ike=...` 和 `phase2alg=...`,并将它们替换为以下内容,开头必须空两格:
1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。找到这一行:
```
ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```
并将它替换为以下内容:
```
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```
**注:** Docker 用户需要首先[在容器中运行 Bash shell](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#在容器中运行-bash-shell)。
1. 保存文件并运行 `service ipsec restart`。Docker 用户:在下面的第 4 步之后退出 (`exit`) 容器并运行 `docker restart ipsec-vpn-server`。
1. 编辑 VPN 服务器上的 `/opt/src/ikev2.sh`。找到以下部分并将其替换为这些新值:
```
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
```
<key>EnablePFS</key>
<integer>1</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
```
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
1. 运行 `sudo ikev2.sh` 为你的每个 macOS 和 iOS (iPhone/iPad) 设备导出(或添加)更新后的客户端配置文件。
1. 从你的 macOS 和 iOS 设备中移除之前导入的 IKEv2 配置文件(如果有),然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。
1. 运行 `sudo ikev2.sh` 为你的每个 macOS 设备导出(或添加)更新后的客户端配置文件。
1. 从你的 macOS 设备中移除之前导入的 IKEv2 配置文件(如果有),然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。

### 无法连接多个 IKEv2 客户端

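Review bot: the note telling Windows or Android users to change `pfs=yes` back to `pfs=no` is kept as unchanged context, but the replacement step 1 ("找到这一行") no longer asks anyone to set `pfs=yes`, and every `ikev2.conf` example elsewhere in this diff keeps `pfs=no`; if that is the step that survives, drop or reword the note so readers are not told to revert a setting they never changed. The same consistency check applies to the two IKE SA profile blocks: the one that still carries `<key>EnablePFS</key>` / `<integer>1</integer>` only belongs with a server running `pfs=yes`, so only the block that agrees with the `pfs=` value the docs now ask for should remain.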
@ -1017,7 +1014,7 @@ To customize IKEv2 or client options, run this script without arguments.
ikev2=insist
rekey=no
pfs=no
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h

@ -572,48 +572,45 @@ For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AW

macOS 14 (Sonoma) has [a minor issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486) that may cause IKEv2 VPN to disconnect and reconnect once every 24-48 minutes. Other macOS versions are not affected. First [check your macOS version](https://support.apple.com/en-us/HT201260). To work around this issue, follow the steps below.

**Note:** After applying this workaround, the updated VPN server configuration may not work with Windows or Android clients. For those clients, you may need to change `pfs=yes` back to `pfs=no` in `ikev2.conf`, then run `service ipsec restart` or restart the Docker container.
**Note:** If you installed IPsec VPN after December 10, 2023, no action is required because the following fixes are already included.

1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. First change `pfs=no` to `pfs=yes`. Then find the lines `ike=...` and `phase2alg=...`, and replace them with the following, indented by two spaces:
1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. Find the line:
```
ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```
and replace it with the following:
```
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
```
**Note:** Docker users should first [open a Bash shell inside the container](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container).
1. Save the file and run `service ipsec restart`. Docker users: After step 4 below, `exit` the container and run `docker restart ipsec-vpn-server`.
1. Edit `/opt/src/ikev2.sh` on the VPN server. Find and replace the following sections with these new values:
```
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
```
<key>EnablePFS</key>
<integer>1</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
```
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>
```
1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS and iOS (iPhone/iPad) device you have.
1. Remove the previously imported IKEv2 profile (if any) from your macOS and iOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn).
1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS device you have.
1. Remove the previously imported IKEv2 profile (if any) from your macOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn).

### Unable to connect multiple IKEv2 clients

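Review bot: the Docker instruction in step 2 ("After step 4 below, `exit` the container and run `docker restart ipsec-vpn-server`") depends on positional numbering while every item is written as `1.` and this hunk changes the number of items; refer to the step by what it does ("after exporting the updated client config files with `sudo ikev2.sh`") so the cross-reference cannot drift. The child SA profile block also keeps `DiffieHellmanGroup` 19 even though the profile no longer enables PFS; a short sentence that the group is only used for PFS rekeys would stop readers from reporting it as a mismatch against `pfs=no`.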
@ -1019,7 +1016,7 @@ View example steps for manually configuring IKEv2 with Libreswan.
ikev2=insist
rekey=no
pfs=no
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h

@ -157,7 +157,7 @@ confirm_or_abort() {
show_header() {
cat <<'EOF'

IKEv2 Script Copyright (c) 2020-2023 Lin Song 11 Aug 2023
IKEv2 Script Copyright (c) 2020-2023 Lin Song 9 Dec 2023

EOF
}

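Review bot: the banner date moves to 9 Dec 2023 while the docs in this same change tell users that installs made after December 10, 2023 already include the fix; pick one date for both so the "already included" claim and the script banner agree.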
@ -353,7 +353,7 @@ show_start_setup() {
op_text=default
if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \
|| [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ] \
|| [ -n "$VPN_CLIENT_VALIDITY" ]; then
|| [ -n "$VPN_CLIENT_VALIDITY" ] || [ -n "$VPN_IKEV2_USER_CERTS" ]; then
op_text=custom
fi
bigecho "Starting IKEv2 setup in auto mode, using $op_text options."

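Review bot: `VPN_IKEV2_USER_CERTS` is added to the custom-options test, but nothing in this change updates `show_usage` or the docs to describe it, nor the related `VPN_IKEV2_USER_CERTS_PASS` variable and `--usercert` flag that the later hunks introduce; document the variable, the expected `/user-certs/vpn_ca.p12` file and where the password is read from in the same commit, otherwise auto mode is silently switched to "custom" by an undocumented variable.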
@ -652,6 +652,58 @@ EOF
fi
}

check_use_user_cert() {
if [ "$use_user_certs" = 1 ]; then
cat <<'EOF'

'--usercert' argument passed: using certs in $USER_CERTS_DIR

EOF
else
case $VPN_IKEV2_USER_CERTS in
[yY][eE][sS])
use_user_certs=1
cat <<'EOF'

'VPN_IKEV2_USER_CERTS' set to YES: using certs in $USER_CERTS_DIR

EOF
;;
*)
if grep -qs '^IKEV2_USER_CERTS=.\+' "$CONF_FILE"; then
use_user_certs=1
cat <<'EOF'

'IKEV2_USER_CERTS' set to YES in "$CONF_FILE": using certs in $USER_CERTS_DIR

EOF
fi
;;
esac
fi

# expecting the following file in /user-certs
# - vpn_ca.p12
#

if [ "$use_user_certs" = 1 ]; then
if ! [ -e "${USER_CERTS_DIR}vpn_ca.p12" ]; then
exiterr "${USER_CERTS_DIR}vpn_ca.p12 must exist."
fi
if ! [ -n "$VPN_IKEV2_USER_CERTS_PASS" ]; then
ca_p12_password=$(grep -s '^IKEV2_USER_CERTS_PASS=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
if [ -z "$ca_p12_password" ]; then
bigecho2 "Did not find a password for vpn_ca.p12, using an EMPTY password!"
VPN_IKEV2_USER_CERTS_PASS=''
else
VPN_IKEV2_USER_CERTS_PASS="$ca_p12_password"
fi
fi
fi

add_user_certs
}

check_config_password() {
use_config_password=0
case $VPN_PROTECT_CONFIG in

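Review bot: `add_user_certs` is called unconditionally at the end of `check_use_user_cert`, outside the `if [ "$use_user_certs" = 1 ]` block, so every run of the script, including ones that never asked for user certs, will attempt `pk12util -i .../vpn_ca.p12` on a file that was only checked for existence inside that block; move the call inside the `if`. Two smaller points in the same function: the heredocs are quoted (`<<'EOF'`), so `$USER_CERTS_DIR` and `$CONF_FILE` in the status messages are printed literally instead of expanded, and `if ! [ -n "$VPN_IKEV2_USER_CERTS_PASS" ]` reads more naturally as `[ -z ... ]`. Falling back to an empty PKCS#12 password for the CA private key with only a `bigecho2` warning is also worth reconsidering; this key signs every client certificate, so `exiterr` unless a password was supplied would be the safer default.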
@ -872,6 +924,20 @@ install_uuidgen() {
fi
}

update_ikev2_conf() {
if grep -qs 'ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$' "$IKEV2_CONF"; then
bigecho2 "Updating IKEv2 configuration..."
sed -i \
"/ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$/s/ike=/ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,/" \
"$IKEV2_CONF"
if [ "$os_type" = "alpine" ]; then
ipsec auto --add ikev2-cp >/dev/null
else
restart_ipsec_service >/dev/null
fi
fi
}

create_mobileconfig() {
[ -z "$server_addr" ] && get_server_address
p12_file_enc="$export_dir$client_name.enc.p12"

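Review bot: `update_ikev2_conf` only recognises the stock `ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1` line, so a server where the previously documented workaround was applied (`ike=aes256-sha2_256;dh19,...` plus `pfs=yes`, as shown in the removed docs lines) is left untouched, yet the profiles exported right afterwards assume the new GCM proposal; either match that variant as well or print a clear message that the line was not changed. Note also that on non-Alpine systems this calls `restart_ipsec_service` from the client-export path, which drops every active tunnel as a side effect of exporting one client; the Alpine branch only re-adds the `ikev2-cp` conn, and doing the same elsewhere would avoid the disruption.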
@ -898,9 +964,9 @@ cat > "$mc_file" <<EOF
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-128-GCM</string>
<string>AES-256-GCM</string>
<key>LifeTimeInMinutes</key>
<integer>1410</integer>
</dict>

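Review bot: `DiffieHellmanGroup` under `ChildSecurityAssociationParameters` only comes into play for PFS rekeys, and this change neither adds `EnablePFS` to the profile nor moves the server off `pfs=no`, so the 14 to 19 change here is inert; keep it for symmetry with the IKE SA block but say so in a comment, otherwise the next reader will expect it to matter. `AES-256-GCM` for the child SA relies on the unchanged `phase2alg=aes_gcm-null,...` line offering the 256-bit key size, so please confirm on a real client that the negotiated child SA is GCM-256.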
@ -915,9 +981,9 @@ cat > "$mc_file" <<EOF
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>

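Review bot: the IKE SA profile now matches the first server proposal `aes_gcm_c_256-hmac_sha2_256-ecp_256` (GCM-256, SHA2-256 as the PRF, group 19 is ecp_256), and keeping `IntegrityAlgorithm` `SHA2-256` is needed for that pairing even though GCM is AEAD; but the exported profile is only valid against a server whose `ikev2.conf` actually carries that proposal, and a profile exported against an un-updated server will fail IKE_SA_INIT with no proposal chosen. Consider having `create_mobileconfig` check `$IKEV2_CONF` for the GCM proposal and warn (or refuse) when it is missing.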
@ -1093,23 +1159,43 @@ export_client_config() {
else
install_uuidgen
fi
update_ikev2_conf
export_p12_file
create_mobileconfig
create_android_profile
}

add_user_certs() {
bigecho2 "Adding user CA certificate..."

# gnutils-bin has certtool
# certtool can create a working p12 from a key+crt but certtool is not installed in the img
# certtool --to-p12 --outder --load-certificate a.crt --load-privkey a.key --outfile a.p12

pk12util -i "$USER_CERTS_DIR"vpn_ca.p12 -d /etc/ipsec.d/ -W "$VPN_IKEV2_USER_CERTS_PASS"

bigecho2 "Get cert nickname and set as CA_NAME"
CA_NAME=$(openssl pkcs12 -info -in "$USER_CERTS_DIR"vpn_ca.p12 -passin pass:"$VPN_IKEV2_USER_CERTS_PASS" -nokeys |grep 'friendlyName:'|awk -F":" '{gsub(/^[ \t]+/, "", $2); gsub(/[ \t]+$/, "", $2); print $2}')

bigecho2 "Update permissions on new CA cert: $CA_NAME"
certutil -M -d /etc/ipsec.d/ -t "CTu,u,u" -n "$CA_NAME"
}

create_ca_server_certs() {
bigecho2 "Generating CA and server certificates..."
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "$CA_NAME" \
-s "O=IKEv2 VPN,CN=$CA_NAME" \
-k rsa -g 3072 -v 120 \
-d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
if [ "$use_user_certs" = 0 ]; then
bigecho2 "Generating CA certificate...$CA_NAME"
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "$CA_NAME" \
-s "O=IKEv2 VPN,CN=$CA_NAME" \
-k rsa -g 3072 -v 120 \
-d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
y

N
ANSWERS
sleep 1
sleep 1
fi
bigecho2 "Generating server certificates...$CA_NAME"
if [ "$use_dns_name" = 1 ]; then
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "$CA_NAME" -n "$server_addr" \

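Review bot: `add_user_certs` passes the PKCS#12 password on the command line twice (`pk12util -W` and `openssl pkcs12 -passin pass:`), which exposes it to every local user through the process list and to shell tracing; `pk12util -w <password-file>` and `-passin env:VPN_IKEV2_USER_CERTS_PASS` avoid that. The import also hardcodes `-d /etc/ipsec.d/` instead of `$CERT_DB` (`sql:/etc/ipsec.d` everywhere else), so the two can diverge; use `$CERT_DB`. If the p12 carries no `friendlyName`, `CA_NAME` ends up empty and `certutil -M -n ""` fails after the import already succeeded, so check it and `exiterr`; and `-t "CTu,u,u"` grants user trust that the script's own CA (`-t "CT,,"` in `create_ca_server_certs`) does not need. The three `certtool` comment lines describe a path that is not taken and can be dropped.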
@ -1174,7 +1260,7 @@ conn ikev2-cp
ikev2=insist
rekey=no
pfs=no
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h

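Review bot: this `ike=` line is now maintained in three places in this change (the template here and the two docs hunks earlier in the diff) and is also the literal that `update_ikev2_conf` greps for and rewrites, so any future edit has to move all of them together; a one-line comment above the template pointing at `update_ikev2_conf` would make that dependency visible to the next person who touches it.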
@ -1505,6 +1591,7 @@ ikev2setup() {
revoke_client=0
delete_client=0
remove_ikev2=0
use_user_certs=0
while [ "$#" -gt 0 ]; do
case $1 in
--auto)

@ -1543,6 +1630,10 @@ ikev2setup() {
remove_ikev2=1
shift
;;
--usercert)
use_user_certs=1
shift
;;
-h|--help)
show_usage
;;

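Review bot: `--usercert` takes no argument and silently relies on the fixed `USER_CERTS_DIR="/user-certs/"`; either accept a directory (`--usercert <dir>`) or state the fixed location in `show_usage`, which this change does not touch, so a user passing the flag has no way to learn where the script expects `vpn_ca.p12`.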
@ -1554,11 +1645,13 @@ ikev2setup() {

CA_NAME="IKEv2 VPN CA"
CERT_DB="sql:/etc/ipsec.d"
CONF_DIR="/etc/ipsec.d"
CONF_DIR="/etc/ipsec.d/"
CONF_FILE="/etc/ipsec.d/.vpnconfig"
IKEV2_CONF="/etc/ipsec.d/ikev2.conf"
IPSEC_CONF="/etc/ipsec.conf"
USER_CERTS_DIR="/user-certs/"

check_use_user_cert
check_arguments
check_config_password
get_export_dir

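Review bot: `check_use_user_cert` runs before `check_arguments`, so the CA import it triggers happens before the options are validated and on every invocation mode rather than only during setup; call it after `check_arguments` and only on the setup path. Changing `CONF_DIR` to end in a slash turns every existing `"$CONF_DIR/..."` concatenation into a double slash (harmless for paths, but it breaks any string comparison against the old value), and nothing in this diff uses `CONF_DIR` for the new feature since `add_user_certs` hardcodes `/etc/ipsec.d/`, so the change looks unnecessary.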
@ -1693,7 +1786,9 @@ ikev2setup() {
esac
fi

check_cert_exists_and_exit "$CA_NAME"
if [ "$use_user_certs" = 0 ]; then
check_cert_exists_and_exit "$CA_NAME"
fi

if [ "$use_defaults" = 0 ]; then
show_header

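Review bot: skipping `check_cert_exists_and_exit "$CA_NAME"` when user certs are in use removes the only check involving the CA in the NSS database, yet `create_ca_server_certs` goes on to sign the server certificate with `-c "$CA_NAME"`; add a positive check in the user-cert branch (for example `certutil -L -d "$CERT_DB" -n "$CA_NAME"` to confirm the certificate is present and `certutil -K -d "$CERT_DB"` to confirm its private key was imported) and `exiterr` on failure instead of letting the signing step produce a less obvious error.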