
Update IKEv2 howto

[ci skip]
This commit is contained in:
hwdsl2 2016-09-28 14:50:49 -05:00
parent 37b5726ffd
commit 1f7d9f1687
2 changed files with 26 additions and 20 deletions

View File

@ -8,7 +8,7 @@
--- ---
Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 Security associationSA。与 IKEv1 相比较IKEv2 带来许多<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较IKEv2 带来许多<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN 客户端</a>。下面举例说明如何配置 IKEv2。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN 客户端</a>。下面举例说明如何配置 IKEv2。
@ -17,7 +17,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
```bash ```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(Your public IP is displayed) (Your public IP is displayed)
@ -57,10 +57,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
EOF EOF
``` ```
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
注: 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。
```bash ```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2 $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -83,7 +84,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
Is this a critical extension [y/N]? Is this a critical extension [y/N]?
N N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -156,18 +157,18 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书: 1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书:
```bash ```bash
$ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient" $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
-- repeat same extensions as above -- -- repeat same extensions as above --
$ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file: Enter password for PKCS12 file:
Re-enter password: Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL pk12util: PKCS12 EXPORT SUCCESSFUL
``` ```
可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `winclient` 换成 `winclient2`,等等。 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。
1. 证书数据库现在应该包含以下内容: 1. 证书数据库现在应该包含以下内容:
@ -179,7 +180,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
Example CA CTu,u,u Example CA CTu,u,u
($PUBLIC_IP) u,u,u ($PUBLIC_IP) u,u,u
winclient u,u,u vpnclient u,u,u
``` ```
注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"` 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`
@ -190,11 +191,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
$ service ipsec restart $ service ipsec restart
``` ```
1. 文件 `winclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 1. 文件 `vpnclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。
详细的操作步骤: 详细的操作步骤:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
Windows Phone 8.1 及以上版本用户: 首先导入 .p12 文件,然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

View File

@ -8,7 +8,7 @@
--- ---
Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">many improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability. Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 has <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">many improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN client</a>. The following examples show how to configure IKEv2. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN client</a>. The following examples show how to configure IKEv2.
@ -17,7 +17,7 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
```bash ```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP" $ echo "$PUBLIC_IP"
(Your public IP is displayed) (Your public IP is displayed)
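Review bot: the new `PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com)` line fetches the address over plain HTTP and the value is later written into the server certificate's subject and SAN (`-s "O=Example,CN=$PUBLIC_IP"` and `-8 "$PUBLIC_IP"` further down in this file), so a non-address or error response would be baked into the certificate, and the "make sure they are not empty" check only catches an empty string. Suggest adding a format check after the `echo`, for example `printf '%s' "$PUBLIC_IP" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' || echo "PUBLIC_IP is not an IPv4 address"`, or telling the reader to compare the printed value with what the provider's console shows before continuing. The `-t 3 -T 15` retry and timeout flags are a good addition over the unguarded `dig`; the Chinese copy of this hunk carries the same change and would need the same check.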
@ -57,10 +57,11 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
EOF EOF
``` ```
1. Generate Certificate Authority (CA) and VPN server certificates: 1. Generate Certificate Authority (CA) and VPN server certificates:
Note: Specify the certificate validity period (in months) using "-v". e.g. "-v 36".
```bash ```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2 $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
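Review bot: the added note explains that `-v` takes months and the example moves the CA from `-v 12` to `-v 36`, but the same `-v 36` is applied to the server and client certificates in the following hunks, so the CA and every certificate it issues expire in the same month and the CA cannot be used to issue replacements once that point is reached. Suggest either giving the CA a longer validity than the leaf certificates, or adding a sentence here that the whole chain must be regenerated and the new `.p12` redistributed to every client before expiry. The Chinese copy of this hunk has the same note and values.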
@ -83,7 +84,7 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
Is this a critical extension [y/N]? Is this a critical extension [y/N]?
N N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -156,18 +157,18 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
1. Generate client certificate(s), and export the p12 file that contains the client certificate, private key, and CA certificate: 1. Generate client certificate(s), and export the p12 file that contains the client certificate, private key, and CA certificate:
```bash ```bash
$ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient" $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
-- repeat same extensions as above -- -- repeat same extensions as above --
$ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file: Enter password for PKCS12 file:
Re-enter password: Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL pk12util: PKCS12 EXPORT SUCCESSFUL
``` ```
Repeat this step for additional VPN clients, but replace every `winclient` with `winclient2`, etc. Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc.
1. The database should now contain: 1. The database should now contain:
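Review bot: the rename from `winclient` to `vpnclient` is applied consistently in the hunk (`-n`, `CN=`, `-8`, the `-o vpnclient.p12` output and the "replace every `vpnclient` with `vpnclient2`" sentence), but the `pk12util` password prompts shown in the listing are not explained: the list item says the `.p12` bundles the client's private key, so the text should tell the reader to choose a strong export password and keep it, since it is required when the file is imported on the client in the later step. Same applies to the Chinese copy of this hunk.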
@ -179,7 +180,7 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
Example CA CTu,u,u Example CA CTu,u,u
($PUBLIC_IP) u,u,u ($PUBLIC_IP) u,u,u
winclient u,u,u vpnclient u,u,u
``` ```
Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`. Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`.
@ -190,11 +191,13 @@ First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-
$ service ipsec restart $ service ipsec restart
``` ```
1. The `winclient.p12` file should then be securely transferred to the Windows client computer and imported to the Computer certificate store. The CA cert once imported must be placed (or moved) into the "Certificates" sub-folder under "Trusted Root Certification Authorities". 1. The `vpnclient.p12` file should then be securely transferred to the Windows client computer and imported to the Computer certificate store. The CA cert once imported must be placed (or moved) into the "Certificates" sub-folder under "Trusted Root Certification Authorities".
Detailed instructions: Detailed instructions:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
Users with Windows Phone 8.1 and above: First import the .p12 file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN.
1. On the Windows computer, add a new IKEv2 VPN connection. 1. On the Windows computer, add a new IKEv2 VPN connection.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
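Review bot: the new Windows Phone 8.1 sentence only says to "import the .p12 file" before following the linked technet instructions, while the desktop Windows item directly above it spells out that the CA certificate must end up under "Trusted Root Certification Authorities" and that the transfer must be done securely; consider extending the new sentence with the same two requirements (secure transfer of the `.p12`, CA certificate trusted on the device) and with a mention that the PKCS12 password from the export step is needed on import. The sentence is inserted between the desktop "Detailed instructions" URL and the next `1.` item, so make sure it renders as part of the preceding list item rather than breaking the numbered list; the Chinese copy of this hunk adds the equivalent sentence at the same position.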