mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-22 13:06:02 +03:00
Code Issues Projects Releases Wiki Activity

Update docs

Browse Source 
- Ref: #1191
This commit is contained in:
hwdsl2 2022-07-03 01:47:22 -05:00
parent 2aa313593d
commit 1fb560c226
2 changed files with 44 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
docs/ikev2-howto-zh.md
View File

@ -366,7 +366,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
### RouterOS ### RouterOS
**注:** 这些步骤由 [@Unix-User](https://github.com/Unix-User) 提供。 **注:** 这些步骤由 [@Unix-User](https://github.com/Unix-User) 提供。建议通过 SSH 连接运行终端命令,例如通过 Putty。
1. 将生成的 `.p12` 文件安全地传送到你的计算机。 1. 将生成的 `.p12` 文件安全地传送到你的计算机。
@ -388,6 +388,29 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
![routeros import certificate](images/routeros-import-cert.gif) ![routeros import certificate](images/routeros-import-cert.gif)
</details> </details>
或者,你也可以使用终端命令 (empty passphrase):
```bash
[admin@MikroTik] > /certificate/import file-name=mikrotik.p12
passphrase:
certificates-imported: 2
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
[admin@MikroTik] > /certificate/import file-name=mikrotik.p12
passphrase:
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
```
3. 在 terminal 中运行以下命令。将以下内容替换为你自己的值。 3. 在 terminal 中运行以下命令。将以下内容替换为你自己的值。
`YOUR_VPN_SERVER_IP_OR_DNS_NAME` 是你的 VPN 服务器 IP 或域名。 `YOUR_VPN_SERVER_IP_OR_DNS_NAME` 是你的 VPN 服务器 IP 或域名。
`IMPORTED_CERTIFICATE` 是上面第 2 步中的证书名称,例如 `vpnclient.p12_0` `IMPORTED_CERTIFICATE` 是上面第 2 步中的证书名称,例如 `vpnclient.p12_0`
@ -397,23 +420,15 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
来指定整个网络,或者使用 `192.168.0.10` 来指定仅用于一个设备,依此类推。 来指定整个网络,或者使用 `192.168.0.10` 来指定仅用于一个设备,依此类推。
```bash ```bash
/ip firewall address-list /ip firewall address-list add address=THESE_ADDRESSES_GO_THROUGH_VPN list=local
add address=THESE_ADDRESSES_GO_THROUGH_VPN list=local /ip ipsec mode-config add name=ike2-rw responder=no src-address-list=local
/ip ipsec mode-config /ip ipsec policy group add name=ike2-rw
add name=ike2-rw responder=no src-address-list=local /ip ipsec profile add name=ike2-rw
/ip ipsec policy group /ip ipsec peer add address=YOUR_VPN_SERVER_IP_OR_DNS_NAME exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
add name=ike2-rw /ip ipsec proposal add name=ike2-rw pfs-group=none
/ip ipsec profile /ip ipsec identity add auth-method=digital-signature certificate=IMPORTED_CERTIFICATE generate-policy=port-strict mode-config=ike2-rw \
add name=ike2-rw
/ip ipsec peer
add address=YOUR_VPN_SERVER_IP_OR_DNS_NAME exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec proposal
add name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=IMPORTED_CERTIFICATE generate-policy=port-strict mode-config=ike2-rw \
peer=ike2-rw-client policy-template-group=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip ipsec policy /ip ipsec policy add group=ike2-rw proposal=ike2-rw template=yes
add group=ike2-rw proposal=ike2-rw template=yes
``` ```
4. 更多信息请参见 [#1112](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1112#issuecomment-1059628623)。 4. 更多信息请参见 [#1112](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1112#issuecomment-1059628623)。

22
docs/ikev2-howto.md
View File

@ -368,9 +368,7 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
### RouterOS ### RouterOS
**Note:** These steps were contributed by [@Unix-User](https://github.com/Unix-User). **Note:** These steps were contributed by [@Unix-User](https://github.com/Unix-User). It is recommended to run terminal commands via an SSH connection, e.g. via Putty.
It is recommended to use terminal command via SSH connection, eg via Putty.
1. Securely transfer the generated `.p12` file to your computer. 1. Securely transfer the generated `.p12` file to your computer.
@ -384,7 +382,16 @@ It is recommended to use terminal command via SSH connection, eg via Putty.
2. In WinBox, go to System > certificates > import. Import the `.p12` certificate file twice (yes, import the same file two times!). Verify in your certificates panel. You will see 2 files, the one that is marked KT is the key. 2. In WinBox, go to System > certificates > import. Import the `.p12` certificate file twice (yes, import the same file two times!). Verify in your certificates panel. You will see 2 files, the one that is marked KT is the key.
<details>
<summary>
Click to see screencast.
</summary>
![routeros import certificate](images/routeros-import-cert.gif)
</details>
Or you can use terminal instead (empty passphrase): Or you can use terminal instead (empty passphrase):
```bash ```bash
[admin@MikroTik] > /certificate/import file-name=mikrotik.p12 [admin@MikroTik] > /certificate/import file-name=mikrotik.p12
passphrase: passphrase:
@ -406,15 +413,6 @@ It is recommended to use terminal command via SSH connection, eg via Putty.
``` ```
<details>
<summary>
Click to see screencast.
</summary>
![routeros import certificate](images/routeros-import-cert.gif)
</details>
3. Run these commands in terminal. Replace the following with your own values. 3. Run these commands in terminal. Replace the following with your own values.
`YOUR_VPN_SERVER_IP_OR_DNS_NAME` is your VPN server IP or DNS name. `YOUR_VPN_SERVER_IP_OR_DNS_NAME` is your VPN server IP or DNS name.
`IMPORTED_CERTIFICATE` is the name of the certificate from step 2 above, e.g. `vpnclient.p12_0` `IMPORTED_CERTIFICATE` is the name of the certificate from step 2 above, e.g. `vpnclient.p12_0`