Update IKEv2 docs
- Add instructions for iOS (iPhone/iPad). Thanks @zzuzjl for the suggestion!
- Change IKEv2 address pool to 192.168.43.150-192.168.43.250 to help avoid conflict with IPsec/XAuth
- Closes #453. Closes #461
- Cleanup
parent a04d2d32e8
commit 26ef49b099
@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
|||||||
|
|
||||||
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
|
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
|
||||||
|
|
||||||
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 和 Android**</a>
|
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows, Android 和 iOS**</a>
|
||||||
|
|
||||||
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
||||||
|
|
||||||
|
@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to:
|
|||||||
|
|
||||||
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
|
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
|
||||||
|
|
||||||
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows and Android**</a>
|
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows, Android and iOS**</a>
|
||||||
|
|
||||||
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
|
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
|
||||||
|
|
||||||
*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
|
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
|
||||||
|
|
||||||
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
|
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
|
||||||
|
|
||||||
@ -92,7 +92,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
|
|||||||
1. 在 **密码** 字段中输入`你的 VPN 密码`。
|
1. 在 **密码** 字段中输入`你的 VPN 密码`。
|
||||||
1. 保持 **群组名称** 字段空白。
|
1. 保持 **群组名称** 字段空白。
|
||||||
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
|
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
|
||||||
1. 单击右上角的 **存储**。
|
1. 单击右上角的 **完成**。
|
||||||
1. 启用 **VPN** 连接。
|
1. 启用 **VPN** 连接。
|
||||||
|
|
||||||
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
|
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
|
||||||
|
|
||||||
*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).*
|
**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).
|
||||||
|
|
||||||
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
|
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
|
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
|
||||||
|
|
||||||
*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
|
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
|
||||||
|
|
||||||
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
|
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
|
||||||
|
|
||||||
@ -129,7 +129,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
|
|||||||
|
|
||||||
## iOS
|
## iOS
|
||||||
|
|
||||||
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
|
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
|
||||||
|
|
||||||
1. 进入设置 -> 通用 -> VPN。
|
1. 进入设置 -> 通用 -> VPN。
|
||||||
1. 单击 **添加VPN配置...**。
|
1. 单击 **添加VPN配置...**。
|
||||||
@ -140,7 +140,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
|
|||||||
1. 在 **密码** 字段中输入`你的 VPN 密码`。
|
1. 在 **密码** 字段中输入`你的 VPN 密码`。
|
||||||
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
|
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
|
||||||
1. 启用 **发送所有流量** 选项。
|
1. 启用 **发送所有流量** 选项。
|
||||||
1. 单击右上角的 **存储**。
|
1. 单击右上角的 **完成**。
|
||||||
1. 启用 **VPN** 连接。
|
1. 启用 **VPN** 连接。
|
||||||
|
|
||||||
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
|
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
|
||||||
|
|
||||||
*Note: You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).*
|
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
|
||||||
|
|
||||||
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
|
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
|
||||||
|
|
||||||
@ -129,7 +129,7 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
|
|||||||
|
|
||||||
## iOS
|
## iOS
|
||||||
|
|
||||||
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md).
|
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
|
||||||
|
|
||||||
1. Go to Settings -> General -> VPN.
|
1. Go to Settings -> General -> VPN.
|
||||||
1. Tap **Add VPN Configuration...**.
|
1. Tap **Add VPN Configuration...**.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 如何配置 IKEv2 VPN: Windows 和 Android
|
# 如何配置 IKEv2 VPN: Windows, Android 和 iOS
|
||||||
|
|
||||||
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
||||||
|
|
||||||
@ -14,10 +14,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
- Windows 7, 8.x 和 10
|
- Windows 7, 8.x 和 10
|
||||||
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
|
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
|
||||||
|
- iOS (iPhone/iPad)
|
||||||
|
|
||||||
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且已经将 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级到最新版本</a>。
|
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且将 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级到最新版本</a>。
|
||||||
|
|
||||||
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
|
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
|
||||||
|
|
||||||
@ -43,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
leftrsasigkey=%cert
|
leftrsasigkey=%cert
|
||||||
right=%any
|
right=%any
|
||||||
rightid=%fromcert
|
rightid=%fromcert
|
||||||
rightaddresspool=192.168.43.10-192.168.43.250
|
rightaddresspool=192.168.43.150-192.168.43.250
|
||||||
rightca=%same
|
rightca=%same
|
||||||
rightrsasigkey=%cert
|
rightrsasigkey=%cert
|
||||||
narrowing=yes
|
narrowing=yes
|
||||||
@ -104,7 +105,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
-s "O=Example,CN=Example CA" \
|
-s "O=Example,CN=Example CA" \
|
||||||
-k rsa -g 4096 -v 36 \
|
-k rsa -g 4096 -v 36 \
|
||||||
-d sql:/etc/ipsec.d -t "CT,," -2
|
-d sql:/etc/ipsec.d -t "CT,," -2
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
Is this a CA certificate [y/N]?
|
Is this a CA certificate [y/N]?
|
||||||
@ -123,11 +126,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth \
|
--extKeyUsage serverAuth \
|
||||||
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
```
|
```
|
||||||
|
|
||||||
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
|
1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -z <(head -c 1024 /dev/urandom) \
|
$ certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
@ -137,19 +142,29 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
-d sql:/etc/ipsec.d -t ",," \
|
-d sql:/etc/ipsec.d -t ",," \
|
||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
$ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer
|
||||||
|
```
|
||||||
|
|
||||||
|
**注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Enter password for PKCS12 file:
|
Enter password for PKCS12 file:
|
||||||
Re-enter password:
|
Re-enter password:
|
||||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||||
```
|
```
|
||||||
|
|
||||||
你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。
|
指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。
|
||||||
|
|
||||||
**注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。
|
**注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。
|
||||||
|
|
||||||
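Review bot: The sentence "指定一个安全的密码以保护导出的 `.p12` 文件" is added after the `pk12util` output block, but the prompt `Enter password for PKCS12 file:` is inside that block, so the reader meets the prompt before being told to choose a strong password. Move the sentence above the `pk12util` command (or into the step text), and say there that an empty password makes the file unusable on iOS, rather than leaving that only to the Known Issues entry at the bottom of the file. The English file has the same ordering.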
@ -157,7 +172,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -L -d sql:/etc/ipsec.d
|
$ certutil -L -d sql:/etc/ipsec.d
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Certificate Nickname Trust Attributes
|
Certificate Nickname Trust Attributes
|
||||||
SSL,S/MIME,JAR/XPI
|
SSL,S/MIME,JAR/XPI
|
||||||
|
|
||||||
@ -168,7 +185,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
**注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">这里</a>。
|
**注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">这里</a>。
|
||||||
|
|
||||||
1. 重启 IPsec 服务:
|
1. **重启 IPsec 服务**:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ service ipsec restart
|
$ service ipsec restart
|
||||||
@ -195,18 +212,36 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>。
|
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>。
|
||||||
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。
|
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。
|
||||||
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。
|
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
|
||||||
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。
|
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。
|
||||||
1. 单击 **Select user certificate**,然后单击 **Install certificate**。
|
1. 单击 **Select user certificate**,然后单击 **Install certificate**。
|
||||||
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
|
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
|
||||||
1. 保存新的 VPN 连接,然后单击它以开始连接。
|
1. 保存新的 VPN 连接,然后单击它以开始连接。
|
||||||
|
|
||||||
|
#### iOS (iPhone/iPad)
|
||||||
|
|
||||||
|
首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `Example CA` 都显示在设置 -> 通用 -> 描述文件中。
|
||||||
|
|
||||||
|
1. 进入设置 -> 通用 -> VPN。
|
||||||
|
1. 单击 **添加VPN配置...**。
|
||||||
|
1. 单击 **类型** 。选择 **IKEv2** 并返回。
|
||||||
|
1. 在 **描述** 字段中输入任意内容。
|
||||||
|
1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
|
||||||
|
1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
|
||||||
|
1. 保持 **本地 ID** 字段空白。
|
||||||
|
1. 单击 **用户鉴定** 。选择 **无** 并返回。
|
||||||
|
1. 启用 **使用证书** 选项。
|
||||||
|
1. 单击 **证书** 。选择 **vpnclient** 并返回。
|
||||||
|
1. 单击右上角的 **完成**。
|
||||||
|
1. 启用 **VPN** 连接。
|
||||||
|
|
||||||
1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
||||||
|
|
||||||
## 已知问题
|
## 已知问题
|
||||||
|
|
||||||
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
|
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
|
||||||
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级</a>到版本 3.26 或以上。
|
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级</a>到版本 3.26 或以上。
|
||||||
|
1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。
|
||||||
|
|
||||||
## 参考链接
|
## 参考链接
|
||||||
|
|
||||||
|
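Review bot: The new iOS paragraph tells the reader to e-mail `vpnca.cer` and `vpnclient.p12` to themselves and open them in the Mail app, but `vpnclient.p12` carries the client's private key (the step text earlier in this file says the `.p12` contains the client certificate, private key and CA certificate), so a copy remains in the mailbox and at the mail provider. Suggest presenting the "secure website of yours" option first, and adding a line telling the reader to delete the attachment and the message once the profile is installed; the Known Issues entry about the non-empty `.p12` password is the only safeguard mentioned, so it is worth pointing to from this paragraph. Same applies to the English file.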
@ -1,4 +1,4 @@
|
|||||||
# How-To: IKEv2 VPN for Windows and Android
|
# How-To: IKEv2 VPN for Windows, Android and iOS
|
||||||
|
|
||||||
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
||||||
|
|
||||||
@ -14,6 +14,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
|
|||||||
|
|
||||||
- Windows 7, 8.x and 10
|
- Windows 7, 8.x and 10
|
||||||
- Android 4.x and newer (using the strongSwan VPN client)
|
- Android 4.x and newer (using the strongSwan VPN client)
|
||||||
|
- iOS (iPhone/iPad)
|
||||||
|
|
||||||
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
||||||
|
|
||||||
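Review bot: The new `- iOS (iPhone/iPad)` bullet gives no version information, while the two bullets above it do (Windows 7, 8.x and 10; Android 4.x and newer with the strongSwan client). Consider adding the minimum iOS version the instructions were tested on, and naming the built-in client the way the Android bullet names strongSwan, so readers can tell which devices the how-to covers. The same applies to the Chinese counterpart in ikev2-howto-zh.md.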
@ -43,7 +44,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
leftrsasigkey=%cert
|
leftrsasigkey=%cert
|
||||||
right=%any
|
right=%any
|
||||||
rightid=%fromcert
|
rightid=%fromcert
|
||||||
rightaddresspool=192.168.43.10-192.168.43.250
|
rightaddresspool=192.168.43.150-192.168.43.250
|
||||||
rightca=%same
|
rightca=%same
|
||||||
rightrsasigkey=%cert
|
rightrsasigkey=%cert
|
||||||
narrowing=yes
|
narrowing=yes
|
||||||
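Review bot: The `rightaddresspool` change from `192.168.43.10-192.168.43.250` to `192.168.43.150-192.168.43.250` shrinks the IKEv2 pool from 241 to 101 addresses, and nothing in the hunk tells the reader why. The commit message says it avoids overlap with the IPsec/XAuth pool; a sentence next to the setting stating that, plus a hint that users who already deployed the old range must edit `ipsec.conf` and restart the service, would prevent support questions. Same for the Chinese file.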
@ -104,7 +105,9 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
-s "O=Example,CN=Example CA" \
|
-s "O=Example,CN=Example CA" \
|
||||||
-k rsa -g 4096 -v 36 \
|
-k rsa -g 4096 -v 36 \
|
||||||
-d sql:/etc/ipsec.d -t "CT,," -2
|
-d sql:/etc/ipsec.d -t "CT,," -2
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
Is this a CA certificate [y/N]?
|
Is this a CA certificate [y/N]?
|
||||||
@ -123,11 +126,13 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth \
|
--extKeyUsage serverAuth \
|
||||||
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
|
1. Generate client certificate(s), export the CA certificate and the `.p12` file that contains the client certificate, private key, and CA certificate:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -z <(head -c 1024 /dev/urandom) \
|
$ certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
@ -137,19 +142,29 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
-d sql:/etc/ipsec.d -t ",," \
|
-d sql:/etc/ipsec.d -t ",," \
|
||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
$ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer
|
||||||
|
```
|
||||||
|
|
||||||
|
**Note:** This `vpnca.cer` file is only required for iOS clients.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Enter password for PKCS12 file:
|
Enter password for PKCS12 file:
|
||||||
Re-enter password:
|
Re-enter password:
|
||||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||||
```
|
```
|
||||||
|
|
||||||
Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc.
|
Enter a secure password to protect the exported `.p12` file. Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc.
|
||||||
|
|
||||||
**Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
|
**Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
|
||||||
|
|
||||||
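Review bot: The step text now says the `.p12` contains the client certificate, private key and CA certificate, and the new `certutil -L ... -a -o vpnca.cer` and `pk12util -o vpnclient.p12` commands leave both files in the working directory on the server, but the hunk never says what to do with them afterwards. Add a sentence telling the reader to copy the files to the client over a trusted channel and then delete them from the server, since `vpnclient.p12` holds the client's private key; `vpnca.cer` is public, so the note that it is only needed for iOS can stay as written.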
@ -157,7 +172,9 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -L -d sql:/etc/ipsec.d
|
$ certutil -L -d sql:/etc/ipsec.d
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
Certificate Nickname Trust Attributes
|
Certificate Nickname Trust Attributes
|
||||||
SSL,S/MIME,JAR/XPI
|
SSL,S/MIME,JAR/XPI
|
||||||
|
|
||||||
@ -168,7 +185,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
|
|
||||||
**Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">this page</a>.
|
**Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">this page</a>.
|
||||||
|
|
||||||
1. Restart IPsec service:
|
1. **Restart IPsec service**:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ service ipsec restart
|
$ service ipsec restart
|
||||||
@ -195,18 +212,36 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
|
|
||||||
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
|
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
|
||||||
1. Launch the VPN client and tap **Add VPN Profile**.
|
1. Launch the VPN client and tap **Add VPN Profile**.
|
||||||
1. Enter `Your VPN Server IP` in the **Server** field.
|
1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
|
||||||
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
|
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
|
||||||
1. Tap **Select user certificate**, then tap **Install certificate**.
|
1. Tap **Select user certificate**, then tap **Install certificate**.
|
||||||
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
|
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
|
||||||
1. Save the new VPN connection, then tap to connect.
|
1. Save the new VPN connection, then tap to connect.
|
||||||
|
|
||||||
|
#### iOS (iPhone/iPad)
|
||||||
|
|
||||||
|
First, send both `vpnca.cer` and `vpnclient.p12` (exported from step 4 above) to yourself as email attachments, then click to import them one by one as iOS profiles in the iOS Mail app. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `Example CA` are listed under Settings -> General -> Profiles.
|
||||||
|
|
||||||
|
1. Go to Settings -> General -> VPN.
|
||||||
|
1. Tap **Add VPN Configuration...**.
|
||||||
|
1. Tap **Type**. Select **IKEv2** and go back.
|
||||||
|
1. Tap **Description** and enter anything you like.
|
||||||
|
1. Tap **Server** and enter `Your VPN Server IP` (or DNS name).
|
||||||
|
1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name).
|
||||||
|
1. Leave the **Local ID** field blank.
|
||||||
|
1. Tap **User Authentication**. Select **None** and go back.
|
||||||
|
1. Make sure the **Use Certificate** switch is ON.
|
||||||
|
1. Tap **Certificate**. Select **vpnclient** and go back.
|
||||||
|
1. Tap **Done**.
|
||||||
|
1. Slide the **VPN** switch ON.
|
||||||
|
|
||||||
1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
|
1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
|
||||||
|
|
||||||
## Known Issues
|
## Known Issues
|
||||||
|
|
||||||
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
|
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
|
||||||
1. If using the strongSwan Android VPN client, you must <a href="https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan" target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.
|
1. If using the strongSwan Android VPN client, you must <a href="https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan" target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.
|
||||||
|
1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
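Review bot: The new iOS steps set **Server** and **Remote ID** to `Your VPN Server IP` (or DNS name), but the server certificate generated earlier in this document only carries `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"`, i.e. the IP address. iOS checks the Remote ID against the server certificate's subjectAltName, so a DNS name that is not in the SAN fails authentication; the strongSwan **Server** field, which this hunk also extends with "(or DNS name)", is checked the same way. Either drop "(or DNS name)" or add a sentence saying the name must be included as a `dns:` entry in `--extSAN` when the server certificate is created (and the certificate regenerated if it was not). Same in ikev2-howto-zh.md.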