
Update IKEv2 docs

- Add instructions for iOS (iPhone/iPad). Thanks @zzuzjl for the
  suggestion!
- Change IKEv2 address pool to 192.168.43.150-192.168.43.250 to help
  avoid conflict with IPsec/XAuth
- Closes #453. Closes #461
- Cleanup
hwdsl2 2018-10-13 14:26:09 -05:00
parent a04d2d32e8
commit 26ef49b099
8 changed files with 131 additions and 61 deletions

View File

@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
<a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 和 Android**</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows, Android 和 iOS**</a>
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>

View File

@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to:
<a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows and Android**</a>
<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows, Android and iOS**</a>
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.

View File

@ -2,7 +2,7 @@
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
@ -92,7 +92,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
1. 在 **密码** 字段中输入`你的 VPN 密码`。
1. 保持 **群组名称** 字段空白。
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
1. 单击右上角的 **存储**。
1. 单击右上角的 **完成**。
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

View File

@ -2,7 +2,7 @@
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).*
**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.

View File

@ -2,7 +2,7 @@
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>之后按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
@ -129,7 +129,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
## iOS
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
@ -140,7 +140,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="
1. 在 **密码** 字段中输入`你的 VPN 密码`。
1. 在 **密钥** 字段中输入`你的 VPN IPsec PSK`。
1. 启用 **发送所有流量** 选项。
1. 单击右上角的 **存储**。
1. 单击右上角的 **完成**。
1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

View File

@ -2,7 +2,7 @@
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
*Note: You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).*
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@ -129,7 +129,7 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
## iOS
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md).
**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.

View File

@ -1,4 +1,4 @@
# 如何配置 IKEv2 VPN: Windows 和 Android
# 如何配置 IKEv2 VPN: Windows, Android 和 iOS
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@ -14,10 +14,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- Windows 7, 8.x 和 10
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
- iOS (iPhone/iPad)
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且已经将 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级到最新版本</a>
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>,并且将 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级到最新版本</a>
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
@ -43,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
leftrsasigkey=%cert
right=%any
rightid=%fromcert
rightaddresspool=192.168.43.10-192.168.43.250
rightaddresspool=192.168.43.150-192.168.43.250
rightca=%same
rightrsasigkey=%cert
narrowing=yes
@ -104,7 +105,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
-s "O=Example,CN=Example CA" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t "CT,," -2
```
```
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
@ -123,11 +126,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
```
```
Generating key. This may take a few moments...
```
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书:
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
@ -137,19 +142,29 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
```
```
Generating key. This may take a few moments...
```
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
$ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer
```
**注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
```
```
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。
指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。
**注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。
@ -157,7 +172,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
```bash
$ certutil -L -d sql:/etc/ipsec.d
```
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
@ -168,7 +185,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
**注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">这里</a>
1. 重启 IPsec 服务:
1. **重启 IPsec 服务**
```bash
$ service ipsec restart
@ -195,18 +212,36 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**
1. 单击 **Select user certificate**,然后单击 **Install certificate**
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
1. 保存新的 VPN 连接,然后单击它以开始连接。
#### iOS (iPhone/iPad)
首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient``Example CA` 都显示在设置 -> 通用 -> 描述文件中。
1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **IKEv2** 并返回。
1. 在 **描述** 字段中输入任意内容。
1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 保持 **本地 ID** 字段空白。
1. 单击 **用户鉴定** 。选择 **无** 并返回。
1. 启用 **使用证书** 选项。
1. 单击 **证书** 。选择 **vpnclient** 并返回。
1. 单击右上角的 **完成**
1. 启用 **VPN** 连接。
1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## 已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误或其它连接问题。你可以尝试换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#%E5%8D%87%E7%BA%A7libreswan" target="_blank">升级</a>到版本 3.26 或以上。
1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。
## 参考链接
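Review bot: the zh iOS section ends by checking the address via ipchicken.com while the English version added in the same commit sends users to a Google "my ip" search; pick one so the two translations stay in sync. The caveats raised on the English hunks (the client private key travelling by email inside `vpnclient.p12`, a DNS-name Remote ID not matching a server certificate whose SAN only carries the IP) apply to this translation as well and should be mirrored here when fixed.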

View File

@ -1,4 +1,4 @@
# How-To: IKEv2 VPN for Windows and Android
# How-To: IKEv2 VPN for Windows, Android and iOS
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@ -14,6 +14,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- Windows 7, 8.x and 10
- Android 4.x and newer (using the strongSwan VPN client)
- iOS (iPhone/iPad)
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
@ -43,7 +44,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
leftrsasigkey=%cert
right=%any
rightid=%fromcert
rightaddresspool=192.168.43.10-192.168.43.250
rightaddresspool=192.168.43.150-192.168.43.250
rightca=%same
rightrsasigkey=%cert
narrowing=yes
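Review bot: the narrowed `rightaddresspool=192.168.43.150-192.168.43.250` is justified only in the commit message (avoiding a conflict with IPsec/XAuth); nothing in the how-to text around this line says so, so a reader who already deployed the old `192.168.43.10-192.168.43.250` range gets no cue to update it. Suggest one sentence next to this line naming the range the IPsec/XAuth `conn` in `ipsec.conf` uses, stating that the IKEv2 pool must not overlap it, and reminding existing users to edit their `ipsec.conf` and restart. Worth noting too that the new range caps concurrent IKEv2 clients at 101 addresses.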
@ -104,7 +105,9 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
-s "O=Example,CN=Example CA" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t "CT,," -2
```
```
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
@ -123,11 +126,13 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
```
```
Generating key. This may take a few moments...
```
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
1. Generate client certificate(s), export the CA certificate and the `.p12` file that contains the client certificate, private key, and CA certificate:
```bash
$ certutil -z <(head -c 1024 /dev/urandom) \
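Review bot: the client steps added in this commit accept a DNS name for Server and Remote ID, but the server certificate generated here carries only `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"`, so its subject alternative names identify the IP address alone. iOS and strongSwan compare the configured Remote ID against the identity in the server certificate; a hostname Remote ID will not match this certificate and authentication fails. Either drop "(or DNS name)" from the client steps, or say here that users who address the server by hostname must add `dns:<hostname>` to `--extSAN` and regenerate the server certificate. A short comment on why an IP literal is also listed under `dns:` would help readers who copy this command elsewhere.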
@ -137,19 +142,29 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
```
```
Generating key. This may take a few moments...
```
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
$ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer
```
**Note:** This `vpnca.cer` file is only required for iOS clients.
```bash
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
```
```
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc.
Enter a secure password to protect the exported `.p12` file. Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc.
**Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
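Review bot: `--extKeyUsage serverAuth,clientAuth` on the client certificate is wider than needed; `clientAuth` alone expresses the intent, and `serverAuth` lets a leaked client certificate pass any check that only looks at EKU and issuing CA. If `serverAuth` is kept deliberately to satisfy a client's validation quirk, say so in the text. Separately, `vpnclient.p12` (which contains the client's private key) and `vpnca.cer` land in the current directory on the server; right after the new "Enter a secure password to protect the exported `.p12` file" sentence, add a reminder to copy the files off and delete the `.p12` from the server once the client has imported it.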
@ -157,7 +172,9 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
```bash
$ certutil -L -d sql:/etc/ipsec.d
```
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
@ -168,7 +185,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
**Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">this page</a>.
1. Restart IPsec service:
1. **Restart IPsec service**:
```bash
$ service ipsec restart
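Review bot: the note in this hunk that a certificate can be deleted with `certutil -D` reads, next to the restart step, as the way to cut off a client, but with `rightca=%same` and `rightrsasigkey=%cert` Libreswan authenticates a peer from the certificate the peer presents and validates it against the CA in `sql:/etc/ipsec.d`; removing the server's copy of `vpnclient` from the NSS database does not invalidate a `.p12` that is already in a user's hands. Clarify that `-D` only tidies the database, and that actually revoking a client requires a CRL loaded into the NSS database (`crlutil`) or reissuing the CA and every client certificate.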
@ -195,18 +212,36 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
1. Launch the VPN client and tap **Add VPN Profile**.
1. Enter `Your VPN Server IP` in the **Server** field.
1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
1. Tap **Select user certificate**, then tap **Install certificate**.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
1. Save the new VPN connection, then tap to connect.
#### iOS (iPhone/iPad)
First, send both `vpnca.cer` and `vpnclient.p12` (exported from step 4 above) to yourself as email attachments, then click to import them one by one as iOS profiles in the iOS Mail app. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `Example CA` are listed under Settings -> General -> Profiles.
1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **IKEv2** and go back.
1. Tap **Description** and enter anything you like.
1. Tap **Server** and enter `Your VPN Server IP` (or DNS name).
1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name).
1. Leave the **Local ID** field blank.
1. Tap **User Authentication**. Select **None** and go back.
1. Make sure the **Use Certificate** switch is ON.
1. Tap **Certificate**. Select **vpnclient** and go back.
1. Tap **Done**.
1. Slide the **VPN** switch ON.
1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Known Issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode.
1. If using the strongSwan Android VPN client, you must <a href="https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan" target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.
1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password.
## References
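Review bot: the iOS import instructions tell the user to email `vpnclient.p12`, which contains the client's private key, to themselves; that leaves the key on the mail provider's servers and in the Sent folder, protected only by the `.p12` password chosen in step 4 (the same password the third Known Issues item says must not be empty). Suggest saying this explicitly beside the email option, preferring the "secure website of yours" path or a direct transfer, and telling the user to delete the message and the downloaded file once `vpnclient` shows under Settings -> General -> Profiles. The text also says to check that `Example CA` is listed without saying why; one sentence that iOS needs the CA from `vpnca.cer` to validate the server certificate's chain during IKE_AUTH would make the check meaningful.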