mirror of synced 2024-11-25 22:36:04 +03:00

Update docs

[ci skip]
hwdsl2 2016-09-09 16:45:39 -05:00
parent 7937a74469
commit 56a96603f9
12 changed files with 135 additions and 89 deletions

View File

@ -121,9 +121,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
## 重要提示 ## 重要提示
**Windows 用户** 如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a> **Windows 和 Android 6.0/7.0 用户** 如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>
**Android 6 (Marshmallow) 用户** 请参考此文档中的注释: <a href="docs/clients-zh.md#android" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a> 如果需要添加,修改或者删除 VPN 用户账户,请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>

View File

@ -121,9 +121,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes ## Important Notes
**Windows users**: If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>. **Windows and Android 6.0/7.0 users**: If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
**Android 6 (Marshmallow) users**: Please see notes in <a href="docs/clients.md#android" target="_blank">Configure IPsec/L2TP VPN Clients</a>.
If you wish to add, edit or remove VPN user accounts, refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. If you wish to add, edit or remove VPN user accounts, refer to <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>.
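Review bot: On the merged "Windows and Android 6.0/7.0 users" line, the link still targets the top of `docs/clients.md#troubleshooting`, and the removed "Android 6 (Marshmallow) users" line was the only Android-specific pointer. This commit adds a dedicated `### Android 6.0 and 7.0` heading to clients.md, so consider linking Android users directly to that subsection rather than to the start of the Troubleshooting section.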

View File

@ -6,13 +6,13 @@
根据你的偏好设置以下选项: 根据你的偏好设置以下选项:
- Username for VPN and SSH VPN 和 SSH 用户名) - Username for VPN and SSH (用户名)
- Password for VPN and SSH VPN 和 SSH 密码) - Password for VPN and SSH (密码)
- IPsec Pre-Shared Key IPsec 预共享密钥) - IPsec Pre-Shared Key IPsec 预共享密钥)
- Operating System Image 操作系统镜像Debian 8 或 Ubuntu 16.04 LTS - Operating System Image 操作系统镜像Debian 8 或 Ubuntu 16.04 LTS
- Virtual Machine Size (虚拟机大小,默认值: Standard_A0 - Virtual Machine Size (虚拟机大小,默认值: Standard_A0
击以下按钮开始: 击以下按钮开始:
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fhwdsl2%2Fsetup-ipsec-vpn%2Fmaster%2Fazure%2Fazuredeploy.json" target="_blank"> <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fhwdsl2%2Fsetup-ipsec-vpn%2Fmaster%2Fazure%2Fazuredeploy.json" target="_blank">
<img src="../docs/images/azure-deploy-button.png" alt="Deploy to Azure" /> <img src="../docs/images/azure-deploy-button.png" alt="Deploy to Azure" />
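Review bot: The new Username and Password bullets shorten the Chinese gloss to (用户名) and (密码), dropping "VPN 和 SSH". The English half of each bullet still says the value is used for both VPN and SSH, but a reader relying on the Chinese text no longer sees that one credential unlocks both services. Keep "VPN 和 SSH" in the gloss, the same way the "IPsec 预共享密钥" bullet keeps its full translation.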
@ -24,4 +24,4 @@
## 作者 ## 作者
- Daniel Falkner (https://github.com/derdanu) 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu)

View File

@ -24,4 +24,4 @@ Screenshot:
## Author ## Author
- Daniel Falkner (https://github.com/derdanu) Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu)

View File

@ -1,12 +1,12 @@
## 配置 IPsec/XAuth VPN 客户端 # 配置 IPsec/XAuth VPN 客户端
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*如需使用 IPsec/L2TP 模式连接,请参见: [配置 IPsec/L2TP VPN 客户端](clients-zh.md)* *注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>之后你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>之后你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
`IPsec/XAuth` 模式也称为 "Cisco IPsec"。和 `IPsec/L2TP` 相比较,它通常能够更高效地传输数据。 IPsec/XAuth 模式也称为 "Cisco IPsec",它通常能够比 IPsec/L2TP 更高效地传输数据。
--- ---
* 平台名称 * 平台名称
@ -15,7 +15,7 @@
* [Android](#android) * [Android](#android)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
### Windows ### ## Windows
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 **注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。
@ -33,9 +33,12 @@
1. 在 **Password** 字段中输入`你的 VPN 密码`。 1. 在 **Password** 字段中输入`你的 VPN 密码`。
1. 单击 **Connect** 1. 单击 **Connect**
VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
## OS X
### OS X ###
1. 打开系统偏好设置并转到网络部分。 1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。 1. 在窗口左下角单击 **+** 按钮。
1. 从 **接口** 下拉菜单选择 **VPN** 1. 从 **接口** 下拉菜单选择 **VPN**
@ -52,9 +55,10 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。
1. 单击 **应用** 保存VPN连接信息。 1. 单击 **应用** 保存VPN连接信息。
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## Android
### Android ###
1. 启动 **设置** 应用程序。 1. 启动 **设置** 应用程序。
1. 在 **无线和网络** 部分单击 **更多...** 1. 在 **无线和网络** 部分单击 **更多...**
1. 单击 **VPN** 1. 单击 **VPN**
@ -71,14 +75,12 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
1. 选中 **保存帐户信息** 复选框。 1. 选中 **保存帐户信息** 复选框。
1. 单击 **连接** 1. 单击 **连接**
**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=``phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">参考链接</a>)
VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## iOS
### iOS ###
1. 进入设置 -> 通用 -> VPN。 1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...** 1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **IPSec** 并返回。 1. 单击 **类型** 。选择 **IPSec** 并返回。
@ -91,7 +93,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="h
1. 单击右上角的 **存储** 1. 单击右上角的 **存储**
1. 启用 **VPN** 连接。 1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## 致谢 ## 致谢
@ -99,6 +101,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="h
## 授权协议 ## 授权协议
注: 这个协议仅适用于本文档。
版权所有 (C) 2016 Lin Song 版权所有 (C) 2016 Lin Song
基于 <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">Joshua Lund 的工作</a> (版权所有 2014-2016) 基于 <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">Joshua Lund 的工作</a> (版权所有 2014-2016)

View File

@ -1,12 +1,12 @@
## Configure IPsec/XAuth VPN Clients # Configure IPsec/XAuth VPN Clients
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
*To connect using IPsec/L2TP mode, see: [Configure IPsec/L2TP VPN Clients](clients.md)* *Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).*
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
`IPsec/XAuth` mode is also called "Cisco IPsec". Compared to `IPsec/L2TP`, it is generally faster with less overhead. IPsec/XAuth mode is also called "Cisco IPsec". It is generally faster than IPsec/L2TP with less overhead.
--- ---
* Platforms * Platforms
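Review bot: The rewritten note line near the top now links to `ikev2-howto.md`, and none of the hunks visible here touch that file. Confirm it exists at that path (and `ikev2-howto-zh.md` for the Chinese pages) so the new links resolve. The same line also drops the full title "Configure IPsec/L2TP VPN Clients" from the link text, which is fine as long as the shorter "IPsec/L2TP mode" wording is used consistently across the four client pages.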
@ -15,9 +15,9 @@ After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">settin
* [Android](#android) * [Android](#android)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
### Windows ### ## Windows
**Note:** You can also connect using [IPsec/L2TP mode](clients.md). No additional software is required. **Note:** You may also connect using [IPsec/L2TP mode](clients.md). No additional software is required.
1. Download and install the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN client</a>. 1. Download and install the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN client</a>.
1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager 1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager
@ -35,7 +35,10 @@ After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">settin
Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### OS X ### If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
## OS X
1. Open System Preferences and go to the Network section. 1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window. 1. Click the **+** button in the lower-left corner of the window.
1. Select **VPN** from the **Interface** drop-down menu. 1. Select **VPN** from the **Interface** drop-down menu.
@ -54,7 +57,8 @@ Once connected, you will see **tunnel enabled** in the VPN Connect status window
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### Android ### ## Android
1. Launch the **Settings** application. 1. Launch the **Settings** application.
1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **More...** in the **Wireless & Networks** section.
1. Tap **VPN**. 1. Tap **VPN**.
@ -71,14 +75,12 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy
1. Check the **Save account information** checkbox. 1. Check the **Save account information** checkbox.
1. Tap **Connect**. 1. Tap **Connect**.
**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds:
1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2.
1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">Reference</a>)
Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### iOS ### If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
## iOS
1. Go to Settings -> General -> VPN. 1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**. 1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **IPSec** and go back. 1. Tap **Type**. Select **IPSec** and go back.
@ -99,6 +101,8 @@ This document was adapted from the <a href="https://github.com/jlund/streisand"
## License ## License
Note: This license applies to this document only.
Copyright (C) 2016 Lin Song Copyright (C) 2016 Lin Song
Based on <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">the work of Joshua Lund</a> (Copyright 2014-2016) Based on <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">the work of Joshua Lund</a> (Copyright 2014-2016)

View File

@ -1,12 +1,12 @@
## 配置 IPsec/L2TP VPN 客户端 # 配置 IPsec/L2TP VPN 客户端
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
*如需使用 IPsec/XAuth 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* *注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。*
在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>之后你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 在成功<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建自己的 VPN 服务器</a>之后你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
你也可以参考另一个<a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">带图片的安装指南</a>,由 Tony Tran 编写。 另一个带图片的<a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">安装指南</a>可供参考由 Tony Tran 编写。
--- ---
* 平台名称 * 平台名称
@ -15,11 +15,12 @@
* [Android](#android) * [Android](#android)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
* [Chromebook](#chromebook) * [Chromebook](#chromebook)
* [Windows Phone](#windows-phone)
* [Linux](#linux) * [Linux](#linux)
### Windows ### ## Windows
**Windows 10 and 8.x:** ### Windows 10 and 8.x
1. 右键单击系统托盘中的无线/网络图标。 1. 右键单击系统托盘中的无线/网络图标。
1. 选择 **打开网络与共享中心** 1. 选择 **打开网络与共享中心**
@ -37,7 +38,7 @@
1. 单击 **确定** 关闭 **高级设置** 1. 单击 **确定** 关闭 **高级设置**
1. 单击 **确定** 保存 VPN 连接的详细信息。 1. 单击 **确定** 保存 VPN 连接的详细信息。
**Windows 7, Vista and XP:** ### Windows 7, Vista and XP
1. 单击开始菜单,选择控制面板。 1. 单击开始菜单,选择控制面板。
1. 进入 **网络和Internet** 部分。 1. 进入 **网络和Internet** 部分。
@ -63,11 +64,12 @@
1. 单击 **确定** 关闭 **高级设置** 1. 单击 **确定** 关闭 **高级设置**
1. 单击 **确定** 保存 VPN 连接的详细信息。 1. 单击 **确定** 保存 VPN 连接的详细信息。
要连接到 VPN 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 要连接到 VPN 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a> 如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
### OS X ### ## OS X
1. 打开系统偏好设置并转到网络部分。 1. 打开系统偏好设置并转到网络部分。
1. 在窗口左下角单击 **+** 按钮。 1. 在窗口左下角单击 **+** 按钮。
1. 从 **接口** 下拉菜单选择 **VPN** 1. 从 **接口** 下拉菜单选择 **VPN**
@ -85,9 +87,10 @@
1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接** 1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**
1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## Android
### Android ###
1. 启动 **设置** 应用程序。 1. 启动 **设置** 应用程序。
1. 在 **无线和网络** 部分单击 **更多...** 1. 在 **无线和网络** 部分单击 **更多...**
1. 单击 **VPN** 1. 单击 **VPN**
@ -103,14 +106,12 @@
1. 选中 **保存帐户信息** 复选框。 1. 选中 **保存帐户信息** 复选框。
1. 单击 **连接** 1. 单击 **连接**
**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=``phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">参考链接</a>)
VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## iOS
### iOS ###
1. 进入设置 -> 通用 -> VPN。 1. 进入设置 -> 通用 -> VPN。
1. 单击 **添加VPN配置...** 1. 单击 **添加VPN配置...**
1. 单击 **类型** 。选择 **L2TP** 并返回。 1. 单击 **类型** 。选择 **L2TP** 并返回。
@ -123,9 +124,10 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="h
1. 单击右上角的 **存储** 1. 单击右上角的 **存储**
1. 启用 **VPN** 连接。 1. 启用 **VPN** 连接。
VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 VPN 连接成功后,会在通知栏显示图标。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## Chromebook
### Chromebook ###
1. 如果你尚未登录 Chromebook请先登录。 1. 如果你尚未登录 Chromebook请先登录。
1. 单击状态区(其中显示你的帐户头像)。 1. 单击状态区(其中显示你的帐户头像)。
1. 单击 **设置** 1. 单击 **设置**
@ -139,11 +141,15 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到<a href="h
1. 在 **密码** 字段中输入`你的 VPN 密码`。 1. 在 **密码** 字段中输入`你的 VPN 密码`。
1. 单击 **连接** 1. 单击 **连接**
VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
### Linux ### ## Windows Phone
**Ubuntu and Debian:** Windows Phone 8.1 和更新版本的用户可以尝试<a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">这个教程</a>。请注意,该平台的 IPsec/L2TP 支持可能有一些问题。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## Linux
### Ubuntu & Debian
按照 <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">这个教程</a> 的步骤操作。需要更正以下项: 按照 <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">这个教程</a> 的步骤操作。需要更正以下项:
@ -163,7 +169,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可
如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。
检查 VPN 是否正常工作: 连接成功后,检查 VPN 是否正常工作:
``` ```
wget -qO- http://whatismyip.akamai.com; echo wget -qO- http://whatismyip.akamai.com; echo
``` ```
@ -175,7 +181,7 @@ wget -qO- http://whatismyip.akamai.com; echo
sudo route del default dev ppp0 sudo route del default dev ppp0
``` ```
**CentOS and Fedora:** ### CentOS & Fedora
参照上面的 Ubuntu/Debian 部分,并进行以下改动: 参照上面的 Ubuntu/Debian 部分,并进行以下改动:
@ -183,7 +189,7 @@ sudo route del default dev ppp0
1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan` 1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan`
1. 文件 `ipsec.conf``ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 1. 文件 `ipsec.conf``ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。
**Other Linux:** ### Other Linux
如果你的系统提供 `strongswan` 软件包,请参见上面的两个部分。 如果你的系统提供 `strongswan` 软件包,请参见上面的两个部分。
@ -219,6 +225,13 @@ sudo route del default dev ppp0
![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png)
### Android 6.0 and 7.0
如果你无法使用 Android 6.0 (Marshmallow) 或者 7.0 (Nougat) 连接,请尝试以下解决方案:
1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请看下一步。
1. (注: 最新版本的 VPN 脚本已经包含这些更改) 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=``phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
### 其它错误 ### 其它错误
更多的故障排除信息请参见 <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues" target="_blank">这个文档</a> 更多的故障排除信息请参见 <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues" target="_blank">这个文档</a>
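Review bot: In the new "Android 6.0 and 7.0" section, step 2 tells the reader to append `,aes256-sha2_256` to the `ike=` and `phase2alg=` lines and to add `sha2-truncbug=yes`, but does not say what that option changes or whether it affects clients other than Android. The edit is made in `/etc/ipsec.conf` on the VPN server, so add a sentence on the option's effect and scope, and mention that `service ipsec restart` interrupts existing connections. The reference link also moved from the FAQ entry `#Android_6.0_connection_comes_up_but_no_packet_flow` to the generic `#Configuration_Matters`; point it at the specific entry if one still exists. The heading is in English while the neighbouring `### 其它错误` is in Chinese.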
@ -229,6 +242,8 @@ sudo route del default dev ppp0
## 授权协议 ## 授权协议
注: 这个协议仅适用于本文档。
版权所有 (C) 2016 Lin Song 版权所有 (C) 2016 Lin Song
基于 <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">Joshua Lund 的工作</a> (版权所有 2014-2016) 基于 <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">Joshua Lund 的工作</a> (版权所有 2014-2016)

View File

@ -1,12 +1,12 @@
## Configure IPsec/L2TP VPN Clients # Configure IPsec/L2TP VPN Clients
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
*To connect using IPsec/XAuth mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* *Note: You may also connect using [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).*
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
You may also refer to this alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">setup guide with images</a> by Tony Tran. An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">setup guide</a> with images is available, written by Tony Tran.
--- ---
* Platforms * Platforms
@ -15,11 +15,12 @@ You may also refer to this alternative <a href="https://usefulpcguide.com/17318/
* [Android](#android) * [Android](#android)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
* [Chromebook](#chromebook) * [Chromebook](#chromebook)
* [Windows Phone](#windows-phone)
* [Linux](#linux) * [Linux](#linux)
### Windows ### ## Windows
**Windows 10 and 8.x:** ### Windows 10 and 8.x
1. Right-click on the wireless/network icon in your system tray. 1. Right-click on the wireless/network icon in your system tray.
1. Select **Open Network and Sharing Center**. 1. Select **Open Network and Sharing Center**.
@ -37,7 +38,7 @@ You may also refer to this alternative <a href="https://usefulpcguide.com/17318/
1. Click **OK** to close the **Advanced settings**. 1. Click **OK** to close the **Advanced settings**.
1. Click **OK** to save the VPN connection details. 1. Click **OK** to save the VPN connection details.
**Windows 7, Vista and XP:** ### Windows 7, Vista and XP
1. Click on the Start Menu and go to the Control Panel. 1. Click on the Start Menu and go to the Control Panel.
1. Go to the **Network and Internet** section. 1. Go to the **Network and Internet** section.
@ -67,7 +68,8 @@ To connect to the VPN: Click on the wireless/network icon in your system tray, s
If you get an error when trying to connect, see <a href="#troubleshooting">Troubleshooting</a>. If you get an error when trying to connect, see <a href="#troubleshooting">Troubleshooting</a>.
### OS X ### ## OS X
1. Open System Preferences and go to the Network section. 1. Open System Preferences and go to the Network section.
1. Click the **+** button in the lower-left corner of the window. 1. Click the **+** button in the lower-left corner of the window.
1. Select **VPN** from the **Interface** drop-down menu. 1. Select **VPN** from the **Interface** drop-down menu.
@ -87,7 +89,8 @@ If you get an error when trying to connect, see <a href="#troubleshooting">Troub
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### Android ### ## Android
1. Launch the **Settings** application. 1. Launch the **Settings** application.
1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **More...** in the **Wireless & Networks** section.
1. Tap **VPN**. 1. Tap **VPN**.
@ -103,14 +106,12 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy
1. Check the **Save account information** checkbox. 1. Check the **Save account information** checkbox.
1. Tap **Connect**. 1. Tap **Connect**.
**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds:
1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2.
1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow" target="_blank">Reference</a>)
Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### iOS ### If you get an error when trying to connect, see <a href="#troubleshooting">Troubleshooting</a>.
## iOS
1. Go to Settings -> General -> VPN. 1. Go to Settings -> General -> VPN.
1. Tap **Add VPN Configuration...**. 1. Tap **Add VPN Configuration...**.
1. Tap **Type**. Select **L2TP** and go back. 1. Tap **Type**. Select **L2TP** and go back.
@ -125,7 +126,8 @@ Once connected, you will see a VPN icon in the notification bar. You can verify
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### Chromebook ### ## Chromebook
1. If you haven't already, sign in to your Chromebook. 1. If you haven't already, sign in to your Chromebook.
1. Click the status area, where your account picture appears. 1. Click the status area, where your account picture appears.
1. Click **Settings**. 1. Click **Settings**.
@ -141,9 +143,13 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y
Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
### Linux ### ## Windows Phone
**Ubuntu and Debian:** Users with Windows Phone 8.1 and newer, try <a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">this tutorial</a>. Please note that IPsec/L2TP support on this platform may have some issues. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Linux
### Ubuntu & Debian
Follow the steps in <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">this tutorial</a>. Some corrections are required: Follow the steps in <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">this tutorial</a>. Some corrections are required:
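Review bot: The new Windows Phone paragraph says IPsec/L2TP support "may have some issues" without naming any, and its only setup instructions are a third-party forum thread linked over plain `http://`. The IKEv2 guide touched in this same commit now states that Windows Phone 8.1 and newer support IKEv2, so either name the known L2TP problems here or point readers to that guide as the alternative. The `jasonernst.com` tutorial link under `### Ubuntu & Debian` is also plain `http://`, which matters because readers copy configuration from it.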
@ -163,7 +169,7 @@ Follow the steps in <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn
If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc. If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc.
Verify that your traffic is being routed properly: Once connected, verify that your traffic is being routed properly:
``` ```
wget -qO- http://whatismyip.akamai.com; echo wget -qO- http://whatismyip.akamai.com; echo
``` ```
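Review bot: The verification command fetches `http://whatismyip.akamai.com` in cleartext, while the other client sections in this file send readers to an HTTPS lookup. A cleartext request can be answered or altered by anything on the path, so a wrong or misleading address is possible; suggest an HTTPS endpoint here, and state the expected result (`Your VPN Server IP`) next to the command if the text after the fence does not already.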
@ -175,7 +181,7 @@ To stop routing traffic via the VPN server:
sudo route del default dev ppp0 sudo route del default dev ppp0
``` ```
**CentOS and Fedora:** ### CentOS & Fedora
Refer to the Ubuntu/Debian section above, with these changes: Refer to the Ubuntu/Debian section above, with these changes:
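Review bot: `sudo route del default dev ppp0` in the context above hard-codes `ppp0`, but the earlier troubleshooting line tells readers the interface may be `ppp1`, etc. Repeat that reminder next to the stop command so the step works for those users too. Separately, now that the distro names are real headings, "Refer to the Ubuntu/Debian section above" could link to the new `### Ubuntu & Debian` heading instead of relying on position.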
@ -183,7 +189,7 @@ Refer to the Ubuntu/Debian section above, with these changes:
1. In these systems, the `ipsec` command has been renamed to `strongswan`. 1. In these systems, the `ipsec` command has been renamed to `strongswan`.
1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`. 1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`.
**Other Linux:** ### Other Linux
If your system provides the `strongswan` package, refer to the two sections above. If your system provides the `strongswan` package, refer to the two sections above.
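Review bot: Under `### Other Linux`, "refer to the two sections above" leaves it unclear which variant applies: the `ipsec` command or the renamed `strongswan` command, and whether `ipsec.conf` and `ipsec.secrets` belong under `/etc/strongswan`. Add one sentence telling readers to follow whichever of the two sections matches the command name their `strongswan` package installs.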
@ -219,6 +225,13 @@ To fix this error, please follow these steps:
![Select CHAP in VPN connection properties](images/vpn-properties.png) ![Select CHAP in VPN connection properties](images/vpn-properties.png)
### Android 6.0 and 7.0
If you are unable to connect using Android 6.0 (Marshmallow) or 7.0 (Nougat), try these workarounds:
1. Tap the "Settings" icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, see the next step.
1. (Note: The latest version of VPN scripts already includes these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>)
### Other Errors ### Other Errors
Please refer to <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues" target="_blank">this document</a> for more troubleshooting tips. Please refer to <a href="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues" target="_blank">this document</a> for more troubleshooting tips.
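Review bot: Step 2 of the Android 6.0 and 7.0 workaround edits `/etc/ipsec.conf` on the server, so it affects every client of those connections, and the text does not say so. `sha2-truncbug=yes` switches Libreswan from the standard 128-bit truncation for SHA2-256 to the 96-bit variant, so a client that negotiates `aes256-sha2_256` with the standard truncation may fail after this change; a one-line caveat would help operators who also serve other platforms. The step also packs three edits, an indentation rule and a restart into one sentence that opens with a parenthetical note; splitting it into sub-steps and moving the "latest version of VPN scripts already includes these changes" note to the end would make it harder to misapply.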
@ -229,6 +242,8 @@ This document was adapted from the <a href="https://github.com/jlund/streisand"
## License ## License
Note: This license applies to this document only.
Copyright (C) 2016 Lin Song Copyright (C) 2016 Lin Song
Based on <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">the work of Joshua Lund</a> (Copyright 2014-2016) Based on <a href="https://github.com/jlund/streisand/blob/master/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2" target="_blank">the work of Joshua Lund</a> (Copyright 2014-2016)

View File

@ -2,12 +2,18 @@
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
---
**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> **重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a>
Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 Security associationSA。与 IKEv1 相比较IKEv2 带来许多<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 ---
Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 Security associationSA。与 IKEv1 相比较IKEv2 带来许多<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN 客户端</a>。下面举例说明如何配置 IKEv2。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN 客户端</a>。下面举例说明如何配置 IKEv2。
首先,请确保你已经成功地<a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">搭建了自己的 VPN 服务器</a>。以下命令必须用 `root` 账户运行。
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
```bash ```bash
@ -197,11 +203,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
连接成功后,你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## 已知问题 ## 已知问题
Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 <a href="clients-zh.md#故障排除" target="_blank">这个解决方案</a>。如果仍然无法解决,请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 协议连接。 Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 <a href="clients-zh.md#故障排除" target="_blank">这个解决方案</a>。如果仍然无法解决,请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
## 参考链接 ## 参考链接
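Review bot: The IP check link is switched to `https://www.ipchicken.com` here, while the client guide in this commit uses a Google lookup and `whatismyip.akamai.com`. Three different third-party services across the docs are harder to vet and keep working; pick one and use it everywhere, and confirm the English page carries the same change, since its hunk does not show this line.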

View File

@ -2,12 +2,18 @@
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
---
**IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>. **IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>.
Windows 7 and newer releases support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">many improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability. ---
Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">many improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN client</a>. The following examples show how to configure IKEv2. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN client</a>. The following examples show how to configure IKEv2.
First, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>. Commands below must be run as `root`.
1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
```bash ```bash
@ -201,9 +207,9 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
## Known Issues ## Known Issues
The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try <a href="clients.md#troubleshooting" target="_blank">this workaround</a>. If it doesn't work, please connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> instead. The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try <a href="clients.md#troubleshooting" target="_blank">this workaround</a>. If it doesn't work, please connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> modes instead.
## Useful Links ## References
* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 * https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
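Review bot: In Known Issues, "this workaround" still points at the generic `clients.md#troubleshooting` anchor, and this commit adds another subsection (Android 6.0 and 7.0) under Troubleshooting, so a reader hitting "Error 809" has to guess which fix is meant. Link to the specific subsection instead. Also, "IPsec/L2TP or IPsec/XAuth modes instead" reads better as "mode".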

View File

@ -1,4 +1,4 @@
## 管理 VPN 用户 # 管理 VPN 用户
*其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).* *其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).*

View File

@ -1,4 +1,4 @@
## Manage VPN Users # Manage VPN Users
*Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).* *Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).*