Fix IKEv2 docs
- Windows 8.x and 10 require the IKEv2 machine certificate to have "Client Auth" EKU in addition to "Server Auth". Otherwise it gives "Error 13806: IKE failed to find valid machine certificate..."
- The IKEv2 documentation has been updated to fix this issue
- Also, this Libreswan wiki page may need to be updated. @letoams https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
- Ref: #106. Thanks @evil-shrike!
parent a156a1f5f3
commit 758f0e1418
@@ -175,7 +175,82 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
 ```bash
 $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
 
--- 重复与上面相同的 extensions --
+A random seed must be generated that will be used in the
+creation of your key. One of the easiest ways to create a
+random seed is to use the timing of keystrokes on a keyboard.
+
+To begin, type keys on the keyboard until this progress meter
+is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
+
+Continue typing until the progress meter is full:
+
+|************************************************************|
+
+Finished. Press enter to continue:
+
+Generating key. This may take a few moments...
+
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 0
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 2
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 8
+Is this a critical extension [y/N]?
+N
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 0
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 1
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 8
+Is this a critical extension [y/N]?
+N
 
 $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
 
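Review bot: the 76 added lines replace the `-- 重复与上面相同的 extensions --` placeholder with a transcript that, by the placeholder's own wording, repeats what is already shown earlier in the file, so two copies of the same menu walk-through now have to be kept in sync by hand. If the full transcript is wanted here, mark the answers that matter for this fix, `> 0`, `> 2`, `> 8` under Key Usage and `> 0`, `> 1`, `> 8` under Extended Key Usage, with a short Chinese sentence after the block saying that `> 1` selects Client Auth and that Windows 8.x and 10 otherwise report Error 13806; as it stands a reader has to map the numbers back to the menus to see why this block changed. Leaving the NSS prompts themselves in English is right, since they are program output.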
@@ -211,7 +286,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
 
 #### Windows 7, 8.x 和 10
 
-将 `.p12` 文件导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入 "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。
+将 `.p12` 文件导入到 "Computer account" 证书存储。在导入证书后,你必须确保将客户端证书放在 "Personal -> Certificates" 目录中,并且将 CA 证书放在 "Trusted Root Certification Authorities -> Certificates" 目录中。
 
 详细的操作步骤:
 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
 
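Review bot: the added line mixes half-width commas (`在导入证书后,你必须确保`, `目录中,并且`) with the full-width `。` used elsewhere in the sentence; suggest `，` for consistency with the surrounding Chinese text. The line also says where the two certificates must end up but not how to check it, and the "详细的操作步骤" link below is to an English page, so one more clause pointing the reader at the Certificates snap-in for the "Computer account" store (not the current user's store) would make the check self-contained.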
@@ -175,7 +175,82 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
 ```bash
 $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
 
--- repeat same extensions as above --
+A random seed must be generated that will be used in the
+creation of your key. One of the easiest ways to create a
+random seed is to use the timing of keystrokes on a keyboard.
+
+To begin, type keys on the keyboard until this progress meter
+is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
+
+Continue typing until the progress meter is full:
+
+|************************************************************|
+
+Finished. Press enter to continue:
+
+Generating key. This may take a few moments...
+
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 0
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 2
+0 - Digital Signature
+1 - Non-repudiation
+2 - Key encipherment
+3 - Data encipherment
+4 - Key agreement
+5 - Cert signing key
+6 - CRL signing key
+Other to finish
+> 8
+Is this a critical extension [y/N]?
+N
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 0
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 1
+0 - Server Auth
+1 - Client Auth
+2 - Code Signing
+3 - Email Protection
+4 - Timestamp
+5 - OCSP Responder
+6 - Step-up
+7 - Microsoft Trust List Signing
+Other to finish
+> 8
+Is this a critical extension [y/N]?
+N
 
 $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
 
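Review bot: the selections this fix depends on are buried in the transcript: `> 0` (Server Auth) followed by `> 1` (Client Auth) under Extended Key Usage, with `> 8` and `N` to finish the non-critical extension. Consider a sentence after the block stating that both EKUs must be selected for the client certificate because Windows 8.x and 10 otherwise fail with "Error 13806: IKE failed to find valid machine certificate", as the commit message explains; without it, the replacement of `-- repeat same extensions as above --` by 76 literal lines reads as a cosmetic change and the two copies of the menu walk-through can drift apart unnoticed. A smaller point: the `> 0` style prompts sit inside a ```bash fence where `>` reads as a shell redirection, so a note that these are NSS prompts, or a plain `text` fence for the interactive part, would avoid confusion.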
@@ -211,7 +286,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
 
 #### Windows 7, 8.x and 10
 
-Import the `.p12` file to the Computer certificate store. The CA cert once imported must be placed into the "Certificates" sub-folder under "Trusted Root Certification Authorities".
+Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
 
 Detailed instructions:
 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
 
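Review bot: the new wording loses the old line's instruction to act ("once imported must be placed into") in favour of "Make sure that ... is placed in", which reads as a check with no remedy; suggest keeping an explicit step, for example "if the import wizard put the CA cert anywhere else, move it to Trusted Root Certification Authorities -> Certificates", and saying that the check is done in the Certificates snap-in for the Computer account rather than the current user, since an import into the wrong store is exactly what leaves the client without a usable machine certificate. Naming both target folders is a clear improvement over the old text, which only covered the CA cert.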