diff --git a/README-zh.md b/README-zh.md
index 91738d6..f3f908b 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -108,6 +108,8 @@ DigitalOcean 用户可以参考这个配置 IPsec/L2TP VPN 客户端
配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端
+如何配置 IKEv2 VPN: Windows 7 和更新版本
+
开始使用自己的专属 VPN ! :sparkles::tada::rocket::sparkles:
## 重要提示
@@ -150,7 +152,7 @@ DigitalOcean 用户可以参考这个SoftEther VPN
- ShadowsocksR
- OpenVPN Install
-- Setup Strongswan
+- Setup strongSwan
## 作者
diff --git a/README.md b/README.md
index 6065216..cf3a250 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,8 @@ Get your computer or device to use the VPN. Please refer to:
Configure IPsec/L2TP VPN Clients
Configure IPsec/XAuth ("Cisco IPsec") VPN Clients
+How To: IKEv2 VPN for Windows 7 and newer
+
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes
@@ -150,7 +152,7 @@ Please refer to Uninstall the VPNSoftEther VPN
- ShadowsocksR
- OpenVPN Install
-- Setup Strongswan
+- Setup strongSwan
## Author
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
new file mode 100644
index 0000000..ad4a74a
--- /dev/null
+++ b/docs/ikev2-howto-zh.md
@@ -0,0 +1,211 @@
+# 如何配置 IKEv2 VPN: Windows 7 和更新版本
+
+*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
+
+**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 IPsec/L2TP 或者 IPsec/XAuth。
+
+Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security association,SA)。与 IKEv1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
+
+Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。
+
+1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
+
+ ```bash
+ $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
+ $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
+ $ echo "$PUBLIC_IP"
+ (Your public IP is displayed)
+ $ echo "$PRIVATE_IP"
+ (Your private IP is displayed)
+ ```
+
+1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
+
+ ```bash
+ $ cat >> /etc/ipsec.conf <
+ Is this a critical extension [y/N]?
+ N
+
+ $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
+
+ A random seed must be generated that will be used in the
+ creation of your key. One of the easiest ways to create a
+ random seed is to use the timing of keystrokes on a keyboard.
+
+ To begin, type keys on the keyboard until this progress meter
+ is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
+
+ Continue typing until the progress meter is full:
+
+ |************************************************************|
+
+ Finished. Press enter to continue:
+
+ Generating key. This may take a few moments...
+
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 0
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 2
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 8
+ Is this a critical extension [y/N]?
+ N
+ 0 - Server Auth
+ 1 - Client Auth
+ 2 - Code Signing
+ 3 - Email Protection
+ 4 - Timestamp
+ 5 - OCSP Responder
+ 6 - Step-up
+ 7 - Microsoft Trust List Signing
+ Other to finish
+ > 0
+ 0 - Server Auth
+ 1 - Client Auth
+ 2 - Code Signing
+ 3 - Email Protection
+ 4 - Timestamp
+ 5 - OCSP Responder
+ 6 - Step-up
+ 7 - Microsoft Trust List Signing
+ Other to finish
+ > 8
+ Is this a critical extension [y/N]?
+ N
+ ```
+
+1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书:
+
+ ```bash
+ $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient"
+
+ -- repeat same extensions as above --
+
+ $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d
+
+ Enter password for PKCS12 file:
+ Re-enter password:
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ ```
+
+ 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `winclient` 换成 `winclient2`,等等。
+
+1. 证书数据库现在应该包含以下内容:
+
+ ```bash
+ $ certutil -L -d sql:/etc/ipsec.d
+
+ Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+
+ Example CA CTu,u,u
+ ($PUBLIC_IP) u,u,u
+ winclient u,u,u
+ ```
+
+ 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。
+
+1. 重启 IPsec 服务:
+
+ ```bash
+ $ service ipsec restart
+ ```
+
+1. 文件 `winclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。
+
+ 详细的操作步骤:
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
+
+1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。
+
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
+
+1. 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN!
+
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
+
+ 连接成功后,你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
+
+## 已知问题
+
+Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 协议连接。
+
+## 参考链接
+
+* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
+* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
+* https://libreswan.org/man/ipsec.conf.5.html
+* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
new file mode 100644
index 0000000..0f0f5c9
--- /dev/null
+++ b/docs/ikev2-howto.md
@@ -0,0 +1,211 @@
+# How To: IKEv2 VPN for Windows 7 and newer
+
+*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
+
+**IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth.
+
+Windows 7 and newer releases support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability.
+
+Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with strongSwan Android VPN client. The following examples show how to configure IKEv2.
+
+1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
+
+ ```bash
+ $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
+ $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
+ $ echo "$PUBLIC_IP"
+ (Your public IP is displayed)
+ $ echo "$PRIVATE_IP"
+ (Your private IP is displayed)
+ ```
+
+1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
+
+ ```bash
+ $ cat >> /etc/ipsec.conf <
+ Is this a critical extension [y/N]?
+ N
+
+ $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
+
+ A random seed must be generated that will be used in the
+ creation of your key. One of the easiest ways to create a
+ random seed is to use the timing of keystrokes on a keyboard.
+
+ To begin, type keys on the keyboard until this progress meter
+ is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
+
+ Continue typing until the progress meter is full:
+
+ |************************************************************|
+
+ Finished. Press enter to continue:
+
+ Generating key. This may take a few moments...
+
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 0
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 2
+ 0 - Digital Signature
+ 1 - Non-repudiation
+ 2 - Key encipherment
+ 3 - Data encipherment
+ 4 - Key agreement
+ 5 - Cert signing key
+ 6 - CRL signing key
+ Other to finish
+ > 8
+ Is this a critical extension [y/N]?
+ N
+ 0 - Server Auth
+ 1 - Client Auth
+ 2 - Code Signing
+ 3 - Email Protection
+ 4 - Timestamp
+ 5 - OCSP Responder
+ 6 - Step-up
+ 7 - Microsoft Trust List Signing
+ Other to finish
+ > 0
+ 0 - Server Auth
+ 1 - Client Auth
+ 2 - Code Signing
+ 3 - Email Protection
+ 4 - Timestamp
+ 5 - OCSP Responder
+ 6 - Step-up
+ 7 - Microsoft Trust List Signing
+ Other to finish
+ > 8
+ Is this a critical extension [y/N]?
+ N
+ ```
+
+1. Generate client certificate(s), and export the p12 file that contains the client certificate, private key, and CA certificate:
+
+ ```bash
+ $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient"
+
+ -- repeat same extensions as above --
+
+ $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d
+
+ Enter password for PKCS12 file:
+ Re-enter password:
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ ```
+
+ Repeat this step for additional VPN clients, but replace every `winclient` with `winclient2`, etc.
+
+1. The database should now contain:
+
+ ```bash
+ $ certutil -L -d sql:/etc/ipsec.d
+
+ Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+
+ Example CA CTu,u,u
+ ($PUBLIC_IP) u,u,u
+ winclient u,u,u
+ ```
+
+ Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`.
+
+1. Restart IPsec service:
+
+ ```bash
+ $ service ipsec restart
+ ```
+
+1. The `winclient.p12` file should then be securely transferred to the Windows client computer and imported to the Computer certificate store. The CA cert once imported must be placed (or moved) into the "Certificates" sub-folder under "Trusted Root Certification Authorities".
+
+ Detailed instructions:
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
+
+1. On the Windows computer, add a new IKEv2 VPN connection.
+
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
+
+1. Start the new IKEv2 VPN connection, and enjoy your own VPN!
+
+ https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
+
+ Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+
+## Known Issues
+
+The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth instead.
+
+## Useful Links
+
+* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
+* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
+* https://libreswan.org/man/ipsec.conf.5.html
+* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7