1
0
mirror of synced 2024-11-22 13:06:02 +03:00

Add IKEv2 how to

[ci skip]
This commit is contained in:
hwdsl2 2016-08-28 00:41:46 -05:00
parent 72d0f7ff52
commit 77d0f0bc93
4 changed files with 428 additions and 2 deletions

View File

@ -108,6 +108,8 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 7 和更新版本</a>
开始使用自己的专属 VPN ! :sparkles::tada::rocket::sparkles:
## 重要提示
@ -150,7 +152,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
- <a href="https://github.com/SoftEtherVPN/SoftEtherVPN" target="_blank">SoftEther VPN</a>
- <a href="https://github.com/breakwa11/shadowsocks-rss" target="_blank">ShadowsocksR</a>
- <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN Install</a>
- <a href="https://github.com/philpl/setup-strong-strongswan" target="_blank">Setup Strongswan</a>
- <a href="https://github.com/philpl/setup-strong-strongswan" target="_blank">Setup strongSwan</a>
## 作者

View File

@ -108,6 +108,8 @@ Get your computer or device to use the VPN. Please refer to:
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
<a href="docs/ikev2-howto.md" target="_blank">How To: IKEv2 VPN for Windows 7 and newer</a>
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes
@ -150,7 +152,7 @@ Please refer to <a href="docs/uninstall.md" target="_blank">Uninstall the VPN</a
- <a href="https://github.com/SoftEtherVPN/SoftEtherVPN" target="_blank">SoftEther VPN</a>
- <a href="https://github.com/breakwa11/shadowsocks-rss" target="_blank">ShadowsocksR</a>
- <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN Install</a>
- <a href="https://github.com/philpl/setup-strong-strongswan" target="_blank">Setup Strongswan</a>
- <a href="https://github.com/philpl/setup-strong-strongswan" target="_blank">Setup strongSwan</a>
## Author

211
docs/ikev2-howto-zh.md Normal file
View File

@ -0,0 +1,211 @@
# 如何配置 IKEv2 VPN: Windows 7 和更新版本
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a>
Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 Security associationSA。与 IKEv1 相比较IKEv2 带来许多<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN 客户端</a>。下面举例说明如何配置 IKEv2。
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP"
(Your public IP is displayed)
$ echo "$PRIVATE_IP"
(Your private IP is displayed)
```
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
```bash
$ cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp
left=$PRIVATE_IP
leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightaddresspool=192.168.43.10-192.168.43.250
rightca=%same
rightrsasigkey=%cert
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
fragmentation=yes
forceencaps=yes
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
EOF
```
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
```
1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书:
```bash
$ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient"
-- repeat same extensions as above --
$ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `winclient` 换成 `winclient2`,等等。
1. 证书数据库现在应该包含以下内容:
```bash
$ certutil -L -d sql:/etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example CA CTu,u,u
($PUBLIC_IP) u,u,u
winclient u,u,u
```
注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`
1. 重启 IPsec 服务:
```bash
$ service ipsec restart
```
1. 文件 `winclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。
详细的操作步骤:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
1. 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
连接成功后,你可以到<a href="https://www.whatismyip.com" target="_blank">这里</a>检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## 已知问题
Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 <a href="clients-zh.md#故障排除" target="_blank">这个解决方案</a>。如果仍然无法解决,请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 协议连接。
## 参考链接
* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7

211
docs/ikev2-howto.md Normal file
View File

@ -0,0 +1,211 @@
# How To: IKEv2 VPN for Windows 7 and newer
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
**IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>.
Windows 7 and newer releases support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">many improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient" target="_blank">strongSwan Android VPN client</a>. The following examples show how to configure IKEv2.
1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same.
```bash
$ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
$ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
$ echo "$PUBLIC_IP"
(Your public IP is displayed)
$ echo "$PRIVATE_IP"
(Your private IP is displayed)
```
1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
```bash
$ cat >> /etc/ipsec.conf <<EOF
conn ikev2-cp
left=$PRIVATE_IP
leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightaddresspool=192.168.43.10-192.168.43.250
rightca=%same
rightrsasigkey=%cert
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
fragmentation=yes
forceencaps=yes
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
EOF
```
1. Generate Certificate Authority (CA) and VPN server certificates:
```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
```
1. Generate client certificate(s), and export the p12 file that contains the client certificate, private key, and CA certificate:
```bash
$ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient"
-- repeat same extensions as above --
$ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
Repeat this step for additional VPN clients, but replace every `winclient` with `winclient2`, etc.
1. The database should now contain:
```bash
$ certutil -L -d sql:/etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example CA CTu,u,u
($PUBLIC_IP) u,u,u
winclient u,u,u
```
Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`.
1. Restart IPsec service:
```bash
$ service ipsec restart
```
1. The `winclient.p12` file should then be securely transferred to the Windows client computer and imported to the Computer certificate store. The CA cert once imported must be placed (or moved) into the "Certificates" sub-folder under "Trusted Root Certification Authorities".
Detailed instructions:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
1. On the Windows computer, add a new IKEv2 VPN connection.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
1. Start the new IKEv2 VPN connection, and enjoy your own VPN!
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Known Issues
The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try <a href="clients.md#troubleshooting" target="_blank">this workaround</a>. If it doesn't work, please connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> instead.
## Useful Links
* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7