From 7f8f2314792dca20ba29fd98220e3fcbb60aad6e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 30 Mar 2021 01:15:00 -0500 Subject: [PATCH] Update docs - Add advanced usage for IKEv2-only VPN --- README-zh.md | 7 +++++++ README.md | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/README-zh.md b/README-zh.md index 62b28ee..ae2ecb9 100644 --- a/README-zh.md +++ b/README-zh.md @@ -336,6 +336,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh - [使用其他的 DNS 服务器](#使用其他的-dns-服务器) - [域名和更改服务器 IP](#域名和更改服务器-ip) - [VPN 内网 IP](#vpn-内网-ip) +- [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn) - [更改 IPTables 规则](#更改-iptables-规则) ### 使用其他的 DNS 服务器 @@ -376,6 +377,12 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP ``` +### 仅限 IKEv2 的 VPN + +Libreswan 4.2 和更新版本支持 `ikev1-policy` 配置选项。使用此选项,高级用户可以设置仅限 IKEv2 的 VPN,即 VPN 服务器仅接受 IKEv2 连接,而 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。 + +要设置仅限 IKEv2 的 VPN,首先按照本自述文件中的说明安装 VPN 服务器并且配置 IKEv2。然后使用 `ipsec --version` 命令检查 Libreswan 版本并 [更新 Libreswan](#升级libreswan)(如果需要)。下一步,编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。 + ### 更改 IPTables 规则 如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/README.md b/README.md index 944357f..e3e9f4a 100644 --- a/README.md +++ b/README.md @@ -336,6 +336,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh - [Use alternative DNS servers](#use-alternative-dns-servers) - [DNS name and server IP changes](#dns-name-and-server-ip-changes) - [Internal VPN IPs](#internal-vpn-ips) +- [IKEv2 only VPN](#ikev2-only-vpn) - [Modify IPTables rules](#modify-iptables-rules) ### Use alternative DNS servers 
@@ -376,6 +377,12 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP ``` +### IKEv2 only VPN + +Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can set up an IKEv2-only VPN, i.e. only IKEv2 connections are accepted by the VPN server, while IKEv1 connections (including the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) are dropped. + +To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in this README. Then check Libreswan version using `ipsec --version`, and [update Libreswan](#upgrade-libreswan) if needed. After that, edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled. + ### Modify IPTables rules If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
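Review bot: In the README-zh.md section hunk, the link `[更新 Libreswan](#升级libreswan)` uses an anchor without the hyphen that the other Chinese anchors in this patch use (e.g. `#仅限-ikev2-的-vpn`); please confirm the slug matches the actual "升级 Libreswan" heading or the link will be dead. The same hunk should also state plainly that, once `ikev1-policy=drop` is in place, existing IPsec/L2TP and IPsec/XAuth clients can no longer connect, so users should migrate those clients to IKEv2 before applying the change.

Review bot: In the README.md section hunk, the procedure tells the reader to append `ikev1-policy=drop` and verify with `ipsec status`, but never says that IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") clients will be cut off the moment the service restarts; add a sentence asking users to move those clients to IKEv2 first, and a note on reverting (remove the line and restart) if they need the other modes back. Minor grammar in the same paragraph: "Then check Libreswan version using `ipsec --version`" reads better as "Then check the Libreswan version using `ipsec --version`", and "using instructions in this README" as "using the instructions in this README".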