Update docs
- Add advanced usage for IKEv2-only VPN
This commit is contained in:
parent
f2872197b1
commit
7f8f231479
@ -336,6 +336,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh
|
|||||||
- [使用其他的 DNS 服务器](#使用其他的-dns-服务器)
|
- [使用其他的 DNS 服务器](#使用其他的-dns-服务器)
|
||||||
- [域名和更改服务器 IP](#域名和更改服务器-ip)
|
- [域名和更改服务器 IP](#域名和更改服务器-ip)
|
||||||
- [VPN 内网 IP](#vpn-内网-ip)
|
- [VPN 内网 IP](#vpn-内网-ip)
|
||||||
|
- [仅限 IKEv2 的 VPN](#仅限-ikev2-的-vpn)
|
||||||
- [更改 IPTables 规则](#更改-iptables-规则)
|
- [更改 IPTables 规则](#更改-iptables-规则)
|
||||||
|
|
||||||
### 使用其他的 DNS 服务器
|
### 使用其他的 DNS 服务器
|
||||||
@ -376,6 +377,12 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D
|
|||||||
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### 仅限 IKEv2 的 VPN
|
||||||
|
|
||||||
|
Libreswan 4.2 和更新版本支持 `ikev1-policy` 配置选项。使用此选项,高级用户可以设置仅限 IKEv2 的 VPN,即 VPN 服务器仅接受 IKEv2 连接,而 IKEv1 连接(包括 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式)将被丢弃。
|
||||||
|
|
||||||
|
要设置仅限 IKEv2 的 VPN,首先按照本自述文件中的说明安装 VPN 服务器并且配置 IKEv2。然后使用 `ipsec --version` 命令检查 Libreswan 版本并 [更新 Libreswan](#升级libreswan)(如果需要)。下一步,编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `config setup` 小节的末尾添加 `ikev1-policy=drop`,开头必须空两格。保存文件并运行 `service ipsec restart`。在完成后,你可以使用 `ipsec status` 命令来验证仅启用了 `ikev2-cp` 连接。
|
||||||
|
|
||||||
### 更改 IPTables 规则
|
### 更改 IPTables 规则
|
||||||
|
|
||||||
如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
|
如果你想要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。
|
||||||
|
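Review bot: the new 仅限 IKEv2 的 VPN section tells the reader to add `ikev1-policy=drop` but gives no way back; since the same paragraph says IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") clients will be dropped once this is set, add a sentence that removing the line from `config setup` and running `service ipsec restart` again restores IKEv1 access. A short fenced snippet would also make the placement unambiguous, e.g.
`config setup`
`  ...`
`  ikev1-policy=drop`
Please also confirm that the `#升级libreswan` link resolves to the generated anchor of the upgrade heading in this file (the English hunk links to `#upgrade-libreswan`).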
@ -336,6 +336,7 @@ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh && sudo sh vpnupgrade.sh
|
|||||||
- [Use alternative DNS servers](#use-alternative-dns-servers)
|
- [Use alternative DNS servers](#use-alternative-dns-servers)
|
||||||
- [DNS name and server IP changes](#dns-name-and-server-ip-changes)
|
- [DNS name and server IP changes](#dns-name-and-server-ip-changes)
|
||||||
- [Internal VPN IPs](#internal-vpn-ips)
|
- [Internal VPN IPs](#internal-vpn-ips)
|
||||||
|
- [IKEv2 only VPN](#ikev2-only-vpn)
|
||||||
- [Modify IPTables rules](#modify-iptables-rules)
|
- [Modify IPTables rules](#modify-iptables-rules)
|
||||||
|
|
||||||
### Use alternative DNS servers
|
### Use alternative DNS servers
|
||||||
@ -376,6 +377,12 @@ iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j D
|
|||||||
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### IKEv2 only VPN
|
||||||
|
|
||||||
|
Libreswan 4.2 and newer versions support the `ikev1-policy` config option. Using this option, advanced users can set up an IKEv2-only VPN, i.e. only IKEv2 connections are accepted by the VPN server, while IKEv1 connections (including the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) are dropped.
|
||||||
|
|
||||||
|
To set up an IKEv2-only VPN, first install the VPN server and set up IKEv2 using instructions in this README. Then check Libreswan version using `ipsec --version`, and [update Libreswan](#upgrade-libreswan) if needed. After that, edit `/etc/ipsec.conf` on the VPN server. Append `ikev1-policy=drop` to the end of the `config setup` section, indented by two spaces. Save the file and run `service ipsec restart`. When finished, you can run `ipsec status` to verify that only the `ikev2-cp` connection is enabled.
|
||||||
|
|
||||||
### Modify IPTables rules
|
### Modify IPTables rules
|
||||||
|
|
||||||
If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
|
If you want to modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server.
|
||||||
|
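Review bot: the heading and TOC entry read "IKEv2 only VPN" while the body text and the commit message say "IKEv2-only VPN"; pick one spelling (the hyphenated form is the one used in the prose) since the `#ikev2-only-vpn` anchor is the same either way. The same rollback gap as in README-zh.md applies here: after "Save the file and run `service ipsec restart`", state that removing `ikev1-policy=drop` and restarting once more re-enables IKEv1 for IPsec/L2TP and IPsec/XAuth clients, so an operator who locks out existing users knows how to recover. A fenced example of the finished `config setup` section with `  ikev1-policy=drop` as its last line would make the two-space indentation requirement easier to follow than prose alone.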