From 8c0940f63b9d23191d014eee4a894dc8077093bb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 5 Feb 2017 14:48:11 -0600 Subject: [PATCH] Update docs - Improve IKEv2 docs. The strongSwan Android VPN client requires an "IP address" in the VPN server certificate's subjectAltName field in addition to "DNS name", when connecting using the server's IP. The certutil commands have been updated to add this field. - Other improvements to docs --- README-zh.md | 16 ++-- README.md | 10 +-- docs/clients-zh.md | 66 ++++++++++----- docs/clients.md | 70 ++++++++++----- docs/ikev2-howto-zh.md | 183 +++++++++------------------------------- docs/ikev2-howto.md | 183 +++++++++------------------------------- docs/manage-users-zh.md | 7 +- docs/manage-users.md | 7 +- docs/uninstall-zh.md | 4 +- docs/uninstall.md | 4 +- 10 files changed, 203 insertions(+), 347 deletions(-) diff --git a/README-zh.md b/README-zh.md index dcafb0f..039ff83 100644 --- a/README-zh.md +++ b/README-zh.md @@ -2,7 +2,7 @@ [![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) -使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需要提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 +使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 
@@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS,Debian 8 或者 CentOS 7/6 系统。 +首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 8 或者 CentOS 7/6 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -36,11 +36,11 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ``` -对于 CentOS 系统,将上面的 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos`。 +如果使用 CentOS,请将上面的地址换成 `https://git.io/vpnsetup-centos`。 -你的 VPN 登录凭证将会被自动随机生成,并在安装完成后在屏幕上显示。 +你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。 -如需了解其它安装选项,以及如何配置 VPN 客户端,请阅读以下部分。 +如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。 \* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 @@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, RackspaceVMware vCloud Air。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayerRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -111,8 +111,6 @@ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ``` -DigitalOcean 用户可以参考这个分步指南,由 Tony Tran 编写。 - **注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 ### CentOS & RHEL @@ -128,7 +126,7 @@ DigitalOcean 用户可以参考这个配置 IPsec/L2TP VPN 客户端 配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 -如何配置 IKEv2 VPN: Windows 7 和更新版本 +如何配置 IKEv2 VPN: Windows 和 Android 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index 3f99336..9ce42e2 100644 --- a/README.md +++ b/README.md 
@@ -36,7 +36,7 @@ Use this one-liner to set up an IPsec VPN server: wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ``` -If using CentOS, replace `https://git.io/vpnsetup` above with `https://git.io/vpnsetup-centos`. +If using CentOS, replace the link above with `https://git.io/vpnsetup-centos`. Your VPN login details will be randomly generated, and displayed on the screen when finished. @@ -63,13 +63,13 @@ A newly created Amazon EC2 - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates -Please refer to detailed instructions and EC2 pricing. +Please see detailed instructions and EC2 pricing. **-OR-** A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, Rackspace and VMware vCloud Air. +These also include Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode @@ -111,8 +111,6 @@ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh ``` -DigitalOcean users may refer to this step-by-step guide by Tony Tran. - **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. ### CentOS & RHEL 
@@ -128,7 +126,7 @@ Get your computer or device to use the VPN. Please refer to: Configure IPsec/L2TP VPN Clients Configure IPsec/XAuth ("Cisco IPsec") VPN Clients -How-To: IKEv2 VPN for Windows 7 and newer +How-To: IKEv2 VPN for Windows and Android If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b0f4ca4..af1efcd 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -22,6 +22,7 @@ * [Windows 错误 628](#windows-错误-628) * [Android 6 and 7](#android-6-and-7) * [其它错误](#其它错误) + * [额外的步骤](#额外的步骤) ## Windows @@ -162,7 +163,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 /var/run/xl2tpd/l2tp-control ``` 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 检查你现有的默认路由: -``` +```bash ip route ``` 在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): -``` +```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` 如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): -``` +```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: -``` +```bash route add default dev ppp0 ``` 至此 VPN 连接已成功完成。检查 VPN 是否正常工作: -``` +```bash wget -qO- http://ipv4.icanhazip.com; echo ``` @@ -324,12 +325,12 @@ wget -qO- http://ipv4.icanhazip.com; echo 要停止通过 VPN 服务器发送数据: -``` +```bash route del default dev ppp0 ``` 要断开连接: -``` +```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn 
@@ -388,19 +389,42 @@ strongswan down myvpn ### 其它错误 -首先,你可以尝试重启 VPN 服务器上的相关服务: -``` +更多的相关信息请参见以下链接: + +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* http://www.tp-link.com/en/faq-1029.html + +### 额外的步骤 + +首先,重启 VPN 服务器上的相关服务: +```bash service ipsec restart service xl2tpd restart ``` 如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 -更多的故障排除信息请参见以下链接: +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 -https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -http://www.tp-link.com/en/faq-1029.html +检查 Libreswan (IPsec) 日志是否有错误: +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +# CentOS & RHEL +grep pluto /var/log/secure +``` + +查看 IPsec VPN 服务器状态: +```bash +ipsec status +ipsec verify +``` + +显示当前已建立的 VPN 连接: +```bash +ipsec whack --trafficstatus +``` ## 致谢 diff --git a/docs/clients.md b/docs/clients.md index e89cd33..8fb47cc 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -21,7 +21,8 @@ An alternative /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf < /var/run/xl2tpd/l2tp-control ``` Run `ifconfig` and check the output. You should now see a new interface `ppp0`. Check your existing default route: -``` +```bash ip route ``` Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below. Exclude your VPN server's IP from the new default route (replace with actual value): -``` +```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP from here): -``` +```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` Add a new default route to start routing traffic via the VPN server: -``` +```bash route add default dev ppp0 ``` The VPN connection is now complete. Verify that your traffic is being routed properly: -``` +```bash wget -qO- http://ipv4.icanhazip.com; echo ``` The above command should return `Your VPN Server IP`. To stop routing traffic via the VPN server: -``` +```bash route del default dev ppp0 ``` To disconnect: -``` +```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn 
@@ -385,21 +386,44 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): ![Android VPN workaround](images/vpn-profile-Android.png) -### Other Errors +### Other errors -First, you may try restarting services on the VPN server: -``` +For additional information, refer to the links below: + +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* http://www.tp-link.com/en/faq-1029.html + +### Additional steps + +First, restart services on the VPN server: +```bash service ipsec restart service xl2tpd restart ``` If using Docker, run `docker restart ipsec-vpn-server`. -For additional troubleshooting tips, refer to the links below: +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. -https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -http://www.tp-link.com/en/faq-1029.html +Check the Libreswan (IPsec) log for errors: +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +# CentOS & RHEL +grep pluto /var/log/secure +``` + +Check status of the IPsec VPN server: +```bash +ipsec status +ipsec verify +``` + +Show current established VPN connections: +```bash +ipsec whack --trafficstatus +``` ## Credits diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9fdac8e..1972c07 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 7 和更新版本 +# 如何配置 IKEv2 VPN: Windows 和 Android *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -15,11 +15,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Windows 7, 8.x 和 10 - Windows Phone 8.1 及以上 - strongSwan Android VPN 客户端 -- iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 +- iOS (iPhone/iPad) 和 macOS <-- 另见 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 +在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 @@ -63,14 +63,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` - 还需要在该文件中添加一行,根据 Libreswan 的版本而不同。请运行以下命令: + 还需要在该文件中添加一行,首先查看你的 Libreswan 版本: ```bash - $ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then - echo " encapsulation=yes" >> /etc/ipsec.conf - else - echo " forceencaps=yes" >> /etc/ipsec.conf - fi + $ ipsec --version + ``` + + 对于 Libreswan 3.19 或以上版本,请运行: + + ```bash + $ echo " encapsulation=yes" >> /etc/ipsec.conf + ``` + + 对于 Libreswan 3.18 或以下版本,请运行: + + ```bash + $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: @@ -100,7 +108,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Is this a critical extension [y/N]? N - $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" + $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a 
@@ -116,64 +125,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Finished. Press enter to continue: Generating key. This may take a few moments... - - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 0 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 2 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 8 - Is this a critical extension [y/N]? - N - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 0 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 8 - Is this a critical extension [y/N]? - N ``` 1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: ```bash - $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" + $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a 
@@ -190,68 +148,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 0 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 2 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 8 - Is this a critical extension [y/N]? - N - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 0 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 1 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 8 - Is this a critical extension [y/N]? - N - $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d Enter password for PKCS12 file: @@ -259,7 +155,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。请注意,如果你需要同时连接多个客户端,则必须为每个客户端生成唯一的证书。 1. 证书数据库现在应该包含以下内容: 
@@ -274,7 +170,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。 + 注:如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: 
@@ -286,34 +182,38 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Windows 7, 8.x 和 10 - 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 + 1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 - 详细的操作步骤: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + 请按照以下链接的步骤操作: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: + 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + 1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN! + 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Android 4.x 和更新版本 - (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 + 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 + 1. 单击添加一个 **User certificate**,然后单击 **Install**。 + 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + 1. 保存新的 VPN 连接,然后单击它开始连接。 #### Windows Phone 8.1 及以上 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 - #### Android 4.x 和更新版本 - - 请参见: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient - - 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误,或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 模式连接。 +Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试 修改注册表,或者换用 IPsec/L2TPIPsec/XAuth 模式连接。 ## 参考链接 
@@ -321,3 +221,4 @@ Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 7788113..ff85764 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,10 +1,10 @@ -# How-To: IKEv2 VPN for Windows 7 and newer +# How-To: IKEv2 VPN for Windows and Android *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* --- -**IMPORTANT:** This guide is for **Advanced Users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. +**IMPORTANT:** This guide is for **advanced users** only. Other users please use IPsec/L2TP or IPsec/XAuth. --- @@ -15,7 +15,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Windows 7, 8.x and 10 - Windows Phone 8.1 and above - strongSwan Android VPN client -- iOS (iPhone/iPad) and OS X (macOS) <-- See link +- iOS (iPhone/iPad) and macOS <-- See also The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. @@ -63,14 +63,22 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf - else - echo " forceencaps=yes" >> /etc/ipsec.conf - fi + $ ipsec --version + ``` + + For Libreswan 3.19 and newer, run command: + + ```bash + $ echo " encapsulation=yes" >> /etc/ipsec.conf + ``` + + For Libreswan 3.18 and older, run command: + + ```bash + $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` 1. Generate Certificate Authority (CA) and VPN server certificates: @@ -100,7 +108,8 @@ Before continuing, make sure you have successfully this page. 1. Restart IPsec service: 
@@ -286,34 +182,38 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". + 1. Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". - Detailed instructions: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + Follow the instructions at this link: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - On the Windows computer, add a new IKEv2 VPN connection: + 1. On the Windows computer, add a new IKEv2 VPN connection: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + 1. Start the new IKEv2 VPN connection, and enjoy your VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - Start the new IKEv2 VPN connection, and enjoy your own VPN! + 1. (Optional) You may enable stronger ciphers by adding this registry key and reboot. - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Android 4.x and newer - (Optional) You may enable stronger ciphers by adding this registry key and reboot. + 1. Install strongSwan VPN Client from **Google Play**. + 1. Launch the VPN client and tap **Add VPN Profile**. + 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. + 1. Tap to add a **User certificate**, then tap **Install**. + 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + 1. Save the new VPN connection, then tap to connect. #### Windows Phone 8.1 and above First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. 
- #### Android 4.x and newer - - Please refer to: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient - - Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues -The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail, or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth mode instead. +The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try this registry fix, or connect using IPsec/L2TP or IPsec/XAuth mode instead. ## References @@ -321,3 +221,4 @@ The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentat * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index dc879c4..315a36c 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -35,4 +35,9 @@ openssl passwd -1 "" ``` -在完成修改之后,重启你的服务器。 +在完成后,需要重启服务: + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 5884094..fdb7dc1 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -35,4 +35,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t openssl passwd -1 "" ``` -When finished making changes, reboot your server. +When finished, restart services: + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 05788c5..3164b82 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -15,7 +15,7 @@ ## 第一步 -``` +```bash service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec @@ -69,7 +69,7 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ 要快速删除,可以复制并粘贴以下命令: -``` +```bash rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto rm -rf /etc/ipsec.d /etc/xl2tpd diff --git a/docs/uninstall.md b/docs/uninstall.md index 9da7f29..ec09d97 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -15,7 +15,7 @@ Follow these steps to remove the VPN. Commands must be run as `root`, or with `s ## First step -``` +```bash service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec @@ -69,7 +69,7 @@ Remove these config files: Copy and paste for fast removal: -``` +```bash rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto rm -rf /etc/ipsec.d /etc/xl2tpd
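Review bot: the server-certificate `certutil` command in docs/ikev2-howto.md (hunk `@@ -100,7 +108,8 @@`, same in the zh file) puts an IP literal into a dNSName entry via `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"`; RFC 5280 §4.2.1.6 reserves dNSName for host names and iPAddress for addresses, so the `dns:$PUBLIC_IP` half is non-conforming and a strict validator may ignore it. The `ip:` entry is the correct fix for the strongSwan Android client named in the commit message; if the `dns:` copy is kept on purpose because another listed client matches the typed server address against dNSName, say so in one sentence next to the command, and tell readers who connect by hostname to use `dns:<their hostname>` and enter that same name in the client, since the client only accepts the certificate when the value it connected to appears in the SAN. Separately, `--keyUsage`, `--extKeyUsage` and `--extSAN` are long-form options that older NSS builds may lack, and this hunk deletes the interactive `-1 -6 -8` transcript that was the previous fallback; state the minimum NSS/certutil version, or tell the reader to check `certutil --help | grep -e extSAN -e keyUsage` before running it.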
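Review bot: the client-certificate command in docs/ikev2-howto.md (hunk `@@ -116,64 +125,13 @@`, same in the zh file) keeps `--extKeyUsage serverAuth,clientAuth`, so every client certificate issued by "Example CA" is also valid for server authentication. A client certificate needs only `clientAuth`; unless one of the listed clients is known to require `serverAuth` on the client side, drop it, and if it must stay, add the reason to the doc so the next editor does not remove it. For consistency with the server command in the previous hunk, `-8 "vpnclient"` could be written as `--extSAN "dns:vpnclient"`.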
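Review bot: in the Libreswan version hunk of docs/ikev2-howto.md (`@@ -63,14 +63,22 @@`, same in the zh file), the removed check `grep -qs -F "3.19"` only matched a version string containing exactly "3.19", so 3.20 and later would have been given `forceencaps=yes`; the manual split at 3.19 is the right fix. Two details would make it harder to get wrong: show the line of `ipsec --version` output the reader should compare (it begins `Linux Libreswan <version>`), and say explicitly that only one of the two `echo ... >> /etc/ipsec.conf` commands is to be run, since a reader who runs both ends up with both `encapsulation=yes` and `forceencaps=yes` appended to the same `conn`.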
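Review bot: in the new "Additional steps" section of docs/clients.md (hunk `@@ -385,21 +386,44 @@`, same in the zh file), the Docker case covers only the restart (`docker restart ipsec-vpn-server`); the `grep pluto ...` commands, `ipsec status`, `ipsec verify` and `ipsec whack --trafficstatus` that follow must be run inside the container or they report on the host, so add a line such as `docker exec -it ipsec-vpn-server ipsec status` (and the same prefix for the others) after the Docker sentence.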
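Review bot: `service ipsec restart` followed by `service xl2tpd restart` in docs/manage-users.md (hunk `@@ -35,4 +35,9 @@`, same in the zh file) tears down every active IPsec SA and L2TP session, so the doc should warn that connected users are dropped. It is also more than is needed for the files this page edits: pppd reads `chap-secrets` at each connection and Libreswan reads the XAuth password file at each authentication, so a new user or password in those files takes effect without any restart, and when `/etc/ipsec.secrets` changed, `ipsec auto --rereadsecrets` reloads it without disconnecting anyone. Reserve the full restart for cases where the reader edited `ipsec.conf` or `xl2tpd.conf`.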
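Review bot: step 6 of the new Android list in docs/ikev2-howto.md (hunk `@@ -286,34 +182,38 @@`, same in the zh file), "Choose the `.p12` file you copied from the VPN server", is the point where the client's private key leaves the server, and the doc never says how to copy it; add that the file must be moved over an authenticated channel (scp/sftp or a cable, not e-mail or a public link), that the password entered at `pk12util` is the only thing protecting the key in transit, and that the exported copy should be deleted once it is imported. Step 3 ("Enter `Your VPN Server IP` in the **Server** field") should also say that this value must match an entry in the server certificate's SAN, which is why this same patch adds `ip:$PUBLIC_IP`; a reader who wants to connect by hostname then knows the server certificate has to be regenerated with that name.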
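Review bot: the Known Issues rewrite in docs/ikev2-howto.md (the last hunk before the References block, same in the zh file) drops the concrete symptom from the old text, "you may be unable to open any website after connecting", in favour of "have other issues"; the specific symptom is what a user searching the doc will recognise, so keep it. The sentence "You may try this registry fix" should also name the registry value the link sets so the step is actionable without following the link.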
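Review bot: README.md hunk `@@ -63,13 +63,13 @@` changes "This also includes Linux VMs in public clouds" to "These also include Linux VMs in public clouds", which has no plural antecedent in the surrounding text; "This includes Linux VMs in public clouds such as ..." reads correctly.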