1
0
mirror of synced 2024-11-22 21:16:02 +03:00

Update docs

- Improve IKEv2 docs. The strongSwan Android VPN client requires
  an "IP address" in the VPN server certificate's subjectAltName field
  in addition to "DNS name", when connecting using the server's IP.
  The certutil commands have been updated to add this field.
- Other improvements to docs
This commit is contained in:
hwdsl2 2017-02-05 14:48:11 -06:00
parent c8d8730fd0
commit 8c0940f63b
10 changed files with 203 additions and 347 deletions

View File

@ -2,7 +2,7 @@
[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)
使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。
IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。
@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
## 快速开始 ## 快速开始
首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTSDebian 8 或者 CentOS 7/6 系统。 首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 8 或者 CentOS 7/6 系统。
使用以下命令快速搭建 IPsec VPN 服务器: 使用以下命令快速搭建 IPsec VPN 服务器:
@ -36,11 +36,11 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
``` ```
对于 CentOS 系统,将上面的 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos` 如果使用 CentOS请将上面的地址换成 `https://git.io/vpnsetup-centos`
你的 VPN 登录凭证将会被自动随机生成,并在安装完成后在屏幕上显示 你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。
如需了解其它安装选项,以及如何配置 VPN 客户端,请阅读以下部分。 如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 \* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行<a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">另一个脚本</a>。 OpenVZ VPS 不受支持,用户可以尝试使用 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行<a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">另一个脚本</a>。 OpenVZ VPS 不受支持,用户可以尝试使用 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.rackspace.com" target="_blank">Rackspace</a><a href="http://vcloud.vmware.com" target="_blank">VMware vCloud Air</a> 这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a> <a href="https://www.rackspace.com" target="_blank">Rackspace</a>
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a> <a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
@ -111,8 +111,6 @@ VPN_USER='你的VPN用户名' \
VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
``` ```
DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">分步指南</a>,由 Tony Tran 编写。
**注:** 如果无法通过 `wget` 下载,你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 **注:** 如果无法通过 `wget` 下载,你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。
### CentOS & RHEL ### CentOS & RHEL
@ -128,7 +126,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a> <a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a> <a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 7 和更新版本</a> <a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 和 Android</a>
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a> 如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>

View File

@ -36,7 +36,7 @@ Use this one-liner to set up an IPsec VPN server:
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
``` ```
If using CentOS, replace `https://git.io/vpnsetup` above with `https://git.io/vpnsetup-centos`. If using CentOS, replace the link above with `https://git.io/vpnsetup-centos`.
Your VPN login details will be randomly generated, and displayed on the screen when finished. Your VPN login details will be randomly generated, and displayed on the screen when finished.
@ -63,13 +63,13 @@ A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a> - <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a> - <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
Please refer to <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>. Please see <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>.
**-OR-** **-OR-**
A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with <a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">this workaround</a>. OpenVZ VPS is NOT supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>. A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with <a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">this workaround</a>. OpenVZ VPS is NOT supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>.
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.rackspace.com" target="_blank">Rackspace</a> and <a href="http://vcloud.vmware.com" target="_blank">VMware vCloud Air</a>. These also include Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a> <a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
@ -111,8 +111,6 @@ VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
``` ```
DigitalOcean users may refer to this <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">step-by-step guide</a> by Tony Tran.
**Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. **Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
### CentOS & RHEL ### CentOS & RHEL
@ -128,7 +126,7 @@ Get your computer or device to use the VPN. Please refer to:
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a> <a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a> <a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
<a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows 7 and newer</a> <a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows and Android</a>
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>. If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.

View File

@ -22,6 +22,7 @@
* [Windows 错误 628](#windows-错误-628) * [Windows 错误 628](#windows-错误-628)
* [Android 6 and 7](#android-6-and-7) * [Android 6 and 7](#android-6-and-7)
* [其它错误](#其它错误) * [其它错误](#其它错误)
* [额外的步骤](#额外的步骤)
## Windows ## Windows
@ -162,7 +163,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
要配置 VPN 客户端,首先安装以下软件包: 要配置 VPN 客户端,首先安装以下软件包:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
apt-get update apt-get update
apt-get -y install strongswan xl2tpd apt-get -y install strongswan xl2tpd
@ -177,7 +178,7 @@ yum -y install strongswan xl2tpd
创建 VPN 变量 (替换为你自己的值): 创建 VPN 变量 (替换为你自己的值):
``` ```bash
VPN_SERVER_IP='your_vpn_server_ip' VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
@ -185,7 +186,7 @@ VPN_PASSWORD='your_vpn_password'
``` ```
配置 strongSwan 配置 strongSwan
``` ```bash
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file # ipsec.conf - strongSwan IPsec configuration file
@ -234,7 +235,7 @@ ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
``` ```
配置 xl2tpd 配置 xl2tpd
``` ```bash
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn] [lac myvpn]
lns = $VPN_SERVER_IP lns = $VPN_SERVER_IP
@ -266,19 +267,19 @@ chmod 600 /etc/ppp/options.l2tpd.client
至此 VPN 客户端配置已完成。按照下面的步骤进行连接。 至此 VPN 客户端配置已完成。按照下面的步骤进行连接。
创建 xl2tpd 控制文件: 创建 xl2tpd 控制文件:
``` ```bash
mkdir -p /var/run/xl2tpd mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control touch /var/run/xl2tpd/l2tp-control
``` ```
重启服务: 重启服务:
``` ```bash
service strongswan restart service strongswan restart
service xl2tpd restart service xl2tpd restart
``` ```
开始 IPsec 连接: 开始 IPsec 连接:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
ipsec up myvpn ipsec up myvpn
@ -287,36 +288,36 @@ strongswan up myvpn
``` ```
开始 L2TP 连接: 开始 L2TP 连接:
``` ```bash
echo "c myvpn" > /var/run/xl2tpd/l2tp-control echo "c myvpn" > /var/run/xl2tpd/l2tp-control
``` ```
运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0` 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`
检查你现有的默认路由: 检查你现有的默认路由:
``` ```bash
ip route ip route
``` ```
在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP并且在下面的两个命令中使用。 在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP并且在下面的两个命令中使用。
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
``` ```bash
route add YOUR_VPN_SERVER_IP gw X.X.X.X route add YOUR_VPN_SERVER_IP gw X.X.X.X
``` ```
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP以避免 SSH 会话被断开 (替换为你自己的公有 IP可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看): 如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP以避免 SSH 会话被断开 (替换为你自己的公有 IP可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看):
``` ```bash
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
``` ```
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
``` ```bash
route add default dev ppp0 route add default dev ppp0
``` ```
至此 VPN 连接已成功完成。检查 VPN 是否正常工作: 至此 VPN 连接已成功完成。检查 VPN 是否正常工作:
``` ```bash
wget -qO- http://ipv4.icanhazip.com; echo wget -qO- http://ipv4.icanhazip.com; echo
``` ```
@ -324,12 +325,12 @@ wget -qO- http://ipv4.icanhazip.com; echo
要停止通过 VPN 服务器发送数据: 要停止通过 VPN 服务器发送数据:
``` ```bash
route del default dev ppp0 route del default dev ppp0
``` ```
要断开连接: 要断开连接:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn ipsec down myvpn
@ -388,19 +389,42 @@ strongswan down myvpn
### 其它错误 ### 其它错误
首先,你可以尝试重启 VPN 服务器上的相关服务: 更多的相关信息请参见以下链接:
```
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
* http://www.tp-link.com/en/faq-1029.html
### 额外的步骤
首先,重启 VPN 服务器上的相关服务:
```bash
service ipsec restart service ipsec restart
service xl2tpd restart service xl2tpd restart
``` ```
如果你使用 Docker请运行 `docker restart ipsec-vpn-server` 如果你使用 Docker请运行 `docker restart ipsec-vpn-server`
更多的故障排除信息请参见以下链接: 然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues 检查 Libreswan (IPsec) 日志是否有错误:
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ ```bash
http://www.tp-link.com/en/faq-1029.html # Ubuntu & Debian
grep pluto /var/log/auth.log
# CentOS & RHEL
grep pluto /var/log/secure
```
查看 IPsec VPN 服务器状态:
```bash
ipsec status
ipsec verify
```
显示当前已建立的 VPN 连接:
```bash
ipsec whack --trafficstatus
```
## 致谢 ## 致谢

View File

@ -21,7 +21,8 @@ An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" ta
* [Windows Error 809](#windows-error-809) * [Windows Error 809](#windows-error-809)
* [Windows Error 628](#windows-error-628) * [Windows Error 628](#windows-error-628)
* [Android 6 and 7](#android-6-and-7) * [Android 6 and 7](#android-6-and-7)
* [Other Errors](#other-errors) * [Other errors](#other-errors)
* [Additional steps](#additional-steps)
## Windows ## Windows
@ -162,7 +163,7 @@ Note: Instructions below are adapted from [the work of Peter Sanford](https://gi
To set up the VPN client, first install the following packages: To set up the VPN client, first install the following packages:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
apt-get update apt-get update
apt-get -y install strongswan xl2tpd apt-get -y install strongswan xl2tpd
@ -177,7 +178,7 @@ yum -y install strongswan xl2tpd
Create VPN variables (replace with actual values): Create VPN variables (replace with actual values):
``` ```bash
VPN_SERVER_IP='your_vpn_server_ip' VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username' VPN_USER='your_vpn_username'
@ -185,7 +186,7 @@ VPN_PASSWORD='your_vpn_password'
``` ```
Configure strongSwan: Configure strongSwan:
``` ```bash
cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file # ipsec.conf - strongSwan IPsec configuration file
@ -234,7 +235,7 @@ ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
``` ```
Configure xl2tpd: Configure xl2tpd:
``` ```bash
cat > /etc/xl2tpd/xl2tpd.conf <<EOF cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn] [lac myvpn]
lns = $VPN_SERVER_IP lns = $VPN_SERVER_IP
@ -266,19 +267,19 @@ chmod 600 /etc/ppp/options.l2tpd.client
The VPN client setup is now complete. Follow the steps below to connect. The VPN client setup is now complete. Follow the steps below to connect.
Create xl2tpd control file: Create xl2tpd control file:
``` ```bash
mkdir -p /var/run/xl2tpd mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control touch /var/run/xl2tpd/l2tp-control
``` ```
Restart services: Restart services:
``` ```bash
service strongswan restart service strongswan restart
service xl2tpd restart service xl2tpd restart
``` ```
Start the IPsec connection: Start the IPsec connection:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
ipsec up myvpn ipsec up myvpn
@ -287,48 +288,48 @@ strongswan up myvpn
``` ```
Start the L2TP connection: Start the L2TP connection:
``` ```bash
echo "c myvpn" > /var/run/xl2tpd/l2tp-control echo "c myvpn" > /var/run/xl2tpd/l2tp-control
``` ```
Run `ifconfig` and check the output. You should now see a new interface `ppp0`. Run `ifconfig` and check the output. You should now see a new interface `ppp0`.
Check your existing default route: Check your existing default route:
``` ```bash
ip route ip route
``` ```
Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below. Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below.
Exclude your VPN server's IP from the new default route (replace with actual value): Exclude your VPN server's IP from the new default route (replace with actual value):
``` ```bash
route add YOUR_VPN_SERVER_IP gw X.X.X.X route add YOUR_VPN_SERVER_IP gw X.X.X.X
``` ```
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>): If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>):
``` ```bash
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
``` ```
Add a new default route to start routing traffic via the VPN server Add a new default route to start routing traffic via the VPN server
``` ```bash
route add default dev ppp0 route add default dev ppp0
``` ```
The VPN connection is now complete. Verify that your traffic is being routed properly: The VPN connection is now complete. Verify that your traffic is being routed properly:
``` ```bash
wget -qO- http://ipv4.icanhazip.com; echo wget -qO- http://ipv4.icanhazip.com; echo
``` ```
The above command should return `Your VPN Server IP`. The above command should return `Your VPN Server IP`.
To stop routing traffic via the VPN server: To stop routing traffic via the VPN server:
``` ```bash
route del default dev ppp0 route del default dev ppp0
``` ```
To disconnect: To disconnect:
``` ```bash
# Ubuntu & Debian # Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn ipsec down myvpn
@ -385,21 +386,44 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat):
![Android VPN workaround](images/vpn-profile-Android.png) ![Android VPN workaround](images/vpn-profile-Android.png)
### Other Errors ### Other errors
First, you may try restarting services on the VPN server: For additional information, refer to the links below:
```
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
* http://www.tp-link.com/en/faq-1029.html
### Additional steps
First, restart services on the VPN server:
```bash
service ipsec restart service ipsec restart
service xl2tpd restart service xl2tpd restart
``` ```
If using Docker, run `docker restart ipsec-vpn-server`. If using Docker, run `docker restart ipsec-vpn-server`.
For additional troubleshooting tips, refer to the links below: Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues Check the Libreswan (IPsec) log for errors:
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ ```bash
http://www.tp-link.com/en/faq-1029.html # Ubuntu & Debian
grep pluto /var/log/auth.log
# CentOS & RHEL
grep pluto /var/log/secure
```
Check status of the IPsec VPN server:
```bash
ipsec status
ipsec verify
```
Show current established VPN connections:
```bash
ipsec whack --trafficstatus
```
## Credits ## Credits

View File

@ -1,4 +1,4 @@
# 如何配置 IKEv2 VPN: Windows 7 和更新版本 # 如何配置 IKEv2 VPN: Windows 和 Android
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@ -15,11 +15,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- Windows 7, 8.x 和 10 - Windows 7, 8.x 和 10
- Windows Phone 8.1 及以上 - Windows Phone 8.1 及以上
- strongSwan Android VPN 客户端 - strongSwan Android VPN 客户端
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) 和 OS X (macOS)</a> <-- 请参 - <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) 和 macOS</a> <--
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a> 在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
@ -63,14 +63,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
EOF EOF
``` ```
还需要在该文件中添加一行,根据 Libreswan 的版本而不同。请运行以下命令 还需要在该文件中添加一行,首先查看你的 Libreswan 版本
```bash ```bash
$ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then $ ipsec --version
echo " encapsulation=yes" >> /etc/ipsec.conf ```
else
echo " forceencaps=yes" >> /etc/ipsec.conf 对于 Libreswan 3.19 或以上版本,请运行:
fi
```bash
$ echo " encapsulation=yes" >> /etc/ipsec.conf
```
对于 Libreswan 3.18 或以下版本,请运行:
```bash
$ echo " forceencaps=yes" >> /etc/ipsec.conf
``` ```
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
@ -100,7 +108,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
Is this a critical extension [y/N]? Is this a critical extension [y/N]?
N N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -116,64 +125,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
Finished. Press enter to continue: Finished. Press enter to continue:
Generating key. This may take a few moments... Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
``` ```
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: 1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
```bash ```bash
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -190,68 +148,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
Generating key. This may take a few moments... Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 1
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file: Enter password for PKCS12 file:
@ -259,7 +155,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
pk12util: PKCS12 EXPORT SUCCESSFUL pk12util: PKCS12 EXPORT SUCCESSFUL
``` ```
可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。请注意,如果你需要同时连接多个客户端,则必须为每个客户端生成唯一的证书。
1. 证书数据库现在应该包含以下内容: 1. 证书数据库现在应该包含以下内容:
@ -274,7 +170,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
vpnclient u,u,u vpnclient u,u,u
``` ```
注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"` 注:如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/zesty/man1/certutil.1.html" target="_blank">这里</a>
1. 重启 IPsec 服务: 1. 重启 IPsec 服务:
@ -286,34 +182,38 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
#### Windows 7, 8.x 和 10 #### Windows 7, 8.x 和 10
`.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 1. `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
详细的操作步骤: 请按照以下链接的步骤操作:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config 1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN 1. (可选步骤) 如需启用更安全的加密方式,可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect #### Android 4.x 和更新版本
(可选步骤) 如需启用更安全的加密方式,可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。 1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a>
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**
1. 单击添加一个 **User certificate**,然后单击 **Install**
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
1. 保存新的 VPN 连接,然后单击它开始连接。
#### Windows Phone 8.1 及以上 #### Windows Phone 8.1 及以上
首先导入 `.p12` 文件,然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。 首先导入 `.p12` 文件,然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。
#### Android 4.x 和更新版本 1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
请参见: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## 已知问题 ## 已知问题
Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误,或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 <a href="clients-zh.md#故障排除" target="_blank">这个解决方案</a>。如果仍然无法解决,请使<a href="clients-zh.md" target="_blank">IPsec/L2TP</a> <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。 Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误或其它连接问题。你可以尝试 <a href="clients-zh.md#故障排除" target="_blank">修改注册表</a>,或者换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a><a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
## 参考链接 ## 参考链接
@ -321,3 +221,4 @@ Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html * https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient

View File

@ -1,10 +1,10 @@
# How-To: IKEv2 VPN for Windows 7 and newer # How-To: IKEv2 VPN for Windows and Android
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
--- ---
**IMPORTANT:** This guide is for **Advanced Users** ONLY. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>. **IMPORTANT:** This guide is for **advanced users** only. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>.
--- ---
@ -15,7 +15,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- Windows 7, 8.x and 10 - Windows 7, 8.x and 10
- Windows Phone 8.1 and above - Windows Phone 8.1 and above
- strongSwan Android VPN client - strongSwan Android VPN client
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) and OS X (macOS)</a> <-- See link - <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) and macOS</a> <-- See also
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
@ -63,14 +63,22 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
EOF EOF
``` ```
We need to add one more line to that file, based on your Libreswan version. Please run command: We need to add one more line to that file. First check your Libreswan version:
```bash ```bash
$ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then $ ipsec --version
echo " encapsulation=yes" >> /etc/ipsec.conf ```
else
echo " forceencaps=yes" >> /etc/ipsec.conf For Libreswan 3.19 and newer, run command:
fi
```bash
$ echo " encapsulation=yes" >> /etc/ipsec.conf
```
For Libreswan 3.18 and older, run command:
```bash
$ echo " forceencaps=yes" >> /etc/ipsec.conf
``` ```
1. Generate Certificate Authority (CA) and VPN server certificates: 1. Generate Certificate Authority (CA) and VPN server certificates:
@ -100,7 +108,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
Is this a critical extension [y/N]? Is this a critical extension [y/N]?
N N
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -116,64 +125,13 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
Finished. Press enter to continue: Finished. Press enter to continue:
Generating key. This may take a few moments... Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
``` ```
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate: 1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
```bash ```bash
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
A random seed must be generated that will be used in the A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a creation of your key. One of the easiest ways to create a
@ -190,68 +148,6 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
Generating key. This may take a few moments... Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
N
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 1
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
Enter password for PKCS12 file: Enter password for PKCS12 file:
@ -259,7 +155,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
pk12util: PKCS12 EXPORT SUCCESSFUL pk12util: PKCS12 EXPORT SUCCESSFUL
``` ```
Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc. Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc. Please note: If you wish to connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
1. The database should now contain: 1. The database should now contain:
@ -274,7 +170,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
vpnclient u,u,u vpnclient u,u,u
``` ```
Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`. Note: To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete it, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/zesty/man1/certutil.1.html" target="_blank">this page</a>.
1. Restart IPsec service: 1. Restart IPsec service:
@ -286,34 +182,38 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
#### Windows 7, 8.x and 10 #### Windows 7, 8.x and 10
Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". 1. Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
Detailed instructions: Follow the instructions at this link:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
On the Windows computer, add a new IKEv2 VPN connection 1. On the Windows computer, add a new IKEv2 VPN connection
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config 1. Start the new IKEv2 VPN connection, and enjoy your VPN!
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
Start the new IKEv2 VPN connection, and enjoy your own VPN! 1. (Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect #### Android 4.x and newer
(Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot. 1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
1. Launch the VPN client and tap **Add VPN Profile**.
1. Enter `Your VPN Server IP` in the **Server** field.
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
1. Tap to add a **User certificate**, then tap **Install**.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
1. Save the new VPN connection, then tap to connect.
#### Windows Phone 8.1 and above #### Windows Phone 8.1 and above
First import the `.p12` file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN. First import the `.p12` file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN.
#### Android 4.x and newer 1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Please refer to: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Known Issues ## Known Issues
The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail, or you may be unable to open any website after connecting. If this happens, first try <a href="clients.md#troubleshooting" target="_blank">this workaround</a>. If it doesn't work, please connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode instead. The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try <a href="clients.md#troubleshooting" target="_blank">this registry fix</a>, or connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode instead.
## References ## References
@ -321,3 +221,4 @@ The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentat
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
* https://libreswan.org/man/ipsec.conf.5.html * https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient

View File

@ -35,4 +35,9 @@
openssl passwd -1 "<VPN Password 1>" openssl passwd -1 "<VPN Password 1>"
``` ```
在完成修改之后,重启你的服务器。 在完成后,需要重启服务:
```bash
service ipsec restart
service xl2tpd restart
```

View File

@ -35,4 +35,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t
openssl passwd -1 "<VPN Password 1>" openssl passwd -1 "<VPN Password 1>"
``` ```
When finished making changes, reboot your server. When finished, restart services:
```bash
service ipsec restart
service xl2tpd restart
```

View File

@ -15,7 +15,7 @@
## 第一步 ## 第一步
``` ```bash
service ipsec stop service ipsec stop
service xl2tpd stop service xl2tpd stop
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
@ -69,7 +69,7 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \
要快速删除,可以复制并粘贴以下命令: 要快速删除,可以复制并粘贴以下命令:
``` ```bash
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
rm -rf /etc/ipsec.d /etc/xl2tpd rm -rf /etc/ipsec.d /etc/xl2tpd

View File

@ -15,7 +15,7 @@ Follow these steps to remove the VPN. Commands must be run as `root`, or with `s
## First step ## First step
``` ```bash
service ipsec stop service ipsec stop
service xl2tpd stop service xl2tpd stop
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
@ -69,7 +69,7 @@ Remove these config files:
Copy and paste for fast removal: Copy and paste for fast removal:
``` ```bash
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
rm -rf /etc/ipsec.d /etc/xl2tpd rm -rf /etc/ipsec.d /etc/xl2tpd