Update docs
- Improve IKEv2 docs. The strongSwan Android VPN client requires an "IP address" in the VPN server certificate's subjectAltName field in addition to "DNS name", when connecting using the server's IP. The certutil commands have been updated to add this field.
- Other improvements to docs
This commit is contained in:
parent
c8d8730fd0
commit
8c0940f63b
16
README-zh.md
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)
|
[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md)
|
||||||
|
|
||||||
使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需要提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。
|
使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。
|
||||||
|
|
||||||
IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。
|
IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。
|
||||||
|
|
||||||
@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
|
|||||||
|
|
||||||
## 快速开始
|
## 快速开始
|
||||||
|
|
||||||
首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS,Debian 8 或者 CentOS 7/6 系统。
|
首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 8 或者 CentOS 7/6 系统。
|
||||||
|
|
||||||
使用以下命令快速搭建 IPsec VPN 服务器:
|
使用以下命令快速搭建 IPsec VPN 服务器:
|
||||||
|
|
||||||
@ -36,11 +36,11 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时
|
|||||||
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
对于 CentOS 系统,将上面的 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos`。
|
如果使用 CentOS,请将上面的地址换成 `https://git.io/vpnsetup-centos`。
|
||||||
|
|
||||||
你的 VPN 登录凭证将会被自动随机生成,并在安装完成后在屏幕上显示。
|
你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。
|
||||||
|
|
||||||
如需了解其它安装选项,以及如何配置 VPN 客户端,请阅读以下部分。
|
如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。
|
||||||
|
|
||||||
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
|
\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。
|
||||||
|
|
||||||
@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
|||||||
|
|
||||||
一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行<a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">另一个脚本</a>。 OpenVZ VPS 不受支持,用户可以尝试使用 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>。
|
一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行<a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">另一个脚本</a>。 OpenVZ VPS 不受支持,用户可以尝试使用 <a href="https://shadowsocks.org" target="_blank">Shadowsocks</a> 或者 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>。
|
||||||
|
|
||||||
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.rackspace.com" target="_blank">Rackspace</a> 和 <a href="http://vcloud.vmware.com" target="_blank">VMware vCloud Air</a>。
|
这也包括各种公共云服务中的 Linux 虚拟机,比如 <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a> 和 <a href="https://www.rackspace.com" target="_blank">Rackspace</a>。
|
||||||
|
|
||||||
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="azure/README-zh.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
@ -111,8 +111,6 @@ VPN_USER='你的VPN用户名' \
|
|||||||
VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">分步指南</a>,由 Tony Tran 编写。
|
|
||||||
|
|
||||||
**注:** 如果无法通过 `wget` 下载,你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。
|
**注:** 如果无法通过 `wget` 下载,你也可以打开 <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (或者 <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。
|
||||||
|
|
||||||
### CentOS & RHEL
|
### CentOS & RHEL
|
||||||
@ -128,7 +126,7 @@ DigitalOcean 用户可以参考这个<a href="https://usefulpcguide.com/17318/cr
|
|||||||
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
|
<a href="docs/clients-zh.md" target="_blank">配置 IPsec/L2TP VPN 客户端</a>
|
||||||
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
|
<a href="docs/clients-xauth-zh.md" target="_blank">配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端</a>
|
||||||
|
|
||||||
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 7 和更新版本</a>
|
<a href="docs/ikev2-howto-zh.md" target="_blank">如何配置 IKEv2 VPN: Windows 和 Android</a>
|
||||||
|
|
||||||
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
如果在连接过程中遇到错误,请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。
|
||||||
|
|
||||||
|
10
README.md
10
README.md
@ -36,7 +36,7 @@ Use this one-liner to set up an IPsec VPN server:
|
|||||||
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
If using CentOS, replace `https://git.io/vpnsetup` above with `https://git.io/vpnsetup-centos`.
|
If using CentOS, replace the link above with `https://git.io/vpnsetup-centos`.
|
||||||
|
|
||||||
Your VPN login details will be randomly generated, and displayed on the screen when finished.
|
Your VPN login details will be randomly generated, and displayed on the screen when finished.
|
||||||
|
|
||||||
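Review bot: "replace the link above" instead of naming `https://git.io/vpnsetup` is fine, since the one-liner contains a single URL, but the command it points at still fetches a script through a URL shortener and hands the result straight to `sudo sh`. While this paragraph is being reworded, consider adding one sentence recommending that users open the downloaded `vpnsetup.sh` (or `vpnsetup_centos.sh`) and review it before running it; the `**Note:**` paragraph later in this file already explains how to obtain the raw file, so the advice costs little and applies to both variants.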
@ -63,13 +63,13 @@ A newly created <a href="https://aws.amazon.com/ec2/" target="_blank">Amazon EC2
|
|||||||
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
|
- <a href="https://aws.amazon.com/marketplace/pp/B00O7WM7QW" target="_blank">CentOS 7 (x86_64) with Updates</a>
|
||||||
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
|
- <a href="https://aws.amazon.com/marketplace/pp/B00NQAYLWO" target="_blank">CentOS 6 (x86_64) with Updates</a>
|
||||||
|
|
||||||
Please refer to <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>.
|
Please see <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/#vpnsetup" target="_blank">detailed instructions</a> and <a href="https://aws.amazon.com/ec2/pricing/" target="_blank">EC2 pricing</a>.
|
||||||
|
|
||||||
**-OR-**
|
**-OR-**
|
||||||
|
|
||||||
A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with <a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">this workaround</a>. OpenVZ VPS is NOT supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>.
|
A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with <a href="extras/vpnsetup-debian-7-workaround.sh" target="_blank">this workaround</a>. OpenVZ VPS is NOT supported, users could instead try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>.
|
||||||
|
|
||||||
This also includes Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a>, <a href="https://www.rackspace.com" target="_blank">Rackspace</a> and <a href="http://vcloud.vmware.com" target="_blank">VMware vCloud Air</a>.
|
These also include Linux VMs in public clouds, such as <a href="https://blog.ls20.com/digitalocean" target="_blank">DigitalOcean</a>, <a href="https://blog.ls20.com/vultr" target="_blank">Vultr</a>, <a href="https://blog.ls20.com/linode" target="_blank">Linode</a>, <a href="https://cloud.google.com/compute/" target="_blank">Google Compute Engine</a>, <a href="https://amazonlightsail.com" target="_blank">Amazon Lightsail</a>, <a href="https://azure.microsoft.com" target="_blank">Microsoft Azure</a>, <a href="http://www.softlayer.com/" target="_blank">IBM SoftLayer</a> and <a href="https://www.rackspace.com" target="_blank">Rackspace</a>.
|
||||||
|
|
||||||
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
<a href="azure/README.md" target="_blank"><img src="docs/images/azure-deploy-button.png" alt="Deploy to Azure" /></a> <a href="http://dovpn.carlfriess.com/" target="_blank"><img src="docs/images/do-install-button.png" alt="Install on DigitalOcean" /></a> <a href="https://www.linode.com/stackscripts/view/37239" target="_blank"><img src="docs/images/linode-deploy-button.png" alt="Deploy to Linode" /></a>
|
||||||
|
|
||||||
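Review bot: "These also include Linux VMs" has no plural antecedent. The preceding paragraph describes "A dedicated server or Virtual Private Server (VPS)", so the original "This also includes" read correctly and the change introduces a number mismatch. Suggest reverting to "This also includes", or rewriting as "Supported servers also include Linux VMs in public clouds, such as ...". The removal of VMware vCloud Air is mirrored in README-zh.md, so the two cloud lists stay in sync.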
@ -111,8 +111,6 @@ VPN_USER='your_vpn_username' \
|
|||||||
VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
|
VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
DigitalOcean users may refer to this <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" target="_blank">step-by-step guide</a> by Tony Tran.
|
|
||||||
|
|
||||||
**Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
|
**Note:** If unable to download via `wget`, you may also open <a href="vpnsetup.sh" target="_blank">vpnsetup.sh</a> (or <a href="vpnsetup_centos.sh" target="_blank">vpnsetup_centos.sh</a>) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
|
||||||
|
|
||||||
### CentOS & RHEL
|
### CentOS & RHEL
|
||||||
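Review bot: dropping the DigitalOcean step-by-step guide by Tony Tran is not covered by the commit message ("Other improvements to docs"), and the same guide is still linked from docs/clients.md (the hunk header for that file quotes `An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" ...`). If the link is being retired because it is out of date, remove it there as well; if it is still useful, state why it leaves the README. README-zh.md receives the same removal, so at least the two READMEs agree with each other.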
@ -128,7 +126,7 @@ Get your computer or device to use the VPN. Please refer to:
|
|||||||
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
|
<a href="docs/clients.md" target="_blank">Configure IPsec/L2TP VPN Clients</a>
|
||||||
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
|
<a href="docs/clients-xauth.md" target="_blank">Configure IPsec/XAuth ("Cisco IPsec") VPN Clients</a>
|
||||||
|
|
||||||
<a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows 7 and newer</a>
|
<a href="docs/ikev2-howto.md" target="_blank">How-To: IKEv2 VPN for Windows and Android</a>
|
||||||
|
|
||||||
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
|
||||||
|
|
||||||
|
@ -22,6 +22,7 @@
|
|||||||
* [Windows 错误 628](#windows-错误-628)
|
* [Windows 错误 628](#windows-错误-628)
|
||||||
* [Android 6 and 7](#android-6-and-7)
|
* [Android 6 and 7](#android-6-and-7)
|
||||||
* [其它错误](#其它错误)
|
* [其它错误](#其它错误)
|
||||||
|
* [额外的步骤](#额外的步骤)
|
||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
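Review bot: with the new `额外的步骤` entry this table of contents is entirely Chinese except for `* [Android 6 and 7](#android-6-and-7)`. If that heading is translated in a follow-up, the `#android-6-and-7` anchor changes with it, so either translate the entry and its heading together or leave both in English deliberately; a half-translated pair would break the link.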
@ -162,7 +163,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
|
|||||||
|
|
||||||
要配置 VPN 客户端,首先安装以下软件包:
|
要配置 VPN 客户端,首先安装以下软件包:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y install strongswan xl2tpd
|
apt-get -y install strongswan xl2tpd
|
||||||
@ -177,7 +178,7 @@ yum -y install strongswan xl2tpd
|
|||||||
|
|
||||||
创建 VPN 变量 (替换为你自己的值):
|
创建 VPN 变量 (替换为你自己的值):
|
||||||
|
|
||||||
```
|
```bash
|
||||||
VPN_SERVER_IP='your_vpn_server_ip'
|
VPN_SERVER_IP='your_vpn_server_ip'
|
||||||
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
|
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
|
||||||
VPN_USER='your_vpn_username'
|
VPN_USER='your_vpn_username'
|
||||||
@ -185,7 +186,7 @@ VPN_PASSWORD='your_vpn_password'
|
|||||||
```
|
```
|
||||||
|
|
||||||
配置 strongSwan:
|
配置 strongSwan:
|
||||||
```
|
```bash
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
# ipsec.conf - strongSwan IPsec configuration file
|
# ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
@ -234,7 +235,7 @@ ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
|
|||||||
```
|
```
|
||||||
|
|
||||||
配置 xl2tpd:
|
配置 xl2tpd:
|
||||||
```
|
```bash
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
[lac myvpn]
|
[lac myvpn]
|
||||||
lns = $VPN_SERVER_IP
|
lns = $VPN_SERVER_IP
|
||||||
@ -266,19 +267,19 @@ chmod 600 /etc/ppp/options.l2tpd.client
|
|||||||
至此 VPN 客户端配置已完成。按照下面的步骤进行连接。
|
至此 VPN 客户端配置已完成。按照下面的步骤进行连接。
|
||||||
|
|
||||||
创建 xl2tpd 控制文件:
|
创建 xl2tpd 控制文件:
|
||||||
```
|
```bash
|
||||||
mkdir -p /var/run/xl2tpd
|
mkdir -p /var/run/xl2tpd
|
||||||
touch /var/run/xl2tpd/l2tp-control
|
touch /var/run/xl2tpd/l2tp-control
|
||||||
```
|
```
|
||||||
|
|
||||||
重启服务:
|
重启服务:
|
||||||
```
|
```bash
|
||||||
service strongswan restart
|
service strongswan restart
|
||||||
service xl2tpd restart
|
service xl2tpd restart
|
||||||
```
|
```
|
||||||
|
|
||||||
开始 IPsec 连接:
|
开始 IPsec 连接:
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
ipsec up myvpn
|
ipsec up myvpn
|
||||||
|
|
||||||
@ -287,36 +288,36 @@ strongswan up myvpn
|
|||||||
```
|
```
|
||||||
|
|
||||||
开始 L2TP 连接:
|
开始 L2TP 连接:
|
||||||
```
|
```bash
|
||||||
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
|
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
|
||||||
```
|
```
|
||||||
|
|
||||||
运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。
|
运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。
|
||||||
|
|
||||||
检查你现有的默认路由:
|
检查你现有的默认路由:
|
||||||
```
|
```bash
|
||||||
ip route
|
ip route
|
||||||
```
|
```
|
||||||
|
|
||||||
在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。
|
在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。
|
||||||
|
|
||||||
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
|
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
|
||||||
```
|
```bash
|
||||||
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看):
|
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 <a href="https://www.ipchicken.com" target="_blank">这里</a> 查看):
|
||||||
```
|
```bash
|
||||||
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
|
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
|
||||||
```
|
```bash
|
||||||
route add default dev ppp0
|
route add default dev ppp0
|
||||||
```
|
```
|
||||||
|
|
||||||
至此 VPN 连接已成功完成。检查 VPN 是否正常工作:
|
至此 VPN 连接已成功完成。检查 VPN 是否正常工作:
|
||||||
```
|
```bash
|
||||||
wget -qO- http://ipv4.icanhazip.com; echo
|
wget -qO- http://ipv4.icanhazip.com; echo
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -324,12 +325,12 @@ wget -qO- http://ipv4.icanhazip.com; echo
|
|||||||
|
|
||||||
|
|
||||||
要停止通过 VPN 服务器发送数据:
|
要停止通过 VPN 服务器发送数据:
|
||||||
```
|
```bash
|
||||||
route del default dev ppp0
|
route del default dev ppp0
|
||||||
```
|
```
|
||||||
|
|
||||||
要断开连接:
|
要断开连接:
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
|
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
|
||||||
ipsec down myvpn
|
ipsec down myvpn
|
||||||
@ -388,19 +389,42 @@ strongswan down myvpn
|
|||||||
|
|
||||||
### 其它错误
|
### 其它错误
|
||||||
|
|
||||||
首先,你可以尝试重启 VPN 服务器上的相关服务:
|
更多的相关信息请参见以下链接:
|
||||||
```
|
|
||||||
|
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
||||||
|
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
||||||
|
* http://www.tp-link.com/en/faq-1029.html
|
||||||
|
|
||||||
|
### 额外的步骤
|
||||||
|
|
||||||
|
首先,重启 VPN 服务器上的相关服务:
|
||||||
|
```bash
|
||||||
service ipsec restart
|
service ipsec restart
|
||||||
service xl2tpd restart
|
service xl2tpd restart
|
||||||
```
|
```
|
||||||
|
|
||||||
如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。
|
如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。
|
||||||
|
|
||||||
更多的故障排除信息请参见以下链接:
|
然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。
|
||||||
|
|
||||||
https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
检查 Libreswan (IPsec) 日志是否有错误:
|
||||||
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
```bash
|
||||||
http://www.tp-link.com/en/faq-1029.html
|
# Ubuntu & Debian
|
||||||
|
grep pluto /var/log/auth.log
|
||||||
|
# CentOS & RHEL
|
||||||
|
grep pluto /var/log/secure
|
||||||
|
```
|
||||||
|
|
||||||
|
查看 IPsec VPN 服务器状态:
|
||||||
|
```bash
|
||||||
|
ipsec status
|
||||||
|
ipsec verify
|
||||||
|
```
|
||||||
|
|
||||||
|
显示当前已建立的 VPN 连接:
|
||||||
|
```bash
|
||||||
|
ipsec whack --trafficstatus
|
||||||
|
```
|
||||||
|
|
||||||
## 致谢
|
## 致谢
|
||||||
|
|
||||||
|
@ -21,7 +21,8 @@ An alternative <a href="https://usefulpcguide.com/17318/create-your-own-vpn/" ta
|
|||||||
* [Windows Error 809](#windows-error-809)
|
* [Windows Error 809](#windows-error-809)
|
||||||
* [Windows Error 628](#windows-error-628)
|
* [Windows Error 628](#windows-error-628)
|
||||||
* [Android 6 and 7](#android-6-and-7)
|
* [Android 6 and 7](#android-6-and-7)
|
||||||
* [Other Errors](#other-errors)
|
* [Other errors](#other-errors)
|
||||||
|
* [Additional steps](#additional-steps)
|
||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
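Review bot: lowercasing "Other Errors" to "Other errors" keeps the `#other-errors` anchor valid and matches the heading change further down in this file, and the new `Additional steps` entry follows the same sentence-case convention. The neighbouring `Windows Error 809` / `Windows Error 628` entries keep title case; if that is intentional because "Error 809" is the literal name shown by Windows, fine, otherwise lowercase them too for consistency (their anchors are unaffected either way).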
@ -162,7 +163,7 @@ Note: Instructions below are adapted from [the work of Peter Sanford](https://gi
|
|||||||
|
|
||||||
To set up the VPN client, first install the following packages:
|
To set up the VPN client, first install the following packages:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y install strongswan xl2tpd
|
apt-get -y install strongswan xl2tpd
|
||||||
@ -177,7 +178,7 @@ yum -y install strongswan xl2tpd
|
|||||||
|
|
||||||
Create VPN variables (replace with actual values):
|
Create VPN variables (replace with actual values):
|
||||||
|
|
||||||
```
|
```bash
|
||||||
VPN_SERVER_IP='your_vpn_server_ip'
|
VPN_SERVER_IP='your_vpn_server_ip'
|
||||||
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
|
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
|
||||||
VPN_USER='your_vpn_username'
|
VPN_USER='your_vpn_username'
|
||||||
@ -185,7 +186,7 @@ VPN_PASSWORD='your_vpn_password'
|
|||||||
```
|
```
|
||||||
|
|
||||||
Configure strongSwan:
|
Configure strongSwan:
|
||||||
```
|
```bash
|
||||||
cat > /etc/ipsec.conf <<EOF
|
cat > /etc/ipsec.conf <<EOF
|
||||||
# ipsec.conf - strongSwan IPsec configuration file
|
# ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
@ -234,7 +235,7 @@ ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
|
|||||||
```
|
```
|
||||||
|
|
||||||
Configure xl2tpd:
|
Configure xl2tpd:
|
||||||
```
|
```bash
|
||||||
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
|
||||||
[lac myvpn]
|
[lac myvpn]
|
||||||
lns = $VPN_SERVER_IP
|
lns = $VPN_SERVER_IP
|
||||||
@ -266,19 +267,19 @@ chmod 600 /etc/ppp/options.l2tpd.client
|
|||||||
The VPN client setup is now complete. Follow the steps below to connect.
|
The VPN client setup is now complete. Follow the steps below to connect.
|
||||||
|
|
||||||
Create xl2tpd control file:
|
Create xl2tpd control file:
|
||||||
```
|
```bash
|
||||||
mkdir -p /var/run/xl2tpd
|
mkdir -p /var/run/xl2tpd
|
||||||
touch /var/run/xl2tpd/l2tp-control
|
touch /var/run/xl2tpd/l2tp-control
|
||||||
```
|
```
|
||||||
|
|
||||||
Restart services:
|
Restart services:
|
||||||
```
|
```bash
|
||||||
service strongswan restart
|
service strongswan restart
|
||||||
service xl2tpd restart
|
service xl2tpd restart
|
||||||
```
|
```
|
||||||
|
|
||||||
Start the IPsec connection:
|
Start the IPsec connection:
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
ipsec up myvpn
|
ipsec up myvpn
|
||||||
|
|
||||||
@ -287,48 +288,48 @@ strongswan up myvpn
|
|||||||
```
|
```
|
||||||
|
|
||||||
Start the L2TP connection:
|
Start the L2TP connection:
|
||||||
```
|
```bash
|
||||||
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
|
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
|
||||||
```
|
```
|
||||||
|
|
||||||
Run `ifconfig` and check the output. You should now see a new interface `ppp0`.
|
Run `ifconfig` and check the output. You should now see a new interface `ppp0`.
|
||||||
|
|
||||||
Check your existing default route:
|
Check your existing default route:
|
||||||
```
|
```bash
|
||||||
ip route
|
ip route
|
||||||
```
|
```
|
||||||
|
|
||||||
Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below.
|
Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below.
|
||||||
|
|
||||||
Exclude your VPN server's IP from the new default route (replace with actual value):
|
Exclude your VPN server's IP from the new default route (replace with actual value):
|
||||||
```
|
```bash
|
||||||
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
route add YOUR_VPN_SERVER_IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>):
|
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">from here</a>):
|
||||||
```
|
```bash
|
||||||
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
|
||||||
```
|
```
|
||||||
|
|
||||||
Add a new default route to start routing traffic via the VPN server:
|
Add a new default route to start routing traffic via the VPN server:
|
||||||
```
|
```bash
|
||||||
route add default dev ppp0
|
route add default dev ppp0
|
||||||
```
|
```
|
||||||
|
|
||||||
The VPN connection is now complete. Verify that your traffic is being routed properly:
|
The VPN connection is now complete. Verify that your traffic is being routed properly:
|
||||||
```
|
```bash
|
||||||
wget -qO- http://ipv4.icanhazip.com; echo
|
wget -qO- http://ipv4.icanhazip.com; echo
|
||||||
```
|
```
|
||||||
|
|
||||||
The above command should return `Your VPN Server IP`.
|
The above command should return `Your VPN Server IP`.
|
||||||
|
|
||||||
To stop routing traffic via the VPN server:
|
To stop routing traffic via the VPN server:
|
||||||
```
|
```bash
|
||||||
route del default dev ppp0
|
route del default dev ppp0
|
||||||
```
|
```
|
||||||
|
|
||||||
To disconnect:
|
To disconnect:
|
||||||
```
|
```bash
|
||||||
# Ubuntu & Debian
|
# Ubuntu & Debian
|
||||||
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
|
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
|
||||||
ipsec down myvpn
|
ipsec down myvpn
|
||||||
@ -385,21 +386,44 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat):
|
|||||||
|
|
||||||
![Android VPN workaround](images/vpn-profile-Android.png)
|
![Android VPN workaround](images/vpn-profile-Android.png)
|
||||||
|
|
||||||
### Other Errors
|
### Other errors
|
||||||
|
|
||||||
First, you may try restarting services on the VPN server:
|
For additional information, refer to the links below:
|
||||||
```
|
|
||||||
|
* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
||||||
|
* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
||||||
|
* http://www.tp-link.com/en/faq-1029.html
|
||||||
|
|
||||||
|
### Additional steps
|
||||||
|
|
||||||
|
First, restart services on the VPN server:
|
||||||
|
```bash
|
||||||
service ipsec restart
|
service ipsec restart
|
||||||
service xl2tpd restart
|
service xl2tpd restart
|
||||||
```
|
```
|
||||||
|
|
||||||
If using Docker, run `docker restart ipsec-vpn-server`.
|
If using Docker, run `docker restart ipsec-vpn-server`.
|
||||||
|
|
||||||
For additional troubleshooting tips, refer to the links below:
|
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
|
||||||
|
|
||||||
https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
|
Check the Libreswan (IPsec) log for errors:
|
||||||
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
|
```bash
|
||||||
http://www.tp-link.com/en/faq-1029.html
|
# Ubuntu & Debian
|
||||||
|
grep pluto /var/log/auth.log
|
||||||
|
# CentOS & RHEL
|
||||||
|
grep pluto /var/log/secure
|
||||||
|
```
|
||||||
|
|
||||||
|
Check status of the IPsec VPN server:
|
||||||
|
```bash
|
||||||
|
ipsec status
|
||||||
|
ipsec verify
|
||||||
|
```
|
||||||
|
|
||||||
|
Show current established VPN connections:
|
||||||
|
```bash
|
||||||
|
ipsec whack --trafficstatus
|
||||||
|
```
|
||||||
|
|
||||||
## Credits
|
## Credits
|
||||||
|
|
||||||
|
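Review bot: the actionable steps (restart services, reboot the client, recreate the connection, read the logs) move out of "Other errors" into the new "Additional steps" section, but "Other errors" now ends with three external links and never tells the reader to keep going. Add a one-line pointer such as "If the links above do not help, see Additional steps below." The new section itself reads well: "First, restart services on the VPN server" is followed by "Then reboot your VPN client device", and the log commands (`grep pluto /var/log/auth.log` on Ubuntu/Debian, `grep pluto /var/log/secure` on CentOS/RHEL) look in the files where the Libreswan `pluto` daemon logs via syslog on those distributions, while `ipsec status`, `ipsec verify` and `ipsec whack --trafficstatus` are all Libreswan commands. The same restructuring lands in docs/clients-zh.md and should get the same pointer sentence.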
@ -1,4 +1,4 @@
|
|||||||
# 如何配置 IKEv2 VPN: Windows 7 和更新版本
|
# 如何配置 IKEv2 VPN: Windows 和 Android
|
||||||
|
|
||||||
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
||||||
|
|
||||||
@ -15,11 +15,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
- Windows 7, 8.x 和 10
|
- Windows 7, 8.x 和 10
|
||||||
- Windows Phone 8.1 及以上
|
- Windows Phone 8.1 及以上
|
||||||
- strongSwan Android VPN 客户端
|
- strongSwan Android VPN 客户端
|
||||||
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) 和 OS X (macOS)</a> <-- 请参见
|
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) 和 macOS</a> <-- 另见
|
||||||
|
|
||||||
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
|
||||||
|
|
||||||
在继续之前,请确保你已经成功地 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>。
|
在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>。
|
||||||
|
|
||||||
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
|
1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。
|
||||||
|
|
||||||
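Review bot: the new `strongSwan Android VPN 客户端` bullet is the reason for the certificate change described in the commit message (the client requires an IP-address subjectAltName in addition to the DNS name when connecting by IP), but nothing in this hunk tells the reader that. Since this page is the how-to, add a short note next to the bullet, or at the certificate step, that the server certificate must carry the server IP as a SAN for this client; readers who generated a certificate with the previous instructions will otherwise not know why the Android client rejects it. The "OS X (macOS)" → "macOS" and "请参见" → "另见" edits are fine.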
@ -63,14 +63,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
还需要在该文件中添加一行,根据 Libreswan 的版本而不同。请运行以下命令:
|
还需要在该文件中添加一行,首先查看你的 Libreswan 版本:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then
|
$ ipsec --version
|
||||||
echo " encapsulation=yes" >> /etc/ipsec.conf
|
```
|
||||||
else
|
|
||||||
echo " forceencaps=yes" >> /etc/ipsec.conf
|
对于 Libreswan 3.19 或以上版本,请运行:
|
||||||
fi
|
|
||||||
|
```bash
|
||||||
|
$ echo " encapsulation=yes" >> /etc/ipsec.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
对于 Libreswan 3.18 或以下版本,请运行:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ echo " forceencaps=yes" >> /etc/ipsec.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
|
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
|
||||||
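Review bot: replacing the conditional improves correctness, not just readability. The old test `ipsec --version | grep -qs -F "3.19"` matched only the literal string "3.19", so any later release (3.20 and up) would have fallen into the `else` branch and received `forceencaps=yes`, the option meant for 3.18 and below. The new text states the rule correctly ("3.19 或以上" / "3.18 或以下"). Two small points: the old command used the absolute path `/usr/local/sbin/ipsec` whereas the new one relies on `ipsec` being on `root`'s PATH, so confirm that holds after the install script has run; and since the reader now has to choose the right `echo` line by hand, it may be worth keeping a corrected one-liner (a numeric version comparison rather than a fixed-string grep) as an alternative for scripted setups.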
@ -100,7 +108,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
Is this a critical extension [y/N]?
|
Is this a critical extension [y/N]?
|
||||||
N
|
N
|
||||||
|
|
||||||
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
|
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
|
||||||
|
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
||||||
|
|
||||||
A random seed must be generated that will be used in the
|
A random seed must be generated that will be used in the
|
||||||
creation of your key. One of the easiest ways to create a
|
creation of your key. One of the easiest ways to create a
|
||||||
@ -116,64 +125,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
Finished. Press enter to continue:
|
Finished. Press enter to continue:
|
||||||
|
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 2
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
```
|
```
|
||||||
|
|
||||||
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
|
1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
|
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
|
||||||
|
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||||
|
|
||||||
A random seed must be generated that will be used in the
|
A random seed must be generated that will be used in the
|
||||||
creation of your key. One of the easiest ways to create a
|
creation of your key. One of the easiest ways to create a
|
||||||
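Review bot: the client certificate command now passes `--extKeyUsage serverAuth,clientAuth`, which preserves what the removed interactive transcript chose (`> 0` then `> 1`), but it means every exported `vpnclient.p12` also carries the serverAuth EKU and is therefore acceptable as a server certificate to any peer that trusts `Example CA`. Unless a specific client platform is known to require serverAuth on its own certificate, `clientAuth` alone is the least-privilege choice; if a platform does need it, say which one. Minor: the server certificate uses `--extSAN` while the client still uses `-8 "vpnclient"`; one form for both makes the commands easier to compare.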
@ -190,68 +148,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 2
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 1
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
|
|
||||||
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
||||||
|
|
||||||
Enter password for PKCS12 file:
|
Enter password for PKCS12 file:
|
||||||
@ -259,7 +155,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||||
```
|
```
|
||||||
|
|
||||||
可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。
|
重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。请注意,如果你需要同时连接多个客户端,则必须为每个客户端生成唯一的证书。
|
||||||
|
|
||||||
1. 证书数据库现在应该包含以下内容:
|
1. 证书数据库现在应该包含以下内容:
|
||||||
|
|
||||||
@ -274,7 +170,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
vpnclient u,u,u
|
vpnclient u,u,u
|
||||||
```
|
```
|
||||||
|
|
||||||
注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。
|
注:如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 <a href="http://manpages.ubuntu.com/manpages/zesty/man1/certutil.1.html" target="_blank">这里</a>。
|
||||||
|
|
||||||
1. 重启 IPsec 服务:
|
1. 重启 IPsec 服务:
|
||||||
|
|
||||||
@ -286,34 +182,38 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
|
|
||||||
#### Windows 7, 8.x 和 10
|
#### Windows 7, 8.x 和 10
|
||||||
|
|
||||||
将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
|
1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
|
||||||
|
|
||||||
详细的操作步骤:
|
请按照以下链接的步骤操作:
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
|
||||||
|
|
||||||
在 Windows 计算机上添加一个新的 IKEv2 VPN 连接:
|
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接:
|
||||||
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
|
||||||
|
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
|
1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN!
|
||||||
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
|
||||||
|
|
||||||
启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN!
|
1. (可选步骤) 如需启用更安全的加密方式,可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。
|
||||||
|
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
|
#### Android 4.x 和更新版本
|
||||||
|
|
||||||
(可选步骤) 如需启用更安全的加密方式,可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。
|
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a>。
|
||||||
|
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。
|
||||||
|
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。
|
||||||
|
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。
|
||||||
|
1. 单击添加一个 **User certificate**,然后单击 **Install**。
|
||||||
|
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
|
||||||
|
1. 保存新的 VPN 连接,然后单击它开始连接。
|
||||||
|
|
||||||
#### Windows Phone 8.1 及以上
|
#### Windows Phone 8.1 及以上
|
||||||
|
|
||||||
首先导入 `.p12` 文件,然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。
|
首先导入 `.p12` 文件,然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。
|
||||||
|
|
||||||
#### Android 4.x 和更新版本
|
1. 连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
||||||
|
|
||||||
请参见: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
|
|
||||||
|
|
||||||
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
|
|
||||||
|
|
||||||
## 已知问题
|
## 已知问题
|
||||||
|
|
||||||
Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误,或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 <a href="clients-zh.md#故障排除" target="_blank">这个解决方案</a>。如果仍然无法解决,请使用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或者 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
|
Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试 <a href="clients-zh.md#故障排除" target="_blank">修改注册表</a>,或者换用 <a href="clients-zh.md" target="_blank">IPsec/L2TP</a> 或 <a href="clients-xauth-zh.md" target="_blank">IPsec/XAuth</a> 模式连接。
|
||||||
|
|
||||||
## 参考链接
|
## 参考链接
|
||||||
|
|
||||||
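Review bot: the new Android step "在 **Server** 字段中输入 `你的 VPN 服务器 IP`" only works together with the certificate step earlier in this file because `--extSAN` now contains `ip:$PUBLIC_IP`; add a sentence that whatever is entered in **Server** must appear in the server certificate's subjectAltName, so a reader who connects by hostname instead needs a `dns:` entry for that hostname. In 已知问题, the rewrite collapses the concrete symptom "可能在连接后无法打开任何网站" into "其它连接问题"; the concrete symptom is what users actually observe and is the cue to try the registry fix, so keep it.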
@ -321,3 +221,4 @@ Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。
|
|||||||
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
|
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
|
||||||
* https://libreswan.org/man/ipsec.conf.5.html
|
* https://libreswan.org/man/ipsec.conf.5.html
|
||||||
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
|
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
|
||||||
|
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
# How-To: IKEv2 VPN for Windows 7 and newer
|
# How-To: IKEv2 VPN for Windows and Android
|
||||||
|
|
||||||
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
**IMPORTANT:** This guide is for **Advanced Users** ONLY. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>.
|
**IMPORTANT:** This guide is for **advanced users** only. Other users please use <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a>.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -15,7 +15,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
|
|||||||
- Windows 7, 8.x and 10
|
- Windows 7, 8.x and 10
|
||||||
- Windows Phone 8.1 and above
|
- Windows Phone 8.1 and above
|
||||||
- strongSwan Android VPN client
|
- strongSwan Android VPN client
|
||||||
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) and OS X (macOS)</a> <-- See link
|
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) and macOS</a> <-- See also
|
||||||
|
|
||||||
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
|
||||||
|
|
||||||
@ -63,14 +63,22 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
We need to add one more line to that file, based on your Libreswan version. Please run command:
|
We need to add one more line to that file. First check your Libreswan version:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then
|
$ ipsec --version
|
||||||
echo " encapsulation=yes" >> /etc/ipsec.conf
|
```
|
||||||
else
|
|
||||||
echo " forceencaps=yes" >> /etc/ipsec.conf
|
For Libreswan 3.19 and newer, run command:
|
||||||
fi
|
|
||||||
|
```bash
|
||||||
|
$ echo " encapsulation=yes" >> /etc/ipsec.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
For Libreswan 3.18 and older, run command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ echo " forceencaps=yes" >> /etc/ipsec.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Generate Certificate Authority (CA) and VPN server certificates:
|
1. Generate Certificate Authority (CA) and VPN server certificates:
|
||||||
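Review bot: both replacement commands use `>> /etc/ipsec.conf`, so the option is appended at the end of the file and only belongs to the `conn` block if the heredoc ended by `EOF` above is the last section in the file; running the command twice, or running the 3.19 command and then the 3.18 one after a misread version, leaves duplicate or contradictory `encapsulation=` / `forceencaps=` lines with no error. Suggest stating that exactly one of the two lines must end up in the file and adding a quick check such as `grep -n encaps /etc/ipsec.conf`. Dropping the old `if ... grep -qs -F "3.19"` test is right, because a fixed-string match on "3.19" would have put 3.20 and newer on the `forceencaps` branch, but note the old line called `/usr/local/sbin/ipsec` while the new one calls bare `ipsec`; that only works if `/usr/local/sbin` is on root's PATH.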
@ -100,7 +108,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
Is this a critical extension [y/N]?
|
Is this a critical extension [y/N]?
|
||||||
N
|
N
|
||||||
|
|
||||||
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
|
$ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
|
||||||
|
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
|
||||||
|
|
||||||
A random seed must be generated that will be used in the
|
A random seed must be generated that will be used in the
|
||||||
creation of your key. One of the easiest ways to create a
|
creation of your key. One of the easiest ways to create a
|
||||||
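Review bot: `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` places the IP literal in an iPAddress entry and also in a dNSName entry; an IP address is not a valid dNSName under RFC 5280, and the `ip:` entry is the one the strongSwan Android client needs per the commit message, so the text should say why the `dns:` entry is kept (which client still matches on it) or drop it. Also, `--keyUsage`, `--extKeyUsage` and `--extSAN` are long options that older `certutil` builds do not accept, whereas the removed `-1 -6 -8` form was available everywhere; state the minimum NSS version, or keep the interactive form as a fallback for the oldest distribution this project supports.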
@ -116,64 +125,13 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
Finished. Press enter to continue:
|
Finished. Press enter to continue:
|
||||||
|
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 2
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
|
1. Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient"
|
$ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \
|
||||||
|
--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
|
||||||
|
|
||||||
A random seed must be generated that will be used in the
|
A random seed must be generated that will be used in the
|
||||||
creation of your key. One of the easiest ways to create a
|
creation of your key. One of the easiest ways to create a
|
||||||
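Review bot: `--extKeyUsage serverAuth,clientAuth` on the client certificate keeps what the deleted interactive transcript selected (`> 0` Server Auth, then `> 1` Client Auth), but the effect is that every `vpnclient.p12` handed out is also a valid server certificate for any peer that trusts `Example CA`. Least privilege suggests `clientAuth` alone unless a client platform is known to reject its own certificate without serverAuth; if one does, name it in the text. Minor consistency point: the server certificate now uses `--extSAN` while the client certificate still uses `-8 "vpnclient"`; using one form for both makes the two commands easier to read side by side.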
@ -190,68 +148,6 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
|
|
||||||
Generating key. This may take a few moments...
|
Generating key. This may take a few moments...
|
||||||
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 2
|
|
||||||
0 - Digital Signature
|
|
||||||
1 - Non-repudiation
|
|
||||||
2 - Key encipherment
|
|
||||||
3 - Data encipherment
|
|
||||||
4 - Key agreement
|
|
||||||
5 - Cert signing key
|
|
||||||
6 - CRL signing key
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 0
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 1
|
|
||||||
0 - Server Auth
|
|
||||||
1 - Client Auth
|
|
||||||
2 - Code Signing
|
|
||||||
3 - Email Protection
|
|
||||||
4 - Timestamp
|
|
||||||
5 - OCSP Responder
|
|
||||||
6 - Step-up
|
|
||||||
7 - Microsoft Trust List Signing
|
|
||||||
Other to finish
|
|
||||||
> 8
|
|
||||||
Is this a critical extension [y/N]?
|
|
||||||
N
|
|
||||||
|
|
||||||
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
$ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
|
||||||
|
|
||||||
Enter password for PKCS12 file:
|
Enter password for PKCS12 file:
|
||||||
@ -259,7 +155,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||||
```
|
```
|
||||||
|
|
||||||
Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc.
|
Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc. Please note: If you wish to connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
|
||||||
|
|
||||||
1. The database should now contain:
|
1. The database should now contain:
|
||||||
|
|
||||||
@ -274,7 +170,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
vpnclient u,u,u
|
vpnclient u,u,u
|
||||||
```
|
```
|
||||||
|
|
||||||
Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`.
|
Note: To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete it, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/zesty/man1/certutil.1.html" target="_blank">this page</a>.
|
||||||
|
|
||||||
1. Restart IPsec service:
|
1. Restart IPsec service:
|
||||||
|
|
||||||
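Review bot: the new `certutil` documentation link points at `manpages.ubuntu.com/manpages/zesty/...`; release-named manpage paths stop resolving once that release is retired, so prefer a release-independent URL (the NSS project's own certutil page, or a manpages URL that does not embed the release codename).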
@ -286,34 +182,38 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
|
|
||||||
#### Windows 7, 8.x and 10
|
#### Windows 7, 8.x and 10
|
||||||
|
|
||||||
Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
|
1. Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
|
||||||
|
|
||||||
Detailed instructions:
|
Follow the instructions at this link:
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
|
||||||
|
|
||||||
On the Windows computer, add a new IKEv2 VPN connection:
|
1. On the Windows computer, add a new IKEv2 VPN connection:
|
||||||
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
|
||||||
|
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
|
1. Start the new IKEv2 VPN connection, and enjoy your VPN!
|
||||||
|
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
|
||||||
|
|
||||||
Start the new IKEv2 VPN connection, and enjoy your own VPN!
|
1. (Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot.
|
||||||
|
|
||||||
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
|
#### Android 4.x and newer
|
||||||
|
|
||||||
(Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot.
|
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
|
||||||
|
1. Launch the VPN client and tap **Add VPN Profile**.
|
||||||
|
1. Enter `Your VPN Server IP` in the **Server** field.
|
||||||
|
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
|
||||||
|
1. Tap to add a **User certificate**, then tap **Install**.
|
||||||
|
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
|
||||||
|
1. Save the new VPN connection, then tap to connect.
|
||||||
|
|
||||||
#### Windows Phone 8.1 and above
|
#### Windows Phone 8.1 and above
|
||||||
|
|
||||||
First import the `.p12` file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN.
|
First import the `.p12` file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN.
|
||||||
|
|
||||||
#### Android 4.x and newer
|
1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
|
||||||
|
|
||||||
Please refer to: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
|
|
||||||
|
|
||||||
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
|
|
||||||
|
|
||||||
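Review bot: Android step 3, "Enter `Your VPN Server IP` in the **Server** field", only works because the certificate step earlier in the file now emits `--extSAN "ip:$PUBLIC_IP,..."`; add one sentence saying the value typed in **Server** must appear in the server certificate's subjectAltName, so anyone who connects by hostname instead must issue the certificate with a `dns:` entry for that hostname. In Known Issues, "or you may be unable to open any website after connecting" was replaced by "or have other issues"; the concrete symptom is what users observe and is the cue for the registry fix, so keep it.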
## Known Issues
|
## Known Issues
|
||||||
|
|
||||||
The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail, or you may be unable to open any website after connecting. If this happens, first try <a href="clients.md#troubleshooting" target="_blank">this workaround</a>. If it doesn't work, please connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode instead.
|
The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try <a href="clients.md#troubleshooting" target="_blank">this registry fix</a>, or connect using <a href="clients.md" target="_blank">IPsec/L2TP</a> or <a href="clients-xauth.md" target="_blank">IPsec/XAuth</a> mode instead.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
@ -321,3 +221,4 @@ The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentat
|
|||||||
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
|
* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
|
||||||
* https://libreswan.org/man/ipsec.conf.5.html
|
* https://libreswan.org/man/ipsec.conf.5.html
|
||||||
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
|
* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
|
||||||
|
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
|
||||||
|
@ -35,4 +35,9 @@
|
|||||||
openssl passwd -1 "<VPN Password 1>"
|
openssl passwd -1 "<VPN Password 1>"
|
||||||
```
|
```
|
||||||
|
|
||||||
在完成修改之后,重启你的服务器。
|
在完成后,需要重启服务:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
service ipsec restart
|
||||||
|
service xl2tpd restart
|
||||||
|
```
|
||||||
|
@ -35,4 +35,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t
|
|||||||
openssl passwd -1 "<VPN Password 1>"
|
openssl passwd -1 "<VPN Password 1>"
|
||||||
```
|
```
|
||||||
|
|
||||||
When finished making changes, reboot your server.
|
When finished, restart services:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
service ipsec restart
|
||||||
|
service xl2tpd restart
|
||||||
|
```
|
||||||
|
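Review bot: `service ipsec restart` tears down every active tunnel, which is a noticeable side effect of what used to be a reboot but is still worth one sentence of warning in both language versions; where only `/etc/ipsec.secrets` changed, Libreswan's `ipsec auto --rereadsecrets` reloads the secrets without dropping sessions, so consider offering it as the lighter option (verify on the Libreswan version the script installs).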
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
## 第一步
|
## 第一步
|
||||||
|
|
||||||
```
|
```bash
|
||||||
service ipsec stop
|
service ipsec stop
|
||||||
service xl2tpd stop
|
service xl2tpd stop
|
||||||
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
|
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
|
||||||
@ -69,7 +69,7 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \
|
|||||||
|
|
||||||
要快速删除,可以复制并粘贴以下命令:
|
要快速删除,可以复制并粘贴以下命令:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
|
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
|
||||||
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
|
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
|
||||||
rm -rf /etc/ipsec.d /etc/xl2tpd
|
rm -rf /etc/ipsec.d /etc/xl2tpd
|
||||||
|
@ -15,7 +15,7 @@ Follow these steps to remove the VPN. Commands must be run as `root`, or with `s
|
|||||||
|
|
||||||
## First step
|
## First step
|
||||||
|
|
||||||
```
|
```bash
|
||||||
service ipsec stop
|
service ipsec stop
|
||||||
service xl2tpd stop
|
service xl2tpd stop
|
||||||
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
|
rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec
|
||||||
@ -69,7 +69,7 @@ Remove these config files:
|
|||||||
|
|
||||||
Copy and paste for fast removal:
|
Copy and paste for fast removal:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
|
rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \
|
||||||
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
|
/etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto
|
||||||
rm -rf /etc/ipsec.d /etc/xl2tpd
|
rm -rf /etc/ipsec.d /etc/xl2tpd
|
||||||
|