Add IKEv2 script

- Add a helper script for automatic IKEv2 setup - Update IKEv2 docs
2025-02-07 15:59:25 +03:00 · 2020-05-11 01:18:34 -05:00 · 2020-05-11 01:18:34 -05:00 · ace41ebc29
commit ace41ebc29
parent 1839943b0e
3 changed files with 341 additions and 14 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -2,11 +2,12 @@
 *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
-**重要提示：** 本指南仅适用于**高级用户**。其他用户请使用 [IPsec/L2TP](clients-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式。
+**注：** 本指南适用于**高级用户**。其他用户请使用 [IPsec/L2TP](clients-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式。
 ---
 * [导言](#导言)
-* [在 VPN 服务器上配置 IKEv2](#在-vpn-服务器上配置-ikev2)
+* [使用辅助脚本](#使用辅助脚本)
 * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
 * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
 * [已知问题](#已知问题)
 * [参考链接](#参考链接)
@ -22,11 +23,21 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
 - Android 4.x 和更新版本（使用 strongSwan VPN 客户端）
 - iOS (iPhone/iPad)
-## 在 VPN 服务器上配置 IKEv2
+## 使用辅助脚本
 **重要：** 作为使用本指南的先决条件，在继续之前，你必须确保你已经成功地 <a href="../README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>，并且（可选但推荐）将 Libreswan <a href="../README-zh.md#升级libreswan" target="_blank">升级</a> 到最新版本。
-下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
+你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2：
 ```
 wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh
 ```
 该 <a href="../extras/ikev2setup.sh" target="_blank">脚本</a> 必须使用 `bash` 而不是 `sh` 运行。按照脚本的提示配置 IKEv2。在完成之后，请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) 和 [已知问题](#已知问题)。如需为更多的客户端生成证书，请参见下一小节的第 4 步。
 ## 手动在 VPN 服务器上配置 IKEv2
 下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
 1. 获取 VPN 服务器的公共 IP 地址，将它保存到变量并检查。
@ -154,6 +165,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
 1. 生成客户端证书，然后导出 `.p12` 文件，该文件包含客户端证书，私钥以及 CA 证书。
   **注：** 如需同时连接多个客户端，则必须为每个客户端生成唯一的证书。你可以重复本步骤来为更多的客户端生成证书，但必须将所有的 `vpnclient` 换成比如 `vpnclient2`，等等。
   生成客户端证书：
   ```bash
@ -182,9 +195,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
   pk12util: PKCS12 EXPORT SUCCESSFUL
   ```
-   指定一个安全的密码以保护导出的 `.p12` 文件（在导入到 iOS 或 macOS 设备时，该密码不能为空）。你可以重复本步骤来为更多的客户端生成证书，但必须将所有的 `vpnclient` 换成比如 `vpnclient2`，等等。
+   指定一个安全的密码以保护导出的 `.p12` 文件（在导入到 iOS 或 macOS 设备时，该密码不能为空）。
   **注：** 如需同时连接多个客户端，则必须为每个客户端生成唯一的证书。
 1. （适用于 iOS 客户端） 导出 CA 证书到 `vpnca.cer`：
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -2,11 +2,12 @@
 *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
-**Important:** This guide is for **advanced users** only. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
+**Note:** This guide is for **advanced users**. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
 ---
 * [Introduction](#introduction)
-* [Set up IKEv2 on the VPN server](#set-up-ikev2-on-the-vpn-server)
+* [Using helper scripts](#using-helper-scripts)
 * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
 * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
 * [Known issues](#known-issues)
 * [References](#references)
@ -22,11 +23,21 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
 - Android 4.x and newer (using the strongSwan VPN client)
 - iOS (iPhone/iPad)
-## Set up IKEv2 on the VPN server
+## Using helper scripts
 **Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your own VPN server</a>, and (optional but recommended) <a href="../README.md#upgrade-libreswan" target="_blank">upgraded Libreswan</a> to the latest version.
-The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
+You may use this helper script to automatically set up IKEv2 on the VPN server:
 ```
 wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh
 ```
 The <a href="../extras/ikev2setup.sh" target="_blank">script</a> must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, refer to step 4 in the next section.
 ## Manually set up IKEv2 on the VPN server
 The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`.
 1. Find the VPN server's public IP, save it to a variable and check.
@ -154,6 +165,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate.
   **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc.
   Generate client certificate:
   ```bash
@ -182,9 +195,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
   pk12util: PKCS12 EXPORT SUCCESSFUL
   ```
-   Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty). You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc.
+   Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty).
   **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
 1. (For iOS clients) Export the CA certificate as `vpnca.cer`:
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@ -0,0 +1,305 @@
 #!/bin/bash
 #
 # Script to set up IKEv2 on Ubuntu, Debian and CentOS/RHEL
 #
 # Copyright (C) 2020 Lin Song <linsongui@gmail.com>
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
 #
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it!
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT=$(date +%F-%T)
 exiterr() { echo "Error: $1" >&2; exit 1; }
 bigecho() { echo; echo "## $1"; echo; }
 bigecho2() { echo; echo "## $1"; }
 check_ip() {
  IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
  printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
 }
 check_dns_name() {
  FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
  printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX"
 }
 ikev2setup() {
 if [ "$(id -u)" != 0 ]; then
  exiterr "Script must be run as root. Try 'sudo bash $0'"
 fi
 ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
 swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//')
 if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
  || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \
  || [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then
 cat 1>&2 <<'EOF'
 Error: Your must first set up the IPsec VPN server before setting up IKEv2.
  See: https://github.com/hwdsl2/setup-ipsec-vpn
 EOF
  exit 1
 fi
 case "$swan_ver" in
  3.19|3.2[01235679]|3.31)
    /bin/true
    ;;
  *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$swan_ver' is not supported.
  This script requires one of these versions:
  3.19-3.23, 3.25-3.27, 3.29 or 3.31
  Upgrade Libreswan: https://git.io/vpnupgrade
 EOF
    exit 1
    ;;
 esac
 if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then
 cat 1>&2 <<'EOF'
 Error: It looks like IKEv2 has already been set up on this server.
  To generate certificates for additional VPN clients, see step 4 in section
  "Manually set up IKEv2 on the VPN server" at https://git.io/ikev2
 EOF
  exit 1
 fi
 command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Aborting."; exit 1; }
 command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Aborting."; exit 1; }
 clear
 cat <<'EOF'
 Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server.
 Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2
 I need to ask you a few questions before starting setup.
 You can use the default options and just press enter if you are OK with them.
 EOF
 echo "Do you want IKEv2 VPN clients to connect to this VPN server using a DNS name,"
 printf "e.g. vpn.example.com, instead of its IP address [y/N]? "
 read -r response
 case $response in
  [yY][eE][sS]|[yY])
    use_dns_name=1
    echo
    ;;
  *)
    use_dns_name=0
    echo
    ;;
 esac
 # Enter VPN server address
 if [ "$use_dns_name" = "1" ]; then
  read -rp "Enter the DNS name of this VPN server: " server_addr
  until check_dns_name "$server_addr"; do
    echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)."
    read -rp "Enter the DNS name of this VPN server: " server_addr
  done
 else
  public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
  [ -z "$public_ip" ] && public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
  read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr
  [ -z "$server_addr" ] && server_addr="$public_ip"
  until check_ip "$server_addr"; do
    echo "Invalid IP address."
    read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr
    [ -z "$server_addr" ] && server_addr="$public_ip"
  done
 fi
 # Check for MOBIKE support
 mobike_support=0
 case "$swan_ver" in
  3.2[35679]|3.31)
    mobike_support=1
    ;;
 esac
 if [ "$mobike_support" = "1" ]; then
  os_type="$(lsb_release -si 2>/dev/null)"
  if [ -z "$os_type" ]; then
    [ -f /etc/os-release  ] && os_type="$(. /etc/os-release  && printf '%s' "$ID")"
    [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")"
    [ "$os_type" = "ubuntu" ] && os_type=Ubuntu
  fi
  if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then
    mobike_support=0
  fi
 fi
 mobike_enable=0
 if [ "$mobike_support" = "1" ]; then
  echo
  printf "Do you want to enable MOBIKE support [y/N]? "
  read -r response
  case $response in
    [yY][eE][sS]|[yY])
      mobike_enable=1
      ;;
    *)
      mobike_enable=0
      ;;
  esac
 fi
 echo
 printf "We are ready to set up IKEv2 now. Continue [y/N]? "
 read -r response
 case $response in
  [yY][eE][sS]|[yY])
    echo
    ;;
  *)
    echo "Aborting. Your configuration was not changed."
    exit 1
    ;;
 esac
 bigecho "Adding a new IKEv2 connection to /etc/ipsec.conf..."
 cat >> /etc/ipsec.conf <<EOF
 conn ikev2-cp
  left=%defaultroute
  leftcert=$server_addr
  leftid=@$server_addr
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike-frag=yes
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
 EOF
 case "$swan_ver" in
  3.2[35679]|3.31)
 cat >> /etc/ipsec.conf <<'EOF'
  modecfgdns="8.8.8.8 8.8.4.4"
  encapsulation=yes
 EOF
    if [ "$mobike_enable" = "1" ]; then
      echo "  mobike=yes" >> /etc/ipsec.conf
    else
      echo "  mobike=no" >> /etc/ipsec.conf
    fi
    ;;
  3.19|3.2[012])
 cat >> /etc/ipsec.conf <<'EOF'
  modecfgdns1=8.8.8.8
  modecfgdns2=8.8.4.4
  encapsulation=yes
 EOF
    ;;
 esac
 bigecho2 "Generating CA certificate..."
 certutil -z <(head -c 1024 /dev/urandom) \
  -S -x -n "IKEv2 VPN CA" \
  -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
  -k rsa -g 4096 -v 120 \
  -d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null << ANSWERS
 y
 N
 ANSWERS
 sleep 1
 bigecho2 "Generating VPN server certificate..."
 if [ "$use_dns_name" = "1" ]; then
  certutil -z <(head -c 1024 /dev/urandom) \
    -S -c "IKEv2 VPN CA" -n "$server_addr" \
    -s "O=IKEv2 VPN,CN=$server_addr" \
    -k rsa -g 4096 -v 120 \
    -d sql:/etc/ipsec.d -t ",," \
    --keyUsage digitalSignature,keyEncipherment \
    --extKeyUsage serverAuth \
    --extSAN "dns:$server_addr" >/dev/null
 else
  certutil -z <(head -c 1024 /dev/urandom) \
    -S -c "IKEv2 VPN CA" -n "$server_addr" \
    -s "O=IKEv2 VPN,CN=$server_addr" \
    -k rsa -g 4096 -v 120 \
    -d sql:/etc/ipsec.d -t ",," \
    --keyUsage digitalSignature,keyEncipherment \
    --extKeyUsage serverAuth \
    --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null
 fi
 sleep 1
 bigecho2 "Generating client certificate..."
 certutil -z <(head -c 1024 /dev/urandom) \
  -S -c "IKEv2 VPN CA" -n "vpnclient" \
  -s "O=IKEv2 VPN,CN=vpnclient" \
  -k rsa -g 4096 -v 120 \
  -d sql:/etc/ipsec.d -t ",," \
  --keyUsage digitalSignature,keyEncipherment \
  --extKeyUsage serverAuth,clientAuth -8 "vpnclient" >/dev/null
 bigecho "Exporting CA certificate..."
 certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "vpnca-$SYS_DT.cer"
 bigecho "Exporting .p12 file..."
 cat <<'EOF'
 Enter a *secure* password to protect the exported .p12 file.
 This file contains the client certificate, private key, and CA certificate.
 When importing into an iOS or macOS device, this password cannot be empty.
 EOF
 pk12util -o "vpnclient-$SYS_DT.p12" -n "vpnclient" -d sql:/etc/ipsec.d
 bigecho "Restarting IPsec service..."
 service ipsec restart
 cat <<EOF
 =================================================
 IKEv2 VPN setup is now complete!
 Files exported to the current folder:
 vpnclient-$SYS_DT.p12
 vpnca-$SYS_DT.cer (for iOS clients)
 Next steps: Configure IKEv2 VPN clients. See:
 https://git.io/ikev2clients
 =================================================
 EOF
 }
 ## Defer setup until we have the complete script
 ikev2setup "$@"
 exit 0