mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-01-31 04:21:43 +03:00
Code Issues Projects Releases Wiki Activity

Improve IKEv2 docs

Browse Source 
- Make it clear how to use the VPN server's DNS name to connect
This commit is contained in:
hwdsl2 2017-06-03 14:53:45 -05:00
parent 47a9015135
commit bc0324f957
2 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/ikev2-howto-zh.md
View File

@ -21,14 +21,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
在继续之前,请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>
1. 获取服务器的公共 IP 地址,并检查它是否正确
1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
$ echo "$PUBLIC_IP"
(检查显示的 public IP
(检查显示的公共 IP
```
**注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`
1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接:
```bash
@ -79,7 +81,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
```
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`
```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2

7
docs/ikev2-howto.md
View File

@ -21,7 +21,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.
1. Find the public IP of your server, and make sure it is correct.
1. Find the VPN server's public IP, save it to a variable and check.
```bash
$ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
@ -29,6 +29,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
(Check the displayed public IP)
```
**Note:** Alternatively, you may specify the server's DNS name here. e.g. `PUBLIC_IP=myvpn.example.com`.
1. Add a new IKEv2 connection to `/etc/ipsec.conf`:
```bash
@ -79,7 +81,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
```
1. Generate Certificate Authority (CA) and VPN server certificates:
**Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36".
**Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36". In addition, if you specified the server's DNS name (instead of its IP address) in step 1 above, replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` with `--extSAN "dns:$PUBLIC_IP"` in the command below.
```bash
$ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2