diff --git a/README-zh.md b/README-zh.md
index 3400259..d3b25fa 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -265,7 +265,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh --auto
**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**
-**分步指南:如何配置 IKEv2 VPN**
+**IKEv2 VPN 配置和使用指南**
如果在连接过程中遇到错误,请参见 故障排除。
diff --git a/README.md b/README.md
index d4c100d..a4153ce 100644
--- a/README.md
+++ b/README.md
@@ -265,7 +265,7 @@ Get your computer or device to use the VPN. Please refer to:
**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**
-**Step-by-Step Guide: How to Set Up IKEv2 VPN**
+**Guide: How to Set Up and Use IKEv2 VPN**
If you get an error when trying to connect, see Troubleshooting.
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 89398f6..cc7e1c3 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -1,4 +1,4 @@
-# 分步指南:如何配置 IKEv2 VPN
+# IKEv2 VPN 配置和使用指南
*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@@ -21,8 +21,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- Windows 7, 8.x 和 10
- OS X (macOS)
-- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
- iOS (iPhone/iPad)
+- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPN:IKEv2,以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。
@@ -80,12 +80,11 @@ To customize IKEv2 or client options, run this script without arguments.
certutil -f -importpfx ".p12文件的位置和名称" NoExport
```
- 另外,你也可以手动导入 `.p12` 文件。详情参见下面的链接。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
- https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
+ 另外,你也可以手动导入 `.p12` 文件。详细步骤请看 这里。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
- **注:** Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
+ **注:** Ubuntu 18.04 用户在尝试导入 `.p12` 文件时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
-1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10 用户,推荐使用这些命令创建 VPN 连接,以达到更佳的安全性和性能。从你在上一步打开的命令提示符窗口运行以下命令:
+1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10,推荐从命令提示符运行以下命令创建 VPN 连接,以达到更佳的安全性和性能。
```console
# 将服务器地址存入变量(换成你自己的值)
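Review bot: The rewritten step 1 text ("推荐从命令提示符运行以下命令") no longer says which command prompt to use, whereas the removed line pointed to the window opened in the previous step. If that earlier window was an elevated one, state here whether the VPN connection commands need elevation, so that a reader who opens a fresh, non-elevated prompt does not hit permission errors. The same wording change is made in docs/ikev2-howto.md.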
@@ -96,8 +95,7 @@ To customize IKEv2 or client options, run this script without arguments.
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
- 另外,你也可以手动创建 VPN 连接。详情参见下面的链接。如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
- https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
+ 另外,你也可以手动创建 VPN 连接。详细步骤请看 这里。如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
1. 为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。这一步是可选的,但推荐。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 这里。
@@ -655,10 +653,11 @@ To customize IKEv2 or client options, run this script without arguments.
vpnclient u,u,u
```
-1. 删除证书。将下面的 "Nickname" 替换为每个证书的昵称。为每个证书重复此命令。在完成后,再次列出 IPsec 证书数据库中的证书,并确认列表为空。
+1. 删除证书和密钥。将下面的 "Nickname" 替换为每个证书的昵称。为每个证书重复这些命令。在完成后,再次列出 IPsec 证书数据库中的证书,并确认列表为空。
```bash
- certutil -D -d sql:/etc/ipsec.d -n "Nickname"
+ certutil -F -d sql:/etc/ipsec.d -n "Nickname"
+ certutil -D -d sql:/etc/ipsec.d -n "Nickname" 2>/dev/null
```
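Review bot: The added `certutil -D ... 2>/dev/null` line discards every error from the delete, not only the expected one. A mistyped nickname or an unreadable database would fail silently, and the reader would only notice at the final listing. If the redirect is there because `-D` reports an error once `-F` has already removed the entry, say that in the step text, or drop the redirect and tell the reader that a "not found" message from the second command can be ignored.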
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 9904e1e..63b2c6d 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -1,4 +1,4 @@
-# Step-by-Step Guide: How to Set Up IKEv2 VPN
+# Guide: How to Set Up and Use IKEv2 VPN
*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*
@@ -21,8 +21,8 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- Windows 7, 8.x and 10
- OS X (macOS)
-- Android 4.x and newer (using the strongSwan VPN client)
- iOS (iPhone/iPad)
+- Android 4.x and newer (using the strongSwan VPN client)
After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes.
@@ -80,12 +80,11 @@ To customize IKEv2 or client options, run this script without arguments.
certutil -f -importpfx "\path\to\your\file.p12" NoExport
```
- Alternatively, you can manually import the `.p12` file. See instructions at the link below. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
- https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
+ Alternatively, you can manually import the `.p12` file. Click here for instructions. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
- **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. See [Known issues](#known-issues).
+ **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the `.p12` file. See [Known issues](#known-issues).
-1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10 users, it is recommended to create the VPN connection using these commands for improved security and performance. Run the following from the command prompt you opened above.
+1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance.
```console
# Set server address (replace with your own value)
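Review bot: "Click here for instructions" in the manual import paragraph replaces a visible strongswan.org URL with link text that says nothing about the destination. In a guide that asks the reader to install a certificate into "Trusted Root Certification Authorities", it is better for the reader to see where the instructions come from before following them. Suggest descriptive link text that names the target page (for example the strongSwan wiki page on Windows certificates) instead of "here". The manual VPN connection paragraph in the next hunk has the same wording.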
@@ -96,8 +95,7 @@ To customize IKEv2 or client options, run this script without arguments.
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
- Alternatively, you can manually create the VPN connection. See instructions at the link below. If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
- https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
+ Alternatively, you can manually create the VPN connection. Click here for instructions. If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
1. Enable stronger ciphers for IKEv2 with a one-time registry change. This is optional, but recommended. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more here.
@@ -611,7 +609,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
After that, [export configuration for the IKEv2 client](#export-configuration-for-an-existing-client) again.
-1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above.
+1. If using the strongSwan Android VPN client, you must update Libreswan on your server to version 3.26 or above.
## Remove IKEv2
@@ -655,10 +653,11 @@ To manually remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.
vpnclient u,u,u
```
-1. Delete certificates. Replace "Nickname" below with each certificate's nickname. Repeat for each certificate. When finished, list certificates in the IPsec database again, and confirm that the list is empty.
+1. Delete certificates and keys. Replace "Nickname" below with each certificate's nickname. Repeat these commands for each certificate. When finished, list certificates in the IPsec database again, and confirm that the list is empty.
```bash
- certutil -D -d sql:/etc/ipsec.d -n "Nickname"
+ certutil -F -d sql:/etc/ipsec.d -n "Nickname"
+ certutil -D -d sql:/etc/ipsec.d -n "Nickname" 2>/dev/null
```
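Review bot: The step now deletes keys as well as certificates, but the confirmation it asks for still only covers certificates ("list certificates in the IPsec database again, and confirm that the list is empty"). A private key left behind after a failed `-F` would not show up in that listing. Suggest also asking the reader to list the remaining keys with `certutil -K -d sql:/etc/ipsec.d` and confirm that none belong to the removed IKEv2 certificates.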