1
0
mirror of synced 2024-11-25 06:16:07 +03:00

Update docs

This commit is contained in:
hwdsl2 2022-10-29 14:21:25 -05:00
parent 117d76b309
commit cbd356ac1a
2 changed files with 32 additions and 32 deletions

View File

@ -225,7 +225,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
如果你手动配置 IKEv2 而不是使用辅助脚本,点这里查看步骤。
</summary>
首先,将生成的 `ikev2vpnca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用:
首先,将生成的 `ca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用:
1. AirDrop隔空投送或者
1. 使用 [文件共享](https://support.apple.com/zh-cn/HT210598) 功能上传到设备(任何 App 目录),然后打开 iOS 设备上的 "文件" App将上传的文件移动到 "On My iPhone" 目录下。然后逐个单击它们并到 "设置" App 中导入,或者
@ -358,13 +358,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
### Chrome OS
首先,在 VPN 服务器上导出 CA 证书到 `ikev2vpnca.cer`
首先,在 VPN 服务器上导出 CA 证书到 `ca.cer`
```bash
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ca.cer
```
将生成的 `.p12` 文件和 `ikev2vpnca.cer` 文件安全地传送到你的 Chrome OS 设备。
将生成的 `.p12` 文件和 `ca.cer` 文件安全地传送到你的 Chrome OS 设备。
安装用户证书和 CA 证书:
@ -375,7 +375,7 @@ sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
1. 如果证书没有密码,单击 **确定**。否则输入该证书的密码。
1. 单击上面的 **授权机构** 选项卡,然后单击 **导入**
1. 在对话框中左下角的下拉菜单选择 **所有文件**
1. 选择你从服务器传送过来的 `ikev2vpnca.cer` 文件并选择 **打开**
1. 选择你从服务器传送过来的 `ca.cer` 文件并选择 **打开**
1. 保持默认选项并单击 **确定**
添加 VPN 连接:
@ -427,15 +427,15 @@ sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome
# 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。
# 注:你可能需要输入 import password它可以在 IKEv2 辅助脚本的输出中找到。
# 如果在脚本的输出中没有 import password请按回车键继续。
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out client.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out client.key
rm vpnclient.p12
# (重要)保护证书和私钥文件
# 注:这一步是可选的,但强烈推荐。
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chown root.root ca.cer client.cer client.key
sudo chmod 600 ca.cer client.cer client.key
```
然后你可以创建并启用 VPN 连接:
@ -444,11 +444,11 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
1. 选择 **IPsec/IKEv2 (strongswan)**
1. 在 **Name** 字段中输入任意内容。
1. 在 **Gateway (Server)** 部分的 **Address** 字段中输入 `你的 VPN 服务器 IP`(或者域名)。
1. 为 **Certificate** 字段选择 `ikev2vpnca.cer` 文件。
1. 为 **Certificate** 字段选择 `ca.cer` 文件。
1. 在 **Client** 部分的 **Authentication** 下拉菜单选择 **Certificate(/private key)**
1. 在 **Certificate** 下拉菜单(如果存在)选择 **Certificate/private key**
1. 为 **Certificate (file)** 字段选择 `vpnclient.cer` 文件。
1. 为 **Private key** 字段选择 `vpnclient.key` 文件。
1. 为 **Certificate (file)** 字段选择 `client.cer` 文件。
1. 为 **Private key** 字段选择 `client.key` 文件。
1. 在 **Options** 部分,选中 **Request an inner IP address** 复选框。
1. 在 **Cipher proposals (Algorithms)** 部分,选中 **Enable custom proposals** 复选框。
1. 保持 **IKE** 字段空白。
@ -550,7 +550,7 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
### 无法连接到 VPN 服务器
首先,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。
首先,请确保你的 VPN 客户端设备上指定的 VPN 服务器地址与 IKEv2 辅助脚本输出中的服务器地址**完全一致**。参见下面的小节以及 [检查日志及 VPN 状态](clients-zh.md#检查日志及-vpn-状态)。
对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。
@ -1076,10 +1076,10 @@ To customize IKEv2 or client options, run this script without arguments.
指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 或 macOS 设备时,该密码不能为空)。
1. (适用于 iOS 客户端) 导出 CA 证书到 `ikev2vpnca.cer`
1. (适用于 iOS 客户端) 导出 CA 证书到 `ca.cer`
```bash
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ca.cer
```
1. 证书数据库现在应该包含以下内容:

View File

@ -225,7 +225,7 @@ To connect to the VPN:
If you manually set up IKEv2 without using the helper script, click here for instructions.
</summary>
First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use:
First, securely transfer the generated `ca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use:
1. AirDrop, or
1. Upload to your device (any App folder) using [File Sharing](https://support.apple.com/en-us/HT210598), then open the "Files" App on your iOS device, move the uploaded files to the "On My iPhone" folder. After that, tap each file and go to the "Settings" App to import, or
@ -358,13 +358,13 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
### Chrome OS
First, on your VPN server, export the CA certificate as `ikev2vpnca.cer`:
First, on your VPN server, export the CA certificate as `ca.cer`:
```bash
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
sudo certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ca.cer
```
Securely transfer the generated `.p12` and `ikev2vpnca.cer` files to your Chrome OS device.
Securely transfer the generated `.p12` and `ca.cer` files to your Chrome OS device.
Install user and CA certificates:
@ -375,7 +375,7 @@ Install user and CA certificates:
1. Click **OK** if the certificate does not have a password. Otherwise, enter the certificate's password.
1. Click the **Authorities** tab. Then click **Import**.
1. In the box that opens, select **All files** in the drop-down menu at the bottom left.
1. Choose the `ikev2vpnca.cer` file you transferred from the VPN server and select **Open**.
1. Choose the `ca.cer` file you transferred from the VPN server and select **Open**.
1. Keep the default options and click **OK**.
Add a new VPN connection:
@ -429,15 +429,15 @@ Next, securely transfer the generated `.p12` file from the VPN server to your Li
# Note: You may need to enter the import password, which can be found
# in the output of the IKEv2 helper script. If the output does not
# contain an import password, press Enter to continue.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out client.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out client.key
rm vpnclient.p12
# (Important) Protect certificate and private key files
# Note: This step is optional, but strongly recommended.
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chown root.root ca.cer client.cer client.key
sudo chmod 600 ca.cer client.cer client.key
```
You can then set up and enable the VPN connection:
@ -446,11 +446,11 @@ You can then set up and enable the VPN connection:
1. Select **IPsec/IKEv2 (strongswan)**.
1. Enter anything you like in the **Name** field.
1. In the **Gateway (Server)** section, enter `Your VPN Server IP` (or DNS name) for the **Address**.
1. Select the `ikev2vpnca.cer` file for the **Certificate**.
1. Select the `ca.cer` file for the **Certificate**.
1. In the **Client** section, select **Certificate(/private key)** in the **Authentication** drop-down menu.
1. Select **Certificate/private key** in the **Certificate** drop-down menu (if exists).
1. Select the `vpnclient.cer` file for the **Certificate (file)**.
1. Select the `vpnclient.key` file for the **Private key**.
1. Select the `client.cer` file for the **Certificate (file)**.
1. Select the `client.key` file for the **Private key**.
1. In the **Options** section, check the **Request an inner IP address** checkbox.
1. In the **Cipher proposals (Algorithms)** section, check the **Enable custom proposals** checkbox.
1. Leave the **IKE** field blank.
@ -552,7 +552,7 @@ for the entire network, or use `192.168.0.10` for just one device, and so on.
### Cannot connect to the VPN server
First, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script.
First, make sure that the VPN server address specified on your VPN client device **exactly matches** the server address in the output of the IKEv2 helper script. Refer to the sections below and [Check logs and VPN status](clients.md#check-logs-and-vpn-status).
For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433).
@ -1078,10 +1078,10 @@ View example steps for manually configuring IKEv2 with Libreswan.
Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty).
1. (For iOS clients) Export the CA certificate as `ikev2vpnca.cer`:
1. (For iOS clients) Export the CA certificate as `ca.cer`:
```bash
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ca.cer
```
1. The database should now contain: