mirror of synced 2025-01-31 04:21:43 +03:00

Update docs

hwdsl2 2021-01-28 23:54:32 -06:00
parent ec5dda8c1c
commit cd588a07ae
6 changed files with 60 additions and 40 deletions

View File

@ -2,7 +2,7 @@
*其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
**注:你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/L2TP 模式](clients-zh.md) 连接。**
**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/L2TP 模式](clients-zh.md) 连接。
在成功 <a href="../README-zh.md" target="_blank">搭建自己的 VPN 服务器</a> 之后按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持无需安装额外的软件。Windows 用户可以使用免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft 客户端</a>。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
@ -18,10 +18,10 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP
## Windows
**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接无需安装额外的软件。
**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用 [IPsec/L2TP 模式](clients-zh.md) 连接无需安装额外的软件。
1. 下载并安装免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN 客户端</a>
**注:** 该 VPN 客户端支持 Windows 2K/XP/Vista/7/8 系统
1. 下载并安装免费的 <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN 客户端</a>。在安装时请选择 **Standard Edition**
**注:** 该 VPN 客户端 **不支持** Windows 10
1. 单击开始菜单 -> 所有程序 -> ShrewSoft VPN Client -> VPN Access Manager
1. 单击工具栏中的 **Add (+)** 按钮。
1. 在 **Host Name or IP Address** 字段中输入`你的 VPN 服务器 IP`
@ -58,7 +58,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
1. 选中 **在菜单栏中显示 VPN 状态** 复选框。
1. 单击 **应用** 保存VPN连接信息。
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
要连接到 VPN使用菜单栏中的图标或者打开系统偏好设置的网络部分选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>

View File

@ -2,7 +2,7 @@
*Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).*
**Note: You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/L2TP mode](clients.md).**
**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/L2TP mode](clients.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft client</a>. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@ -18,10 +18,10 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster t
## Windows
**Note:** You may also connect using [IPsec/L2TP mode](clients.md). No additional software is required.
**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using [IPsec/L2TP mode](clients.md). No additional software is required.
1. Download and install the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN client</a>.
**Note:** This VPN client supports Windows 2K/XP/Vista/7/8.
1. Download and install the free <a href="https://www.shrew.net/download/vpn" target="_blank">Shrew Soft VPN client</a>. When prompted during install, select **Standard Edition**.
**Note:** This VPN client does NOT support Windows 10.
1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager
1. Click the **Add (+)** button on toolbar.
1. Enter `Your VPN Server IP` in the **Host Name or IP Address** field.
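Review bot: The rewritten note under step 1 of the Windows section now says only that the client "does NOT support Windows 10" and drops the previous list of supported versions (Windows 2K/XP/Vista/7/8), so a Windows 7 or 8 reader can no longer tell from this page whether Shrew Soft is expected to work for them. Consider keeping both facts in one note, for example "This VPN client supports Windows 2K/XP/Vista/7/8. It does NOT support Windows 10." The same applies to the matching hunk in clients-xauth-zh.md.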

View File

@ -2,7 +2,7 @@
*其他语言版本: [English](clients.md), [简体中文](clients-zh.md).*
**注:你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。**
**注:** 你也可以 [配置 IKEv2](ikev2-howto-zh.md)(推荐),或者使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。
在成功 <a href="../README-zh.md" target="_blank">搭建自己的 VPN 服务器</a> 之后按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。
@ -38,7 +38,7 @@
**注:** 在首次连接之前需要<a href="#windows-错误-809">修改一次注册表</a>,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。
要连接到 VPN 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
要连接到 VPN单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
@ -80,7 +80,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
**注:** 在首次连接之前需要<a href="#windows-错误-809">修改一次注册表</a>,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。
要连接到 VPN 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
要连接到 VPN单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名``密码` ,并单击 **确定**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
@ -104,7 +104,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
1. **(重要)** 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**
1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。
要连接到 VPN 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
要连接到 VPN使用菜单栏中的图标或者打开系统偏好设置的网络部分选择 VPN 并单击 **连接**。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="#故障排除">故障排除</a>
@ -338,7 +338,7 @@ OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但
如果需要 VPN 在设备唤醒后自动重连,你可以 <a href="ikev2-howto-zh.md" target="_blank">配置 IKEv2</a> 并启用 "VPN On Demand" 功能。或者你也可以另外尝试使用 <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a>,它支持 <a href="https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/" target="_blank">一些选项</a> 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。
Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 <a href="https://support.google.com/android/answer/9089766?hl=zh-Hans" target="_blank">这里</a>
Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 和更新版本中不再可用。另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 <a href="https://support.google.com/android/answer/9089766?hl=zh-Hans" target="_blank">这里</a>
### Debian 10 内核

View File

@ -2,7 +2,7 @@
*Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).*
**Note: You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using the faster [IPsec/XAuth mode](clients-xauth.md).**
**Note:** You may also [set up IKEv2](ikev2-howto.md) (recommended), or connect using the faster [IPsec/XAuth mode](clients-xauth.md).
After <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
@ -337,7 +337,7 @@ To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi s
If you need the VPN to auto-reconnect when the device wakes up, you may <a href="ikev2-howto.md" target="_blank">set up IKEv2</a> and enable the "VPN On Demand" feature. Alternatively, you may try <a href="https://github.com/Nyr/openvpn-install" target="_blank">OpenVPN</a> instead, which <a href="https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/" target="_blank">has support for options</a> such as "Reconnect on Wakeup" and "Seamless Tunnel".
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more <a href="https://support.google.com/android/answer/9089766?hl=en" target="_blank">here</a>.
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo) and newer. Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more <a href="https://support.google.com/android/answer/9089766?hl=en" target="_blank">here</a>.
### Debian 10 kernel

View File

@ -76,7 +76,8 @@ To customize IKEv2 or client options, run this script without arguments.
1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。要导入 `.p12` 文件,打开 <a href="http://www.cnblogs.com/xxcanghai/p/4610054.html" target="_blank">提升权限命令提示符</a> 并运行以下命令:
```console
certutil -f -importpfx ".p12文件的完整路径" NoExport
# 导入 .p12 文件(换成你自己的值)
certutil -f -importpfx ".p12文件的位置和名称" NoExport
```
另外,你也可以手动导入 `.p12` 文件。详情参见下面的链接。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
@ -84,21 +85,21 @@ To customize IKEv2 or client options, run this script without arguments.
**注:** Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10 用户,推荐使用下面的 Windows PowerShell 命令来创建 VPN 连接,以达到更佳的 VPN 安全性和性能。将 `你的 VPN 服务器 IP或者域名` 换成你自己的值。
1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10 用户,推荐使用这些命令创建 VPN 连接,以达到更佳的安全性和性能。从你在上一步打开的命令提示符窗口运行以下命令:
```console
# 将服务器地址存入变量(换成你自己的值)
set server_addr="你的 VPN 服务器 IP或者域名"
# 创建 VPN 连接
Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "你的 VPN 服务器 IP或者域名" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
powershell -command "Add-VpnConnection -Name 'My IKEv2 VPN' -ServerAddress '%server_addr%' -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru"
# 设置 IPsec 参数
Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
另外,你也可以手动创建 VPN 连接。参见这里:
另外,你也可以手动创建 VPN 连接。详情参见下面的链接。如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
**注:** 如果你在配置 IKEv2 时指定了服务器的域名(而不是 IP 地址),则必须在 **Internet地址** 字段中输入该域名。
1. (可选但推荐)为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。请下载并导入下面的 `.reg` 文件,或者打开 <a href="http://www.cnblogs.com/xxcanghai/p/4610054.html" target="_blank">提升权限命令提示符</a> 并运行以下命令。更多信息请看 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">这里</a>
1. 为 IKEv2 启用更强的加密算法,通过修改一次注册表来实现。这一步是可选的,但推荐。请下载并导入下面的 `.reg` 文件,或者打开提升权限命令提示符并运行以下命令。更多信息请看 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">这里</a>
- 适用于 Windows 7, 8.x 和 10 ([下载 .reg 文件](https://dl.ls20.com/reg-files/v1/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
@ -106,15 +107,16 @@ To customize IKEv2 or client options, run this script without arguments.
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
要连接到 VPN单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
### OS X (macOS)
首先,将生成的 `.mobileconfig` 文件安全地传送到你的 Mac然后双击并按提示操作以导入为 macOS 配置描述文件。在完成之后,检查并确保 "IKEv2 VPN configuration" 显示在系统偏好设置 -> 描述文件中。
要连接到 VPN
1. 打开系统偏好设置并转到网络部分。
1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。
1. 选中 **在菜单栏中显示 VPN 状态** 复选框。
@ -153,6 +155,8 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
### iOS
首先,将生成的 `.mobileconfig` 文件安全地传送到你的 iOS 设备,并且导入为 iOS 配置描述文件。要传送文件,你可以使用:
@ -163,6 +167,8 @@ To customize IKEv2 or client options, run this script without arguments.
在完成之后,检查并确保 "IKEv2 VPN configuration" 显示在设置 -> 通用 -> 描述文件中。
要连接到 VPN
1. 进入设置 -> 通用 -> VPN。
1. 选择与 `你的 VPN 服务器 IP`(或者域名)对应的 VPN 连接。
1. 启用 **VPN** 连接。
@ -200,6 +206,8 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
### Android
1. 将生成的 `.sswan` 文件安全地传送到你的 Android 设备。
@ -213,7 +221,7 @@ To customize IKEv2 or client options, run this script without arguments.
1. 单击 **导入**
1. 单击新的 VPN 配置文件以开始连接。
(可选功能)你可以选择启用 Android 上的 "始终开启的 VPN" 功能。启动 **设置** 应用程序,进入 网络和互联网 -> 高级 -> VPN单击 "strongSwan VPN 客户端" 右边的设置图标,然后启用 "始终开启的 VPN" 以及 "屏蔽未使用 VPN 的所有连接" 选项。
(可选功能)你可以选择启用 Android 上的 "始终开启的 VPN" 功能。启动 **设置** 应用程序,进入 网络和互联网 -> 高级 -> VPN单击 "strongSwan VPN 客户端" 右边的设置图标,然后启用 **始终开启的 VPN** 以及 **屏蔽未使用 VPN 的所有连接** 选项。
<details>
<summary>
@ -254,6 +262,8 @@ To customize IKEv2 or client options, run this script without arguments.
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 <a href="clients-zh.md#故障排除" target="_blank">故障排除</a>
## 管理客户端证书
### 列出已有的客户端

View File

@ -76,7 +76,8 @@ To customize IKEv2 or client options, run this script without arguments.
1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. To import the `.p12` file, run the following from an <a href="http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/" target="_blank">elevated command prompt</a>:
```console
certutil -f -importpfx "path\to\your\p12\file.p12" NoExport
# Import .p12 file (replace with your own value)
certutil -f -importpfx "\path\to\your\file.p12" NoExport
```
Alternatively, you can manually import the `.p12` file. See instructions at the link below. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
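Review bot: The added `# Import .p12 file (replace with your own value)` line sits inside a block that the step tells the reader to run from an elevated command prompt, and `#` does not start a comment in cmd, so pasting the block as written makes the first line fail as an unknown command before `certutil` runs. Use `REM Import .p12 file (replace with your own value)`, or move the sentence into the step text above the block. Separately, the new placeholder `"\path\to\your\file.p12"` begins with a backslash, which Windows resolves against the root of the current drive; if the intent is "full path", a placeholder that shows a drive letter would be clearer.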
@ -84,21 +85,21 @@ To customize IKEv2 or client options, run this script without arguments.
**Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. See [Known issues](#known-issues).
1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10 users, it is recommended to create the VPN connection using these Windows PowerShell commands for improved security and performance. Replace `Your VPN Server IP (or DNS name)` with your own value.
1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10 users, it is recommended to create the VPN connection using these commands for improved security and performance. Run the following from the command prompt you opened above.
```console
# Set server address (replace with your own value)
set server_addr="Your VPN Server IP (or DNS name)"
# Create VPN connection
Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "Your VPN Server IP (or DNS name)" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
powershell -command "Add-VpnConnection -Name 'My IKEv2 VPN' -ServerAddress '%server_addr%' -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru"
# Set IPsec configuration
Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
```
Alternatively, you can manually create the VPN connection. See:
Alternatively, you can manually create the VPN connection. See instructions at the link below. If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
**Note:** If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.
1. (Optional but recommended) Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the `.reg` file below, or run the following from an <a href="http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/" target="_blank">elevated command prompt</a>. Read more <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">here</a>.
1. Enable stronger ciphers for IKEv2 with a one-time registry change. This is optional, but recommended. Download and import the `.reg` file below, or run the following from an elevated command prompt. Read more <a href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048" target="_blank">here</a>.
- For Windows 7, 8.x and 10 ([download .reg file](https://dl.ls20.com/reg-files/v1/Enable_Stronger_Ciphers_for_IKEv2_on_Windows.reg))
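Review bot: In the new command block, `set server_addr="Your VPN Server IP (or DNS name)"` makes cmd store the double quotes as part of the variable's value, so `'%server_addr%'` expands to a double-quoted string nested inside the already double-quoted `-command` argument, and the result depends on how the nested quotes happen to be parsed. Prefer `set "server_addr=Your VPN Server IP (or DNS name)"` so the variable holds only the address and the single quotes in `-ServerAddress '%server_addr%'` do the quoting. The `#` lines in this block (`# Set server address`, `# Create VPN connection`, `# Set IPsec configuration`) were valid when the block was PowerShell, but the step now says to run it from the command prompt, where they are not comments; switch them to `REM` or move them out of the block. The step text also no longer tells the reader which value to replace, so the instruction now lives only in that comment line.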
@ -106,15 +107,16 @@ To customize IKEv2 or client options, run this script without arguments.
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f
```
1. Start the new VPN connection, and enjoy your IKEv2 VPN!
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
### OS X (macOS)
First, securely transfer the generated `.mobileconfig` file to your Mac, then double-click and follow the prompts to import as a macOS profile. When finished, check to make sure "IKEv2 VPN configuration" is listed under System Preferences -> Profiles.
To connect to the VPN:
1. Open System Preferences and go to the Network section.
1. Select the VPN connection with `Your VPN Server IP` (or DNS name).
1. Check the **Show VPN status in menu bar** checkbox.
@ -153,6 +155,8 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
### iOS
First, securely transfer the generated `.mobileconfig` file to your iOS device, then import it as an iOS profile. To transfer the file, you may use:
@ -163,6 +167,8 @@ First, securely transfer the generated `.mobileconfig` file to your iOS device,
When finished, check to make sure "IKEv2 VPN configuration" is listed under Settings -> General -> Profile(s).
To connect to the VPN:
1. Go to Settings -> General -> VPN.
1. Select the VPN connection with `Your VPN Server IP` (or DNS name).
1. Slide the **VPN** switch ON.
@ -200,6 +206,8 @@ When finished, check to make sure both the new client certificate and `IKEv2 VPN
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
### Android
1. Securely transfer the generated `.sswan` file to your Android device.
@ -213,7 +221,7 @@ Once successfully connected, you can verify that your traffic is being routed pr
1. Tap **IMPORT**.
1. Tap the new VPN profile to connect.
(Optional feature) You can choose to enable the "Always-on VPN" feature on Android. Launch the **Settings** app, go to Network & internet -> Advanced -> VPN, click the gear icon on the right of "strongSwan VPN Client", then enable the "Always-on VPN" and "Block connections without VPN" options.
(Optional feature) You can choose to enable the "Always-on VPN" feature on Android. Launch the **Settings** app, go to Network & internet -> Advanced -> VPN, click the gear icon on the right of "strongSwan VPN Client", then enable the **Always-on VPN** and **Block connections without VPN** options.
<details>
<summary>
@ -254,6 +262,8 @@ If you manually set up IKEv2 without using the helper script, click here for ins
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see <a href="clients.md#troubleshooting" target="_blank">Troubleshooting</a>.
## Manage client certificates
### List existing clients