From de2acaabc5bf3aec79800295aad09b413b75e71b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 27 Mar 2021 00:29:57 -0500 Subject: [PATCH] Update IKEv2 docs - Add Linux instructions for IKEv2 --- docs/ikev2-howto-zh.md | 59 ++++++++++++++++++++++++++++++++++++++++ docs/ikev2-howto.md | 61 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 1b9ed90..b809caf 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -23,6 +23,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - OS X (macOS) - iOS (iPhone/iPad) - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) +- Linux 在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPN:IKEv2,以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。 @@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments. * [OS X (macOS)](#os-x-macos) * [iOS (iPhone/iPad)](#ios) * [Android](#android) +* [Linux](#linux) ### Windows 7, 8.x 和 10 
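Review bot: the new `- Linux` entry in the `@@ -23` hunk of docs/ikev2-howto-zh.md should name the client it depends on, as the neighbouring Android entry does (`Android 4.x 和更新版本(使用 strongSwan VPN 客户端)`), because the instructions added later in this patch only cover the NetworkManager strongSwan plugin (`network-manager-strongswan`), not an arbitrary Linux IPsec client; something like `- Linux (使用 NetworkManager 的 strongSwan 插件)` sets the right expectation. The same applies to the matching `- Linux` line added to docs/ikev2-howto.md further down in this patch.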
@@ -285,6 +287,63 @@ To customize IKEv2 or client options, run this script without arguments. 如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 +### Linux + +在配置 Linux 客户端之前,你必须更改 VPN 服务器上的以下设置:编辑服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节的末尾添加 `authby=rsa-sha1`,开头必须空两格。保存文件并运行 `service ipsec restart`。 + +要配置你的 Linux 计算机以作为客户端连接到 IKEv2,首先安装 NetworkManager 的 strongSwan 插件: + +```bash +# Ubuntu and Debian +sudo apt-get update +sudo apt-get install network-manager-strongswan + +# Arch Linux +sudo pacman -Syu # 升级所有软件包 +sudo pacman -S networkmanager-strongswan + +# CentOS +sudo yum install epel-release +sudo yum --enablerepo=epel install NetworkManager-strongswan +``` + +下一步,将生成的 `.p12` 文件安全地从 VPN 服务器传送到你的 Linux 计算机。然后提取 CA 证书,客户端证书和私钥。将下面示例中的 `vpnclient.p12` 换成你的 `.p12` 文件名。 + +```bash +# 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。 +# 注:你将需要输入 import password,它可以在 IKEv2 辅助脚本的输出中找到。 +openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer +openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer +openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key +rm vpnclient.p12 + +# (重要)保护证书和私钥文件 +sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key +sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key +``` + +然后你可以创建并启用 VPN 连接: + +1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 +1. 选择 **IPsec/IKEv2 (strongswan)**。 +1. 在 **Name** 字段中输入任意内容。 +1. 在 **Gateway (Server)** 部分的 **Address** 字段中输入 `你的 VPN 服务器 IP`(或者域名)。 +1. 为 **Certificate** 字段选择 `ikev2vpnca.cer` 文件。 +1. 在 **Client** 部分的 **Authentication** 下拉菜单选择 **Certificate(/private key)**。 +1. 在 **Certificate** 下拉菜单(如果存在)选择 **Certificate/private key**。 +1. 为 **Certificate (file)** 字段选择 `vpnclient.cer` 文件。 +1. 为 **Private key** 字段选择 `vpnclient.key` 文件。 +1. 在 **Options** 部分,选中 **Request an inner IP address** 复选框。 +1. 在 **Cipher proposals (Algorithms)** 部分,选中 **Enable custom proposals** 复选框。 +1. 保持 **IKE** 字段空白。 +1. 在 **ESP** 字段中输入 `aes128gcm16`. +1. 单击 **Add** 保存 VPN 连接信息。 +1. 
启用 **VPN** 连接。 + +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 + ## 管理客户端证书 ### 列出已有的客户端 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index f8996bf..ee9c9bf 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -23,6 +23,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - OS X (macOS) - iOS (iPhone/iPad) - Android 4.x and newer (using the strongSwan VPN client) +- Linux After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes. @@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments. * [OS X (macOS)](#os-x-macos) * [iOS (iPhone/iPad)](#ios) * [Android](#android) +* [Linux](#linux) ### Windows 7, 8.x and 10 
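Review bot: in the `@@ -285` hunk of docs/ikev2-howto-zh.md, `openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key` writes the unencrypted private key with whatever umask the user has, and the protecting `chmod 600` only runs three commands later (after `rm vpnclient.p12` and `chown`), so the key can sit readable by other local users in between; add `umask 077` before the first `openssl` line, or move the `chmod` directly after the key extraction, so the file is never created with loose permissions. Two smaller points in the same hunk: `sudo chown root.root ...` uses the legacy `user.group` separator and should be `sudo chown root:root ...`, and step 13 (`在 **ESP** 字段中输入 \`aes128gcm16\`.`) ends with an ASCII `.` while every other step in the list ends with `。`. The key-handling and `chown` fixes apply equally to the identical commands in the English hunk of docs/ikev2-howto.md.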
@@ -285,6 +287,65 @@ Once successfully connected, you can verify that your traffic is being routed pr If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). +### Linux + +Before configuring Linux VPN clients, you must make the following change on the VPN server: Edit `/etc/ipsec.d/ikev2.conf` on the server. Append `authby=rsa-sha1` to the end of the `conn ikev2-cp` section, indented by two spaces. Save the file and run `service ipsec restart`. + +To configure your Linux computer to connect to IKEv2 as a VPN client, first install the strongSwan plugin for NetworkManager: + +```bash +# Ubuntu and Debian +sudo apt-get update +sudo apt-get install network-manager-strongswan + +# Arch Linux +sudo pacman -Syu # upgrade all packages +sudo pacman -S networkmanager-strongswan + +# CentOS +sudo yum install epel-release +sudo yum --enablerepo=epel install NetworkManager-strongswan +``` + +Next, securely transfer the generated `.p12` file from the VPN server to your Linux computer. After that, extract the CA certificate, client certificate and private key. Replace `vpnclient.p12` in the example below with the name of your `.p12` file. + +```bash +# Example: Extract CA certificate, client certificate and private key. +# You may delete the .p12 file when finished. +# Note: You will need to enter the import password, which can be found +# in the output of the IKEv2 helper script. +openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer +openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer +openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key +rm vpnclient.p12 + +# (Important) Protect certificate and private key files +sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key +sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key +``` + +You can then set up and enable the VPN connection: + +1. Go to Settings -> Network -> VPN. Click the **+** button. +1. Select **IPsec/IKEv2 (strongswan)**. +1. 
Enter anything you like in the **Name** field. +1. In the **Gateway (Server)** section, enter `Your VPN Server IP` (or DNS name) for the **Address**. +1. Select the `ikev2vpnca.cer` file for the **Certificate**. +1. In the **Client** section, select **Certificate(/private key)** in the **Authentication** drop-down menu. +1. Select **Certificate/private key** in the **Certificate** drop-down menu (if exists). +1. Select the `vpnclient.cer` file for the **Certificate (file)**. +1. Select the `vpnclient.key` file for the **Private key**. +1. In the **Options** section, check the **Request an inner IP address** checkbox. +1. In the **Cipher proposals (Algorithms)** section, check the **Enable custom proposals** checkbox. +1. Leave the **IKE** field blank. +1. Enter `aes128gcm16` in the **ESP** field. +1. Click **Add** to save the VPN connection information. +1. Turn the **VPN** switch ON. + +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + +If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). + ## Manage client certificates ### List existing clients
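Review bot: the `authby=rsa-sha1` step in the `@@ -285` hunk of docs/ikev2-howto.md edits `conn ikev2-cp`, the server-side connection that all IKEv2 clients (Windows, macOS, iOS, Android) negotiate against, yet the text frames it as a Linux-only prerequisite and gives no reason for it; the paragraph should state why the NetworkManager strongSwan client needs RSA-over-SHA-1 signature authentication and make clear that enabling it changes what the server accepts for every client, since SHA-1 is a weaker hash than the SHA-2 family, so readers can weigh that before following the step. A one-line way to say it: "This allows RSA-SHA1 authentication for all IKEv2 clients on this server; it is required by the NetworkManager strongSwan plugin." The same wording appears in the zh hunk and needs the same explanation.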