mirror of synced 2025-03-03 19:33:16 +03:00

Update IKEv2 docs

- Add Linux instructions for IKEv2
This commit is contained in:
hwdsl2 2021-03-27 00:29:57 -05:00
parent bf0f557416
commit de2acaabc5
2 changed files with 120 additions and 0 deletions

View File

@ -23,6 +23,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- OS X (macOS) - OS X (macOS)
- iOS (iPhone/iPad) - iOS (iPhone/iPad)
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端) - Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
- Linux
在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPNIKEv2以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。 在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPNIKEv2以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。
@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments.
* [OS X (macOS)](#os-x-macos) * [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
* [Android](#android) * [Android](#android)
* [Linux](#linux)
### Windows 7, 8.x 和 10 ### Windows 7, 8.x 和 10
@ -285,6 +287,63 @@ To customize IKEv2 or client options, run this script without arguments.
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。 如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
### Linux
在配置 Linux 客户端之前,你必须更改 VPN 服务器上的以下设置:编辑服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节的末尾添加 `authby=rsa-sha1`,开头必须空两格。保存文件并运行 `service ipsec restart`
要配置你的 Linux 计算机以作为客户端连接到 IKEv2首先安装 NetworkManager 的 strongSwan 插件:
```bash
# Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan
# Arch Linux
sudo pacman -Syu # 升级所有软件包
sudo pacman -S networkmanager-strongswan
# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan
```
下一步,将生成的 `.p12` 文件安全地从 VPN 服务器传送到你的 Linux 计算机。然后提取 CA 证书,客户端证书和私钥。将下面示例中的 `vpnclient.p12` 换成你的 `.p12` 文件名。
```bash
# 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。
# 注:你将需要输入 import password它可以在 IKEv2 辅助脚本的输出中找到。
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
rm vpnclient.p12
# (重要)保护证书和私钥文件
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
```
然后你可以创建并启用 VPN 连接:
1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。
1. 选择 **IPsec/IKEv2 (strongswan)**
1. 在 **Name** 字段中输入任意内容。
1. 在 **Gateway (Server)** 部分的 **Address** 字段中输入 `你的 VPN 服务器 IP`(或者域名)。
1. 为 **Certificate** 字段选择 `ikev2vpnca.cer` 文件。
1. 在 **Client** 部分的 **Authentication** 下拉菜单选择 **Certificate(/private key)**
1. 在 **Certificate** 下拉菜单(如果存在)选择 **Certificate/private key**
1. 为 **Certificate (file)** 字段选择 `vpnclient.cer` 文件。
1. 为 **Private key** 字段选择 `vpnclient.key` 文件。
1. 在 **Options** 部分,选中 **Request an inner IP address** 复选框。
1. 在 **Cipher proposals (Algorithms)** 部分,选中 **Enable custom proposals** 复选框。
1. 保持 **IKE** 字段空白。
1. 在 **ESP** 字段中输入 `aes128gcm16`.
1. 单击 **Add** 保存 VPN 连接信息。
1. 启用 **VPN** 连接。
连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`
如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。
## 管理客户端证书 ## 管理客户端证书
### 列出已有的客户端 ### 列出已有的客户端
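Review bot: the key-extraction block in this hunk writes the private key unencrypted (`openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key`) under the user's default umask and only restricts it two commands later (`sudo chmod 600 ...`), and it deletes the archive (`rm vpnclient.p12`) before that protection step, so a failed chown/chmod leaves the reader with a world-readable key and no .p12 to redo the extraction from. Suggest prefixing the block with `umask 077` (or writing the files into a directory created with mode 700), moving `rm vpnclient.p12` after the chown/chmod lines, and using the `root:root` form instead of the older `root.root`. It would also help to state why the files are chowned to root (the NetworkManager strongSwan plugin runs as root and still reads them, while the desktop user no longer can), since a reader who cannot select the files in the GUI file chooser afterwards will otherwise undo the chmod.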

View File

@ -23,6 +23,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- OS X (macOS) - OS X (macOS)
- iOS (iPhone/iPad) - iOS (iPhone/iPad)
- Android 4.x and newer (using the strongSwan VPN client) - Android 4.x and newer (using the strongSwan VPN client)
- Linux
After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes. After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes.
@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments.
* [OS X (macOS)](#os-x-macos) * [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios) * [iOS (iPhone/iPad)](#ios)
* [Android](#android) * [Android](#android)
* [Linux](#linux)
### Windows 7, 8.x and 10 ### Windows 7, 8.x and 10
@ -285,6 +287,65 @@ Once successfully connected, you can verify that your traffic is being routed pr
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting). If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
### Linux
Before configuring Linux VPN clients, you must make the following change on the VPN server: Edit `/etc/ipsec.d/ikev2.conf` on the server. Append `authby=rsa-sha1` to the end of the `conn ikev2-cp` section, indented by two spaces. Save the file and run `service ipsec restart`.
To configure your Linux computer to connect to IKEv2 as a VPN client, first install the strongSwan plugin for NetworkManager:
```bash
# Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan
# Arch Linux
sudo pacman -Syu # upgrade all packages
sudo pacman -S networkmanager-strongswan
# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan
```
Next, securely transfer the generated `.p12` file from the VPN server to your Linux computer. After that, extract the CA certificate, client certificate and private key. Replace `vpnclient.p12` in the example below with the name of your `.p12` file.
```bash
# Example: Extract CA certificate, client certificate and private key.
# You may delete the .p12 file when finished.
# Note: You will need to enter the import password, which can be found
# in the output of the IKEv2 helper script.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
rm vpnclient.p12
# (Important) Protect certificate and private key files
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
```
You can then set up and enable the VPN connection:
1. Go to Settings -> Network -> VPN. Click the **+** button.
1. Select **IPsec/IKEv2 (strongswan)**.
1. Enter anything you like in the **Name** field.
1. In the **Gateway (Server)** section, enter `Your VPN Server IP` (or DNS name) for the **Address**.
1. Select the `ikev2vpnca.cer` file for the **Certificate**.
1. In the **Client** section, select **Certificate(/private key)** in the **Authentication** drop-down menu.
1. Select **Certificate/private key** in the **Certificate** drop-down menu (if exists).
1. Select the `vpnclient.cer` file for the **Certificate (file)**.
1. Select the `vpnclient.key` file for the **Private key**.
1. In the **Options** section, check the **Request an inner IP address** checkbox.
1. In the **Cipher proposals (Algorithms)** section, check the **Enable custom proposals** checkbox.
1. Leave the **IKE** field blank.
1. Enter `aes128gcm16` in the **ESP** field.
1. Click **Add** to save the VPN connection information.
1. Turn the **VPN** switch ON.
Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).
## Manage client certificates ## Manage client certificates
### List existing clients ### List existing clients
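Review bot: the server-side prerequisite at the top of the Linux section ("Append `authby=rsa-sha1` to the end of the `conn ikev2-cp` section ... run `service ipsec restart`") changes the authentication method of the whole `ikev2-cp` connection, i.e. for every IKEv2 client the page covers (Windows, macOS, iOS, Android), not only Linux, and the setting's name says what it does: IKE authentication with RSA over SHA-1, a weaker signature method than what the server negotiated before the change. The text should say plainly that this is a compatibility accommodation for the NetworkManager-strongswan client, that it applies server-wide, and that `service ipsec restart` disconnects every currently connected IPsec client. If the strongSwan plugin version in use supports RSA-PSS signatures, documenting that client-side alternative instead of the server downgrade would let readers keep the stronger default.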