Update IKEv2 docs
- Add Linux instructions for IKEv2
parent bf0f557416, commit de2acaabc5
@ -23,6 +23,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
- OS X (macOS)
- iOS (iPhone/iPad)
- Android 4.x 和更新版本(使用 strongSwan VPN 客户端)
- Linux

在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPN:IKEv2,以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。

@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments.
* [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios)
* [Android](#android)
* [Linux](#linux)

### Windows 7, 8.x 和 10

@ -285,6 +287,63 @@ To customize IKEv2 or client options, run this script without arguments.

如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。

### Linux

在配置 Linux 客户端之前,你必须更改 VPN 服务器上的以下设置:编辑服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节的末尾添加 `authby=rsa-sha1`,开头必须空两格。保存文件并运行 `service ipsec restart`。

要配置你的 Linux 计算机以作为客户端连接到 IKEv2,首先安装 NetworkManager 的 strongSwan 插件:

```bash
# Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan

# Arch Linux
sudo pacman -Syu # 升级所有软件包
sudo pacman -S networkmanager-strongswan

# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan
```

下一步,将生成的 `.p12` 文件安全地从 VPN 服务器传送到你的 Linux 计算机。然后提取 CA 证书,客户端证书和私钥。将下面示例中的 `vpnclient.p12` 换成你的 `.p12` 文件名。

```bash
# 示例:提取 CA 证书,客户端证书和私钥。在完成后可以删除 .p12 文件。
# 注:你将需要输入 import password,它可以在 IKEv2 辅助脚本的输出中找到。
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
rm vpnclient.p12

# (重要)保护证书和私钥文件
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
```

然后你可以创建并启用 VPN 连接:

1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。
1. 选择 **IPsec/IKEv2 (strongswan)**。
1. 在 **Name** 字段中输入任意内容。
1. 在 **Gateway (Server)** 部分的 **Address** 字段中输入 `你的 VPN 服务器 IP`(或者域名)。
1. 为 **Certificate** 字段选择 `ikev2vpnca.cer` 文件。
1. 在 **Client** 部分的 **Authentication** 下拉菜单选择 **Certificate(/private key)**。
1. 在 **Certificate** 下拉菜单(如果存在)选择 **Certificate/private key**。
1. 为 **Certificate (file)** 字段选择 `vpnclient.cer` 文件。
1. 为 **Private key** 字段选择 `vpnclient.key` 文件。
1. 在 **Options** 部分,选中 **Request an inner IP address** 复选框。
1. 在 **Cipher proposals (Algorithms)** 部分,选中 **Enable custom proposals** 复选框。
1. 保持 **IKE** 字段空白。
1. 在 **ESP** 字段中输入 `aes128gcm16`.
1. 单击 **Add** 保存 VPN 连接信息。
1. 启用 **VPN** 连接。

连接成功后,你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。

如果在连接过程中遇到错误,请参见 [故障排除](#故障排除)。

## 管理客户端证书

### 列出已有的客户端

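Review bot: the server-side instruction to append `authby=rsa-sha1` to `conn ikev2-cp` changes authentication for every IKEv2 client that uses this conn, not only Linux, and pins certificate signatures to SHA-1; the paragraph should say so and state why the strongSwan NetworkManager client requires it, so that readers of the other client sections are not surprised by a change that also affects them. In the extraction block, `sudo chown root.root ...` should use the `root:root` form; the dot separator is a legacy spelling.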
@ -23,6 +23,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
- OS X (macOS)
- iOS (iPhone/iPad)
- Android 4.x and newer (using the strongSwan VPN client)
- Linux

After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes.

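Review bot: the new `- Linux` entry in the supported clients list should name the client it covers, as the Android entry does (`using the strongSwan VPN client`), for example `- Linux (using the strongSwan plugin for NetworkManager)`, since the section added later in this commit only documents that client and the server-side `authby` change it needs.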
@ -87,6 +88,7 @@ To customize IKEv2 or client options, run this script without arguments.
* [OS X (macOS)](#os-x-macos)
* [iOS (iPhone/iPad)](#ios)
* [Android](#android)
* [Linux](#linux)

### Windows 7, 8.x and 10

@ -285,6 +287,65 @@ Once successfully connected, you can verify that your traffic is being routed pr

If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).

### Linux

Before configuring Linux VPN clients, you must make the following change on the VPN server: Edit `/etc/ipsec.d/ikev2.conf` on the server. Append `authby=rsa-sha1` to the end of the `conn ikev2-cp` section, indented by two spaces. Save the file and run `service ipsec restart`.

To configure your Linux computer to connect to IKEv2 as a VPN client, first install the strongSwan plugin for NetworkManager:

```bash
# Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan

# Arch Linux
sudo pacman -Syu # upgrade all packages
sudo pacman -S networkmanager-strongswan

# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan
```

Next, securely transfer the generated `.p12` file from the VPN server to your Linux computer. After that, extract the CA certificate, client certificate and private key. Replace `vpnclient.p12` in the example below with the name of your `.p12` file.

```bash
# Example: Extract CA certificate, client certificate and private key.
# You may delete the .p12 file when finished.
# Note: You will need to enter the import password, which can be found
# in the output of the IKEv2 helper script.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key
rm vpnclient.p12

# (Important) Protect certificate and private key files
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
```

You can then set up and enable the VPN connection:

1. Go to Settings -> Network -> VPN. Click the **+** button.
1. Select **IPsec/IKEv2 (strongswan)**.
1. Enter anything you like in the **Name** field.
1. In the **Gateway (Server)** section, enter `Your VPN Server IP` (or DNS name) for the **Address**.
1. Select the `ikev2vpnca.cer` file for the **Certificate**.
1. In the **Client** section, select **Certificate(/private key)** in the **Authentication** drop-down menu.
1. Select **Certificate/private key** in the **Certificate** drop-down menu (if exists).
1. Select the `vpnclient.cer` file for the **Certificate (file)**.
1. Select the `vpnclient.key` file for the **Private key**.
1. In the **Options** section, check the **Request an inner IP address** checkbox.
1. In the **Cipher proposals (Algorithms)** section, check the **Enable custom proposals** checkbox.
1. Leave the **IKE** field blank.
1. Enter `aes128gcm16` in the **ESP** field.
1. Click **Add** to save the VPN connection information.
1. Turn the **VPN** switch ON.

Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://www.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".

If you get an error when trying to connect, see [Troubleshooting](#troubleshooting).

## Manage client certificates

### List existing clients

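Review bot: `openssl pkcs12 -in vpnclient.p12 -nocerts -nodes -out vpnclient.key` writes the unencrypted private key under the user's default umask (typically mode 0644, readable by every local account) and it is only tightened by the later `sudo chmod 600`; suggest adding `umask 077` at the top of the block so `vpnclient.key` is created without a world-readable window, and spelling the owner as `root:root` rather than `root.root` in the `chown` line. The server-side paragraph should also note that `authby=rsa-sha1` on `conn ikev2-cp` applies to all IKEv2 clients of this server, not only Linux, since the other client sections share that conn.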