Update IKEv2 docs

- Update Windows IKEv2 client instructions, with steps to import the .p12 file using certutil, and add the VPN connection using Windows PowerShell for improved security and performance.
2025-02-07 07:49:25 +03:00 · 2021-01-28 01:57:50 -06:00 · 2021-01-28 01:57:50 -06:00 · ec5dda8c1c
commit ec5dda8c1c
parent 0ed9015a6b
2 changed files with 32 additions and 6 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -73,14 +73,27 @@ To customize IKEv2 or client options, run this script without arguments.

 ### Windows 7, 8.x 和 10

-1. 将生成的 `.p12` 文件安全地传送到你的计算机，然后导入到 "计算机账户" 证书存储。在导入证书后，你必须确保将客户端证书放在 "个人 -> 证书" 目录中，并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
+1. 将生成的 `.p12` 文件安全地传送到你的计算机，然后导入到 "计算机账户" 证书存储。要导入 `.p12` 文件，打开 <a href="http://www.cnblogs.com/xxcanghai/p/4610054.html" target="_blank">提升权限命令提示符</a> 并运行以下命令：

-   详细的操作步骤：   
+   ```console
+   certutil -f -importpfx ".p12文件的完整路径" NoExport
+   ```
+
+   另外，你也可以手动导入 `.p12` 文件。详情参见下面的链接。在导入证书后，你必须确保将客户端证书放在 "个人 -> 证书" 目录中，并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

   **注：** Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。参见 [已知问题](#已知问题)。

-1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接：   
+1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。对于 Windows 8.x 和 10 用户，推荐使用下面的 Windows PowerShell 命令来创建 VPN 连接，以达到更佳的 VPN 安全性和性能。将 `你的 VPN 服务器 IP（或者域名）` 换成你自己的值。
+
+   ```console
+   # 创建 VPN 连接
+   Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "你的 VPN 服务器 IP（或者域名）" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
+   # 设置 IPsec 参数
+   Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
+   ```
+
+   另外，你也可以手动创建 VPN 连接。参见这里：   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

   **注：** 如果你在配置 IKEv2 时指定了服务器的域名（而不是 IP 地址），则必须在 **Internet地址** 字段中输入该域名。
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -73,14 +73,27 @@ To customize IKEv2 or client options, run this script without arguments.

 ### Windows 7, 8.x and 10

-1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
+1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. To import the `.p12` file, run the following from an <a href="http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/" target="_blank">elevated command prompt</a>:

-   Detailed instructions:   
+   ```console
+   certutil -f -importpfx "path\to\your\p12\file.p12" NoExport
+   ```
+
+   Alternatively, you can manually import the `.p12` file. See instructions at the link below. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

   **Note:** Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. See [Known issues](#known-issues).

-1. On the Windows computer, add a new IKEv2 VPN connection:   
+1. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10 users, it is recommended to create the VPN connection using these Windows PowerShell commands for improved security and performance. Replace `Your VPN Server IP (or DNS name)` with your own value.
+
+   ```console
+   # Create VPN connection
+   Add-VpnConnection -Name "My IKEv2 VPN" -ServerAddress "Your VPN Server IP (or DNS name)" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru
+   # Set IPsec configuration
+   Set-VpnConnectionIPsecConfiguration -ConnectionName "My IKEv2 VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
+   ```
+
+   Alternatively, you can manually create the VPN connection. See:   
   https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

   **Note:** If you specified the server's DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the **Internet address** field.