Compare commits
2 Commits
14af42f8d5
...
41d37e808e
Author | SHA1 | Date | |
---|---|---|---|
|
41d37e808e | ||
|
f153405117 |
@ -186,9 +186,11 @@ https://gitlab.com/hwdsl2/setup-ipsec-vpn/-/raw/master/vpnsetup.sh
|
|||||||
|
|
||||||
## 下一步
|
## 下一步
|
||||||
|
|
||||||
|
*其他语言版本: [English](README.md#next-steps), [中文](README-zh.md#下一步)。*
|
||||||
|
|
||||||
配置你的计算机或其它设备使用 VPN。请参见:
|
配置你的计算机或其它设备使用 VPN。请参见:
|
||||||
|
|
||||||
[**IKEv2 VPN 配置和使用指南**](docs/ikev2-howto-zh.md)
|
[**配置 IKEv2 VPN 客户端(推荐)**](docs/ikev2-howto-zh.md)
|
||||||
|
|
||||||
[**配置 IPsec/L2TP VPN 客户端**](docs/clients-zh.md)
|
[**配置 IPsec/L2TP VPN 客户端**](docs/clients-zh.md)
|
||||||
|
|
||||||
|
@ -186,9 +186,11 @@ If you are unable to download, open [vpnsetup.sh](vpnsetup.sh), then click the `
|
|||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
|
||||||
|
*Read this in other languages: [English](README.md#next-steps), [中文](README-zh.md#下一步).*
|
||||||
|
|
||||||
Get your computer or device to use the VPN. Please refer to:
|
Get your computer or device to use the VPN. Please refer to:
|
||||||
|
|
||||||
[**Guide: How to Set Up and Use IKEv2 VPN**](docs/ikev2-howto.md)
|
[**Configure IKEv2 VPN clients (recommended)**](docs/ikev2-howto.md)
|
||||||
|
|
||||||
[**Configure IPsec/L2TP VPN Clients**](docs/clients.md)
|
[**Configure IPsec/L2TP VPN Clients**](docs/clients.md)
|
||||||
|
|
||||||
|
@ -5,121 +5,22 @@
|
|||||||
**注:** 你也可以使用 [IPsec/L2TP](clients-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
|
**注:** 你也可以使用 [IPsec/L2TP](clients-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。
|
||||||
|
|
||||||
* [导言](#导言)
|
* [导言](#导言)
|
||||||
* [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2)
|
|
||||||
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
|
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
|
||||||
* [管理客户端证书](#管理客户端证书)
|
* [管理客户端证书](#管理客户端证书)
|
||||||
* [故障排除](#故障排除)
|
* [故障排除](#故障排除)
|
||||||
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
|
* [更改 IKEv2 服务器地址](#更改-ikev2-服务器地址)
|
||||||
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
|
* [更新 IKEv2 辅助脚本](#更新-ikev2-辅助脚本)
|
||||||
|
* [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2)
|
||||||
* [手动配置 IKEv2](#手动配置-ikev2)
|
* [手动配置 IKEv2](#手动配置-ikev2)
|
||||||
* [移除 IKEv2](#移除-ikev2)
|
* [移除 IKEv2](#移除-ikev2)
|
||||||
* [参考链接](#参考链接)
|
|
||||||
|
|
||||||
## 导言
|
## 导言
|
||||||
|
|
||||||
现代操作系统(比如 Windows 7 和更新版本)支持 IKEv2 协议标准。因特网密钥交换(英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的 [功能改进](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) 包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
|
现代操作系统支持 IKEv2 协议标准。因特网密钥交换(英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的 [功能改进](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) 包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。
|
||||||
|
|
||||||
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统:
|
Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于 Windows, macOS, iOS, Android, Linux 和 RouterOS。
|
||||||
|
|
||||||
- Windows 7, 8, 10 和 11
|
默认情况下,运行 VPN 安装脚本时会自动配置 IKEv2。如果你想了解有关配置 IKEv2 的更多信息,请参见 [使用辅助脚本配置 IKEv2](#使用辅助脚本配置-ikev2)。
|
||||||
- OS X (macOS)
|
|
||||||
- iOS (iPhone/iPad)
|
|
||||||
- Android 4 和更新版本(使用 strongSwan VPN 客户端)
|
|
||||||
- Linux
|
|
||||||
- Mikrotik RouterOS
|
|
||||||
|
|
||||||
在按照本指南操作之后,你将可以选择三种模式中的任意一种连接到 VPN:IKEv2,以及已有的 [IPsec/L2TP](clients-zh.md) 和 [IPsec/XAuth ("Cisco IPsec")](clients-xauth-zh.md) 模式。
|
|
||||||
|
|
||||||
## 使用辅助脚本配置 IKEv2
|
|
||||||
|
|
||||||
**注:** 默认情况下,运行 VPN 安装脚本时会自动配置 IKEv2。你可以跳过此部分并转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。
|
|
||||||
|
|
||||||
**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。
|
|
||||||
|
|
||||||
使用这个 [辅助脚本](../extras/ikev2setup.sh) 来自动地在 VPN 服务器上配置 IKEv2:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# 使用默认选项配置 IKEv2
|
|
||||||
sudo ikev2.sh --auto
|
|
||||||
# 或者你也可以自定义 IKEv2 选项
|
|
||||||
sudo ikev2.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
**注:** 如果已配置 IKEv2,但是你想要自定义 IKEv2 选项,首先 [移除 IKEv2](#移除-ikev2),然后运行 `sudo ikev2.sh` 重新配置。
|
|
||||||
|
|
||||||
在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
|
|
||||||
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
错误:"sudo: ikev2.sh: command not found".
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
如果你使用了较早版本的 VPN 安装脚本,这是正常的。首先下载 IKEv2 辅助脚本:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
|
||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
|
|
||||||
```
|
|
||||||
|
|
||||||
然后按照上面的说明运行脚本。
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 IKEv2 服务器地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
类似地,你可以指定第一个 IKEv2 客户端的名称。如果未指定,则使用默认值 `vpnclient`。
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
在 VPN 已连接时,IKEv2 客户端默认配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。你可以为 IKEv2 指定另外的 DNS 服务器。示例如下:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
默认情况下,导入 IKEv2 客户端配置时不需要密码。你可以选择使用随机密码保护客户端配置文件。
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
了解如何更改 IKEv2 服务器地址。
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要了解更多信息,参见 [这一小节](#更改-ikev2-服务器地址)。
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
查看 IKEv2 脚本的使用信息。
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
```
|
|
||||||
Usage: bash ikev2.sh [options]
|
|
||||||
|
|
||||||
Options:
|
|
||||||
--auto run IKEv2 setup in auto mode using default options (for initial setup only)
|
|
||||||
--addclient [client name] add a new client using default options
|
|
||||||
--exportclient [client name] export configuration for an existing client
|
|
||||||
--listclients list the names of existing clients
|
|
||||||
--revokeclient [client name] revoke a client certificate
|
|
||||||
--deleteclient [client name] delete a client certificate
|
|
||||||
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
|
|
||||||
To customize IKEv2 or client options, run this script without arguments.
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
|
|
||||||
## 配置 IKEv2 VPN 客户端
|
## 配置 IKEv2 VPN 客户端
|
||||||
|
|
||||||
@ -784,6 +685,97 @@ wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
|||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## 使用辅助脚本配置 IKEv2
|
||||||
|
|
||||||
|
**注:** 默认情况下,运行 VPN 安装脚本时会自动配置 IKEv2。你可以跳过此部分并转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。
|
||||||
|
|
||||||
|
**重要:** 在继续之前,你应该已经成功地 [搭建自己的 VPN 服务器](../README-zh.md)。**Docker 用户请看 [这里](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)**。
|
||||||
|
|
||||||
|
使用这个 [辅助脚本](../extras/ikev2setup.sh) 来自动地在 VPN 服务器上配置 IKEv2:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# 使用默认选项配置 IKEv2
|
||||||
|
sudo ikev2.sh --auto
|
||||||
|
# 或者你也可以自定义 IKEv2 选项
|
||||||
|
sudo ikev2.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
**注:** 如果已配置 IKEv2,但是你想要自定义 IKEv2 选项,首先 [移除 IKEv2](#移除-ikev2),然后运行 `sudo ikev2.sh` 重新配置。
|
||||||
|
|
||||||
|
在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。高级用户可以启用 [仅限 IKEv2 模式](advanced-usage-zh.md#仅限-ikev2-的-vpn)。这是可选的。
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
错误:"sudo: ikev2.sh: command not found".
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
如果你使用了较早版本的 VPN 安装脚本,这是正常的。首先下载 IKEv2 辅助脚本:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
||||||
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
|
||||||
|
```
|
||||||
|
|
||||||
|
然后按照上面的说明运行脚本。
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
在使用自动模式安装 IKEv2 时,高级用户可以指定一个域名作为 IKEv2 服务器地址。这是可选的。该域名必须是一个全称域名(FQDN)。示例如下:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
类似地,你可以指定第一个 IKEv2 客户端的名称。如果未指定,则使用默认值 `vpnclient`。
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
在 VPN 已连接时,IKEv2 客户端默认配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。你可以为 IKEv2 指定另外的 DNS 服务器。示例如下:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
默认情况下,导入 IKEv2 客户端配置时不需要密码。你可以选择使用随机密码保护客户端配置文件。
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
了解如何更改 IKEv2 服务器地址。
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
在某些情况下,你可能需要在配置之后更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要了解更多信息,参见 [这一小节](#更改-ikev2-服务器地址)。
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
查看 IKEv2 脚本的使用信息。
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
```
|
||||||
|
Usage: bash ikev2.sh [options]
|
||||||
|
|
||||||
|
Options:
|
||||||
|
--auto run IKEv2 setup in auto mode using default options (for initial setup only)
|
||||||
|
--addclient [client name] add a new client using default options
|
||||||
|
--exportclient [client name] export configuration for an existing client
|
||||||
|
--listclients list the names of existing clients
|
||||||
|
--revokeclient [client name] revoke a client certificate
|
||||||
|
--deleteclient [client name] delete a client certificate
|
||||||
|
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
|
||||||
|
To customize IKEv2 or client options, run this script without arguments.
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
## 手动配置 IKEv2
|
## 手动配置 IKEv2
|
||||||
|
|
||||||
除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动在 VPN 服务器上配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。
|
除了使用 [辅助脚本](#使用辅助脚本配置-ikev2) 之外,高级用户也可以手动在 VPN 服务器上配置 IKEv2。在继续之前,推荐 [升级 Libreswan](../README-zh.md#升级libreswan) 到最新版本。
|
||||||
|
@ -5,121 +5,22 @@
|
|||||||
**Note:** You may also connect using [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
|
**Note:** You may also connect using [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode.
|
||||||
|
|
||||||
* [Introduction](#introduction)
|
* [Introduction](#introduction)
|
||||||
* [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script)
|
|
||||||
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
|
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
|
||||||
* [Manage client certificates](#manage-client-certificates)
|
* [Manage client certificates](#manage-client-certificates)
|
||||||
* [Troubleshooting](#troubleshooting)
|
* [Troubleshooting](#troubleshooting)
|
||||||
* [Change IKEv2 server address](#change-ikev2-server-address)
|
* [Change IKEv2 server address](#change-ikev2-server-address)
|
||||||
* [Update IKEv2 helper script](#update-ikev2-helper-script)
|
* [Update IKEv2 helper script](#update-ikev2-helper-script)
|
||||||
|
* [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script)
|
||||||
* [Manually set up IKEv2](#manually-set-up-ikev2)
|
* [Manually set up IKEv2](#manually-set-up-ikev2)
|
||||||
* [Remove IKEv2](#remove-ikev2)
|
* [Remove IKEv2](#remove-ikev2)
|
||||||
* [References](#references)
|
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
Modern operating systems (such as Windows 7 and newer) support the IKEv2 standard. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains [improvements](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) such as Standard Mobility support through MOBIKE, and improved reliability.
|
Modern operating systems support the IKEv2 standard. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains [improvements](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) such as Standard Mobility support through MOBIKE, and improved reliability.
|
||||||
|
|
||||||
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
|
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with Windows, macOS, iOS, Android, Linux and RouterOS.
|
||||||
|
|
||||||
- Windows 7, 8, 10 and 11
|
By default, IKEv2 is automatically set up when running the VPN setup script. If you want to learn more about setting up IKEv2, see [Set up IKEv2 using helper script](#set-up-ikev2-using-helper-script).
|
||||||
- OS X (macOS)
|
|
||||||
- iOS (iPhone/iPad)
|
|
||||||
- Android 4 and newer (using the strongSwan VPN client)
|
|
||||||
- Linux
|
|
||||||
- Mikrotik RouterOS
|
|
||||||
|
|
||||||
After following this guide, you will be able to connect to the VPN using IKEv2 in addition to the existing [IPsec/L2TP](clients.md) and [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) modes.
|
|
||||||
|
|
||||||
## Set up IKEv2 using helper script
|
|
||||||
|
|
||||||
**Note:** By default, IKEv2 is automatically set up when running the VPN setup script. You may skip this section and continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients).
|
|
||||||
|
|
||||||
**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**.
|
|
||||||
|
|
||||||
Use this [helper script](../extras/ikev2setup.sh) to automatically set up IKEv2 on the VPN server:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# Set up IKEv2 using default options
|
|
||||||
sudo ikev2.sh --auto
|
|
||||||
# Alternatively, you may customize IKEv2 options
|
|
||||||
sudo ikev2.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
**Note:** If IKEv2 is already set up, but you want to customize IKEv2 options, first [remove IKEv2](#remove-ikev2), then set it up again using `sudo ikev2.sh`.
|
|
||||||
|
|
||||||
When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
|
|
||||||
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
Error: "sudo: ikev2.sh: command not found".
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
This is normal if you used an older version of the VPN setup script. First, download the IKEv2 helper script:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
|
||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
|
|
||||||
```
|
|
||||||
|
|
||||||
Then run the script using the instructions above.
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
You may optionally specify a DNS name, client name and/or custom DNS servers.
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name for the IKEv2 server address. The DNS name must be a fully qualified domain name (FQDN). Example:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
Similarly, you may specify a name for the first IKEv2 client. The default is `vpnclient` if not specified.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
By default, IKEv2 clients are set to use [Google Public DNS](https://developers.google.com/speed/public-dns/) when the VPN is active. You may specify custom DNS server(s) for IKEv2. Example:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
|
||||||
```
|
|
||||||
|
|
||||||
By default, no password is required when importing IKEv2 client configuration. You can choose to protect client config files using a random password.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
Learn how to change the IKEv2 server address.
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Learn more in [this section](#change-ikev2-server-address).
|
|
||||||
</details>
|
|
||||||
<details>
|
|
||||||
<summary>
|
|
||||||
View usage information for the IKEv2 script.
|
|
||||||
</summary>
|
|
||||||
|
|
||||||
```
|
|
||||||
Usage: bash ikev2.sh [options]
|
|
||||||
|
|
||||||
Options:
|
|
||||||
--auto run IKEv2 setup in auto mode using default options (for initial setup only)
|
|
||||||
--addclient [client name] add a new client using default options
|
|
||||||
--exportclient [client name] export configuration for an existing client
|
|
||||||
--listclients list the names of existing clients
|
|
||||||
--revokeclient [client name] revoke a client certificate
|
|
||||||
--deleteclient [client name] delete a client certificate
|
|
||||||
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
|
|
||||||
To customize IKEv2 or client options, run this script without arguments.
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
|
|
||||||
## Configure IKEv2 VPN clients
|
## Configure IKEv2 VPN clients
|
||||||
|
|
||||||
@ -786,6 +687,97 @@ wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
|||||||
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin 2>/dev/null
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Set up IKEv2 using helper script
|
||||||
|
|
||||||
|
**Note:** By default, IKEv2 is automatically set up when running the VPN setup script. You may skip this section and continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients).
|
||||||
|
|
||||||
|
**Important:** Before continuing, you should have successfully [set up your own VPN server](https://github.com/hwdsl2/setup-ipsec-vpn). **Docker users, see [here](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn)**.
|
||||||
|
|
||||||
|
Use this [helper script](../extras/ikev2setup.sh) to automatically set up IKEv2 on the VPN server:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Set up IKEv2 using default options
|
||||||
|
sudo ikev2.sh --auto
|
||||||
|
# Alternatively, you may customize IKEv2 options
|
||||||
|
sudo ikev2.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
**Note:** If IKEv2 is already set up, but you want to customize IKEv2 options, first [remove IKEv2](#remove-ikev2), then set it up again using `sudo ikev2.sh`.
|
||||||
|
|
||||||
|
When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Advanced users can optionally enable [IKEv2-only mode](advanced-usage.md#ikev2-only-vpn).
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
Error: "sudo: ikev2.sh: command not found".
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
This is normal if you used an older version of the VPN setup script. First, download the IKEv2 helper script:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wget https://get.vpnsetup.net/ikev2 -O /opt/src/ikev2.sh
|
||||||
|
chmod +x /opt/src/ikev2.sh && ln -s /opt/src/ikev2.sh /usr/bin
|
||||||
|
```
|
||||||
|
|
||||||
|
Then run the script using the instructions above.
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
You may optionally specify a DNS name, client name and/or custom DNS servers.
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
When running IKEv2 setup in auto mode, advanced users can optionally specify a DNS name for the IKEv2 server address. The DNS name must be a fully qualified domain name (FQDN). Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_DNS_NAME='vpn.example.com' ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
Similarly, you may specify a name for the first IKEv2 client. The default is `vpnclient` if not specified.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_CLIENT_NAME='your_client_name' ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
By default, IKEv2 clients are set to use [Google Public DNS](https://developers.google.com/speed/public-dns/) when the VPN is active. You may specify custom DNS server(s) for IKEv2. Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_DNS_SRV1=1.1.1.1 VPN_DNS_SRV2=1.0.0.1 ikev2.sh --auto
|
||||||
|
```
|
||||||
|
|
||||||
|
By default, no password is required when importing IKEv2 client configuration. You can choose to protect client config files using a random password.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo VPN_PROTECT_CONFIG=yes ikev2.sh --auto
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
Learn how to change the IKEv2 server address.
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
In certain circumstances, you may need to change the IKEv2 server address after setup. For example, to switch to use a DNS name, or after server IP changes. Learn more in [this section](#change-ikev2-server-address).
|
||||||
|
</details>
|
||||||
|
<details>
|
||||||
|
<summary>
|
||||||
|
View usage information for the IKEv2 script.
|
||||||
|
</summary>
|
||||||
|
|
||||||
|
```
|
||||||
|
Usage: bash ikev2.sh [options]
|
||||||
|
|
||||||
|
Options:
|
||||||
|
--auto run IKEv2 setup in auto mode using default options (for initial setup only)
|
||||||
|
--addclient [client name] add a new client using default options
|
||||||
|
--exportclient [client name] export configuration for an existing client
|
||||||
|
--listclients list the names of existing clients
|
||||||
|
--revokeclient [client name] revoke a client certificate
|
||||||
|
--deleteclient [client name] delete a client certificate
|
||||||
|
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
|
||||||
|
To customize IKEv2 or client options, run this script without arguments.
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
## Manually set up IKEv2
|
## Manually set up IKEv2
|
||||||
|
|
||||||
As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2 on the VPN server. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version.
|
As an alternative to using the [helper script](#set-up-ikev2-using-helper-script), advanced users can manually set up IKEv2 on the VPN server. Before continuing, it is recommended to [update Libreswan](../README.md#upgrade-libreswan) to the latest version.
|
||||||
|
File diff suppressed because one or more lines are too long
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 143 KiB |
@ -151,7 +151,7 @@ confirm_or_abort() {
|
|||||||
show_header() {
|
show_header() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 Script Copyright (c) 2020-2022 Lin Song 27 May 2022
|
IKEv2 Script Copyright (c) 2020-2022 Lin Song 7 Jun 2022
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
@ -1076,7 +1076,7 @@ create_config_readme() {
|
|||||||
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
|
&& [ "$use_defaults" = "1" ] && [ ! -t 1 ] && [ ! -f "$readme_file" ]; then
|
||||||
cat > "$readme_file" <<'EOF'
|
cat > "$readme_file" <<'EOF'
|
||||||
These IKEv2 client config files were created during IPsec VPN setup.
|
These IKEv2 client config files were created during IPsec VPN setup.
|
||||||
To configure IKEv2 clients, see: https://vpnsetup.net/ikev2clients
|
To configure IKEv2 clients, see: https://vpnsetup.net/ikev2
|
||||||
EOF
|
EOF
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = "1" ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
|
chown "$SUDO_USER:$SUDO_USER" "$readme_file"
|
||||||
@ -1271,7 +1271,7 @@ EOF
|
|||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://vpnsetup.net/ikev2clients
|
https://vpnsetup.net/ikev2
|
||||||
|
|
||||||
================================================
|
================================================
|
||||||
|
|
||||||
|
@ -555,7 +555,7 @@ cat <<'EOF'
|
|||||||
IKEv2 is already set up on this server.
|
IKEv2 is already set up on this server.
|
||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://vpnsetup.net/ikev2clients
|
https://vpnsetup.net/ikev2
|
||||||
|
|
||||||
To manage IKEv2 clients, run: sudo ikev2.sh
|
To manage IKEv2 clients, run: sudo ikev2.sh
|
||||||
|
|
||||||
|
@ -571,7 +571,7 @@ cat <<'EOF'
|
|||||||
IKEv2 is already set up on this server.
|
IKEv2 is already set up on this server.
|
||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://vpnsetup.net/ikev2clients
|
https://vpnsetup.net/ikev2
|
||||||
|
|
||||||
To manage IKEv2 clients, run: sudo ikev2.sh
|
To manage IKEv2 clients, run: sudo ikev2.sh
|
||||||
|
|
||||||
|
@ -711,7 +711,7 @@ cat <<'EOF'
|
|||||||
IKEv2 is already set up on this server.
|
IKEv2 is already set up on this server.
|
||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://vpnsetup.net/ikev2clients
|
https://vpnsetup.net/ikev2
|
||||||
|
|
||||||
To manage IKEv2 clients, run: sudo ikev2.sh
|
To manage IKEv2 clients, run: sudo ikev2.sh
|
||||||
|
|
||||||
|
@ -681,7 +681,7 @@ cat <<'EOF'
|
|||||||
IKEv2 is already set up on this server.
|
IKEv2 is already set up on this server.
|
||||||
|
|
||||||
Next steps: Configure IKEv2 clients. See:
|
Next steps: Configure IKEv2 clients. See:
|
||||||
https://vpnsetup.net/ikev2clients
|
https://vpnsetup.net/ikev2
|
||||||
|
|
||||||
To manage IKEv2 clients, run: sudo ikev2.sh
|
To manage IKEv2 clients, run: sudo ikev2.sh
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user