Compare commits
2 Commits
8ae26b832f
...
4b15a5d2f9
Author | SHA1 | Date | |
---|---|---|---|
|
4b15a5d2f9 | ||
|
025387df91 |
@ -74,7 +74,13 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl
|
|||||||
|
|
||||||
## Android
|
## Android
|
||||||
|
|
||||||
> 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/L2TP](clients-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
|
**重要:** Android 用户应该使用更安全的 [IKEv2 模式](ikev2-howto-zh.md) 连接(推荐)。Android 12+ 仅支持 IKEv2 模式。Android 系统自带的 VPN 客户端对 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式使用安全性较低的 `modp1024` (DH group 2)。
|
||||||
|
|
||||||
|
如果你仍然想用 IPsec/XAuth 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `sudo service ipsec restart`。
|
||||||
|
|
||||||
|
Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像) 中添加 `VPN_ENABLE_MODP1024=yes`,然后重新创建 Docker 容器。
|
||||||
|
|
||||||
|
然后在你的 Android 设备上进行以下步骤:
|
||||||
|
|
||||||
1. 启动 **设置** 应用程序。
|
1. 启动 **设置** 应用程序。
|
||||||
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。
|
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。
|
||||||
|
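Review bot: The added paragraph that tells users to edit the `ike=...` line in `/etc/ipsec.conf` (the one beginning 如果你仍然想用 IPsec/XAuth 模式连接) does not say the edit may have to be repeated after an upgrade. The upgrade scripts in this same compare set `IKE_NEW` to a list without `modp1024`, so if `update_config()` writes that value over the existing `ike=` line, the manual edit is lost and the Android client stops connecting. Suggest adding one sentence here telling users to re-apply the edit after running the upgrade script.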
@ -74,7 +74,13 @@ If you get an error when trying to connect, see [Troubleshooting](clients.md#tro
|
|||||||
|
|
||||||
## Android
|
## Android
|
||||||
|
|
||||||
> You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/L2TP](clients.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
|
**Important:** Android users should instead connect using [IKEv2 mode](ikev2-howto.md) (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure `modp1024` (DH group 2) for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
|
||||||
|
|
||||||
|
If you still want to connect using IPsec/XAuth mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `sudo service ipsec restart`.
|
||||||
|
|
||||||
|
Docker users: Add `VPN_ENABLE_MODP1024=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container.
|
||||||
|
|
||||||
|
After that, follow the steps below on your Android device:
|
||||||
|
|
||||||
1. Launch the **Settings** application.
|
1. Launch the **Settings** application.
|
||||||
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
|
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
|
||||||
|
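Review bot: The new **Important** paragraph and the edit instruction after it present `modp1024` as an Android-only matter, but the `ike=...` line being edited is a server setting. Appending `,aes256-sha2;modp1024,aes128-sha1;modp1024` lets every client that connects through that `ike=` line negotiate DH group 2, not only the Android device. Suggest stating this in the paragraph and adding that the two proposals should be removed again once no Android device needs them.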
@ -145,7 +145,13 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP'
|
|||||||
|
|
||||||
## Android
|
## Android
|
||||||
|
|
||||||
> 你也可以使用 [IKEv2](ikev2-howto-zh.md)(推荐)或者 [IPsec/XAuth](clients-xauth-zh.md) 模式连接。Android 12 仅支持 [IKEv2](ikev2-howto-zh.md) 模式。
|
**重要:** Android 用户应该使用更安全的 [IKEv2 模式](ikev2-howto-zh.md) 连接(推荐)。Android 12+ 仅支持 IKEv2 模式。Android 系统自带的 VPN 客户端对 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式使用安全性较低的 `modp1024` (DH group 2)。
|
||||||
|
|
||||||
|
如果你仍然想用 IPsec/L2TP 模式连接,你必须首先编辑 VPN 服务器上的 `/etc/ipsec.conf` 并在 `ike=...` 一行的末尾加上 `,aes256-sha2;modp1024,aes128-sha1;modp1024` 字样。保存文件并运行 `sudo service ipsec restart`。
|
||||||
|
|
||||||
|
Docker 用户:在 [你的 env 文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#如何使用本镜像) 中添加 `VPN_ENABLE_MODP1024=yes`,然后重新创建 Docker 容器。
|
||||||
|
|
||||||
|
然后在你的 Android 设备上进行以下步骤:
|
||||||
|
|
||||||
1. 启动 **设置** 应用程序。
|
1. 启动 **设置** 应用程序。
|
||||||
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。
|
1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。
|
||||||
|
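Review bot: The instruction to append `,aes256-sha2;modp1024,aes128-sha1;modp1024` to the end of the `ike=...` line has no check for the case where those proposals are already present. Servers set up before this change carry exactly that tail in `ike=` (it is the string removed from the `conn shared` templates in this compare), so a user who follows the step literally ends up with the proposals listed twice. Suggest wording the step as "if the line does not already contain `modp1024`, append ...".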
@ -144,7 +144,13 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
|
|||||||
|
|
||||||
## Android
|
## Android
|
||||||
|
|
||||||
> You may also connect using [IKEv2](ikev2-howto.md) (recommended) or [IPsec/XAuth](clients-xauth.md) mode. Android 12 only supports [IKEv2](ikev2-howto.md) mode.
|
**Important:** Android users should instead connect using [IKEv2 mode](ikev2-howto.md) (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure `modp1024` (DH group 2) for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
|
||||||
|
|
||||||
|
If you still want to connect using IPsec/L2TP mode, you must first edit `/etc/ipsec.conf` on the VPN server. Find the line `ike=...` and append `,aes256-sha2;modp1024,aes128-sha1;modp1024` at the end. Save the file and run `sudo service ipsec restart`.
|
||||||
|
|
||||||
|
Docker users: Add `VPN_ENABLE_MODP1024=yes` to [your env file](https://github.com/hwdsl2/docker-ipsec-vpn-server#how-to-use-this-image), then re-create the Docker container.
|
||||||
|
|
||||||
|
After that, follow the steps below on your Android device:
|
||||||
|
|
||||||
1. Launch the **Settings** application.
|
1. Launch the **Settings** application.
|
||||||
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
|
1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section.
|
||||||
|
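Review bot: The paragraph starting "If you still want to connect using IPsec/L2TP mode" follows directly after "Android 12+ only supports IKEv2 mode" without saying which Android versions the steps apply to. A reader on Android 12 or later could weaken the server's `ike=` line and still be unable to connect. Suggest opening the paragraph with "On Android 11 or earlier, if you still want to connect using IPsec/L2TP mode, ...".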
@ -209,7 +209,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
|
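Review bot: The new `IKE_NEW` value drops `aes256-sha2;modp1024,aes128-sha1;modp1024` with no message to the admin, so on an upgraded server Android devices using the native IPsec/L2TP or IPsec/XAuth client can fail to connect with no hint why. Suggest having `update_config()` check whether the current `ike=` line in `/etc/ipsec.conf` contains `modp1024` and, if it does, print a notice that points to the Android section of the client docs.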
@ -203,7 +203,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
|
@ -255,7 +255,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
|
@ -239,7 +239,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
|
@ -337,7 +337,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
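Review bot: With the `modp1024` proposals removed from `ike=` in `conn shared`, the only route this change offers a script install for getting them back is the hand edit described in the client docs, while Docker users get the `VPN_ENABLE_MODP1024=yes` switch. Suggest an equivalent opt-in variable read by the setup script, so the weaker proposals are added by the installer in one known form and are easy to find and remove later.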
@ -353,7 +353,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
@ -453,7 +453,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
@ -398,7 +398,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|