1
0
mirror of synced 2024-11-25 14:26:09 +03:00
setup-ipsec-vpn/docs/ikev2-howto-zh.md
hwdsl2 77d0f0bc93 Add IKEv2 how to
[ci skip]
2016-08-30 11:35:24 -05:00

8.4 KiB
Raw Blame History

如何配置 IKEv2 VPN: Windows 7 和更新版本

其他语言版本: English, 简体中文.

重要提示: 本指南仅适用于高级用户。其他用户请使用 IPsec/L2TP 或者 IPsec/XAuth

Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 英语Internet Key Exchange简称 IKE 或 IKEv2是一种网络协议归属于 IPsec 协议族之下,用以创建安全关联 Security associationSA。与 IKEv1 相比较IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。

Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。

  1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。

    $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
    $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
    $ echo "$PUBLIC_IP"
    (Your public IP is displayed)
    $ echo "$PRIVATE_IP"
    (Your private IP is displayed)
    
  2. /etc/ipsec.conf 文件中添加一个新的 IKEv2 连接:

    $ cat >> /etc/ipsec.conf <<EOF
    
    conn ikev2-cp
      left=$PRIVATE_IP
      leftcert=$PUBLIC_IP
      leftid=@$PUBLIC_IP
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      leftrsasigkey=%cert
      right=%any
      rightaddresspool=192.168.43.10-192.168.43.250
      rightca=%same
      rightrsasigkey=%cert
      modecfgdns1=8.8.8.8
      modecfgdns2=8.8.4.4
      narrowing=yes
      dpddelay=30
      dpdtimeout=120
      dpdaction=clear
      auto=add
      ikev2=insist
      rekey=no
      fragmentation=yes
      forceencaps=yes
      ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
      phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
    EOF
    
  3. 生成 Certificate Authority (CA) 和 VPN 服务器证书:

    $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2
    
    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    
    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    
    Continue typing until the progress meter is full:
    
    |************************************************************|
    
    Finished.  Press enter to continue:
    
    Generating key.  This may take a few moments...
    
    Is this a CA certificate [y/N]?
    y
    Enter the path length constraint, enter to skip [<0 for unlimited path]: >
    Is this a critical extension [y/N]?
    N
    
    $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP"
    
    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    
    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    
    Continue typing until the progress meter is full:
    
    |************************************************************|
    
    Finished.  Press enter to continue:
    
    Generating key.  This may take a few moments...
    
                    0 - Digital Signature
                    1 - Non-repudiation
                    2 - Key encipherment
                    3 - Data encipherment
                    4 - Key agreement
                    5 - Cert signing key
                    6 - CRL signing key
                    Other to finish
     > 0
                    0 - Digital Signature
                    1 - Non-repudiation
                    2 - Key encipherment
                    3 - Data encipherment
                    4 - Key agreement
                    5 - Cert signing key
                    6 - CRL signing key
                    Other to finish
     > 2
                    0 - Digital Signature
                    1 - Non-repudiation
                    2 - Key encipherment
                    3 - Data encipherment
                    4 - Key agreement
                    5 - Cert signing key
                    6 - CRL signing key
                    Other to finish
     > 8
    Is this a critical extension [y/N]?
    N
                    0 - Server Auth
                    1 - Client Auth
                    2 - Code Signing
                    3 - Email Protection
                    4 - Timestamp
                    5 - OCSP Responder
                    6 - Step-up
                    7 - Microsoft Trust List Signing
                    Other to finish
     > 0
                    0 - Server Auth
                    1 - Client Auth
                    2 - Code Signing
                    3 - Email Protection
                    4 - Timestamp
                    5 - OCSP Responder
                    6 - Step-up
                    7 - Microsoft Trust List Signing
                    Other to finish
     > 8
    Is this a critical extension [y/N]?
    N
    
  4. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书:

    $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient"
    
    -- repeat same extensions as above --
    
    $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d
    
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL
    

    可以重复该步骤来为更多的客户端生成证书,但必须把所有的 winclient 换成 winclient2,等等。

  5. 证书数据库现在应该包含以下内容:

    $ certutil -L -d sql:/etc/ipsec.d
    
    Certificate Nickname                               Trust Attributes
                                                       SSL,S/MIME,JAR/XPI
    
    Example CA                                         CTu,u,u
    ($PUBLIC_IP)                                       u,u,u
    winclient                                          u,u,u
    

    注:如需删除证书,可运行命令 certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"

  6. 重启 IPsec 服务:

    $ service ipsec restart
    
  7. 文件 winclient.p12 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。

    详细的操作步骤:
    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

  8. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

  9. 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect

    连接成功后,你可以到这里检测你的 IP 地址,应该显示为你的 VPN 服务器 IP

已知问题

Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 协议连接。

参考链接