Update IKEv2 docs

- Add new IKEv2 instructions for Android 10
  Ref: https://wiki.strongswan.org/issues/3196
- Change certificate validity period to 120 months
hwdsl2 2019-11-10 17:23:12 -08:00
parent b01471bf2f
commit 0dfe0d3021
2 changed files with 58 additions and 14 deletions

@ -111,13 +111,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
1. 生成 Certificate Authority (CA) 和 VPN 服务器证书:
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。
**注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 120"。
```bash
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t "CT,," -2
```
@ -137,7 +137,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
@ -154,7 +154,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "vpnclient" \
-s "O=IKEv2 VPN,CN=vpnclient" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
@ -213,6 +213,12 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你
**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址****远程 ID** 字段中输入该域名。
* [Windows 7, 8.x 和 10](#windows-7-8x-和-10)
* [OS X (macOS)](#os-x-macos)
* [Android 10 和更新版本](#android-10-和更新版本)
* [Android 4.x to 9.x](#android-4x-to-9x)
* [iOS (iPhone/iPad)](#ios-iphoneipad)
### Windows 7, 8.x 和 10
1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。
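Review bot: The new table-of-contents entry `[Android 4.x to 9.x](#android-4x-to-9x)` leaves "to" untranslated, while the entry above it uses 和更新版本 and the rest of this file is in Chinese. Suggest translating the heading (for example "Android 4.x 至 9.x") and updating the anchor in this list to match, since the link target is derived from the heading text.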
@ -249,15 +255,31 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你
1. 单击 **应用** 保存VPN连接信息。
1. 单击 **连接**
### Android 4.x 和更新版本
### Android 10 和更新版本
1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>
1. 打开 VPN 客户端,然后单击 **Add VPN Profile**
1. 启动 **设置** 应用程序。
1. 进入 安全 -> 高级 -> 加密与凭据。
1. 单击 **从存储设备(或 SD 卡)安装**
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
**注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。
1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**
1. 单击 **Select user certificate**,选择你的新 VPN 客户端证书并确认。
1. 保存新的 VPN 连接,然后单击它以开始连接。
### Android 4.x to 9.x
1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。
1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN 客户端</a>
1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**
1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。
1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**
1. 单击 **Select user certificate**,然后单击 **Install certificate**
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。
**注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。
1. 保存新的 VPN 连接,然后单击它以开始连接。
### iOS (iPhone/iPad)
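Review bot: The added step "进入 安全 -> 高级 -> 加密与凭据" gives the menu path as plain text, while the other UI labels in the new Android 10 steps are bold (**设置**, **从存储设备(或 SD 卡)安装**). Suggest bolding the three menu names, and saying that the path can differ between device vendors so readers know to look for the equivalent credential-storage screen.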

@ -111,13 +111,13 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
1. Generate Certificate Authority (CA) and VPN server certificates:
**Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 36".
**Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120".
```bash
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t "CT,," -2
```
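Review bot: The note at the top of this hunk now offers "-v 120" as the generic example, and it is the only guidance on validity visible here, so readers will carry ten years over to every certificate they issue. A long-lived CA is reasonable for this setup; suggest the note say that 120 is meant for the CA and that server and client certificates can use a shorter value.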
@ -137,7 +137,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
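Review bot: `-v 120` on the server certificate gives it the same lifetime as the CA that signs it, so a server certificate issued any time after the CA (for example when `$PUBLIC_IP` changes) would carry an expiry date later than its issuer's. Suggest keeping a shorter value on this command, or adding a note that the CA and server certificates are meant to be regenerated together.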
@ -154,7 +154,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "vpnclient" \
-s "O=IKEv2 VPN,CN=vpnclient" \
-k rsa -g 4096 -v 36 \
-k rsa -g 4096 -v 120 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "vpnclient"
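Review bot: `-v 120` on the `vpnclient` certificate means a copy of `vpnclient.p12` on a lost or retired device stays a valid VPN credential for ten years, and nothing in this change tells the reader how to revoke it. Suggest a shorter client lifetime than the CA's, or a pointer next to this command to a revocation procedure.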
@ -213,6 +213,12 @@ The IKEv2 setup on the VPN server is now complete. Follow instructions below to
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields.
* [Windows 7, 8.x and 10](#windows-7-8x-and-10)
* [OS X (macOS)](#os-x-macos)
* [Android 10 and newer](#android-10-and-newer)
* [Android 4.x to 9.x](#android-4x-to-9x)
* [iOS (iPhone/iPad)](#ios-iphoneipad)
### Windows 7, 8.x and 10
1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
@ -249,15 +255,31 @@ First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then
1. Click **Apply** to save the VPN connection information.
1. Click **Connect**.
### Android 4.x and newer
### Android 10 and newer
1. Securely transfer `vpnclient.p12` to your Android device.
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
1. Launch the VPN client and tap **Add VPN Profile**.
1. Launch the **Settings** application.
1. Go to Security -> Advanced -> Encryption & credentials.
1. Tap **Install from storage (or SD card)**.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
**Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name.
1. Launch the strongSwan VPN client and tap **Add VPN Profile**.
1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
1. Tap **Select user certificate**, select your new VPN client certificate and confirm.
1. Save the new VPN connection, then tap to connect.
### Android 4.x to 9.x
1. Securely transfer `vpnclient.p12` to your Android device.
1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
1. Launch the strongSwan VPN client and tap **Add VPN Profile**.
1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
1. Tap **Select user certificate**, then tap **Install certificate**.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
**Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name.
1. Save the new VPN connection, then tap to connect.
### iOS (iPhone/iPad)
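Review bot: The new "Android 10 and newer" section never says why the certificate has to be installed through **Settings** before opening strongSwan; the only explanation is the issue link in the commit message. Suggest one sentence at the top of the section stating the reason, so readers on Android 10 do not fall back to the "Android 4.x to 9.x" steps. The **Note** lines also say "click on the three-line menu button" while the steps around them say "tap".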