Update IKEv2 docs

- For users running Libreswan 3.31, the "Use RSA/PSS signatures" option needs to be enabled in the strongSwan Android VPN client. - Ref: https://lists.libreswan.org/pipermail/swan/2020/003440.html
2024-06-20 12:46:06 +02:00 · 2020-04-30 01:13:39 -05:00 · 2020-04-30 01:13:39 -05:00 · 7076376aac
commit 7076376aac
parent f15db57ea5
2 changed files with 23 additions and 3 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -113,6 +113,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来

   **注：** 使用 "-v" 参数指定证书的有效期（单位：月），例如 "-v 120"。

+   生成 CA 证书：
+
   ```bash
   certutil -z <(head -c 1024 /dev/urandom) \
     -S -x -n "IKEv2 VPN CA" \
@ -131,6 +133,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
   N
   ```

+   生成 VPN 服务器证书：
+
   **注：** 如果你在上面的第一步指定了服务器的域名（而不是 IP 地址），则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。

   ```bash
@ -150,6 +154,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来

 1. 生成客户端证书，然后导出 `.p12` 文件，该文件包含客户端证书，私钥以及 CA 证书：

+   生成客户端证书：
+
   ```bash
   certutil -z <(head -c 1024 /dev/urandom) \
     -S -c "IKEv2 VPN CA" -n "vpnclient" \
@ -164,6 +170,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
   Generating key.  This may take a few moments...
   ```

+   导出 `.p12` 文件：
+
   ```bash
   pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
   ```
@ -207,7 +215,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
   service ipsec restart
   ```

-VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。
+在继续之前，你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。

 ## 配置 IKEv2 VPN 客户端

@ -268,6 +276,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你
 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` （或者域名）。
 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。
 1. 单击 **Select user certificate**，选择你的新 VPN 客户端证书并确认。
+1. **（重要）** 单击 **Show advanced settings**。向下滚动，找到并启用 **Use RSA/PSS signatures** 选项。
 1. 保存新的 VPN 连接，然后单击它以开始连接。

 ### Android 4.x to 9.x
@ -280,6 +289,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你
 1. 单击 **Select user certificate**，然后单击 **Install certificate**。
 1. 选择你从服务器复制过来的 `.p12` 文件，并按提示操作。   
   **注：** 要查找 `.p12` 文件，单击左上角的抽拉式菜单，然后单击你的设备名称。
+1. **（重要）** 单击 **Show advanced settings**。向下滚动，找到并启用 **Use RSA/PSS signatures** 选项。
 1. 保存新的 VPN 连接，然后单击它以开始连接。

 ### iOS
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -113,6 +113,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo

   **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120".

+   Generate CA certificate:
+
   ```bash
   certutil -z <(head -c 1024 /dev/urandom) \
     -S -x -n "IKEv2 VPN CA" \
@ -131,6 +133,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
   N
   ```

+   Generate VPN server certificate:
+
   **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.

   ```bash
@ -150,6 +154,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo

 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate:

+   Generate client certificate:
+
   ```bash
   certutil -z <(head -c 1024 /dev/urandom) \
     -S -c "IKEv2 VPN CA" -n "vpnclient" \
@ -164,6 +170,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo
   Generating key.  This may take a few moments...
   ```

+   Export `.p12` file:
+
   ```bash
   pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d
   ```
@ -201,13 +209,13 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo

   **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read <a href="http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html" target="_blank">this page</a>.

-1. **(Important) Restart IPsec service**:
+1. **(Important) Restart the IPsec service**:

   ```bash
   service ipsec restart
   ```

-The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients.
+Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients.

 ## Configure IKEv2 VPN clients

@ -268,6 +276,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor
 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field.
 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
 1. Tap **Select user certificate**, select your new VPN client certificate and confirm.
+1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option.
 1. Save the new VPN connection, then tap to connect.

 ### Android 4.x to 9.x
@ -280,6 +289,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor
 1. Tap **Select user certificate**, then tap **Install certificate**.
 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.   
   **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name.
+1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option.
 1. Save the new VPN connection, then tap to connect.

 ### iOS