From 7076376aacc4acbb5e9f7c986c619602aef6cc55 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 30 Apr 2020 01:13:39 -0500 Subject: [PATCH] Update IKEv2 docs - For users running Libreswan 3.31, the "Use RSA/PSS signatures" option needs to be enabled in the strongSwan Android VPN client. - Ref: https://lists.libreswan.org/pipermail/swan/2020/003440.html --- docs/ikev2-howto-zh.md | 12 +++++++++++- docs/ikev2-howto.md | 14 ++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 6c99155..469d754 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -113,6 +113,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 120"。 + 生成 CA 证书: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ @@ -131,6 +133,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 N ``` + 生成 VPN 服务器证书: + **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 ```bash @@ -150,6 +154,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: + 生成客户端证书: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ @@ -164,6 +170,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` + 导出 `.p12` 文件: + ```bash pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` @@ -207,7 +215,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 service ipsec restart ``` -VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。 +在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。 ## 配置 IKEv2 VPN 客户端 
@@ -268,6 +276,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,选择你的新 VPN 客户端证书并确认。 +1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### Android 4.x to 9.x @@ -280,6 +289,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 +1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### iOS diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 22b8d3e..e84000b 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -113,6 +113,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120". + Generate CA certificate: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ @@ -131,6 +133,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo N ``` + Generate VPN server certificate: + **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`. ```bash @@ -150,6 +154,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate: + Generate client certificate: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ 
@@ -164,6 +170,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo Generating key. This may take a few moments... ``` + Export `.p12` file: + ```bash pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` @@ -201,13 +209,13 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. -1. **(Important) Restart IPsec service**: +1. **(Important) Restart the IPsec service**: ```bash service ipsec restart ``` -The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients. +Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients. ## Configure IKEv2 VPN clients @@ -268,6 +276,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, select your new VPN client certificate and confirm. +1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### Android 4.x to 9.x 
@@ -280,6 +289,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor 1. Tap **Select user certificate**, then tap **Install certificate**. 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. +1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### iOS
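Review bot: In the `docs/ikev2-howto.md` hunk at `@@ -201,13 +209,13 @@` (and its Chinese counterpart at `@@ -207,7 +215,7 @@` in `docs/ikev2-howto-zh.md`), the added sentence "Before continuing, you **must** restart the IPsec service." duplicates the step "**(Important) Restart the IPsec service**" that sits immediately above it, and because it comes after that step it reads as if a second restart were required. Either drop the sentence and keep the emphasis in the step itself, or reword it to refer back to the step, for example "If you have not yet restarted the IPsec service as shown above, do so now before continuing." The same applies to "在继续之前,你**必须**重启 IPsec 服务。" in the Chinese file.

Review bot: The new Android step "**(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option." (added four times: the Android 10+ and Android 4.x to 9.x sections in both `docs/ikev2-howto.md` and `docs/ikev2-howto-zh.md`) omits the condition given in the commit message, that this is needed for users running Libreswan 3.31 per the linked swan list thread. Readers on other Libreswan versions cannot tell whether the step applies to them or what it fixes; suggest carrying the condition and reference into the doc text, e.g. "**(Important)** If your server runs Libreswan 3.31, tap **Show advanced settings** ... (see the linked libreswan list discussion)", so the step stays verifiable when the docs are read without the commit history.

Review bot: In the `@@ -113,6 +113,8 @@` hunks of both files, the new label "Generate CA certificate:" / "生成 CA 证书:" is inserted after the "**Note:** Specify the certificate validity period (in months) with "-v"" note, whereas in the `@@ -131,6 +133,8 @@` hunks the label "Generate VPN server certificate:" / "生成 VPN 服务器证书:" is placed before its accompanying note about `--extSAN`. For a consistent reading order (label, note, command block) move the CA label above the validity note, or move the server label below its note; as written the two sub-steps are laid out differently.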