Update IKEv2 docs

- Add rightid=%fromcert to ipsec.conf - Remove strongSwan Android VPN client instructions due to issues (#307)
2024-09-22 00:00:42 +02:00 · 2018-05-08 03:11:48 -05:00 · 2018-05-08 03:11:48 -05:00 · 964b7934aa
commit 964b7934aa
parent a3ee9ce033
4 changed files with 8 additions and 50 deletions
--- a/README-zh.md
+++ b/README-zh.md
@ -131,7 +131,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh

 <a href="docs/clients-xauth-zh.md" target="_blank">**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端**</a>

-<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 和 Android**</a>
+<a href="docs/ikev2-howto-zh.md" target="_blank">**如何配置 IKEv2 VPN: Windows 7 和更新版本**</a>

 如果在连接过程中遇到错误，请参见 <a href="docs/clients-zh.md#故障排除" target="_blank">故障排除</a>。

--- a/README.md
+++ b/README.md
@ -131,7 +131,7 @@ Get your computer or device to use the VPN. Please refer to:

 <a href="docs/clients-xauth.md" target="_blank">**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients**</a>

-<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows and Android**</a>
+<a href="docs/ikev2-howto.md" target="_blank">**How-To: IKEv2 VPN for Windows 7 and above**</a>

 If you get an error when trying to connect, see <a href="docs/clients.md#troubleshooting" target="_blank">Troubleshooting</a>.

--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -1,4 +1,4 @@
-# 如何配置 IKEv2 VPN: Windows 和 Android
+# 如何配置 IKEv2 VPN: Windows 7 和更新版本

 *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*

@ -10,14 +10,7 @@

 Windows 7 和更新版本支持 IKEv2 协议标准，通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 （英语：Internet Key Exchange，简称 IKE 或 IKEv2）是一种网络协议，归属于 IPsec 协议族之下，用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较，IKEv2 的<a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">功能改进</a>包括比如通过 MOBIKE 实现 Standard Mobility 支持，以及更高的可靠性。另外，IKEv2 支持同时连接在同一个 NAT（比如家用路由器）后面的多个设备到 VPN 服务器。

-Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统：
-
- Windows 7, 8.x 和 10
- Windows Phone 8.1 及以上
- strongSwan Android VPN 客户端
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) 和 macOS</a> <-- 另见
-
-下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。
+Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。

 在继续之前，请确保你已经成功 <a href="https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md" target="_blank">搭建自己的 VPN 服务器</a>。

@ -44,6 +37,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
     leftsubnet=0.0.0.0/0
     leftrsasigkey=%cert
     right=%any
+     rightid=%fromcert
     rightaddresspool=192.168.43.10-192.168.43.250
     rightca=%same
     rightrsasigkey=%cert
@ -212,20 +206,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来

   1. （可选步骤） 如需启用更安全的加密方式，可以添加 <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">这个注册表键</a> 并重启。

-   #### Android 4.x 和更新版本
-
-   1. 从 **Google Play** 安装 <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a>。
-   1. 打开 VPN 客户端，然后单击 **Add VPN Profile**。
-   1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。
-   1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。
-   1. 单击添加一个 **User certificate**，然后单击 **Install**。
-   1. 选择你从服务器复制过来的 `.p12` 文件，并按提示操作。
-   1. 保存新的 VPN 连接，然后单击它以开始连接。
-
-   #### Windows Phone 8.1 及以上
-
-   首先导入 `.p12` 文件，然后参照 <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">这些说明</a> 配置一个基于证书的 IKEv2 VPN。
-
 1. 连接成功后，你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址，应该显示为`你的 VPN 服务器 IP`。

 ## 已知问题
@ -238,4 +218,3 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络
 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
 * https://libreswan.org/man/ipsec.conf.5.html
 * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
-* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -1,4 +1,4 @@
-# How-To: IKEv2 VPN for Windows and Android
+# How-To: IKEv2 VPN for Windows 7 and above

 *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).*

@ -10,14 +10,7 @@

 Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains <a href="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2" target="_blank">improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server.

-Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
-
- Windows 7, 8.x and 10
- Windows Phone 8.1 and above
- strongSwan Android VPN client
- <a href="https://github.com/gaomd/docker-ikev2-vpn-server" target="_blank">iOS (iPhone/iPad) and macOS</a> <-- See also
-
-The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.
+Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`.

 Before continuing, make sure you have successfully <a href="https://github.com/hwdsl2/setup-ipsec-vpn" target="_blank">set up your VPN server</a>.

@ -44,6 +37,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
     leftsubnet=0.0.0.0/0
     leftrsasigkey=%cert
     right=%any
+     rightid=%fromcert
     rightaddresspool=192.168.43.10-192.168.43.250
     rightca=%same
     rightrsasigkey=%cert
@ -212,20 +206,6 @@ Before continuing, make sure you have successfully <a href="https://github.com/h

   1. (Optional) You may enable stronger ciphers by adding <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048" target="_blank">this registry key</a> and reboot.

-   #### Android 4.x and newer
-
-   1. Install <a href="https://play.google.com/store/apps/details?id=org.strongswan.android" target="_blank">strongSwan VPN Client</a> from **Google Play**.
-   1. Launch the VPN client and tap **Add VPN Profile**.
-   1. Enter `Your VPN Server IP` in the **Server** field.
-   1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu.
-   1. Tap to add a **User certificate**, then tap **Install**.
-   1. Choose the `.p12` file you copied from the VPN server, and follow the prompts.
-   1. Save the new VPN connection, then tap to connect.
-
-   #### Windows Phone 8.1 and above
-
-   First import the `.p12` file, then follow <a href="https://technet.microsoft.com/en-us/windows/dn673608.aspx" target="_blank">these instructions</a> to configure a certificate-based IKEv2 VPN.
-
 1. Once successfully connected, you can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".

 ## Known Issues
@ -238,4 +218,3 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some
 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
 * https://libreswan.org/man/ipsec.conf.5.html
 * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
-* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient