From bc0324f9570b8843b5968c078328e4663acf6d6d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 3 Jun 2017 14:53:45 -0500 Subject: [PATCH] Improve IKEv2 docs - Make it clear how to use the VPN server's DNS name to connect --- docs/ikev2-howto-zh.md | 11 +++++++---- docs/ikev2-howto.md | 9 ++++++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9f53b3c..894ee5a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -21,14 +21,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 -1. 获取服务器的公共 IP 地址,并检查它是否正确。 +1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ echo "$PUBLIC_IP" - (检查显示的 public IP) + (检查显示的公共 IP) ``` + **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 + 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash @@ -78,8 +80,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` -1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 +1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: + + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 ```bash $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 7c93dc6..973b024 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -21,7 +21,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo Before continuing, make sure you have successfully set up your VPN server. -1. Find the public IP of your server, and make sure it is correct. +1. Find the VPN server's public IP, save it to a variable and check. ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) 
@@ -29,6 +29,8 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf ``` -1. Generate Certificate Authority (CA) and VPN server certificates: - **Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36". +1. Generate Certificate Authority (CA) and VPN server certificates: + + **Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36". In addition, if you specified the server's DNS name (instead of its IP address) in step 1 above, replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` with `--extSAN "dns:$PUBLIC_IP"` in the command below. ```bash $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
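Review bot: in the first ikev2-howto-zh.md hunk (step 1), `$PUBLIC_IP` is still unchecked before it flows into `/etc/ipsec.conf` and into the `certutil --extSAN` argument, and this change widens what it may hold to either an IPv4 address or a DNS name. The fetch `wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com` is plain HTTP with a retry/timeout, so on failure the variable is simply empty and the later `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` becomes `ip:,dns:`; the "check the displayed public IP" sentence should be backed by an explicit guard, e.g. `[ -n "$PUBLIC_IP" ] || echo "PUBLIC_IP is empty, set it manually"`, placed before the `echo "$PUBLIC_IP"` line, and the new note about `PUBLIC_IP=myvpn.example.com` should say the name must resolve to this server's address.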
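Review bot: in both certificate hunks (ikev2-howto-zh.md around line 80 and ikev2-howto.md around line 29), telling the reader to hand-replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` with `--extSAN "dns:$PUBLIC_IP"` several steps after the choice was made is easy to miss, and an `ip:` SAN carrying a hostname is wrong for the server certificate. Two concrete fixes: store the hostname in a separately named variable (a value like `myvpn.example.com` in a variable called `PUBLIC_IP` invites exactly the `ip:myvpn.example.com` mistake), or show the DNS-name form of the `certutil` command as its own fenced alternative right next to the IP form so the reader copies the correct one instead of editing a flag.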