IKEV2

admin

这个是介绍
https://github.com/hwdsl2/setup- ... s/ikev2-howto-zh.md

这个是docker
https://github.com/hwdsl2/docker ... master/README-zh.md

1. 先编辑环境配置文件
   
2. VPN_PUBLIC_IP=192.168.11.157
   
3. VPN_IPSEC_PSK=yourpsk
   
4. VPN_USER=admin
   
5. VPN_PASSWORD=Admin@123456
   
6. 
   
7. VPN_ADDL_USERS=user1 user2
   
8. VPN_ADDL_PASSWORDS=User1@123456 User2@123456
   
9. 
   
10. 公共IP填外网IP,这个IP服务器和客户端要一致,我是内网测试,所以用的内网IP
    
11. 
    
12. 
    
13. 
    
14. docker run \
    
15. --name ikev2_8 \
    
16. --env-file /root/docker/ikev2/vpn.env \
    
17. --restart=unless-stopped \
    
18. -v /root/docker/ikev2/ikev2-vpn-data:/etc/ipsec.d \
    
19. -v /lib/modules:/lib/modules:ro \
    
20. -p 500:500/udp \
    
21. -p 4500:4500/udp \
    
22. --network=docker_bridge_192_168_21 --ip=192.168.21.8 \
    
23. -e TZ=Asia/Shanghai \
    
24. -d --privileged \
    
25. hwdsl2/ipsec-vpn-server
    
26. 
    
27. 查看日志
    
28. docker logs ikev2_8
    
29. 输出如下信息说明成功了,如果没成功看看提示什么,再解决
    
30. 
    
31. Trying to auto discover IP of this server...
    
32. 
    
33. Starting IPsec service...
    
34. 
    
35. ================================================
    
36. 
    
37. IPsec VPN server is now ready for use!
    
38. 
    
39. Connect to your new VPN with these details:
    
40. 
    
41. Server IP: 192.168.11.157
    
42. IPsec PSK: yourpsk
    
43. Username: admin
    
44. Password: Admin@123456
    
45. 
    
46. Additional VPN users (username | password):
    
47. user1 | User1@123456
    
48. user2 | User2@123456
    
49. 
    
50. Write these down. You'll need them to connect!
    
51. 
    
52. VPN client setup: https://vpnsetup.net/clients2
    
53. 
    
54. ================================================
    
55. 
    
56. Setting up IKEv2. This may take a few moments...
    
57. 
    
58. 
    
59. 然后服务器放行500 4500这2个UDP端口
    
60. 
    
61. 
    
62. 客户端连接:
    
63. 
    
64. 下载证书
    
65. docker cp ikev2_8:/etc/ipsec.d/vpnclient.p12 /root/docker/ikev2/
    
66. 
    
67. WIN10客户端安装方式:
    
68. 把下面的内容保存为批处理,然后把批处理和证书文件放在同一个目录,然后运行批处理就行了
    
69. 
    
70. @echo off
    
71. :: IKEv2 Configuration Import Helper Script for Windows 8, 10 and 11
    
72. :: Copyright (C) 2022 Lin Song <linsongui@gmail.com>
    
73. :: This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
    
74. :: Unported License: http://creativecommons.org/licenses/by-sa/3.0/
    
75. :: Attribution required: please include my name in any derivative and let me
    
76. :: know how you have improved it!
    
77. 
    
78. setlocal DisableDelayedExpansion
    
79. set "SPath=%SystemRoot%\System32"
    
80. if exist "%SystemRoot%\Sysnative\reg.exe" (set "SPath=%SystemRoot%\Sysnative")
    
81. set "Path=%SPath%;%SystemRoot%;%SPath%\Wbem;%SPath%\WindowsPowerShell\v1.0"
    
82. set "_err====== ERROR ====="
    
83. set "_work=%~dp0"
    
84. if "%_work:~-1%"=="" set "_work=%_work:~0,-1%"
    
85. 
    
86. for /f "tokens=4-5 delims=. " %%i in ('ver') do set version=%%i.%%j
    
87. if "%version%" == "10.0" goto :Check_Admin
    
88. if "%version%" == "6.3" goto :Check_Admin
    
89. if "%version%" == "6.2" goto :Check_Admin
    
90. goto :E_Win
    
91. 
    
92. :Check_Admin
    
93. reg query HKU\S-1-5-19 >nul 2>&1 || goto :E_Admin
    
94. 
    
95. where certutil >nul 2>&1
    
96. if %errorlevel% neq 0 goto :E_Cu
    
97. where powershell >nul 2>&1
    
98. if %errorlevel% neq 0 goto :E_Ps
    
99. 
    
100. title IKEv2 Configuration Import Helper Script
     
101. setlocal EnableDelayedExpansion
     
102. cd /d "!_work!"
     
103. @cls
     
104. echo ===================================================================
     
105. echo Welcome^^! Use this helper script to import an IKEv2 configuration
     
106. echo into a PC running Windows 8, 10 or 11.
     
107. echo For more details, see https://vpnsetup.net/ikev2
     
108. echo.
     
109. echo Before continuing, you must put the .p12 file you transferred from
     
110. echo the VPN server in the *same folder* as this script.
     
111. echo ===================================================================
     
112. 
     
113. set client_name_gen=
     
114. for /F "eol=| delims=" %%f in ('dir "*.p12" /A-D /B /O-D /TW 2^>nul') do (
     
115.   set "p12_latest=%%f"
     
116.   set "client_name_gen=!p12_latest:.p12=!"
     
117.   goto :Enter_Client_Name
     
118. )
     
119. 
     
120. :Enter_Client_Name
     
121. echo.
     
122. echo Enter the name of the IKEv2 VPN client to import.
     
123. echo Note: This is the same as the .p12 filename without extension.
     
124. set client_name=
     
125. set p12_file=
     
126. if defined client_name_gen (
     
127.   echo To accept the suggested client name, press Enter.
     
128.   set /p client_name="VPN client name: [%client_name_gen%] "
     
129.   if not defined client_name set "client_name=%client_name_gen%"
     
130. ) else (
     
131.   set /p client_name="VPN client name: "
     
132.   if not defined client_name goto :Abort
     
133. )
     
134. set "client_name=%client_name:"=%"
     
135. set "client_name=%client_name: =%"
     
136. set "p12_file=%_work%\%client_name%.p12"
     
137. if not exist "!p12_file!" (
     
138.   echo.
     
139.   echo ERROR: File "!p12_file!" not found.
     
140.   echo You must put the .p12 file you transferred from the VPN server
     
141.   echo in the *same folder* as this script.
     
142.   goto :Enter_Client_Name
     
143. )
     
144. 
     
145. echo.
     
146. echo Enter the IP address (or DNS name) of the VPN server.
     
147. echo Note: This must exactly match the VPN server address in the output
     
148. echo of the IKEv2 helper script on your server.
     
149. set server_addr=
     
150. set /p server_addr="VPN server address: "
     
151. if not defined server_addr goto :Abort
     
152. set "server_addr=%server_addr:"=%"
     
153. set "server_addr=%server_addr: =%"
     
154. 
     
155. set "conn_name_gen=IKEv2 VPN %server_addr%"
     
156. powershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1
     
157. if !errorlevel! neq 0 (
     
158.   goto :Enter_Conn_Name
     
159. )
     
160. set "conn_name_gen=IKEv2 VPN 2 %server_addr%"
     
161. powershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1
     
162. if !errorlevel! neq 0 (
     
163.   goto :Enter_Conn_Name
     
164. )
     
165. set "conn_name_gen=IKEv2 VPN 3 %server_addr%"
     
166. powershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1
     
167. if !errorlevel! equ 0 (
     
168.   set conn_name_gen=
     
169. )
     
170. 
     
171. :Enter_Conn_Name
     
172. echo.
     
173. echo Provide a name for the new IKEv2 connection.
     
174. set conn_name=
     
175. if defined conn_name_gen (
     
176.   echo To accept the suggested connection name, press Enter.
     
177.   set /p conn_name="IKEv2 connection name: [%conn_name_gen%] "
     
178.   if not defined conn_name set "conn_name=%conn_name_gen%"
     
179. ) else (
     
180.   set /p conn_name="IKEv2 connection name: "
     
181.   if not defined conn_name goto :Abort
     
182. )
     
183. set "conn_name=%conn_name:"=%"
     
184. powershell -command "Get-VpnConnection -Name '%conn_name%'" >nul 2>&1
     
185. if !errorlevel! equ 0 (
     
186.   echo.
     
187.   echo ERROR: A connection with this name already exists.
     
188.   goto :Enter_Conn_Name
     
189. )
     
190. 
     
191. echo.
     
192. echo Importing .p12 file...
     
193. certutil -f -p "" -importpfx "%p12_file%" NoExport >nul 2>&1
     
194. if !errorlevel! equ 0 goto :Create_Conn
     
195. echo When prompted, enter the password for client config files, which can be found
     
196. echo in the output of the IKEv2 helper script on your server.
     
197. :Import_P12
     
198. certutil -f -importpfx "%p12_file%" NoExport
     
199. if !errorlevel! neq 0 goto :Import_P12
     
200. 
     
201. :Create_Conn
     
202. echo.
     
203. echo Creating VPN connection...
     
204. powershell -command "Add-VpnConnection -ServerAddress '%server_addr%' -Name '%conn_name%' -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru"
     
205. if !errorlevel! neq 0 (
     
206.   echo ERROR: Could not create the IKEv2 VPN connection.
     
207.   goto :Done
     
208. )
     
209. 
     
210. echo Setting IPsec configuration...
     
211. powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName '%conn_name%' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
     
212. if !errorlevel! neq 0 (
     
213.   echo ERROR: Could not set IPsec configuration for the IKEv2 VPN connection.
     
214.   goto :Done
     
215. )
     
216. 
     
217. echo IKEv2 configuration successfully imported^^!
     
218. echo To connect to the VPN, click on the wireless/network icon in your system tray,
     
219. echo select the "%conn_name%" VPN entry, and click Connect.
     
220. goto :Done
     
221. 
     
222. :E_Admin
     
223. echo %_err%
     
224. echo This script requires administrator privileges.
     
225. echo Right-click on the script and select 'Run as administrator'.
     
226. goto :Done
     
227. 
     
228. :E_Win
     
229. echo %_err%
     
230. echo This script requires Windows 8, 10 or 11.
     
231. echo Windows 7 users can manually import IKEv2 configuration. See https://vpnsetup.net/ikev2
     
232. goto :Done
     
233. 
     
234. :E_Cu
     
235. echo %_err%
     
236. echo This script requires 'certutil', which is not detected.
     
237. goto :Done
     
238. 
     
239. :E_Ps
     
240. echo %_err%
     
241. echo This script requires 'powershell', which is not detected.
     
242. goto :Done
     
243. 
     
244. :Abort
     
245. echo.
     
246. echo Abort. No changes were made.
     
247. 
     
248. :Done
     
249. echo.
     
250. echo Press any key to exit.
     
251. pause >nul
     
252. goto :eof
     
253. 
     
254. 
     
255. linux客户端和iphone客户端自己看教程吧
     
256. 特别是linux客户端,教程写的太不完善了,我用rockylinux8的minimal模式 死活不能连上
     
257. 
     
258. 写在最后
     
259. WIN10客户端连上了,然后服务端没有IP 这个模式和L2TP不一样,不知道怎么ping服务端了,也许服务端也需要一个docker-ikev2-client
     
260. 估计这样才能ping通吧

复制代码

admin

用docker配置完毕 但是WIN10连接的时候提示

IKE 身份验证凭证不可接受

用教程里面提供的批处理文件,创建的VPN链接正常连接上了

但是有个问题

客户端获取到了IP
但是IKEV2服务器端没有IP啊

这样怎么做端口转发?  

访问服务器的端口自动转发到VPN客户端 这个需求用PPTP和L2TP都可以做到,但是IKEV2做不到
这个需求我大概明白是什么实现了,需要在服务器上也安装IKEV2客户端
这样服务器和我家里的电脑就属于同一个网络了,就可以转发了,有点麻烦

IKEV2和L2TP的使用上还是有些区别的

感觉还是L2TP简单明了  手动添加路由表就可以实现各个地区的公司内网互访  
IKEV2感觉就是想把用户当傻瓜,自动同步各个客户端的路由表,我觉得有点过犹不及了

admin

总结一下:
用docker一个命令配置IKEV2服务端

1. docker run \
   
2.     --name ipsec-vpn-server \
   
3.     --restart=always \
   
4.     -v ikev2-vpn-data:/etc/ipsec.d \
   
5.     -v /lib/modules:/lib/modules:ro \
   
6.     -p 500:500/udp \
   
7.     -p 4500:4500/udp \
   
8.     -d --privileged \
   
9.     hwdsl2/ipsec-vpn-server

复制代码

然后服务器放行1701 500 4500这3个UDP端口

然后输入命令

1. docker logs ipsec-vpn-server

复制代码

查看用户名和密码
里面还有psk,好像这个psk客户端不需要关注

最后就是客户端配置
Client configuration is available inside the
Docker container at:
/etc/ipsec.d/vpnclient.p12 (for Windows & Linux)
/etc/ipsec.d/vpnclient.sswan (for Android)
/etc/ipsec.d/vpnclient.mobileconfig (for iOS & macOS)


win10客户端配置 需要把证书下载下来

1. docker cp ipsec-vpn-server:/etc/ipsec.d/vpnclient.p12 ./

复制代码

然后把证书下载到本地
然后根据这个教程
https://github.com/hwdsl2/setup- ... s/ikev2-howto-zh.md
先下载cmd脚本 用这个脚本自动的配置连接 就行了




我按照他的教程手动创建的链接,证书导入了,注册表也改了,结果死活提示  IKE 身份验证凭证不可接受
最后我用他的批处理就行了

admin

https://developer.aliyun.com/ask/53504

如何通过strongswan等工具搭建IKEv2 VPN服务，从而远程组建办公局域网？
希望通过strongswan等工具，搭建一个IKEv2的VPN隧道，将不同地区的员工组成内网通讯，但各自外网流量不经过vpn。

设备：
    1. 阿里云ECS充当VPN主机，安装strongswan搭建IKEv2 VPN服务；
    2. 公司电脑A，同事电脑B，同事电脑C；

需要效果：
    3. 电脑A、B、C三者使用各自账号连接VPN服务后，取得对应的固定虚拟IP地址；
    4. 电脑A、B、C三者之间可以互相通讯，但不能访问VPN主机的资源；
    5. 电脑A、B、C三者访问的外网流量不经过VPN，直接使用本地互联网；




这个是阿里云上一个用户的提问,最后他的需求没有得到解决