中级信息安全客户专用下载链接

Windows客户:

Windows说明

Android用户:

Android说明


Configure IKEv2 VPN clients

Windows 7, 8.x and 10

OS X (macOS)

iOS (iPhone/iPad)

Android

Linux

Windows 7, 8.x and 10

  1. Securely transfer the generated .p12 file to your computer, then import it into the “Computer account” certificate store. To import the .p12 file, run the following from an elevated command prompt:# Import .p12 file (replace with your own value) certutil -f -importpfx “\path\to\your\file.p12” NoExportAlternatively, you can manually import the .p12 file. Click here for instructions. Make sure that the client cert is placed in “Personal -> Certificates”, and the CA cert is placed in “Trusted Root Certification Authorities -> Certificates”.Note: Ubuntu 18.04 users may encounter the error “The password you entered is incorrect” when trying to import the .p12 file. See Troubleshooting.
  2. On the Windows computer, add a new IKEv2 VPN connection. For Windows 8.x and 10, it is recommended to create the VPN connection using the following commands from a command prompt, for improved security and performance. Windows 7 does not support these commands, you may manually create the VPN connection (see below).# Create VPN connection (replace server address with your own value) powershell -command “Add-VpnConnection -ServerAddress ‘Your VPN Server IP (or DNS name)’ -Name ‘My IKEv2 VPN’ -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru” # Set IPsec configuration powershell -command “Set-VpnConnectionIPsecConfiguration -ConnectionName ‘My IKEv2 VPN’ -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force”Alternatively, you can manually create the VPN connection. Click here for instructions. If you specified the server’s DNS name (instead of its IP address) during IKEv2 setup, you must enter the DNS name in the Internet address field.
  3. (Required if you manually created the VPN connection) Enable stronger ciphers for IKEv2 with a one-time registry change. Download and import the .reg file below, or run the following from an elevated command prompt. Read more here.
    • For Windows 7, 8.x and 10 (download .reg file)REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 0x1 /f

To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.

If you get an error when trying to connect, see Troubleshooting.

OS X (macOS)

First, securely transfer the generated .mobileconfig file to your Mac, then double-click and follow the prompts to import as a macOS profile. When finished, check to make sure “IKEv2 VPN” is listed under System Preferences -> Profiles.

To connect to the VPN:

  1. Open System Preferences and go to the Network section.
  2. Select the VPN connection with Your VPN Server IP (or DNS name).
  3. Check the Show VPN status in menu bar checkbox.
  4. Click Connect.

(Optional feature) You can choose to enable VPN On Demand. This is an “always-on” feature that can automatically connect to the VPN while on Wi-Fi. To enable, check the Connect on demand checkbox for the VPN connection, and click Apply.If you manually set up IKEv2 without using the helper script, click here for instructions.

Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.

If you get an error when trying to connect, see Troubleshooting.

iOS

First, securely transfer the generated .mobileconfig file to your iOS device, then import it as an iOS profile. To transfer the file, you may use:

  1. AirDrop, or
  2. Upload to your device using “File Sharing” in iTunes, then open the “Files” app on your iOS device, move the uploaded file to the “On My iPhone” folder. After that, tap the file and go to “Settings” to import, or
  3. Host the file on a secure website of yours, then download and import it in Mobile Safari.

When finished, check to make sure “IKEv2 VPN” is listed under Settings -> General -> Profile(s).

To connect to the VPN:

  1. Go to Settings -> General -> VPN.
  2. Select the VPN connection with Your VPN Server IP (or DNS name).
  3. Slide the VPN switch ON.

(Optional feature) You can choose to enable VPN On Demand. This is an “always-on” feature that can automatically connect to the VPN while on Wi-Fi. To enable, tap the “i” icon on the right of the VPN connection, and enable Connect On Demand.If you manually set up IKEv2 without using the helper script, click here for instructions.

Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.

If you get an error when trying to connect, see Troubleshooting.

Android

  1. Securely transfer the generated .sswan file to your Android device.
  2. Install strongSwan VPN Client from Google Play.
  3. Launch the strongSwan VPN client.
  4. Tap the “more options” menu on top right, then tap Import VPN profile.
  5. Choose the .sswan file you transferred from the VPN server.
    Note: To find the .sswan file, tap the three-line menu button, then browse to the location you saved the file.
  6. On the “Import VPN profile” screen, tap IMPORT CERTIFICATE FROM VPN PROFILE, and follow the prompts.
  7. On the “Choose certificate” screen, select the new client certificate, then tap Select.
  8. Tap IMPORT.
  9. Tap the new VPN profile to connect.

If your device runs Android 6.0 or older, click here for additional instructions.

(Optional feature) You can choose to enable the “Always-on VPN” feature on Android. Launch the Settings app, go to Network & internet -> Advanced -> VPN, click the gear icon on the right of “strongSwan VPN Client”, then enable the Always-on VPN and Block connections without VPN options.If you manually set up IKEv2 without using the helper script, click here for instructions.

Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.

If you get an error when trying to connect, see Troubleshooting.

Linux

Before configuring Linux VPN clients, you must make the following change on the VPN server: Edit /etc/ipsec.d/ikev2.conf on the server. Append authby=rsa-sha1 to the end of the conn ikev2-cp section, indented by two spaces. Save the file and run service ipsec restart.

To configure your Linux computer to connect to IKEv2 as a VPN client, first install the strongSwan plugin for NetworkManager:

# Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan

# Arch Linux
sudo pacman -Syu  # upgrade all packages
sudo pacman -S networkmanager-strongswan

# Fedora
sudo yum install NetworkManager-strongswan-gnome

# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome

Next, securely transfer the generated .p12 file from the VPN server to your Linux computer. After that, extract the CA certificate, client certificate and private key. Replace vpnclient.p12 in the example below with the name of your .p12 file.

# Example: Extract CA certificate, client certificate and private key.
#          You may delete the .p12 file when finished.
# Note: You will need to enter the import password, which can be found
#       in the output of the IKEv2 helper script.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes  -out vpnclient.key
rm vpnclient.p12

# (Important) Protect certificate and private key files
# Note: This step is optional, but strongly recommended.
sudo chown root.root ikev2vpnca.cer vpnclient.cer vpnclient.key
sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key

You can then set up and enable the VPN connection:

  1. Go to Settings -> Network -> VPN. Click the + button.
  2. Select IPsec/IKEv2 (strongswan).
  3. Enter anything you like in the Name field.
  4. In the Gateway (Server) section, enter Your VPN Server IP (or DNS name) for the Address.
  5. Select the ikev2vpnca.cer file for the Certificate.
  6. In the Client section, select Certificate(/private key) in the Authentication drop-down menu.
  7. Select Certificate/private key in the Certificate drop-down menu (if exists).
  8. Select the vpnclient.cer file for the Certificate (file).
  9. Select the vpnclient.key file for the Private key.
  10. In the Options section, check the Request an inner IP address checkbox.
  11. In the Cipher proposals (Algorithms) section, check the Enable custom proposals checkbox.
  12. Leave the IKE field blank.
  13. Enter aes128gcm16 in the ESP field.
  14. Click Add to save the VPN connection information.
  15. Turn the VPN switch ON.

Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP“.

If you get an error when trying to connect, see Troubleshooting.