{"id":368,"date":"2025-02-27T13:46:22","date_gmt":"2025-02-27T05:46:22","guid":{"rendered":"https:\/\/www.tysql.com\/?p=368"},"modified":"2025-10-20T10:33:45","modified_gmt":"2025-10-20T02:33:45","slug":"docker%e5%ae%89%e8%a3%85ipsec","status":"publish","type":"post","link":"https:\/\/www.tysql.com\/index.php\/2025\/02\/27\/docker%e5%ae%89%e8%a3%85ipsec\/","title":{"rendered":"Docker\u5b89\u88c5ipsec"},"content":{"rendered":"\n
docker run --name ipsec-vpn-server  --env-file \/root\/vpn.env --restart=always -v ikev2-vpn-data:\/etc\/ipsec.d \\-v \/lib\/modules:\/lib\/modules:ro -p 500:500\/udp -p 4500:4500\/udp -d --privileged registry.home.tymas.cn:8000\/hwdsl2\/ipsec-vpn-server:latest<\/pre><\/div>\n\n\n\n
.env \u914d\u7f6e\u6587\u4ef6,\u653e\u5728root\u7528\u6237\u6839\u76ee\u5f55\u4e0b \/root\/vpn.env<\/p>\n\n\n\n
\u4e0b\u9762\u9ad8\u4eae\u90e8\u5206\u662f\u8981\u81ea\u5df1\u8bbe\u7f6e\u7684<\/p>\n\n\n\n
# Note: All the variables to this image are optional.\n# See README for more information.\n# To use, uncomment and replace with your own values.\n\n# Define IPsec PSK, VPN username and password\n# - DO NOT put "" or '' around values, or add space around =\n# - DO NOT use these special characters within values: \\ " '\nVPN_IPSEC_PSK=aaaaaaaaaa\nVPN_USER=aaaa\nVPN_PASSWORD=aaaa\n\n\n# Define additional VPN users\n# - DO NOT put "" or '' around values, or add space around =\n# - DO NOT use these special characters within values: \\ " '\n# - Usernames and passwords must be separated by spaces\n# VPN_ADDL_USERS=additional_username_1 additional_username_2\n# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2\n\n# Use a DNS name for the VPN server\n# - The DNS name must be a fully qualified domain name (FQDN)\nVPN_DNS_NAME=aaa.com\n\n# Specify a name for the first IKEv2 client\n# - Use one word only, no special characters except '-' and '_'\n# - The default is 'vpnclient' if not specified\n# VPN_CLIENT_NAME=your_client_name\n\n# Use alternative DNS servers\n# - By default, clients are set to use Google Public DNS\n# - Example below shows Cloudflare's DNS service\nVPN_DNS_SRV1=223.5.5.5\nVPN_DNS_SRV2=114.114.114.114\n\n# Protect IKEv2 client config files using a password\n# - By default, no password is required when importing IKEv2 client configuration\n# - Uncomment if you want to protect these files using a random password\n# VPN_PROTECT_CONFIG=yes\n<\/pre><\/div>\n\n\n\n
Windows 8, 10 \u548c 11+<\/strong> \u7528\u6237\u53ef\u4ee5\u81ea\u52a8\u5bfc\u5165 IKEv2 \u914d\u7f6e\uff1a<\/p>\n\n\n\n
    \n
  1. \u5c06\u751f\u6210\u7684\u00a0.p12<\/code>\u00a0\u6587\u4ef6\u5b89\u5168\u5730\u4f20\u9001\u5230\u4f60\u7684\u8ba1\u7b97\u673a\u3002<\/li>\n\n\n\n
  2. \u53f3\u952e\u5355\u51fb\u00a0ikev2_config_import.cmd<\/a>\u00a0\u5e76\u4fdd\u5b58\u8fd9\u4e2a\u8f85\u52a9\u811a\u672c\u5230\u4e0e\u00a0.p12<\/code>\u00a0\u6587\u4ef6\u00a0\u76f8\u540c\u7684\u6587\u4ef6\u5939<\/strong>\u3002<\/li>\n\n\n\n
  3. \u53f3\u952e\u5355\u51fb\u4fdd\u5b58\u7684\u811a\u672c\uff0c\u9009\u62e9\u00a0\u5c5e\u6027<\/strong>\u3002\u5355\u51fb\u5bf9\u8bdd\u6846\u4e0b\u65b9\u7684\u00a0\u89e3\u9664\u9501\u5b9a<\/strong>\uff0c\u7136\u540e\u5355\u51fb\u00a0\u786e\u5b9a<\/strong>\u3002<\/li>\n\n\n\n
  4. \u53f3\u952e\u5355\u51fb\u4fdd\u5b58\u7684\u811a\u672c\uff0c\u9009\u62e9\u00a0\u4ee5\u7ba1\u7406\u5458\u8eab\u4efd\u8fd0\u884c<\/strong>\u00a0\u5e76\u6309\u63d0\u793a\u64cd\u4f5c\u3002<\/li>\n<\/ol>\n\n\n\n
    \u5982\u679c\u5728\u8fde\u63a5\u8fc7\u7a0b\u4e2d\u9047\u5230\u9519\u8bef\uff0c\u8bf7\u53c2\u89c1\u00a0\u6545\u969c\u6392\u9664<\/a>\u3002<\/p>\n\n\n\n
    \u8fd9\u91cc\u662f\u4e0a\u9762\u81ea\u52a8\u5316\u8bbe\u7f6e\u8fde\u63a5\u7684\u811a\u672c\uff0c\u4e0b\u8f7d\u4e0d\u5230\u53ef\u4ee5\u628a\u8fd9\u4e2a\u4fdd\u5b58\u6210ikev2_config_import.cmd<\/summary>\n
    <\/p>\n\n\n\n
    @echo off\n:: IKEv2 Configuration Import Helper Script for Windows 8, 10 and 11\n:: Copyright (C) 2022 Lin Song <linsongui@gmail.com>\n:: This work is licensed under the Creative Commons Attribution-ShareAlike 3.0\n:: Unported License: http:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\n:: Attribution required: please include my name in any derivative and let me\n:: know how you have improved it!\n\nsetlocal DisableDelayedExpansion\nset "SPath=%SystemRoot%\\System32"\nif exist "%SystemRoot%\\Sysnative\\reg.exe" (set "SPath=%SystemRoot%\\Sysnative")\nset "Path=%SPath%;%SystemRoot%;%SPath%\\Wbem;%SPath%\\WindowsPowerShell\\v1.0\\"\nset "_err====== ERROR ====="\nset "_work=%~dp0"\nif "%_work:~-1%"=="\\" set "_work=%_work:~0,-1%"\n\nfor \/f "tokens=4-5 delims=. " %%i in ('ver') do set version=%%i.%%j\nif "%version%" == "10.0" goto :Check_Admin\nif "%version%" == "6.3" goto :Check_Admin\nif "%version%" == "6.2" goto :Check_Admin\ngoto :E_Win\n\n:Check_Admin\nreg query HKU\\S-1-5-19 >nul 2>&1 || goto :E_Admin\n\nwhere certutil >nul 2>&1\nif %errorlevel% neq 0 goto :E_Cu\nwhere powershell >nul 2>&1\nif %errorlevel% neq 0 goto :E_Ps\n\ntitle IKEv2 Configuration Import Helper Script\nsetlocal EnableDelayedExpansion\ncd \/d "!_work!"\n@cls\necho ===================================================================\necho Welcome^^! Use this helper script to import an IKEv2 configuration\necho into a PC running Windows 8, 10 or 11.\necho For more details, see https:\/\/vpnsetup.net\/ikev2\necho.\necho Before continuing, you must put the .p12 file you transferred from\necho the VPN server in the *same folder* as this script.\necho ===================================================================\n\nset client_name_gen=\nfor \/F "eol=| delims=" %%f in ('dir "*.p12" \/A-D \/B \/O-D \/TW 2^>nul') do (\n  set "p12_latest=%%f"\n  set "client_name_gen=!p12_latest:.p12=!"\n  goto :Enter_Client_Name\n)\n\n:Enter_Client_Name\necho.\necho Enter the name of the IKEv2 VPN client to import.\necho Note: This is the same as the .p12 filename without extension.\nset client_name=\nset p12_file=\nif defined client_name_gen (\n  echo To accept the suggested client name, press Enter.\n  set \/p client_name="VPN client name: [%client_name_gen%] "\n  if not defined client_name set "client_name=%client_name_gen%"\n) else (\n  set \/p client_name="VPN client name: "\n  if not defined client_name goto :Abort\n)\nset "client_name=%client_name:"=%"\nset "client_name=%client_name: =%"\nset "p12_file=%_work%\\%client_name%.p12"\nif not exist "!p12_file!" (\n  echo.\n  echo ERROR: File "!p12_file!" not found.\n  echo You must put the .p12 file you transferred from the VPN server\n  echo in the *same folder* as this script.\n  goto :Enter_Client_Name\n)\n\necho.\necho Enter the IP address (or DNS name) of the VPN server.\necho Note: This must exactly match the VPN server address in the output\necho of the IKEv2 helper script on your server.\nset server_addr=\nset \/p server_addr="VPN server address: "\nif not defined server_addr goto :Abort\nset "server_addr=%server_addr:"=%"\nset "server_addr=%server_addr: =%"\n\nset "conn_name_gen=IKEv2 VPN %server_addr%"\npowershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1\nif !errorlevel! neq 0 (\n  goto :Enter_Conn_Name\n)\nset "conn_name_gen=IKEv2 VPN 2 %server_addr%"\npowershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1\nif !errorlevel! neq 0 (\n  goto :Enter_Conn_Name\n)\nset "conn_name_gen=IKEv2 VPN 3 %server_addr%"\npowershell -command "Get-VpnConnection -Name '%conn_name_gen%'" >nul 2>&1\nif !errorlevel! equ 0 (\n  set conn_name_gen=\n)\n\n:Enter_Conn_Name\necho.\necho Provide a name for the new IKEv2 connection.\nset conn_name=\nif defined conn_name_gen (\n  echo To accept the suggested connection name, press Enter.\n  set \/p conn_name="IKEv2 connection name: [%conn_name_gen%] "\n  if not defined conn_name set "conn_name=%conn_name_gen%"\n) else (\n  set \/p conn_name="IKEv2 connection name: "\n  if not defined conn_name goto :Abort\n)\nset "conn_name=%conn_name:"=%"\npowershell -command "Get-VpnConnection -Name '%conn_name%'" >nul 2>&1\nif !errorlevel! equ 0 (\n  echo.\n  echo ERROR: A connection with this name already exists.\n  goto :Enter_Conn_Name\n)\n\necho.\necho Importing .p12 file...\ncertutil -f -p "" -importpfx "%p12_file%" NoExport >nul 2>&1\nif !errorlevel! equ 0 goto :Create_Conn\necho When prompted, enter the password for client config files, which can be found\necho in the output of the IKEv2 helper script on your server.\n:Import_P12\ncertutil -f -importpfx "%p12_file%" NoExport\nif !errorlevel! neq 0 goto :Import_P12\n\n:Create_Conn\necho.\necho Creating VPN connection...\npowershell -command "Add-VpnConnection -ServerAddress '%server_addr%' -Name '%conn_name%' -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -PassThru"\nif !errorlevel! neq 0 (\n  echo ERROR: Could not create the IKEv2 VPN connection.\n  goto :Done\n)\n\necho Setting IPsec configuration...\npowershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName '%conn_name%' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"\nif !errorlevel! neq 0 (\n  echo ERROR: Could not set IPsec configuration for the IKEv2 VPN connection.\n  goto :Done\n)\n\necho IKEv2 configuration successfully imported^^!\necho To connect to the VPN, click on the wireless\/network icon in your system tray,\necho select the "%conn_name%" VPN entry, and click Connect.\ngoto :Done\n\n:E_Admin\necho %_err%\necho This script requires administrator privileges.\necho Right-click on the script and select 'Run as administrator'.\ngoto :Done\n\n:E_Win\necho %_err%\necho This script requires Windows 8, 10 or 11.\necho Windows 7 users can manually import IKEv2 configuration. See https:\/\/vpnsetup.net\/ikev2\ngoto :Done\n\n:E_Cu\necho %_err%\necho This script requires 'certutil', which is not detected.\ngoto :Done\n\n:E_Ps\necho %_err%\necho This script requires 'powershell', which is not detected.\ngoto :Done\n\n:Abort\necho.\necho Abort. No changes were made.\n\n:Done\necho.\necho Press any key to exit.\npause >nul\ngoto :eof\n<\/pre><\/div>\n<\/details>\n\n\n\n
    \u4e0b\u9762\u662f\u4e00\u4e9b\u9519\u8bef\u7684\u89e3\u51b3\u529e\u6cd5<\/h2>\n\n\n\n
    win10\u81ea\u5e26VPN\u8fde\u63a5\u5931\u8d25\uff0c\u63d0\u793a\u201c\u4e0d\u80fd\u5efa\u7acb\u5230\u8fdc\u7a0b\u8ba1\u7b97\u673a\u7684\u8fde\u63a5,\u4f60\u53ef\u80fd\u9700\u8981\u66f4\u6539\u6b64\u8fde\u63a5\u7684\u7f51\u7edc\u8bbe\u7f6e\u201d\u5904\u7406\u65b9\u6cd5\uff08\u4eb2\u6d4b\u6709\u6548\uff09<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \u5378\u8f7d\u7f51\u7edc\u9002\u914d\u5668-WAN Miniport(IP)\uff0c\u5378\u8f7d\u5b8c\u6210\u540e\u91cd\u542f\u7535\u8111\uff0c\u7136\u540e\u518d\u8fde\u63a5\u5c31\u53ef\u4ee5\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"
    .env \u914d\u7f6e\u6587\u4ef6,\u653e\u5728root\u7528\u6237\u6839\u76ee\u5f55\u4e0b \/root\/vpn.env \u4e0b\u9762\u9ad8\u4eae\u90e8\u5206\u662f\u8981\u81ea\u5df1\u8bbe\u7f6e\u7684 Wind … \u7ee7\u7eed\u9605\u8bfbDocker\u5b89\u88c5ipsec<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/comments?post=368"}],"version-history":[{"count":8,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/posts\/368\/revisions"}],"predecessor-version":[{"id":412,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/posts\/368\/revisions\/412"}],"wp:attachment":[{"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/media?parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/categories?post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tysql.com\/index.php\/wp-json\/wp\/v2\/tags?post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}