Create and install VPN client configuration files for native Azure certificate authentication P2S configurations

VPN client configuration files are contained in a zip file. The configuration files provide the settings that a native Windows client, a native Mac IKEv2 VPN client, or a Linux client needs to connect to a virtual network over a Point-to-Site connection that uses native Azure certificate authentication.

Client configuration files are specific to the VPN configuration of the virtual network. If the Point-to-Site VPN configuration changes after you generate the VPN client configuration files (for example, the VPN protocol type or the authentication type), be sure to generate new VPN client configuration files for your user devices.

Important

Starting July 1, 2018, support for TLS 1.0 and 1.1 is being removed from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only Point-to-Site connections are affected; Site-to-Site connections are not. If you use TLS for Point-to-Site VPNs on Windows 10 clients, you don't need to take any action. If you use TLS for Point-to-Site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Generate VPN client configuration files

Before you begin, make sure that every connecting user has a valid client certificate installed on their device. For more information about installing a client certificate, see Install a client certificate.

You can generate the client configuration files by using PowerShell or the Azure portal. Either method returns the same zip file. Unzip the file to view the following folders:

  • WindowsAmd64 and WindowsX86, which contain the Windows 64-bit and 32-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just AMD processors.
  • Generic, which contains the general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, the Generic folder is not present.

Generate files using the Azure portal

  1. In the Azure portal, navigate to the virtual network gateway for the virtual network that you want to connect to.

  2. On the virtual network gateway page, click Point-to-site configuration.

  3. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

  4. Your browser indicates that a client configuration zip file is available. It has the same name as your gateway. Unzip the file to view the folders.

Generate files using PowerShell

  1. When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following commands:

    $profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"
    
    $profile.VPNProfileSASUrl
    
  2. Copy the URL to your browser to download the zip file, then unzip the file to view the folders.

Windows

You can use the same VPN client configuration package on every Windows client computer, as long as the package version matches the architecture of the client. For the list of supported client operating systems, see the Point-to-Site section of the VPN Gateway FAQ.

Note

You must have Administrator rights on the Windows client computer from which you want to connect.

Use the following steps to configure the native Windows VPN client for certificate authentication:

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
  2. Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.
  3. On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.
  4. Before you attempt to connect, verify that a client certificate is installed on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.

Mac (OS X)

You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. Azure does not provide a mobileconfig file for native Azure certificate authentication. The Generic folder contains all of the information that you need for the configuration. If you don't see the Generic folder in your download, IKEv2 was probably not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. Once IKEv2 is selected, generate the zip file again to retrieve the Generic folder.

The Generic folder contains the following files:

  • VpnSettings.xml, which contains important settings such as the server address and tunnel type.
  • VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN gateway during P2S connection setup.

Use the following steps to configure the native VPN client on a Mac for certificate authentication. You have to complete these steps on every Mac that will connect to Azure:

  1. Import the VpnServerRoot root certificate to your Mac. To do this, copy the file to your Mac and double-click it. Click Add to import it.

    Note

    Double-clicking the certificate may not display the Add dialog, but the certificate is installed in the correct store. You can check for the certificate in the login keychain under the Certificates category.

  2. Verify that you have installed a client certificate that was issued by the root certificate that you uploaded to Azure when you configured your P2S settings. This is different from the VpnServerRoot certificate that you installed in the previous step. The client certificate is used for authentication and is required. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.

  3. Open the Network dialog under Network Preferences and click '+' to create a new VPN client connection profile for a P2S connection to the Azure virtual network.

    The Interface value is 'VPN' and the VPN Type value is 'IKEv2'. Specify a name for the profile in the Service Name field, then click Create to create the VPN client connection profile.

  4. In the Generic folder, open the VpnSettings.xml file and copy the VpnServer tag value. Paste this value into the Server Address and Remote ID fields of the profile.

  5. Click Authentication Settings and select Certificate.

    • For Catalina, select None and then Certificate, then select the correct certificate.

  6. Click Select… to choose the client certificate that you want to use for authentication. This is the certificate that you installed in Step 2.

  7. Choose An Identity displays a list of certificates for you to choose from. Select the proper certificate, then click Continue.

  8. In the Local ID field, specify the name of the certificate (from Step 6). In this example, it is "ikev2Client.com". Then click the Apply button to save the changes.

  9. On the Network dialog, click Apply to save all changes. Then click Connect to start the P2S connection to the Azure virtual network.

Linux (strongSwan GUI)

Install strongSwan

The following configuration was used for the steps below:

  • Computer: Ubuntu Server 18.04
  • Dependencies: strongSwan

Use the following commands to install the required strongSwan packages:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Additional instructions on how to install the Azure CLI

Generate certificates

If you have not already generated certificates, use the following steps:

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that Azure supports. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle is used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"

Install and configure

The following instructions were created on Ubuntu 18.04. Ubuntu 16.10 does not support the strongSwan GUI; if you want to use Ubuntu 16.10, you have to use the command line. The examples below may not match the screens that you see, depending on your version of Linux and strongSwan.

  1. Open the Terminal to install strongSwan and its Network Manager plugin by running the command in the example.

    sudo apt install network-manager-strongswan
    
  2. Select Settings, then select Network.

  3. Click the + button to create a new connection.

  4. Select IPsec/IKEv2 (strongSwan) from the menu, and double-click. You can name your connection in this step.

  5. Open the VpnSettings.xml file from the Generic folder contained in the downloaded client configuration files. Find the tag called VpnServer and copy the name, which begins with 'azuregateway' and ends with '.chinacloudapp.cn'.

  6. Paste this name into the Address field of your new VPN connection in the Gateway section. Next, select the folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.

  7. In the Client section of the connection, for Authentication, select Certificate/private key. For Certificate and Private key, choose the certificate and the private key that were created earlier. In Options, select Request an inner IP address. Then click Add.

  8. Turn the connection On.

Linux (strongSwan CLI)

Install strongSwan

The following configuration was used for the steps below:

  • Computer: Ubuntu Server 18.04
  • Dependencies: strongSwan

Use the following commands to install the required strongSwan packages:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Additional instructions on how to install the Azure CLI

Generate certificates

If you have not already generated certificates, use the following steps:

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that Azure supports. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle is used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
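Before the base64 CA blob goes to Azure and client.p12 goes onto the client, it is worth confirming that the generated files fit together. The shell functions below are an added example, not code from the Azure article or from strongSwan (the function names are this example's own; it assumes only openssl and GNU base64 are installed): one checks that the one-line base64 output round-trips to caCert.pem, the other that the client certificate chains to that CA and carries the clientAuth extended key usage that the article's --flag clientAuth option sets. The same check applies to the identical Generate certificates steps in the strongSwan GUI section above.

```shell
#!/bin/sh
# Added example, not from the Azure article or strongSwan: sanity checks on the
# files produced above before the CA goes to Azure and client.p12 to the client.
# Function names are this example's own; requires openssl and GNU base64.

# $1 = caCert.pem. Prints the one-line base64 DER exactly as the article's
# command does, after confirming it decodes back to the same certificate.
ca_base64_roundtrip() {
    b64=$(openssl x509 -in "$1" -outform der | base64 -w0)
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    got=$(printf '%s' "$b64" | base64 -d | openssl x509 -inform der -noout -fingerprint -sha256)
    [ -n "$b64" ] && [ "$want" = "$got" ] && printf '%s\n' "$b64"
}

# $1 = caCert.pem, $2 = clientCert.pem. Succeeds only if the client certificate
# chains to this CA and carries the clientAuth extended key usage, which is what
# the article's "--flag clientAuth" sets and what EAP-TLS on the gateway expects.
verify_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Usage: sh <this script> caCert.pem clientCert.pem
if [ $# -eq 2 ]; then
    ca_base64_roundtrip "$1" && verify_client_cert "$1" "$2" && echo "client certificate OK"
fi
```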

Install and configure

  1. Download the VPNClient package from the Azure portal.

  2. Extract the file.

  3. From the Generic folder, copy or move VpnServerRoot.cer to /etc/ipsec.d/cacerts.

  4. Copy or move client.p12 to /etc/ipsec.d/private/. This file is the client certificate for the Azure VPN gateway.

  5. Open the VpnSettings.xml file and copy the <VpnServer> value. You will use this value in the next step.

  6. Adjust the values in the example below, then add the example to the /etc/ipsec.conf configuration.

    conn azure
          keyexchange=ikev2
          type=tunnel
          leftfirewall=yes
          left=%any
          leftauth=eap-tls
          leftid=%client # use the DNS alternative name prefixed with the %
          right=<VpnServer value> # Azure VPN gateway address
          rightid=%<VpnServer value> # Azure VPN gateway FQDN prefixed with %
          rightsubnet=0.0.0.0/0
          leftsourceip=%config
          auto=add
    
  7. Add the following to /etc/ipsec.secrets.

    : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory
    
  8. Run the following commands:

    # ipsec restart
    # ipsec up azure
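Steps 5 to 7 above (and step 5 of the strongSwan GUI section) have you copy the VpnServer value out of VpnSettings.xml by hand. The following POSIX shell script is an added example, not part of the Azure article or of strongSwan: it extracts that value, rejects anything that does not have the azuregateway-…chinacloudapp.cn shape the article describes, and renders the conn stanza and the ipsec.secrets line from it. The function names and the sample VpnSettings.xml content are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the Azure article: derive the /etc/ipsec.conf
# stanza (step 6) and the /etc/ipsec.secrets line (step 7) from the VpnServer
# value in Generic/VpnSettings.xml. Function names and sample XML are this example's own.

# Constructed stand-in for VpnSettings.xml; the FQDN is a placeholder of the shape the article describes.
SAMPLE_VPNSETTINGS='<?xml version="1.0" encoding="utf-8"?>
<VpnProfile>
  <VpnServer>azuregateway-00000000-0000-0000-0000-000000000000-0123456789ab.vpn.chinacloudapp.cn</VpnServer>
  <VpnType>IKEv2</VpnType>
</VpnProfile>'

# Print the <VpnServer> value from the XML text in $1. Fail if it is absent or does not
# look like an Azure China gateway name, since right=/rightid= are matched against the gateway certificate.
vpn_server_from_xml() {
    fqdn=$(printf '%s\n' "$1" | sed -n 's/.*<VpnServer>\([^<]*\)<\/VpnServer>.*/\1/p' | head -n 1)
    case "$fqdn" in
        azuregateway-*.chinacloudapp.cn) printf '%s\n' "$fqdn" ;;
        *) echo "VpnServer missing or unexpected: '$fqdn'" >&2; return 1 ;;
    esac
}

# Render the article's conn stanza. $1 = gateway FQDN; $2 = the name given to
# --san when the user certificate was issued (leftid and rightid need the % prefix).
render_ipsec_conf() {
    cat <<EOF
conn azure
      keyexchange=ikev2
      type=tunnel
      leftfirewall=yes
      left=%any
      leftauth=eap-tls
      leftid=%$2
      right=$1
      rightid=%$1
      rightsubnet=0.0.0.0/0
      leftsourceip=%config
      auto=add
EOF
}

# Render the ipsec.secrets entry. $1 = P12 file name under /etc/ipsec.d/private,
# $2 = its export password, stored in clear text: keep the file root-owned, mode 0600.
render_ipsec_secrets() {
    printf ": P12 %s '%s'\n" "$1" "$2"
}

main() {
    fqdn=$(vpn_server_from_xml "$SAMPLE_VPNSETTINGS") || return 1
    render_ipsec_conf "$fqdn" "${USERNAME:-client}"
    render_ipsec_secrets "${USERNAME:-client}.p12" "${PASSWORD:-password}"
}
main "$@"
```

Run it after exporting USERNAME and PASSWORD as in the certificate steps, and redirect the two outputs into the respective files rather than pasting.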
    

Next steps

Return to the article to complete your P2S configuration.

To troubleshoot P2S connections, see the following articles: