Deploying IKEv2/IPSec with MSCHAPv2 on iKuai (爱快)

Deploying IKEv2/IPSec with MSCHAPv2 on iKuai (爱快), with certificates that work on every client platform (Android / iOS / Windows / macOS / Linux)

Certificate generation tool: OpenSSL

Step 1: Prepare a working directory

mkdir vpn-ca
cd vpn-ca

Step 2: Create the Root CA configuration (ca.cnf)

Create the file ca.cnf:

[ req ]
default_bits       = 4096
default_md         = sha256
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = abc.com Root CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

CA:true is included in basicConstraints
The fields Android requires are included
Fully compatible with iOS / Windows / macOS

Step 3: Generate the Root CA

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -key ca.key \
  -sha256 -days 36500 -out ca.crt \
  -config ca.cnf

Step 4: Create the server-side configuration (server.cnf)

Create the file server.cnf:

[ req ]
default_bits       = 4096
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = abc.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = abc.com

Step 5: Generate server.key and server.csr

openssl genrsa -out server.key 4096

openssl req -new -key server.key -out server.csr \
  -config server.cnf

Step 6: Sign server.crt with the Root CA

openssl x509 -req -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 3650 -sha256 \
  -extensions v3_req -extfile server.cnf

server.crt and server.key are the server certificate and server private key to be loaded into iKuai; the root certificate ca.crt must be installed on the client devices.

Appendix: one-click automation script build.sh

#!/bin/bash

set -e

DOMAIN="abc.com"
DAYS_CA=36500
DAYS_SERVER=3650

echo "=========================================="
echo "   IKEv2 / TLS 全平台证书一键生成工具"
echo "   Domain: $DOMAIN"
echo "=========================================="

echo "[1] 清理旧文件..."
rm -f ca.key ca.crt ca.srl
rm -f server.key server.csr server.crt
rm -f ca.cnf server.cnf

echo "[2] 生成 Root CA 配置文件 ca.cnf..."
cat > ca.cnf <<EOF
[ req ]
default_bits       = 4096
default_md         = sha256
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = ${DOMAIN} Root CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF

echo "[3] 生成 Root CA 私钥 ca.key..."
openssl genrsa -out ca.key 4096

echo "[4] 使用 CA 配置 ca.cnf 生成 Root CA 证书 ca.crt..."
openssl req -x509 -new -nodes -key ca.key \
  -sha256 -days $DAYS_CA -out ca.crt \
  -config ca.cnf

echo "[5] 生成服务器配置文件 server.cnf..."
cat > server.cnf <<EOF
[ req ]
default_bits       = 4096
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = ${DOMAIN}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${DOMAIN}
EOF

echo "[6] 生成服务器私钥 server.key..."
openssl genrsa -out server.key 4096

echo "[7] 使用 server.cnf 生成 CSR..."
openssl req -new -key server.key -out server.csr \
  -config server.cnf

echo "[8] 使用 Root CA 签发服务器证书 server.crt..."
openssl x509 -req -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days $DAYS_SERVER -sha256 \
  -extensions v3_req -extfile server.cnf

echo ""
echo "=========================================="
echo "   全部文件生成完毕!"
echo "=========================================="
echo " Root CA:"
echo "   ca.key  (私钥 - 不要泄露)"
echo "   ca.crt  (Root CA 证书,导入 Windows / Android / iOS)"
echo ""
echo " Server Certificate:"
echo "   server.key (服务器私钥)"
echo "   server.crt (服务器证书,导入你的 IKEv2 / 爱快路由器)"
echo ""
echo " CSR 文件(可忽略):"
echo "   server.csr"
echo ""
echo "完整证书链验证(可选):"
echo "   openssl verify -CAfile ca.crt server.crt"
echo ""
echo "Done."

Note: the abc.com in DOMAIN="abc.com" must be replaced with your actual domain name.

Usage

chmod +x build.sh
./build.sh

After the script runs, the following files are generated in the current directory:

ca.key
ca.crt
server.key
server.crt
server.csr
ca.cnf
server.cnf
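Before loading server.crt/server.key into iKuai and distributing ca.crt to clients, it is worth checking that the generated files actually carry the extensions the manual steps and build.sh above depend on. The following POSIX shell checker is an added example, not code from the original post or from iKuai: it confirms CA:TRUE and keyCertSign on the root, CA:FALSE, the serverAuth EKU and a DNS SAN matching the domain on the server certificate, that the server certificate chains to the root, and that it is not about to expire. It assumes the openssl CLI is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the output of
# build.sh before loading server.crt/server.key into iKuai and ca.crt into
# client devices. Assumes the openssl CLI is on PATH; function names are
# this example's own.

# _cert_has FILE PATTERN -> true when PATTERN appears in the decoded certificate
_cert_has() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qw -- "$2"
}

# _check LABEL COMMAND... -> prints ok/FAIL for LABEL; any failure sets rc=1
_check() {
  label="$1"; shift
  if "$@" >/dev/null 2>&1; then
    echo "ok   $label"
  else
    echo "FAIL $label"; rc=1
  fi
}

# check_vpn_certs DOMAIN [CA_CRT] [SERVER_CRT]
# Returns 0 only if every check passes (defaults: ca.crt / server.crt).
check_vpn_certs() {
  domain="$1"; ca="${2:-ca.crt}"; srv="${3:-server.crt}"
  rc=0
  _check "server cert chains to the root CA"                     openssl verify -CAfile "$ca" "$srv"
  _check "root: basicConstraints CA:TRUE (required by Android)"  _cert_has "$ca" 'CA:TRUE'
  _check "root: keyUsage keyCertSign"                            _cert_has "$ca" 'Certificate Sign'
  _check "server: basicConstraints CA:FALSE"                     _cert_has "$srv" 'CA:FALSE'
  _check "server: extendedKeyUsage serverAuth"                   _cert_has "$srv" 'TLS Web Server Authentication'
  _check "server: subjectAltName DNS:$domain"                    _cert_has "$srv" "DNS:$domain"
  _check "server: valid for at least 30 more days"               openssl x509 -in "$srv" -noout -checkend 2592000
  return "$rc"
}

# Stand-alone use from the build.sh output directory: ./check_certs.sh abc.com
if [ $# -gt 0 ]; then
  check_vpn_certs "$@"
fi
```

A certificate that fails the SAN or EKU line will typically be accepted by the iKuai side but rejected by the client when the tunnel is brought up, so run this once per domain before touching the devices.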

Copyright notice:
Author: admin
Link: https://luhaoyu.com/archives/115
Source: 悄悄拔尖
This article is copyright of its author; please do not reproduce it without permission.
