AnyConnect是思科公司的企业安全远程接入解决方案,受许多中小企业青睐。
其手机客户端可从安卓市场或者苹果商店下载。
编译环境 CentOS 6.9 X86
安装编译依赖环境
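# Build dependencies from the CentOS 6.9 repositories. The original line
# listed gcc twice; the set of packages is unchanged, only deduplicated and
# grouped so the list is readable.
yum install gcc wget bison bison-devel flex texinfo \
  libtasn1-devel zlib zlib-devel gmp gmp-devel xz \
  trousers trousers-devel libnl-devel \
  tcp_wrappers tcp_wrappers-libs tcp_wrappers-devel \
  dbus dbus-devel ncurses-devel pam-devel readline-devel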
编译安装autoconf和automake
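# Build autoconf 2.69 and automake 1.14.1 from source under /usr/local.
# The file fetched and the file extracted must be the same archive: the
# original fetched autoconf-latest.tar.gz but extracted autoconf-2.69.tar.gz.
cd /usr
wget ftp://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz
# Supply-chain hygiene: GNU publishes a detached .sig next to each tarball;
# verify it (gpg --verify) before building instead of trusting plain FTP.
tar -zxvf autoconf-2.69.tar.gz
cd autoconf-2.69/
./configure --prefix=/usr/local/autoconf
make && make install
# This overwrites the distro-packaged autoconf in /usr/bin; prepending
# /usr/local/autoconf/bin to PATH would avoid clobbering it.
cp /usr/local/autoconf/bin/autoconf /usr/bin/autoconf
cd /usr
wget ftp://ftp.gnu.org/gnu/automake/automake-1.14.1.tar.gz
# The extraction step was missing in the original; cd would have failed.
tar -zxvf automake-1.14.1.tar.gz
cd automake-1.14.1
./configure --prefix=/usr/local/automake
make && make install
cp /usr/local/automake/bin/automake /usr/bin/automake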
安装nettle
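# nettle 2.7.1, installed under its own prefix; the gnutls build below is
# pointed at it via NETTLE_*/HOGWEED_* variables.
wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
# Supply-chain hygiene: verify the tarball against its GNU .sig before building.
tar zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1/
./configure --prefix=/usr/local/nettle
make && make install
# Make the non-standard library directory visible to the dynamic loader.
echo '/usr/local/nettle/lib/' > /etc/ld.so.conf.d/nettle.conf
ldconfig   # was "Ldconfig": the command name is lowercase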
安装gnutls
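# gnutls 3.3.9 built against the nettle prefix above. The file fetched and
# the file extracted must be the same archive: the original fetched .tar.gz
# but extracted .tar.xz. The 3.3 series is published as .tar.xz; if your
# mirror only offers .tar.gz, use that name on both lines. Prefer the latest
# patch release of the branch over the exact version pinned here.
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz
tar xvf gnutls-3.3.9.tar.xz
cd gnutls-3.3.9/
# Point configure at the non-standard nettle/hogweed install location.
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib/ -lnettle"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
export HOGWEED_LIBS="-L/usr/local/nettle/lib/ -lhogweed"
./configure --prefix=/usr/local/gnutls
make && make install
# certtool is used later on this page to issue the CA/server/client certs.
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig   # was "Ldconfig": the command name is lowercase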
安装libnl
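# libnl 3.2.24, installed under its own prefix; the ocserv build below is
# pointed at it via LIBNL3_* variables.
# Optional: bison and flex are already part of the dependency list at the
# top of this page, so this line is a no-op if that list was installed.
yum install bison flex
# Fetched over plain HTTP with no signature; compare a published checksum
# if one is available before building.
wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar -zxvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig   # was "Ldconfig": the command name is lowercase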
安装ocserv
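# ocserv 0.9.0.1 built against the gnutls and libnl prefixes installed above.
cd /usr
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"   # original had -L//usr/...
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
tar xvf ocserv-0.9.0.1.tar.xz
# Directory name as given on the page; adjust if the tarball unpacks under
# a different name.
cd ocserv-0.9.0
./configure --prefix=/usr/local/ocserv
make && make install
# Make ocserv/ocpasswd available in future shells. The single quotes are
# deliberate: $PATH is written literally and expanded when .bashrc is read.
# (original had a stray "//" in the sbin path.)
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> "$HOME/.bashrc"
source "$HOME/.bashrc"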
配置NAT
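# Masquerade the VPN client pool (192.168.12.0/24, must match ipv4-network /
# ipv4-netmask in the ocserv config) out of the uplink interface; change
# eth0 if the uplink is a different interface. /24 is the same mask as
# 255.255.255.0 written in CIDR form.
iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -o eth0 -j MASQUERADE
# Enable IPv4 forwarding immediately. The original line mixed "vi
# /etc/sysctl.conf" with the setting on one line, which is not a command.
sysctl -w net.ipv4.ip_forward=1
# To survive a reboot, also set "net.ipv4.ip_forward = 1" in /etc/sysctl.conf
# (reload with `sysctl -p`). The NAT rule above is likewise not persistent
# on its own; on CentOS 6 `service iptables save` writes the running rules
# to /etc/sysconfig/iptables.
# Review the NAT table (-n avoids reverse-DNS lookups in the listing).
iptables -t nat -L -n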
出错则编译安装protobuf及三个文件
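# Only needed if the ocserv build fails for lack of protobuf: build
# protobuf 2.6.1 from source (no --prefix, so it installs under /usr/local).
cd /usr
yum install glibc-headers gcc-c++
# The original split the URL onto its own line and passed
# "no-check-certificate" (without the leading --) as if it were the URL.
# Do not disable TLS verification for a tarball that is compiled and
# installed as root: if the CentOS 6.9 CA bundle cannot validate github.com,
# refresh it first with `yum update ca-certificates` and fetch normally.
wget https://github.com/google/protobuf/releases/download/v2.6.1/protobuf-2.6.1.tar.gz
tar -zxvf protobuf-2.6.1.tar.gz
cd protobuf-2.6.1
./configure
make && make install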
用户名登录
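# Create the plain-auth password database used by auth = "plain[...]".
# The ocpasswd built above presumably landed in /usr/local/ocserv/bin (the
# prefix given to configure), which the PATH line already covers; the copy
# from the source tree is kept as the page had it and only works if the
# tree was unpacked under /usr with that name.
cp /usr/ocserv-0.9.0/src/ocpasswd /usr/bin/ocpasswd
# Replace USERNAME with the login name; the password is prompted for.
# "(username)" in the original is a placeholder, not valid shell.
ocpasswd -c /etc/ocserv/passwd USERNAME
# NOTE(review): this file holds password hashes; keep it readable only by
# the account ocserv's main process runs as — confirm against the ocserv docs.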
配置文件
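# ocserv configuration used by this guide. Lines starting with # are comments.

# Default: username/password from the file written by ocpasswd.
auth = "plain[/etc/ocserv/passwd]"
# Certificate authentication (see the end of the page). The page states that
# password auth is the default and certificate auth is optional, but the
# original listing had both directives active; multiple auth lines are
# presumably combined (all must pass) — confirm against your ocserv version.
# Uncomment these two lines to require a client certificate signed by the
# CA created below. The original wrote "ca-cert" without the "=" the
# key = value syntax needs.
#auth = "certificate"
#ca-cert = /etc/ocserv/ca-cert.pem

max-clients = 16
max-same-clients = 2
# Port can be customised; pick one that does not clash with common services.
tcp-port = 10443
# Choose the transport yourself; for TCP only, comment the udp-port line out.
udp-port = 10443
keepalive = 32400
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
auth-timeout = 40
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
# Unprivileged identity ocserv switches to after start-up.
run-as-user = nobody
run-as-group = daemon
device = vpns
# Client address pool; customise as needed (the NAT rule must match it).
ipv4-network = 192.168.12.0
ipv4-netmask = 255.255.255.0
# If no split routing (domestic/foreign) is configured, comment this line out.
route = 192.168.12.0/255.255.255.0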
启动 ocserv：ocserv -c /etc/ocserv.conf（加 -f 则为调试模式，不加则后台运行）
服务器证书
生成SSL证书
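# Directory for the CA, server and (optional) client key material.
# -p makes the step re-runnable instead of failing if it already exists.
mkdir -p /etc/ocserv
cd /etc/ocserv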
CA私钥:
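# CA private key. Anyone holding it can issue server or client certificates
# this VPN will trust, so restrict it to the owner and keep it off the box
# once the certificates below have been issued.
certtool --generate-privkey --outfile ca-key.pem
chmod 600 ca-key.pem   # harmless if certtool already restricted the mode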
CA模板:
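# CA certificate template. certtool template files use # for comments; the
# original put "//" notes on the value lines, which would have been written
# into the template file. The quoted delimiter disables shell expansion.
cat <<'EOF' > ca.tmpl
# cn and organization can be customised
cn = "www.lonelyboy.org"
organization = "www.lonelyboy.org"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF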
CA证书:
# Self-sign the CA certificate from the CA key and template created above.
certtool --generate-self-signed \
  --template ca.tmpl \
  --load-privkey ca-key.pem \
  --outfile ca-cert.pem
Server私钥:
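# Server private key, referenced by server-key in the ocserv config. Keep
# it owner-readable only; it never needs to leave this host.
certtool --generate-privkey --outfile server-key.pem
chmod 600 server-key.pem   # harmless if certtool already restricted the mode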
Server证书模板:
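# Server certificate template. Comments use # (the original's "//" notes
# would have been written into the file). The quoted delimiter disables
# shell expansion.
cat <<'EOF' > server.tmpl
# cn and o can be customised; use the host name clients will connect to
cn = "www.lonelyboy.org"
o = "www.lonelyboy.org"
# Subject Alternative Name matching the cn; some clients reject a server
# certificate that carries the host name only in the CN.
dns_name = "www.lonelyboy.org"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF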
Server证书:
# Issue the server certificate, signed by the CA created above.
certtool --generate-certificate \
  --template server.tmpl \
  --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem \
  --outfile server-cert.pem
证书登录 //默认用户名密码认证,可自行选择是否使用证书认证
用户私钥
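# Client private key. It is handed to the user together with the client
# certificate; restrict it here and deliver it over a trusted channel.
certtool --generate-privkey --outfile user-key.pem
chmod 600 user-key.pem   # harmless if certtool already restricted the mode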
用户模板 //自定义
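# Client certificate template. Comments use # (the original's "//" notes
# would have been written into the file). The quoted delimiter disables
# shell expansion.
cat <<'EOF' > user.tmpl
# cn and unit are placeholders to customise. With certificate auth enabled,
# ocserv presumably maps the cn to the login name (cert-user-oid, CN by
# default) — confirm against your ocserv version.
cn = "XXX"
unit = "XXX"
expiration_days = 365
signing_key
tls_www_client
EOF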
user证书
# Issue the client certificate, signed by the same CA as the server cert.
certtool --generate-certificate \
  --template user.tmpl \
  --load-privkey user-key.pem \
  --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem \
  --outfile user-cert.pem