CentOS搭建Cisco Anyconnect服务器-----Ocserv编译过程整理

自渡
2017-07-27 / 0 评论 / 4,325 阅读 / 正在检测是否收录...

AnyConnect是思科公司的企业安全远程接入解决方案,受许多中小企业青睐。

其手机客户端可从安卓市场或者苹果商店下载。

编译环境 CentOS 6.9 X86

安装编译依赖环境

yum install gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc wget

编译安装autoconf和automake

cd /usr

wget ftp://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz

tar -zxvf autoconf-2.69.tar.gz

cd autoconf-2.69/

./configure --prefix=/usr/local/autoconf

make && make install

cp /usr/local/autoconf/bin/autoconf /usr/bin/autoconf

cd /usr

wget ftp://ftp.gnu.org/gnu/automake/automake-1.14.1.tar.gz

cd automake-1.14.1

./configure --prefix=/usr/local/automake

make && make install

cp /usr/local/automake/bin/automake /usr/bin/automake

安装nettle

wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz

tar zxvf nettle-2.7.1.tar.gz

cd nettle-2.7.1/

./configure --prefix=/usr/local/nettle

make && make install

echo '/usr/local/nettle/lib/' > /etc/ld.so.conf.d/nettle.conf

Ldconfig

安装gnutls

wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.gz

tar xvf gnutls-3.3.9.tar.xz

cd gnutls-3.3.9/

export NETTLE_CFLAGS="-I/usr/local/nettle/include/"

export NETTLE_LIBS="-L/usr/local/nettle/lib/ -lnettle"

export HOGWEED_LIBS="-L/usr/local/nettle/lib/ -lhogweed"

export HOGWEED_CFLAGS="-I/usr/local/nettle/include"

./configure --prefix=/usr/local/gnutls

make && make install

ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool

echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf

Ldconfig

安装libnl

yum install bison flex(可选)

wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.24.tar.gz

tar -zxvf libnl-3.2.24.tar.gz

cd libnl-3.2.24

./configure --prefix=/usr/local/libnl

make && make install

echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf

Ldconfig

安装ocserv

cd /usr

export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"

export LIBNL3_LIBS="-L//usr/local/libnl/lib/ -lnl-3 -lnl-route-3"

export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"

export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz

tar xvf ocserv-0.9.0.1.tar.xz

cd ocserv-0.9.0

./configure --prefix=/usr/local/ocserv

make && make install

echo 'export PATH=$PATH://usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc

source $HOME/.bashrc

配置NAT

iptables -t nat -A POSTROUTING -s 192.168.12.0/255.255.255.0 -o eth0 -j MASQUERADE

vi /etc/sysctl.conf net.ipv4.ip_forward=1 // 配置ip转发

iptables -t nat -L // 查看防火墙NAT规则

出错则编译安装protobuf及三个文件

cd /usr

yum install glibc-headers gcc-c++

wget no-check-certificate

https://github.com/google/protobuf/releases/download/v2.6.1/protobuf-2.6.1.tar.gz

tar -zxvf protobuf-2.6.1.tar.gz

cd protobuf-2.6.1

./configure

make && make install

用户名登录

cp /usr/ocserv-0.9.0/src/ocpasswd /usr/bin/ocpasswd

ocpasswd -c /etc/ocserv/passwd (username) //username为用户名,可自定义

配置文件

auth = "plain[/etc/ocserv/passwd]"

证书认证 //默认采用用户名密码认证,证书认证在文末

auth = "certificate"

ca-cert /etc/ocserv/ca-cert.pem

max-clients = 16

max-same-clients = 2

tcp-port = 10443 //端口号可自定义,不与常用端口冲突

udp-port = 10443 //自定义端口号,自行选择协议,若选择TCP则注释掉UDP这行

keepalive = 32400

try-mtu-discovery = true

cisco-client-compat = true

server-cert = /etc/ocserv/server-cert.pem

server-key = /etc/ocserv/server-key.pem

auth-timeout = 40

pid-file = /var/run/ocserv.pid

socket-file = /var/run/ocserv-socket

run-as-user = nobody

run-as-group = daemon

device = vpns

ipv4-network = 192.168.12.0 //网段可自定义

ipv4-netmask = 255.255.255.0

route = 192.168.12.0/255.255.255.0 //若未配置国内外分流务必注释掉这行

启动ocserv ocserv -c /etc/ocserv.conf //加-f则为调试模式 不加则后台运行

                      服务器证书


生成SSL证书

mkdir /etc/ocserv/

cd /etc/ocserv

CA私钥:

certtool --generate-privkey --outfile ca-key.pem

CA模板:

cat << EOF > ca.tmpl

cn = "www.lonelyboy.org" //名称可自定义

organization = "www.lonelyboy.org" //名称可自定义

serial = 1

expiration_days = 3650

ca

signing_key

cert_signing_key

crl_signing_key

EOF

CA证书:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Server私钥:

certtool --generate-privkey --outfile server-key.pem

Server证书模板:

cat << EOF > server.tmpl

cn = "www.lonelyboy.org" //名称可自定义

o = "www.lonelyboy.org" //名称可自定义

expiration_days = 3650

signing_key

encryption_key

tls_www_server

EOF

Server证书:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

证书登录 //默认用户名密码认证,可自行选择是否使用证书认证

用户私钥

certtool --generate-privkey --outfile user-key.pem

用户模板 //自定义

cat << EOF > user.tmpl

cn = "XXX" //随机名可自定义

unit = "XXX" //随机名可自定义

expiration_days = 365

signing_key

tls_www_client

EOF

user证书

certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

0

评论

博主关闭了当前页面的评论