Cisco AnyConnect On CentOS
Cisco AnyConnect On CentOS
IBSng .
: 20
970
Nat : Amir007
SSL 2048
: 4 Centos
Centos 5.9 i386
Centos 5.9 X86_64
Centos 6.5 i386
Lib 64
Centos 6.5 X86_64
6 64
:
OCserv 0.3.2
1
YUM :
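# Build dependencies for Nettle, GnuTLS, libnl and ocserv. This is ONE yum
# invocation: the package list is wrapped with "\" so every name reaches the
# same command (split over bare lines, the continuation lines would be run as
# commands of their own). Duplicate entries from the original list are dropped.
yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers \
  trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs \
  tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel \
  readline-devel bison bison-devel flex wget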
Nettle :
apt-get Nettle
# Build Nettle from source into /opt so it does not collide with the
# distribution's own packages; the GnuTLS build below is pointed at
# /opt/include and /opt/lib64 for it.
cd
# The archive is fetched over plain HTTP with no signature or checksum check;
# compare it against the project's published values before building.
wget http://www.lysator.liu.se/~nisse/archive/nettle-2.7.tar.gz
tar xvf nettle-2.7.tar.gz
cd nettle-2.7
./configure --prefix=/opt/
make
make install
GnuTLS :
Nettle GnuTLS
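# Build GnuTLS against the Nettle just installed under /opt.
cd
# Fetched over FTP with no signature check; verify the archive against the
# GnuTLS project's published signature before building.
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
unxz gnutls-3.2.12.tar.xz
tar xvf gnutls-3.2.12.tar
cd gnutls-3.2.12
# The loader must find the /opt libraries during configure's link tests.
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
# The NETTLE_*/HOGWEED_* settings are environment assignments for this one
# configure run. They are joined with "\" so they are passed to ./configure;
# written on lines of their own (as the original had them) they would be
# ordinary unexported shell variables that configure never sees.
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle" \
HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed" \
./configure --prefix=/opt/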
GnuTLS
6 , 5
2
make
make install
LibNL :
# Build libnl 3 into /opt; the ocserv configure step below is pointed at it
# through LIBNL3_CFLAGS/LIBNL3_LIBS.
cd
# Plain HTTP, no checksum or signature check; verify the archive against the
# project's published values before building.
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/opt/
make
make install
Make
OCserv :
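# Build ocserv against the GnuTLS and libnl installed under /opt.
cd
# Fetched over FTP with no signature check; verify the archive against the
# ocserv project's published signature before building.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz
unxz ocserv-0.3.2.tar.xz
tar xvf ocserv-0.3.2.tar
cd ocserv-0.3.2
# The loader must find the /opt libraries during configure's link tests.
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
# Joined with "\" so the LIBGNUTLS_*/LIBNL3_* values reach ./configure as
# environment variables instead of staying unexported shell variables on
# lines of their own.
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls" \
LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3 -lnl-route-3" \
./configure --prefix=/opt/
make
make install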
7 , 6
:
3
cd
mkdir CA
cd CA
CA -1
/opt/bin/certtool --generate-privkey --outfile ca-key.pem
nano ca.tmpl
Nano
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
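# Self-sign the CA certificate from the key and template created above. This
# is one command; "\" keeps the wrapped arguments in the same invocation
# (without it the second line would run as a separate, failing command).
/opt/bin/certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.tmpl --outfile ca-cert.pem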
Server -2
/opt/bin/certtool --generate-privkey --outfile server-key.pem
nano server.tmpl
Nano
cn = "www.example.com"
organization = "MyCompany"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server
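# Issue the server certificate, signed by the CA key and certificate.
# "--load-ca-certificate" takes two dashes like the other long options (the
# original line had only one). "\" keeps the wrapped arguments in one command.
/opt/bin/certtool --generate-certificate --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template server.tmpl --outfile server-cert.pem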
SSL :
SSL
# Install the server certificate and key where the edited ocserv.conf below
# expects them (/etc/ocserv/ssl).
cd
cd CA
mkdir /etc/ocserv
mkdir /etc/ocserv/ssl
cp server-cert.pem /etc/ocserv/ssl
# NOTE(review): cp leaves the private key with umask-default permissions;
# restrict it (owner-only read) to the user that loads it — confirm which
# ocserv process opens server-key.pem before tightening the mode.
cp server-key.pem /etc/ocserv/ssl
:
# Start from the sample configuration shipped in the ocserv source tree and
# install it as the live config; the edits that follow are made to this copy.
cd
cd ocserv-0.3.2
cp doc/sample.config /etc/ocserv/
mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf
:
nano /etc/ocserv/ocserv.conf
:
1
5
:
Certificate
Pam
: IBSng
) (
" "
5
auth = "plain[./sample.passwd]"
auth = "plain[/etc/ocserv/ocpasswd]"
-2 :
60 61
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
-3 :
32
2 .
max-same-clients = 2
-4 :
176 :
run-as-group = daemon
run-as-group = nobody
-5 :
201 , 200
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
ipv4-network = 20.30.0.0
ipv4-netmask = 255.255.255.0
-6DNS :
206
dns = 192.168.1.2
dns = 8.8.8.8
dns = 4.2.2.4
-7
243 244
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
) # (
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
: ...
) (
-8 :
Ios
PC
277
#user-profile = profile.xml
user-profile = /etc/ocserv/profile.xml
-9 :
288
#cisco-client-compat = false
cisco-client-compat = true
-10 DTLS
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
ctrl + x y
:
nano /etc/ocserv/profile.xml
:
24 Server Profile Name
25 server.ip.address
Server Profile Name
server.ip.address
y ctrl + x
. profile.xml :
10
IP Forwarding :
nano /etc/sysctl.conf
net.ipv4.ip_forward = 0
: 1
net.ipv4.ip_forward = 1
y ctrl + x
sysctl -p
.
NAT :
20.30.0.0 8 7 :
. OK
11
SELinux :
nano /etc/sysconfig/selinux
6
SELINUX=enforcing
# NOTE(review): "disabled" switches the policy off entirely; "permissive"
# still logs denials (useful when diagnosing an ocserv installed under /opt)
# without enforcing them — confirm "disabled" is really what is intended.
SELINUX=disabled
6 CTRL + X .
IBSng .
) : (
username
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
/opt/bin/ocpasswd -c /etc/ocserv/ocpasswd username
:
DeBug :
...
:
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1
12
:
DBUS connection error (Connection ":1.225" is not allowed to own the service
"org.infradead.ocserv" due to security policies in the configuration
file)Cannot create command handler
:
cd
cd ocserv-0.3.2
cp doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
:
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1
... :
*
.
Cisco AnyConnect
.
SSH .
.
* CTRL + C
.
13
:
# Build the standalone start-stop-daemon used by the init script below; it is
# installed to /usr/local/bin, which is where /etc/init.d/ocserv calls it.
cd
# Fetched over plain HTTP with no checksum or signature check.
# NOTE(review): the archive name here ("startstop-daemon") differs from the
# one given to tar on the next line ("start-stop-daemon") — confirm which is
# correct, otherwise tar will not find the file.
wget http://developer.axis.com/download/distribution/apps-sys-utils-startstop-daemon-IR1_9_18-2.tar.gz
tar zxf apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
# Pull the unpacked source directory up to the current directory and drop the
# rest of the archive layout.
mv apps/sys-utils/start-stop-daemon-IR1_9_18-2/ ./
rm -rf apps
cd start-stop-daemon-IR1_9_18-2/
cc start-stop-daemon.c -o start-stop-daemon
cp start-stop-daemon /usr/local/bin/start-stop-daemon
start-stop-daemon
init
nano /etc/init.d/ocserv
.
* ssh .
* 8
) ( .
oscerv.txt .
14
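#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL
#
# SysV init script for the ocserv built into /opt above.
# Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}
# "status" exits 0 when the daemon is running, 1 when the pid file exists but
# the process is gone or is something else, 3 when it is stopped.

PATH=/bin:/opt/bin:/sbin:/opt/sbin
DAEMON=/opt/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
SSD=/usr/local/bin/start-stop-daemon

# NOTE(review): nothing in this script writes $PIDFILE; it is assumed the
# daemon creates it itself — confirm, otherwise stop and status never see the
# running process.

# Print a one-line message to stdout. Replaces the "echo -n ..." + "echo" pair
# of the original, which under /bin/sh may print a literal "-n".
say() {
  printf '%s\n' "$1"
}

# Launch the daemon unless a readable pid file already exists.
# Returns start-stop-daemon's status (0 on success) instead of always 0.
do_start() {
  if [ -r "$PIDFILE" ]; then
    say "OpenConnect VPN Server is already running"
    return 0
  fi
  say "Starting OpenConnect VPN Server"
  # ocserv is linked against the GnuTLS/libnl installed under /opt.
  LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
  export LD_LIBRARY_PATH
  # $DAEMON_ARGS is deliberately unquoted: it carries several words that must
  # reach the daemon as separate arguments.
  # shellcheck disable=SC2086
  "$SSD" --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
    $DAEMON_ARGS > /dev/null
}

# Stop the daemon and remove the pid file. As in the original script, a
# non-zero status from start-stop-daemon (e.g. nothing was running) is not
# treated as a failure, so "stop" on a stopped service still exits 0.
do_stop() {
  say "Stopping OpenConnect VPN Server"
  "$SSD" --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
  rm -f -- "$PIDFILE"
  return 0
}

# Report whether the process named in the pid file is really $DAEMON.
do_status() {
  if [ ! -r "$PIDFILE" ]; then
    say "OpenConnect VPN Server Stopped"
    return 3
  fi
  pid=$(tr -d ' ' < "$PIDFILE")
  # Only a plain number may be used to build a /proc path; anything else in
  # the pid file is treated as a stale or corrupt file, not interpolated.
  case "$pid" in
    ''|*[!0-9]*)
      say "OpenConnect VPN Server pid file does not contain a valid pid"
      return 1
      ;;
  esac
  exe=/proc/$pid/exe
  # readlink yields the symlink target directly, replacing the original's
  # "ls -l | cut | cut" parsing of the same link.
  if [ -x "$exe" ] && [ "$(readlink "$exe")" = "$DAEMON" ]; then
    say "OpenConnect VPN Server run correctly"
    return 0
  fi
  # The pid file is readable (checked above) but the process is gone or is
  # not our daemon; the original's unreachable "else" branch is dropped.
  say "OpenConnect VPN Server stopped but pid file exists"
  return 1
}

case "$1" in
  start)
    do_start
    exit $?
    ;;
  stop)
    do_stop
    exit $?
    ;;
  force-reload|restart)
    say "Restarting OpenConnect VPN Server"
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    do_status
    exit $?
    ;;
  *)
    say "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac
exit 0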
15
CTRL + X Y .
chmod 755 /etc/init.d/ocserv
...
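# Register the init script so ocserv is started at boot in its default
# runlevels (the original had "on" and "chkconfig ocserv" on separate lines;
# the argument belongs on the same command).
chkconfig ocserv on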
CentOS .
IBSng ) .
(.
CiscoIBSng
IBSng .
IBSng .
.
Pam_radius_auth
# Build the pam_radius PAM module used by the "pam" auth setting below.
cd
# Plain HTTP from a mirror, with no signature or checksum check; verify the
# archive against FreeRADIUS's published values before building.
wget http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/pam_radius-1.3.17.tar.gz
tar -xvf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make
16
pam_radius
/lib/security
# Install the module and its server list; /etc/raddb/server holds the RADIUS
# server address and shared secret that the module reads.
cp pam_radius_auth.so /lib/security/
mkdir /etc/raddb/
cp pam_radius_auth.conf /etc/raddb/server
# NOTE(review): this file contains the shared secret and cp leaves it with
# umask-default permissions; it should be readable only by the account that
# runs the PAM conversation — confirm which ocserv process that is, then
# tighten the mode.
nano /etc/raddb/server
26 , 27
1
3
127.0.0.1
secret
other-server
other-secret
) # (
3
1
other-secret
IP
secret
# other-server
17
/lib/security/pam_radius_auth.so
/lib/security/pam_radius_auth.so
/lib/security/pam_radius_auth.so
auth
required
account required
session required
) # (
auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "plain[/etc/ocserv/ocpasswd]"
6 , ) # (
#auth = "pam"
ctrl + x y
auth = "pam"
1812 1813
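# RADIUS authentication (1812) and accounting (1813) are carried over UDP, so
# the rules must match udp: the original tcp rules on these ports never match
# RADIUS traffic. These INPUT rules only matter when the RADIUS server (IBSng)
# listens on this host; for a remote server nothing inbound on these ports is
# needed.
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1813 -j ACCEPT
service iptables save
service iptables restart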
18
:
-1
-2
IBSng
/etc/raddb/server
:
20
secret
IBSng 20
IP
IBSng
7 :8
Cisco anyconnect 7 8 .
7 8 ,
http://www.iqlinkus.com/downloads/anyconnect-win-3.1.00495-pre-deploy-k9.msi
.
Cisco AnyConnect 64 CentOS IBSng
19