
Cisco AnyConnect CentOS

IBSng .

: 20
970
Nat : Amir007
SSL 2048

: 4 Centos

Centos 5.9 i386
Centos 5.9 X86_64
Centos 6.5 i386
Lib 64


Centos 6.5 X86_64
6 64

:
OCserv 0.3.2
1

YUM :
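# Build dependencies for nettle, GnuTLS, libnl and ocserv.
# Joined with '\' so the whole list is one yum transaction when pasted: in the
# wrapped original, lines 2-4 would have run as separate (failing) commands.
# Duplicated packages (gcc, automake, autoconf) are listed once.
yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers \
    trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs \
    tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel \
    readline-devel bison bison-devel flex wget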

Nettel :
apt-get Nettel

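# Build nettle (GnuTLS's crypto backend) into /opt. Steps are chained with &&
# so a failed download or build never reaches "make install".
# NOTE(review): the tarball is fetched over plain HTTP with no checksum or
# signature check, so anyone on the path can substitute the VPN's crypto
# library. Verify the upstream release signature before building, and check
# whether a newer release with security fixes supersedes 2.7.
cd ~ \
 && wget http://www.lysator.liu.se/~nisse/archive/nettle-2.7.tar.gz \
 && tar xvf nettle-2.7.tar.gz \
 && cd nettle-2.7 \
 && ./configure --prefix=/opt/ \
 && make \
 && make install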

GnuTLS :
Nettel GnuTLS
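# Fetch and configure GnuTLS against the /opt nettle.
# NOTE(review): the archive comes over anonymous FTP with no signature check;
# verify it before building the VPN's TLS stack from it.
cd ~ \
 && wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz \
 && unxz gnutls-3.2.12.tar.xz \
 && tar xvf gnutls-3.2.12.tar \
 && cd gnutls-3.2.12
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
# The NETTLE_*/HOGWEED_* assignments must be on the same command line as
# ./configure (note the trailing '\'): written on their own lines, as in the
# original listing, they are plain shell variables that configure never sees.
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle" \
HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed" \
./configure --prefix=/opt/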

GnuTLS

6 , 5



2

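# Build and install GnuTLS into /opt; && prevents installing a failed build.
make && make install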

LibNL :

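# Build libnl 3 (ocserv uses it to configure tunnel interfaces) into /opt.
# NOTE(review): plain-HTTP download from a personal mirror with no checksum or
# signature check; verify the archive before building.
cd ~ \
 && wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz \
 && tar xvf libnl-3.2.24.tar.gz \
 && cd libnl-3.2.24 \
 && ./configure --prefix=/opt/ \
 && make \
 && make install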



Make
OCserv :
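# Build ocserv itself against the /opt GnuTLS and libnl.
# NOTE(review): anonymous-FTP download with no signature check; verify the
# archive, and note that 0.3.2 is an old release — check upstream for
# security fixes before deploying.
cd ~ \
 && wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz \
 && unxz ocserv-0.3.2.tar.xz \
 && tar xvf ocserv-0.3.2.tar \
 && cd ocserv-0.3.2
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
# As with GnuTLS: the LIBGNUTLS_*/LIBNL3_* assignments only reach configure
# when they are on the same command line (trailing '\'), not on separate lines.
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls" \
LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3 -lnl-route-3" \
./configure --prefix=/opt/ \
 && make \
 && make install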

7 , 6

:

3

cd
mkdir CA
cd CA

CA -1
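# Generate the CA private key. This key can mint further server (and client)
# certificates, so make the file root-only as soon as it exists.
/opt/bin/certtool --generate-privkey --outfile ca-key.pem
chmod 600 ca-key.pem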
nano ca.tmpl

Nano
# certtool template for the private CA that signs the VPN server certificate.
cn = "VPN CA"
organization = "Big Corp"
serial = 1
# 10-year lifetime: clients that trust this CA will keep trusting it that long.
expiration_days = 3650
# CA flags: the certificate is a CA and may sign certificates and CRLs.
ca
signing_key
cert_signing_key
crl_signing_key


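# Create the self-signed CA certificate from ca.tmpl. The '\' keeps this one
# command when pasted; split as in the original, "--template" had no argument.
/opt/bin/certtool --generate-self-signed --load-privkey ca-key.pem \
    --template ca.tmpl --outfile ca-cert.pem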

Server -2
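# Generate the VPN server's private key and keep it root-only: anyone who can
# read it can impersonate the VPN server to clients.
/opt/bin/certtool --generate-privkey --outfile server-key.pem
chmod 600 server-key.pem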
nano server.tmpl

Nano
# certtool template for the VPN server certificate.
# NOTE(review): cn must match what clients connect to. profile.xml later in
# this guide points clients at an address (server.ip.address), so the
# placeholder "www.example.com" will not validate even once ca-cert.pem is
# trusted; use the real hostname (certtool templates also accept an
# ip_address entry for IP-based connections).
cn = "www.example.com"
organization = "MyCompany"
serial = 2
# 10 years is long for a server key; a shorter lifetime limits exposure if leaked.
expiration_days = 3650
encryption_key
signing_key
tls_www_server


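# Sign the server certificate with the CA. The documented flag is
# --load-ca-certificate (two dashes); the single-dash spelling in the original
# listing is at best unportable. '\' keeps the command whole when pasted.
/opt/bin/certtool --generate-certificate --load-privkey server-key.pem \
    --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
    --template server.tmpl --outfile server-cert.pem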

SSL :
SSL
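# Install the server certificate and key where ocserv.conf will point.
cd ~/CA
mkdir -p /etc/ocserv/ssl
chmod 700 /etc/ocserv/ssl
cp server-cert.pem /etc/ocserv/ssl/
cp server-key.pem /etc/ocserv/ssl/
# A world-readable server-key.pem lets any local user impersonate the VPN.
# The init script starts ocserv as root, so a root-only key is still loadable
# (confirm if a later ocserv reads the key after dropping to run-as-user).
chown root:root /etc/ocserv/ssl/server-key.pem
chmod 600 /etc/ocserv/ssl/server-key.pem
# ca-key.pem deliberately stays out of /etc/ocserv: the daemon does not need
# it, and it is the key that can mint further certificates for this VPN.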

:

# Seed /etc/ocserv/ocserv.conf from the sample shipped with the ocserv sources.
cd ~/ocserv-0.3.2
cp doc/sample.config /etc/ocserv/ocserv.conf

:

nano /etc/ocserv/ocserv.conf

:
1
5

:
Certificate

Pam
: IBSng

) (
" "
5
"]auth = "plain[./sample.passwd


"]auth = "plain[/etc/ocserv/ocpasswd

-2 :
60 61
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem


server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem

-3 :
32
2 .

max-same-clients = 2

-4 :
176 :
run-as-group = daemon

# NOTE(review): 'nobody' is shared with other unprivileged daemons on the host;
# a dedicated ocserv group (with a matching run-as-user) gives tighter isolation.
run-as-group = nobody

-5 :
201 , 200
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0



# Address pool handed out to VPN clients.
# NOTE(review): 20.30.0.0/24 is public, routable address space, not an RFC 1918
# range; clients will be unable to reach the real 20.30.0.x hosts while
# connected. The NAT/FORWARD rules in the iptables section must use the same
# range as this setting.
ipv4-network = 20.30.0.0
ipv4-netmask = 255.255.255.0

-6DNS :
206

dns = 192.168.1.2

# Resolvers pushed to clients. NOTE(review): these are third-party public
# resolvers, so every client's DNS queries are handed to them; point this at
# an internal resolver if DNS privacy or split-horizon names matter.
dns = 8.8.8.8
dns = 4.2.2.4

-7
243 244
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0

) # (

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

: ...
) (

-8 :

Ios
PC
277
#user-profile = profile.xml



user-profile = /etc/ocserv/profile.xml

-9 :
288
#cisco-client-compat = false


cisco-client-compat = true

-10 DTLS

"custom-header = "X-DTLS-MTU: 1200
"custom-header = "X-CSTP-MTU: 1200

ctrl + x y

:

nano /etc/ocserv/profile.xml

<?xml version="1.0" encoding="UTF-8"?>


<!-- AnyConnect client profile served by ocserv (user-profile in ocserv.conf).
     Review remarks are marked NOTE(review)/SECURITY. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
AnyConnectProfile.xsd">
<ClientInitialization>
<!-- NOTE(review): AutoUpdate/BypassDownloader govern client updates pulled
     from this server; that channel is only as trustworthy as the server
     certificate the client accepted. -->
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<!-- SECURITY: false lets users click through an untrusted or mismatched
     server certificate, which defeats server authentication (an attacker on
     the path can present any certificate and still get the user's password).
     Set it to true once ca-cert.pem from the CA section is installed in the
     clients' trust store and the server certificate's cn matches the
     HostAddress below. -->
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<!-- Client-certificate selection rules; appear unused with the plain/PAM
     password authentication configured in this guide. -->
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
<ServerList>
<HostEntry>
<!-- Replace with the display name and the address (hostname or IP) clients
     dial; the server certificate must be issued for that same name. -->
<HostName>Server Profile Name</HostName>
<HostAddress>server.ip.address</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>

:
24 Server Profile Name
25 server.ip.address
Server Profile Name
server.ip.address
y ctrl + x
. profile.xml :

10

IP Forwarding :

nano /etc/sysctl.conf


net.ipv4.ip_forward = 0

: 1

# Required so the host routes traffic for VPN clients. NOTE(review): this
# enables forwarding between all interfaces, so the FORWARD chain rules in the
# iptables section are what actually limit what gets routed through the box.
net.ipv4.ip_forward = 1

y ctrl + x

sysctl -p

.
NAT :

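# Firewall/NAT for the VPN. Must match ipv4-network/ipv4-netmask in ocserv.conf.
# NOTE(review): 20.30.0.0/24 is publicly routable address space, not RFC 1918;
# prefer a private range (10.x, 172.16-31.x, 192.168.x) in both places.
VPN_NET=20.30.0.0/24
WAN_IF=eth0

# Let clients reach the server: CSTP over TCP/443 and DTLS over UDP/443.
# (Add -i "$WAN_IF" if the host has other interfaces that should not accept VPN.)
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 443 -j ACCEPT

# Forward traffic from the tunnel pool, and only established/related return
# traffic back to it, so the FORWARD chain does not rely on an ACCEPT policy.
iptables -A FORWARD -s "$VPN_NET" -j ACCEPT
iptables -A FORWARD -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Clamp MSS to the path MTU so tunnelled TCP does not stall on oversized
# segments (the target is spelled --clamp-mss-to-pmtu).
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# NAT only the tunnel pool out of the WAN interface. The original listing's
# unrestricted "-t nat -A POSTROUTING -j MASQUERADE" is dropped: it masqueraded
# every forwarded packet on every interface, not just VPN clients.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

# Persist to /etc/sysconfig/iptables and reload once (restart = stop + start).
service iptables save
service iptables restart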

20.30.0.0 8 7 :

. OK

11

SELinux :
nano /etc/sysconfig/selinux

6
SELINUX=enforcing

# NOTE(review): disabling SELinux removes a whole layer of confinement from a
# network-facing daemon that runs as root. Prefer SELINUX=permissive while
# debugging (denials are logged, not enforced), then write a policy for ocserv
# and go back to enforcing.
SELINUX=disabled

6 CTRL + X .
IBSng .
) : (
username


# Create the first plain-auth user in /etc/ocserv/ocpasswd (-c creates the
# file); ocpasswd asks for the password interactively.
LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export LD_LIBRARY_PATH
/opt/bin/ocpasswd -c /etc/ocserv/ocpasswd username

:
DeBug :
...
:
# Run ocserv in the foreground (-f) at debug level 1 to see startup errors.
LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export LD_LIBRARY_PATH
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1

12


:
DBUS connection error (Connection ":1.225" is not allowed to own the service
"org.infradead.ocserv" due to security policies in the configuration
file)Cannot create command handler

:
# Install the D-Bus system-bus policy that allows ocserv to own
# org.infradead.ocserv (cures the "not allowed to own the service" error above).
cd ~/ocserv-0.3.2
cp doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/

:
# Retry the foreground debug run now that the D-Bus policy is installed.
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1

... :
*
.
Cisco AnyConnect
.
SSH .
.
* CTRL + C
.

13

:

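# Build the start-stop-daemon helper used by the init script below.
# NOTE(review): unsigned C source fetched over plain HTTP, compiled and placed
# in root's PATH with no integrity check; verify it before relying on it.
# The original listing fetched "...startstop-daemon..." but extracted
# "...start-stop-daemon..." — one of the two was a typo. The extracted
# directory name suggests the hyphenated spelling used here; confirm against
# the mirror.
cd ~ \
 && wget http://developer.axis.com/download/distribution/apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz \
 && tar zxf apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz \
 && mv apps/sys-utils/start-stop-daemon-IR1_9_18-2/ ./ \
 && rm -rf apps \
 && cd start-stop-daemon-IR1_9_18-2/ \
 && cc start-stop-daemon.c -o start-stop-daemon \
 && cp start-stop-daemon /usr/local/bin/start-stop-daemon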

start-stop-daemon
init
nano /etc/init.d/ocserv


.
* ssh .
* 8
) ( .
oscerv.txt .

14

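#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenConnect (AnyConnect-compatible) VPN server
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL
#
# SysV init wrapper around the start-stop-daemon helper built earlier.
# The daemon is the /opt build of ocserv, so its private GnuTLS/nettle/libnl
# libraries must be on LD_LIBRARY_PATH before it is started.
# NOTE(review): this script never writes $PIDFILE itself; it relies on ocserv
# creating it (its pid-file setting in ocserv.conf must match) — confirm.

PATH=/bin:/opt/bin:/sbin:/opt/sbin
DAEMON=/opt/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
SSD=/usr/local/bin/start-stop-daemon

# running: succeed iff the PID recorded in $PIDFILE is a live $DAEMON process.
# readlink -f replaces the original "ls -l | cut" parsing of /proc/PID/exe,
# which broke on any path containing a space or '>'.
running() {
    [ -r "$PIDFILE" ] || return 1
    pid=`sed 's/ //g' "$PIDFILE"`
    [ -n "$pid" ] || return 1
    [ "`readlink -f /proc/$pid/exe 2>/dev/null`" = "$DAEMON" ]
}

case "$1" in
  start)
    if running; then
        echo "OpenConnect VPN Server is already running"
        exit 0
    fi
    # A PID file without a live process is stale (e.g. after a crash or an
    # unclean reboot); the original script refused to start in that case.
    rm -f "$PIDFILE"
    echo "Starting OpenConnect VPN Server"
    export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
    $SSD --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
        $DAEMON_ARGS > /dev/null
    ;;
  stop)
    echo "Stopping OpenConnect VPN Server"
    $SSD --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
    rm -f "$PIDFILE"
    ;;
  force-reload|restart)
    echo "Restarting OpenConnect VPN Server"
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    # LSB exit codes: 0 running, 1 dead but pid file exists, 3 stopped.
    if running; then
        echo "OpenConnect VPN Server run correctly"
        exit 0
    elif [ -r "$PIDFILE" ]; then
        echo "OpenConnect VPN Server stopped but pid file exists"
        exit 1
    else
        echo "OpenConnect VPN Server stopped"
        exit 3
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac
exit 0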

15

CTRL + X Y .

chmod 755 /etc/init.d/ocserv

Start - Stop - Status - restart


ocserv.
:
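# Stop the service via the init script (the original listing had the typo "ovserv").
service ocserv stop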

...
on

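# Register the init script with chkconfig, then enable it for the default
# runlevels (the original listing's "on" had been displaced to a separate line).
chkconfig --add ocserv
chkconfig ocserv on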

CentOS .
IBSng ) .
(.
CiscoIBSng

IBSng .
IBSng .
.
Pam_radius_auth

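# Build pam_radius_auth, the PAM module that forwards VPN logins to IBSng's
# RADIUS server.
# NOTE(review): fetched from a third-party mirror over plain HTTP with no
# checksum or signature check; verify the archive before building an
# authentication module from it.
cd ~ \
 && wget http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/pam_radius-1.3.17.tar.gz \
 && tar -xvf pam_radius-1.3.17.tar.gz \
 && cd pam_radius-1.3.17 \
 && make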

16

pam_radius
/lib/security
# Install the PAM module. NOTE(review): on x86_64 CentOS the native PAM module
# directory is /lib64/security; whatever path is used here must match the
# absolute path referenced from /etc/pam.d/ocserv.
cp ./pam_radius_auth.so /lib/security/pam_radius_auth.so


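# pam_radius reads its server list and shared secret from /etc/raddb/server.
mkdir -p /etc/raddb/
cp pam_radius_auth.conf /etc/raddb/server
# The file holds the RADIUS shared secret: make it readable by root only.
chown root:root /etc/raddb/server
chmod 600 /etc/raddb/server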


nano /etc/raddb/server

26 , 27
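# /etc/raddb/server: one RADIUS server per line, tried in order.
#   server[:port]   shared_secret   timeout (seconds)
# The shared secret is a credential; keep this file root-owned and 0600.
127.0.0.1       secret          1
other-server    other-secret    3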

) # (


3

1
other-secret

IP
secret
# other-server

IP IBSng Secret Radius Secret Key IBSng



ctrl + x y
OCserv /etc/pam.d

nano /etc/pam.d/ocserv

17


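# /etc/pam.d/ocserv — PAM stack used when ocserv.conf has auth = "pam".
# Every phase is delegated to pam_radius_auth, which reads its server list and
# shared secret from /etc/raddb/server.
# NOTE(review): the module path is absolute; on x86_64 CentOS the native PAM
# directory is /lib64/security, so this must match wherever
# pam_radius_auth.so was actually copied.
auth    required  /lib/security/pam_radius_auth.so
account required  /lib/security/pam_radius_auth.so
session required  /lib/security/pam_radius_auth.so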

IBSng Type pptpd




nano /etc/ocserv/ocserv.conf

) # (
"]auth = "plain[/etc/ocserv/ocpasswd

"]#auth = "plain[/etc/ocserv/ocpasswd

6 , ) # (
"#auth = "pam


ctrl + x y

"auth = "pam

1812 1813

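# RADIUS authentication/accounting use UDP 1812/1813 (RFC 2865/2866), not TCP:
# the original TCP rules did not admit any RADIUS traffic at all.
# These INPUT rules only matter if the RADIUS server (IBSng) listens on this
# host; for a remote IBSng what matters is outbound UDP to its 1812/1813.
# If they are needed, restrict them with -s to the RADIUS clients' addresses
# rather than exposing the RADIUS server to the whole internet.
iptables -A INPUT -p udp -m state --state NEW --dport 1812 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 1813 -j ACCEPT
service iptables save
service iptables restart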

18

:
-1

-2
IBSng
/etc/raddb/server

:
20

secret

IBSng 20

IP


IBSng
7 :8
Cisco anyconnect 7 8 .
7 8 ,
http://www.iqlinkus.com/downloads/anyconnect-win-3.1.00495-pre-deploy-k9.msi



.
Cisco AnyConnect 64 CentOS IBSng

19
