Zavier's Blog

CentOS搭建Cisco Anyconnect服务器-----Ocserv编译过程整理

AnyConnect是思科公司的企业安全远程接入解决方案,受许多中小企业青睐。

其手机客户端可从安卓市场或者苹果商店下载。

编译环境 CentOS 6.9 X86 

#安装编译依赖环境

yum install gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel  tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc wget

 

#编译安装autoconfautomake

cd /usr

wget ftp://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz

tar -zxvf autoconf-2.69.tar.gz

cd autoconf-2.69/

./configure --prefix=/usr/local/autoconf

make && make install

cp /usr/local/autoconf/bin/autoconf /usr/bin/autoconf

cd /usr

wget ftp://ftp.gnu.org/gnu/automake/automake-1.14.1.tar.gz

cd automake-1.14.1

./configure --prefix=/usr/local/automake

make && make install

cp /usr/local/automake/bin/automake /usr/bin/automake

 

#安装nettle

wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz

tar zxvf nettle-2.7.1.tar.gz

cd nettle-2.7.1/

./configure --prefix=/usr/local/nettle

make && make install

echo '/usr/local/nettle/lib/' > /etc/ld.so.conf.d/nettle.conf

Ldconfig

 

#安装gnutls

wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.gz

tar xvf gnutls-3.3.9.tar.xz

cd gnutls-3.3.9/

export NETTLE_CFLAGS="-I/usr/local/nettle/include/"

export NETTLE_LIBS="-L/usr/local/nettle/lib/ -lnettle"

export HOGWEED_LIBS="-L/usr/local/nettle/lib/ -lhogweed"

export HOGWEED_CFLAGS="-I/usr/local/nettle/include"

./configure --prefix=/usr/local/gnutls

make && make install

ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool

echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf

Ldconfig

 

#安装libnl

yum install bison flex(可选)

wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.24.tar.gz

tar -zxvf libnl-3.2.24.tar.gz

cd libnl-3.2.24

./configure --prefix=/usr/local/libnl

make && make install

echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf

Ldconfig

 

#安装ocserv

cd /usr

export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"

export LIBNL3_LIBS="-L//usr/local/libnl/lib/ -lnl-3 -lnl-route-3"

export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"

export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz

tar xvf ocserv-0.9.0.1.tar.xz

cd ocserv-0.9.0

./configure --prefix=/usr/local/ocserv

make && make install

echo 'export PATH=$PATH://usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc

source $HOME/.bashrc

 

###配置NAT

iptables -t nat -A POSTROUTING -s 192.168.12.0/255.255.255.0 -o eth0 -j MASQUERADE

vi /etc/sysctl.conf   net.ipv4.ip_forward=1     //   配置ip转发

iptables -t nat -L     // 查看防火墙NAT规则

 

 

 

##出错则编译安装protobuf及三个文件

cd /usr

yum install glibc-headers gcc-c++

wget no-check-certificate

https://github.com/google/protobuf/releases/download/v2.6.1/protobuf-2.6.1.tar.gz

tar -zxvf protobuf-2.6.1.tar.gz

cd protobuf-2.6.1

./configure

make && make install

 

##用户名登录

cp /usr/ocserv-0.9.0/src/ocpasswd /usr/bin/ocpasswd

ocpasswd -c /etc/ocserv/passwd (username)  //username为用户名,可自定义

 

##配置文件   

auth = "plain[/etc/ocserv/passwd]"

#证书认证   //默认采用用户名密码认证,证书认证在文末

#auth = "certificate"

ca-cert /etc/ocserv/ca-cert.pem

max-clients = 16

max-same-clients = 2

tcp-port = 10443      //端口号可自定义,不与常用端口冲突

#udp-port = 10443     //自定义端口号,自行选择协议,若选择TCP则注释掉UDP这行

keepalive = 32400

try-mtu-discovery = true

cisco-client-compat = true

server-cert = /etc/ocserv/server-cert.pem

server-key = /etc/ocserv/server-key.pem

auth-timeout = 40

pid-file = /var/run/ocserv.pid

socket-file = /var/run/ocserv-socket

run-as-user = nobody

run-as-group = daemon

device = vpns

ipv4-network = 192.168.12.0  //网段可自定义

ipv4-netmask = 255.255.255.0

#route = 192.168.12.0/255.255.255.0  //若未配置国内外分流务必注释掉这行

启动ocserv ocserv -c /etc/ocserv.conf    //-f则为调试模式 不加则后台运行

 

#########################################################################################################################################################################################

                          服务器证书

 

##生成SSL证书

mkdir /etc/ocserv/

cd /etc/ocserv

#CA私钥:

certtool --generate-privkey --outfile ca-key.pem

#CA模板:

cat << EOF > ca.tmpl

cn = "www.lonelyboy.org"  //名称可自定义

organization = "www.lonelyboy.org"  //名称可自定义

serial = 1

expiration_days = 3650

ca

signing_key

cert_signing_key

crl_signing_key

EOF

#CA证书:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

 

#Server私钥:

certtool --generate-privkey --outfile server-key.pem

#Server证书模板:

cat << EOF > server.tmpl

cn = "www.lonelyboy.org"   //名称可自定义

o = "www.lonelyboy.org"    //名称可自定义

expiration_days = 3650

signing_key

encryption_key

tls_www_server

EOF

 

#Server证书:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

 

##证书登录   //默认用户名密码认证,可自行选择是否使用证书认证

#用户私钥

certtool --generate-privkey --outfile user-key.pem

#用户模板  //自定义

cat << EOF > user.tmpl

cn = "XXX"   //随机名可自定义

unit = "XXX"   //随机名可自定义

expiration_days = 365

signing_key

tls_www_client

EOF

#user证书

certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Copyright © 2017-2019 Zavier的博客.网站地图