
Cisco AnyConnect CentOS

IBSng .

: 20
970
Nat : Amir007
SSL 2048

: 4 Centos

Centos 5.9 i386
Centos 5.9 X86_64
Centos 6.5 i386
Lib 64


Centos 6.5 X86_64
6 64

:
ocserv 0.3.2 — the release this guide was written against. It is an old release: use the current ocserv and its own documentation where they differ, and treat the ocserv.conf line numbers quoted below as approximate for newer sample.config files.
1

YUM :
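# Build dependencies for nettle, GnuTLS, libnl and ocserv. This is ONE
# command; the trailing backslashes matter when it is pasted into a shell
# (the guide's PDF rendering wrapped it onto four lines). Duplicate package
# names (gcc, automake, autoconf, wget) have been dropped. Run as root.
yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers \
  trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs \
  tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel \
  readline-devel bison bison-devel flex wget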

Nettel :
apt-get Nettel

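# Nettle 2.7 — the crypto library GnuTLS (and therefore ocserv) links
# against. Installed under /opt so it does not clash with the distro's copy.
# NOTE(review): 2.7 is simply the version this guide used and is old; prefer
# the current nettle release. Whatever you fetch, verify the tarball against
# the signature/checksum published next to it before building — an
# unverified download of the TLS library is the weakest link in this setup.
cd || exit 1
wget http://www.lysator.liu.se/~nisse/archive/nettle-2.7.tar.gz || exit 1
tar xvf nettle-2.7.tar.gz
cd nettle-2.7 || exit 1
# Do not run "make install" on a tree that failed to build.
./configure --prefix=/opt/ && make && make install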

GnuTLS :
Nettel GnuTLS
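# GnuTLS 3.2.12, built against the nettle just installed in /opt.
# The NETTLE_*/HOGWEED_* assignments must be on the same command line as
# ./configure (continued with backslashes) or be exported; written as
# separate lines they are plain shell variables that configure never sees,
# and it silently falls back to pkg-config / the system nettle.
# /opt/lib vs /opt/lib64 depends on where nettle's "make install" put the
# libraries on your architecture — check which directory exists.
# NOTE(review): 3.2.12 is old; use a current GnuTLS release and verify the
# tarball's GPG signature (.sig beside it on the mirror) before unpacking.
cd || exit 1
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz || exit 1
unxz gnutls-3.2.12.tar.xz
tar xvf gnutls-3.2.12.tar
cd gnutls-3.2.12 || exit 1
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle" \
HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed" \
./configure --prefix=/opt/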

GnuTLS

6 , 5



2

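# Build and install GnuTLS into /opt (configure was run above). The "&&"
# stops a failed build from being half-installed over the previous one.
make && make install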

LibNL :

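# libnl 3.2.24 — ocserv uses it to configure the tun device and routes.
# NOTE(review): plain-HTTP download from a personal mirror; compare the
# tarball against a checksum from the libnl project before building, and
# prefer a current release.
cd || exit 1
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz || exit 1
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24 || exit 1
./configure --prefix=/opt/ && make && make install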



Make
OCserv :
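# ocserv 0.3.2 itself, built against the GnuTLS and libnl installed in /opt.
# As with GnuTLS, the *_CFLAGS/*_LIBS assignments belong on the ./configure
# command line (continued with backslashes); on separate lines they never
# reach configure. Note the library directory: /opt/lib here versus
# /opt/lib64 for nettle above — use whichever "make install" populated.
# NOTE(review): 0.3.2 is old; use the current ocserv release and verify the
# tarball's signature (.sig on ftp.infradead.org) before building.
cd || exit 1
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz || exit 1
unxz ocserv-0.3.2.tar.xz
tar xvf ocserv-0.3.2.tar
cd ocserv-0.3.2 || exit 1
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls" \
LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3 -lnl-route-3" \
./configure --prefix=/opt/ && make && make install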

7 , 6

:

3

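# Work in a dedicated directory and make every file created from here on —
# in particular the CA and server private keys — readable by the owner only.
# certtool may create key files with the default 0644 mode (TODO confirm for
# your GnuTLS version); umask 077 makes that moot either way.
cd || exit 1
umask 077
mkdir -p CA && cd CA || exit 1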

CA -1
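# 1. CA private key. --bits 2048 makes the "SSL 2048" statement at the top
#    of the guide explicit instead of relying on certtool's default. This
#    key signs the server certificate and must never leave this host — do
#    not copy it into /etc/ocserv/ssl with the server files later.
/opt/bin/certtool --generate-privkey --bits 2048 --outfile ca-key.pem
chmod 600 ca-key.pem
nano ca.tmpl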

Nano
# ca.tmpl — certtool template for the private VPN CA
cn = "VPN CA"
organization = "Big Corp"
serial = 1
# ten years; the CA certificate must outlive the server certs it signs
expiration_days = 3650
# mark as a CA that may sign certificates and CRLs
ca
signing_key
cert_signing_key
crl_signing_key


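# Self-signed CA certificate. ca-cert.pem (never ca-key.pem) is what the
# clients need installed to trust the server; hand it to them out of band.
# One command — the guide's copy had it wrapped mid-option.
/opt/bin/certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.tmpl --outfile ca-cert.pem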

Server -2
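# 2. Server private key (2048 bits, per the guide). Owner-readable only:
#    whoever holds this key can impersonate the VPN server.
/opt/bin/certtool --generate-privkey --bits 2048 --outfile server-key.pem
chmod 600 server-key.pem
nano server.tmpl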

Nano
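# server.tmpl — certtool template for the ocserv server certificate
# cn must be the exact host name (or IP) users enter in the AnyConnect
# client; any mismatch is a certificate warning on every connection.
cn = "www.example.com"
# dns_name sets the Subject Alternative Name, which newer clients check in
# preference to cn — keep it equal to cn. Add ip_address = "a.b.c.d" if users
# connect by IP address instead of a name.
dns_name = "www.example.com"
organization = "MyCompany"
serial = 2
# NOTE(review): ten years is a long life for a server certificate; a leaked
# key stays valid until then unless you also publish a CRL from the CA.
expiration_days = 3650
encryption_key
signing_key
tls_www_server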


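# Sign the server key with the CA. The guide had "-load-ca-certificate" with
# a single dash, which certtool rejects; all long options take "--".
/opt/bin/certtool --generate-certificate --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template server.tmpl --outfile server-cert.pem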

SSL :
SSL
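# Install the server certificate and key where ocserv.conf will point at
# them. Only the server pair goes here; the CA key stays in ~/CA.
# ocserv opens the key at start-up before dropping to run-as-user, so
# root:root 0600 should be enough — TODO confirm for the version you build.
cd ~/CA || exit 1
mkdir -p /etc/ocserv/ssl
chmod 700 /etc/ocserv/ssl
cp server-cert.pem server-key.pem /etc/ocserv/ssl/
chown root:root /etc/ocserv/ssl/server-key.pem
chmod 600 /etc/ocserv/ssl/server-key.pem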

:

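# Start from the sample config shipped in the source tree and then edit it.
# The line numbers quoted in the steps below refer to the ocserv 0.3.2
# sample.config; in other releases search for the option name instead.
cd ~/ocserv-0.3.2 || exit 1
mkdir -p /etc/ocserv
cp doc/sample.config /etc/ocserv/ocserv.conf
nano /etc/ocserv/ocserv.conf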

:
1
5

:
Certificate

Pam
: IBSng

) (
" "
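# Step 1 (line 5 of sample.config): the sample points "auth" at a test
# password file relative to the source tree —
#auth = "plain[./sample.passwd]"
# — replace it with the absolute path of the file ocpasswd creates later:
auth = "plain[/etc/ocserv/ocpasswd]"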

-2 :
60 61
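# Step 2 (lines 60-61): the sample points at the test suite's certificate —
#server-cert = ../tests/server-cert.pem
#server-key = ../tests/server-key.pem
# — use the files installed under /etc/ocserv/ssl above:
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem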

-3 :
32
2 .

# Step 3 (line 32): how many simultaneous sessions one username may hold.
max-same-clients = 2

-4 :
176 :
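# Step 4 (line 176): group the per-client worker processes drop to after
# start-up. The sample uses "daemon" —
#run-as-group = daemon
# — the guide switches it to "nobody". Check the run-as-user line next to it
# as well; both must be unprivileged accounts that own nothing on the box.
run-as-group = nobody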

-5 :
201 , 200
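# Step 5 (lines 200-201): the address pool handed out to VPN clients.
# The sample uses a LAN range —
#ipv4-network = 192.168.1.0
#ipv4-netmask = 255.255.255.0
# NOTE(review): the guide replaced it with 20.30.0.0/24. That is public,
# globally routed address space, not a private range: connected clients
# lose reachability to the real hosts in that block, and the NAT rules
# below masquerade a network you do not own. Use an RFC 1918 range that
# neither the server nor your users' home/office LANs already use, e.g.:
ipv4-network = 10.30.0.0
ipv4-netmask = 255.255.255.0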

-6DNS :
206

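# Step 6 (line 206): resolvers pushed to clients. The sample's LAN resolver
# is unreachable from here, so comment it out —
#dns = 192.168.1.2
# — and push public resolvers. Every VPN user's DNS queries go to these;
# pick resolvers you are prepared to trust with that.
dns = 8.8.8.8
dns = 4.2.2.4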

-7
243 244
# Step 7 (lines 243-244): the sample pushes two LAN routes (split tunnel) —
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
# — comment both out. With no "route" lines the client sends ALL traffic
# through the VPN (full tunnel), which is what the NAT/forwarding rules
# further down assume.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

: ...
) (

-8 :

Ios
PC
277
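# Step 8 (line 277): XML profile served to AnyConnect clients (iOS and PC
# builds both read it). Uncomment and point at the file created below.
#user-profile = profile.xml
user-profile = /etc/ocserv/profile.xml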

-9 :
288
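# Step 9 (line 288): enable the compatibility mode Cisco's own client needs.
#cisco-client-compat = false
cisco-client-compat = true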

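# Step 10: MTU hints sent to AnyConnect clients for the DTLS and CSTP
# channels. 1200 leaves headroom for the outer IP/UDP/DTLS headers on a
# 1500-byte path. (The guide's PDF rendering reversed the quotes; this is
# the correct form.)
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"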

ctrl + x y

:

nano /etc/ocserv/profile.xml

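<?xml version="1.0" encoding="UTF-8"?>
<!--
  /etc/ocserv/profile.xml - AnyConnect client profile served by ocserv
  (user-profile = /etc/ocserv/profile.xml in ocserv.conf).
  The namespace and schemaLocation URLs are literal identifiers the client
  expects; the guide's copy had them rewritten through a web proxy
  (fanyv88.com), which makes the profile invalid. Keep them exactly as below.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <AutoUpdate>true</AutoUpdate>
    <!-- ocserv does not host client upgrades; BypassDownloader stops the
         client from trying to fetch them from the server. -->
    <BypassDownloader>true</BypassDownloader>
    <UseStartBeforeLogon>false</UseStartBeforeLogon>
    <!-- The server certificate is signed by the private CA made above, not
         by a public CA. With StrictCertificateTrust=false the client shows
         an "untrusted server" prompt that users can click through - and
         that prompt looks the same for an attacker's certificate (MITM).
         Install ca-cert.pem in the clients' trust store and keep this true;
         until the CA is installed, connections are refused rather than
         silently downgraded. -->
    <StrictCertificateTrust>true</StrictCertificateTrust>
    <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
    <!-- ocserv speaks TLS/DTLS only; restricting IPsec here stops the
         client from attempting it (as in ocserv's sample profile). -->
    <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
    <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostName is only the label shown in the client (line 24 of the
           guide). HostAddress (line 25) is what the client connects to and
           must match the cn/dns_name in the server certificate - a host
           name, or an IP only if the certificate carries ip_address. -->
      <HostName>Server Profile Name</HostName>
      <HostAddress>server.ip.address</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>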

:
24 Server Profile Name
25 server.ip.address
Server Profile Name
server.ip.address
y ctrl + x
. profile.xml :

10

IP Forwarding :

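# Enable IPv4 forwarding so client traffic can be routed out of the server.
# The guide does this by hand in nano (change "net.ipv4.ip_forward = 0" to
# "= 1" in /etc/sysctl.conf); the sed below is the same edit, non-interactive
# and safe to re-run. If the key is missing entirely it is appended.
sed -i 's/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf || \
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# Apply now (persists across reboots via the file) and confirm the value;
# the last command must print "net.ipv4.ip_forward = 1".
sysctl -p
sysctl net.ipv4.ip_forward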

.
NAT :

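# Firewall and NAT for VPN clients. Assumes the public interface is eth0
# and the CentOS 5/6 iptables init script ("service iptables save").
VPN_NET="10.30.0.0/24"   # must equal ipv4-network/ipv4-netmask in ocserv.conf
                         # (the guide used 20.30.0.0/24, which is public
                         # address space, not a private range — see step 5)
WAN_IF="eth0"

# Replies to connections this server itself opens (RADIUS to IBSng, DNS,
# downloads). The guide had no such rule, so with an INPUT DROP policy
# everything except port 443 silently breaks.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# AnyConnect: TLS on TCP/443, DTLS on UDP/443. One rule per protocol is
# enough — the guide listed each of these four times in different forms.
iptables -A INPUT -i "$WAN_IF" -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -m state --state NEW -p udp --dport 443 -j ACCEPT

# Clamp TCP MSS to the path MTU through the tunnel. This must come BEFORE
# the ACCEPT rules: TCPMSS does not terminate rule traversal but ACCEPT
# does, so appended after them it would never be reached. The option is
# "--clamp-mss-to-pmtu"; the guide's "--clamp-mss-topmtu" is not a valid
# option name.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Forwarding and NAT for the client pool only. The guide's first rule was an
# unrestricted "-t nat -A POSTROUTING -j MASQUERADE", which rewrites the
# source of every packet leaving the box regardless of origin; limit it to
# $VPN_NET and allow return traffic to the clients explicitly.
iptables -A FORWARD -s "$VPN_NET" -j ACCEPT
iptables -A FORWARD -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

# Persist and reload. The extra stop/start pair in the guide is redundant
# (restart already does both); check the result with "iptables -L -n -v".
service iptables save
service iptables restart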

20.30.0.0 8 7 :

. OK

11

SELinux :
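# SELinux. The guide sets SELINUX=disabled. That throws away a containment
# layer around a daemon that terminates connections from the Internet and
# runs as root until it drops privileges. Use permissive instead: policy
# violations are logged to /var/log/audit/audit.log rather than blocked,
# which shows exactly what a local policy (audit2allow) would need, and the
# box can go back to enforcing later without a full relabel — "disabled"
# cannot. NOTE(review): whether enforcing actually interferes with an
# /opt-built ocserv is not established by this guide; try permissive first.
# Edit /etc/selinux/config directly: /etc/sysconfig/selinux is a symlink to
# it, and "sed -i" on the symlink would replace the link with a plain file.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
setenforce 0            # takes effect now; the file change covers reboots
getenforce              # should print "Permissive"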

6 CTRL + X .
IBSng .
) : (
username


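# Create a VPN user in ocserv's own password file. "-c" creates the file;
# omit it when adding further users. ocpasswd prompts for the password —
# never pass it on the command line, it would end up in shell history and
# be visible in "ps". The file holds password hashes; keep it root-only.
# ocserv appears to open it from its privileged process, so 0600 should not
# break authentication — TODO confirm for your ocserv version.
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
/opt/bin/ocpasswd -c /etc/ocserv/ocpasswd username
chown root:root /etc/ocserv/ocpasswd
chmod 600 /etc/ocserv/ocpasswd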

:
DeBug :
...
:
# First test run: in the foreground (-f) with debug level 1 (-d 1) so
# errors appear on the terminal instead of syslog. The library path is
# needed because ocserv was linked against the /opt copies of GnuTLS/libnl.
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1

12


:
DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file) Cannot create command handler

This means the system bus has no policy yet that lets ocserv claim the org.infradead.ocserv name; the policy file installed in the next step fixes it.

:
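# ocserv registers org.infradead.ocserv on the system bus (used by occtl);
# without this policy file dbus refuses the name and ocserv aborts with
# "Cannot create command handler". The file ships with the source tree.
# NOTE(review): read it before installing — it decides which users may own
# and talk to the service.
cd ~/ocserv-0.3.2 || exit 1
install -m 644 -o root -g root doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
# dbus normally picks up new system.d files on its own; if the error
# persists on the next run, "service messagebus reload" (or restart).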

:
# Run again in the foreground with debug output; leave it running, connect
# with the AnyConnect client from another machine to verify, then Ctrl-C.
/opt/sbin/ocserv -c /etc/ocserv/ocserv.conf -f -d 1

... :
*
.
Cisco AnyConnect
.
SSH .
.
* CTRL + C
.

13

:

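# The init script below uses start-stop-daemon (from dpkg), which CentOS
# does not ship; this builds a standalone copy from Axis's source tarball.
# The archive is apps-sys-utils-start-stop-daemon-...; the guide's wget line
# had the name hyphenated differently, presumably a PDF line wrap — TODO
# confirm the exact file name on the server.
# NOTE(review): this is an unauthenticated plain-HTTP download of a program
# that will run as root at every boot. Fetch it from a source you trust,
# compare it against a known checksum, and read the single C file before
# compiling. Alternatively use the daemon/killproc helpers that CentOS
# already provides in /etc/init.d/functions.
cd || exit 1
wget http://developer.axis.com/download/distribution/apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz || exit 1
tar zxf apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
mv apps/sys-utils/start-stop-daemon-IR1_9_18-2/ ./
rm -rf apps
cd start-stop-daemon-IR1_9_18-2/ || exit 1
cc -O2 start-stop-daemon.c -o start-stop-daemon
install -m 755 -o root -g root start-stop-daemon /usr/local/bin/start-stop-daemon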

start-stop-daemon
init
nano /etc/init.d/ocserv


.
* ssh .
* 8
) ( .
oscerv.txt .

14

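#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenConnect (AnyConnect-compatible) VPN server
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL
#
# SysV init script for ocserv built with --prefix=/opt. Each LSB header
# field above must stay on one line (the guide's PDF rendering split them
# across two) or chkconfig/insserv cannot parse them.
#
# Exit codes follow the LSB status convention: 0 running, 1 dead but pid
# file exists, 3 not running.

PATH=/bin:/opt/bin:/sbin:/opt/sbin
DAEMON=/opt/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
SSD=/usr/local/bin/start-stop-daemon
# ocserv links against the nettle/GnuTLS/libnl installed under /opt, so the
# dynamic loader needs this. Exported once here rather than inside "start"
# so every action runs the daemon with the same environment.
LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export LD_LIBRARY_PATH

# $PIDFILE is written by ocserv itself; this assumes "pid-file" in
# ocserv.conf is /var/run/ocserv.pid — TODO confirm, otherwise status and
# stop cannot find the daemon.

# Print the pid stored in $PIDFILE with whitespace stripped; fail if the
# file is unreadable.
read_pid() {
    [ -r "$PIDFILE" ] || return 1
    tr -d ' \t\n' < "$PIDFILE"
}

# Succeed when the pid in $PIDFILE is a live process whose executable is
# $DAEMON. readlink on /proc/<pid>/exe replaces the original
# "ls -l | cut -d'>'" parsing, which broke on any path containing a space
# or a '>' and depended on ls output format.
daemon_running() {
    pid=$(read_pid) || return 1
    [ -n "$pid" ] || return 1
    [ "$(readlink -f "/proc/$pid/exe" 2>/dev/null)" = "$(readlink -f "$DAEMON")" ]
}

case "$1" in
    start)
        # The original refused to start whenever $PIDFILE existed, so a
        # stale file left by a crash or power loss blocked every boot until
        # someone removed it by hand. Test for a live process instead.
        if daemon_running; then
            echo "OpenConnect VPN Server is already running"
            exit 0
        fi
        rm -f "$PIDFILE"
        echo -n "Starting OpenConnect VPN Server"
        # $DAEMON_ARGS is deliberately unquoted: it holds two words.
        "$SSD" --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
            $DAEMON_ARGS > /dev/null
        rc=$?
        echo
        exit $rc
        ;;
    stop)
        echo -n "Stopping OpenConnect VPN Server"
        "$SSD" --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
        rc=$?
        echo
        rm -f "$PIDFILE"
        exit $rc
        ;;
    force-reload|restart)
        echo "Restarting OpenConnect VPN Server"
        "$0" stop
        sleep 1
        "$0" start
        ;;
    status)
        if daemon_running; then
            echo "OpenConnect VPN Server run correctly"
            exit 0
        elif [ -r "$PIDFILE" ]; then
            echo "OpenConnect VPN Server stoped but pid file exist"
            exit 1
        else
            echo "OpenConnect VPN Server Stoped"
            exit 3
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
exit 0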

15

CTRL + X Y .

# Make the init script executable; 755 keeps it writable by root only.
chmod 755 /etc/init.d/ocserv

Start - Stop - Status - restart


ocserv.
:
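# Try the script through "service" (start / stop / status / restart). The
# guide misspelt the service name as "ovserv"; it is the file name under
# /etc/init.d.
service ocserv stop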

...
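# Register the script with chkconfig and enable it at boot. CentOS 6 reads
# the LSB header for the run levels; on CentOS 5 chkconfig may also need a
# "# chkconfig: 2345 90 10" line in the script — TODO confirm on your box.
chkconfig --add ocserv
chkconfig ocserv on
chkconfig --list ocserv   # levels 2-5 should show "on"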

CentOS .
IBSng ) .
(.
CiscoIBSng

IBSng .
IBSng .
.
Pam_radius_auth

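# pam_radius_auth: a PAM module that forwards authentication to a RADIUS
# server (here IBSng). It will see every VPN user's password, and the guide
# fetches it from a university mirror over plain HTTP — verify the tarball
# against the checksum/signature published by freeradius.org before
# building. 1.3.17 is the version the guide used; prefer the current one.
cd || exit 1
wget http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/pam_radius-1.3.17.tar.gz || exit 1
tar -xvf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17 || exit 1
make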

16

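# Install the module into PAM's module directory. The guide copies it into
# /lib/security, which is right for the i386 builds it covers, but on
# x86_64 CentOS PAM loads modules from /lib64/security, and a module left
# in /lib/security is never found (every login then fails).
if [ -d /lib64/security ]; then
  pam_dir=/lib64/security
else
  pam_dir=/lib/security
fi
install -m 755 -o root -g root pam_radius_auth.so "$pam_dir/"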


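# RADIUS client configuration, including the shared secret. pam_radius's
# README requires the file to be readable by root only — the secret lets
# anyone who reads it talk to IBSng as this server.
mkdir -p /etc/raddb
install -m 600 -o root -g root pam_radius_auth.conf /etc/raddb/server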


nano /etc/raddb/server

26 , 27
1
3

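# /etc/raddb/server — format: server[:port]   shared-secret   timeout-seconds
# pam_radius ships these two example entries (lines 26-27 of the file):
127.0.0.1       secret          1
other-server    other-secret    3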

) # (


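# Edit the two entries: replace 127.0.0.1 with the IBSng server's IP address
# and "secret" with the RADIUS shared secret configured for this client in
# IBSng; comment out the second example entry (a "#" at the start of the
# line). The timeout is in seconds. Keep the file root-owned, mode 0600.
<IBSng-IP>      <IBSng-RADIUS-secret>   1
# other-server  other-secret            3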

IP IBSng Secret Radius Secret Key IBSng



ctrl + x y
OCserv /etc/pam.d

nano /etc/pam.d/ocserv

17


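# /etc/pam.d/ocserv — authenticate VPN users against IBSng via RADIUS.
# A bare module name makes PAM look in its own module directory
# (/lib/security on i386, /lib64/security on x86_64), so the same file works
# on every build this guide covers; the guide's hard-coded
# /lib/security/pam_radius_auth.so path breaks on 64-bit hosts.
auth     required   pam_radius_auth.so
account  required   pam_radius_auth.so
session  required   pam_radius_auth.so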

IBSng Type pptpd




nano /etc/ocserv/ocserv.conf

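# Switch ocserv from its local password file to PAM (line 6 of ocserv.conf):
# comment out the "plain" entry and uncomment the "pam" one. Exactly one
# auth line may be active. (The guide's PDF rendering reversed the quotes;
# this is the correct form.)
#auth = "plain[/etc/ocserv/ocpasswd]"
auth = "pam"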

1812 1813

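# RADIUS traffic between ocserv and IBSng.
# RADIUS is UDP (1812 authentication, 1813 accounting), not TCP, so the
# guide's TCP rules match nothing RADIUS sends. This host is also the
# RADIUS *client*: it sends requests to IBSng and receives the replies on
# its own ephemeral port, so an inbound allow on 1812/1813 is not what makes
# it work. What is needed is outbound UDP to the IBSng address (the default
# OUTPUT policy ACCEPT already permits it) plus an ESTABLISHED,RELATED rule
# on INPUT for the replies. Only if IBSng runs on this same machine would
# inbound 1812/1813 rules be meaningful, and then restrict them to lo.
RADIUS_SERVER="<IBSng-IP>"   # same address as in /etc/raddb/server
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d "$RADIUS_SERVER" -m multiport --dports 1812,1813 -j ACCEPT
service iptables save
service iptables restart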

18

:
-1

-2
IBSng
/etc/raddb/server

:
20

secret

IBSng 20

IP


IBSng
7 :8
Cisco anyconnect 7 8 .
7 8 ,
Cisco AnyConnect client installer for Windows 7/8 (anyconnect-win-3.1.00495-pre-deploy-k9.msi). The guide links a third-party mirror (http://www.iqlinkus.com/downloads/anyconnect-win-3.1.00495-pre-deploy-k9.msi); obtain the client from Cisco or your organisation instead, and check the MSI's Authenticode signature before installing — a tampered VPN client sees every credential and all tunnelled traffic.



.
Cisco AnyConnect 64 CentOS IBSng

19
