Google and the like can't be reached any more; it used to be that one way or another I could still get on, but now it is getting harder and harder. When I run into an article whose code is hosted on Google I can't see it, and finding some of the documents and photos I put up there earlier is a real hassle too. In short, I saw an article about something interesting and copied it over here for future use. The text below comes from http://www.haiyun.me/archives/1071.html/comment-page-1
On CentOS 7 with the EPEL repository enabled, ocserv can be installed directly with yum.

Install the build environment and dependencies (if some of these packages are not found, install the EPEL repository first):

```shell
yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf
```
Building ocserv from source requires GnuTLS 3 or later, and GnuTLS in turn depends on nettle (2.7.1 here). These are old releases; the versions below are simply the ones the original article used, so prefer current releases and verify the tarballs' signatures before building.

```shell
wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1/
./configure --prefix=/usr/local/nettle
make && make install
# make the private prefix visible to the dynamic linker
echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
ldconfig
```
Install GnuTLS 3.3.9, pointing its configure script at the nettle build above:

```shell
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz
tar xvf gnutls-3.3.9.tar.xz
cd gnutls-3.3.9/
./configure --prefix=/usr/local/gnutls
make && make install
# certtool is used below to generate the certificates
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig
```
Install libnl:

```shell
yum install bison flex
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig
```
Install ocserv, telling configure where the libnl and GnuTLS builds live:

```shell
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
tar xvf ocserv-0.9.0.1.tar.xz
cd ocserv-0.9.0   # use whatever directory name the tarball actually unpacked to (check with ls)
./configure --prefix=/usr/local/ocserv
make && make install
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
source $HOME/.bashrc
```
Generate the TLS certificates: a private CA, then a server certificate signed by it. The cn must be the host name clients will connect to. Keep ca-key.pem and server-key.pem readable only by root (chmod 600): whoever holds ca-key.pem can issue client certificates that this server will accept. If a newer client refuses the certificate because it matches the server name against the subject alternative name rather than the cn, add a `dns_name = "www.haiyun.me"` line to server.tmpl.

```shell
mkdir /etc/ocserv/
cd /etc/ocserv
# CA private key:
certtool --generate-privkey --outfile ca-key.pem
# CA template:
cat << EOF > ca.tmpl
cn = "www.haiyun.me"
organization = "www.haiyun.me"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
# CA certificate (self-signed):
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
# Server private key:
certtool --generate-privkey --outfile server-key.pem
# Server certificate template (the original used the short form "o ="; "organization" is the documented key):
cat << EOF > server.tmpl
cn = "www.haiyun.me"
organization = "www.haiyun.me"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
# Server certificate, signed by the CA:
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
```
For password login, create the password file (ocpasswd prompts for the password and stores it hashed):

```shell
ocpasswd -c /etc/ocserv/passwd username
```
For certificate login, issue a client certificate from the same CA. With `auth = "certificate"` ocserv takes the user name from the certificate's cn by default, so set cn to the user name you want the connection logged under rather than a random string:

```shell
# user private key
certtool --generate-privkey --outfile user-key.pem
# user template
cat << EOF > user.tmpl
cn = "some random name"
unit = "some random unit"
expiration_days = 365
signing_key
tls_www_client
EOF
# user certificate, signed by the CA
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
```
Configuration file (/etc/ocserv/ocserv.conf). Note that the original was missing the `=` on the ca-cert line. Also, 192.168.1.0/24 is the default LAN of many home routers; pick a client pool that is unlikely to collide with the networks your clients sit on.

```ini
auth = "plain[/etc/ocserv/passwd]"
# certificate authentication
#auth = "certificate"
ca-cert = /etc/ocserv/ca-cert.pem
max-clients = 16
max-same-clients = 2
tcp-port = 5551
udp-port = 5551
keepalive = 32400
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
auth-timeout = 40
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = daemon
device = vpns
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
route = 192.168.1.0/255.255.255.0
```
Start ocserv (`-f` keeps it in the foreground so you can watch the log; drop it to run as a daemon):

```shell
ocserv -f -c /etc/ocserv/ocserv.conf
```
Enable IP forwarding and SNAT. eth0 is the server's outbound interface; adjust it to match. On CentOS 7 /etc/rc.local only runs if it is executable (chmod +x /etc/rc.d/rc.local); putting `net.ipv4.ip_forward = 1` in /etc/sysctl.conf is the more reliable way to make the setting persistent, and the iptables rule likewise needs to be saved or re-applied at boot.

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Connect with user name and password (`--passwd-on-stdin` makes openconnect read the piped password instead of prompting for it):

```shell
echo passwd | openconnect -u username --passwd-on-stdin www.haiyun.me:5551 --no-cert-check
```

Connect with a certificate:

```shell
openconnect -k user-key.pem -c user-cert.pem www.haiyun.me:5551 --no-cert-check
```

`--no-cert-check` disables verification of the server certificate, so anyone on the path can impersonate the server and capture the credentials. Since the server certificate is issued by your own CA, copy ca-cert.pem to the client and pass `--cafile ca-cert.pem` instead; newer openconnect releases have dropped `--no-cert-check` altogether in favour of `--servercert` pinning.
I am also attaching a route table I found elsewhere; just append it to the end of the configuration file.
```ini
# Apple
route = 17.0.0.0/255.0.0.0
route = 192.12.74.0/255.255.255.0
route = 192.42.249.0/255.255.255.0
#route = 204.79.190.0/255.255.255.0
#route = 63.92.224.0/255.255.224.0
# Dropbox
route = 108.160.160.0/255.255.240.0
route = 199.47.216.0/255.255.252.0
#route = 205.189.0.0/255.255.255.0
# Github
route = 192.30.252.0/255.255.252.0
# Google
route = 8.15.202.0/255.255.255.0
route = 8.34.208.0/255.255.240.0
route = 8.35.192.0/255.255.240.0
route = 8.6.48.0/255.255.248.0
route = 8.8.4.0/255.255.255.0
route = 8.8.8.0/255.255.255.0
route = 66.102.0.0/255.255.240.0
route = 66.249.64.0/255.255.224.0
route = 70.32.128.0/255.255.224.0
route = 72.14.192.0/255.255.192.0
route = 74.125.0.0/255.255.0.0
route = 104.128.0.0/255.192.0.0
route = 104.196.0.0/255.252.0.0
route = 107.167.160.0/255.255.224.0
route = 107.178.192.0/255.255.192.0
route = 108.170.192.0/255.255.192.0
route = 108.177.0.0/255.255.128.0
route = 108.59.80.0/255.255.240.0
route = 130.211.0.0/255.255.0.0
route = 142.250.0.0/255.254.0.0
route = 146.148.0.0/255.255.128.0
route = 162.216.148.0/255.255.252.0
route = 162.222.176.0/255.255.248.0
route = 172.217.0.0/255.255.0.0
route = 172.253.0.0/255.255.0.0
route = 173.194.0.0/255.255.0.0
route = 173.255.112.0/255.255.240.0
route = 192.158.28.0/255.255.252.0
route = 192.178.0.0/255.254.0.0
route = 216.239.32.0/255.255.224.0
route = 216.58.192.0/255.255.224.0
#route = 23.236.48.0/255.255.240.0
#route = 23.251.128.0/255.255.224.0
#route = 64.233.160.0/255.255.224.0
#route = 64.9.224.0/255.255.224.0
route = 199.192.112.0/255.255.252.0
route = 199.223.232.0/255.255.248.0
#route = 207.223.160.0/255.255.240.0
#route = 209.85.128.0/255.255.128.0
# Twitter
route = 8.25.192.0/255.255.252.0
route = 8.25.196.0/255.255.254.0
route = 192.133.76.0/255.255.252.0
route = 210.163.0.0/255.255.0.0
route = 199.16.156.0/255.255.252.0
route = 199.59.148.0/255.255.252.0
route = 199.96.56.0/255.255.248.0
# TW
route = 202.39.0.0/255.255.0.0
route = 220.130.0.0/255.255.0.0
# Amazon
route = 8.18.144.0/255.255.254.0
route = 46.137.0.0/255.255.0.0
route = 46.51.128.0/255.255.128.0
route = 50.112.0.0/255.255.0.0
route = 50.16.0.0/255.252.0.0
route = 54.0.0.0/255.0.0.0
#route = 54.160.0.0/255.224.0.0
#route = 54.192.0.0/255.192.0.0
route = 67.202.0.0/255.255.192.0
route = 72.21.192.0/255.255.224.0
route = 72.44.32.0/255.255.224.0
route = 75.101.128.0/255.255.128.0
route = 79.125.0.0/255.255.128.0
route = 87.238.80.0/255.255.248.0
#route = 96.127.0.0/255.255.128.0
route = 103.246.148.0/255.255.252.0
#instagram
route = 107.20.0.0/255.252.0.0
route = 122.248.192.0/255.255.192.0
route = 174.129.0.0/255.255.0.0
route = 176.32.64.0/255.255.224.0
route = 176.34.0.0/255.255.0.0
route = 178.236.0.0/255.255.240.0
route = 184.169.128.0/255.255.128.0
route = 184.72.0.0/255.254.0.0
route = 185.48.120.0/255.255.252.0
route = 203.83.220.0/255.255.252.0
route = 216.137.32.0/255.255.224.0
route = 216.182.224.0/255.255.240.0
route = 27.0.0.0/255.255.252.0
#route = 23.20.0.0/255.252.0.0
route = 199.127.232.0/255.255.252.0
route = 199.255.192.0/255.255.252.0
#route = 204.236.128.0/255.255.128.0
#route = 204.246.128.0/255.255.128.0
#route = 205.251.192.0/255.255.192.0
#route = 207.171.160.0/255.255.224.0
# bgp.he.net
#route = 72.52.94.234/255.255.255.255
# t66y
route = 184.154.128.0/255.255.255.0
# WordPress
route = 66.155.8.0/255.255.248.0
#route = 76.74.248.0/255.255.248.0
route = 192.0.64.0/255.255.192.0
route = 198.181.116.0/255.255.252.0
route = 199.47.91.0/255.255.255.0
# Wikimedia
route = 91.198.174.0/255.255.255.0
route = 185.15.56.0/255.255.252.0
route = 198.35.26.0/255.255.254.0
route = 198.73.209.0/255.255.255.0
#route = 208.80.152.0/255.255.252.0
## Adobe
#route = 130.248.0.0/255.255.0.0
#route = 153.32.0.0/255.255.0.0
#route = 185.34.188.0/255.255.252.0
#route = 192.147.117.0/255.255.255.0
#route = 192.150.0.0/255.255.240.0
#route = 192.150.16.0/255.255.248.0
#route = 192.243.224.0/255.255.240.0
#route = 192.243.248.0/255.255.248.0
#route = 193.104.215.0/255.255.255.0
#route = 195.35.86.0/255.255.255.0
#route = 208.77.136.0/255.255.252.0
#route = 216.104.208.0/255.255.248.0
#route = 216.104.216.0/255.255.252.0
#route = 216.104.220.0/255.255.254.0
#route = 63.140.32.0/255.255.224.0
#route = 66.117.16.0/255.255.240.0
#route = 66.235.0.0/255.255.0.0
# Akamai
route = 23.0.0.0/255.128.0.0
route = 23.192.0.0/255.192.0.0
route = 60.254.128.0/255.255.192.0
route = 63.0.0.0/255.0.0.0
route = 64.0.0.0/254.0.0.0
route = 66.171.0.0/255.255.0.0
route = 66.198.8.0/255.255.255.0
route = 67.131.232.0/255.255.255.0
route = 69.192.0.0/255.255.0.0
route = 69.22.154.0/255.255.254.0
route = 69.31.0.0/255.255.0.0
route = 70.39.163.0/255.255.255.0
route = 70.39.178.0/255.255.254.0
route = 72.246.0.0/255.254.0.0
#route = 96.16.0.0/255.254.0.0
#route = 96.6.0.0/255.254.0.0
#route = 98.124.141.0/255.255.255.0
route = 104.64.0.0/255.192.0.0
route = 172.224.0.0/255.240.0.0
route = 184.24.0.0/255.248.0.0
route = 184.50.0.0/255.254.0.0
route = 184.84.0.0/255.252.0.0
route = 216.151.176.0/255.255.255.0
route = 216.151.187.0/255.255.255.0
route = 216.206.30.0/255.255.255.0
route = 216.246.122.0/255.255.255.0
route = 216.246.75.0/255.255.255.0
route = 216.246.87.0/255.255.255.0
route = 216.246.93.0/255.255.255.0
route = 173.222.0.0/255.254.0.0
route = 173.245.0.0/255.255.0.0
route = 198.144.0.0/255.255.0.0
route = 198.47.108.0/255.255.255.0
#route = 204.10.28.0/255.255.252.0
#route = 204.8.48.0/255.255.252.0
#route = 204.93.0.0/255.255.0.0
#route = 204.95.24.0/255.255.254.0
#route = 205.161.113.0/255.255.255.0
#route = 205.185.204.0/255.255.254.0
#route = 205.234.218.0/255.255.255.0
#route = 205.234.225.0/255.255.255.0
#route = 205.246.30.0/255.255.255.0
#route = 208.34.250.0/255.255.255.0
#route = 209.107.0.0/255.255.0.0
#route = 209.136.40.0/255.255.255.0
#route = 209.170.0.0/255.255.0.0
#route = 209.234.250.0/255.255.255.0
#route = 209.234.252.0/255.255.255.0
#route = 209.95.152.0/255.255.255.0
# Cloudflare
route = 104.16.0.0/255.240.0.0
route = 108.162.192.0/255.255.192.0
route = 162.158.0.0/255.254.0.0
#route = 173.245.48.0/255.255.240.0
route = 198.41.128.0/255.255.128.0
route = 199.27.128.0/255.255.248.0
#route = 204.93.177.0/255.255.255.0
# E-hentai
route = 37.48.64.0/255.255.192.0
route = 85.17.0.0/255.255.0.0
route = 95.211.0.0/255.255.0.0
# Facebook
route = 31.13.24.0/255.255.248.0
route = 31.13.64.0/255.255.192.0
route = 66.220.144.0/255.255.240.0
route = 69.171.224.0/255.255.224.0
route = 69.63.176.0/255.255.240.0
route = 74.119.76.0/255.255.252.0
#route = 173.252.64.0/255.255.192.0
route = 199.201.64.0/255.255.252.0
#route = 204.15.20.0/255.255.252.0
# Fastly
#route = 23.235.32.0/255.255.240.0
#route = 104.156.80.0/255.255.240.0
route = 199.27.72.0/255.255.248.0
# Fc2
route = 199.116.176.0/255.255.252.0
#route = 208.71.104.0/255.255.252.0
# Mediafire
route = 199.91.152.0/255.255.248.0
#route = 205.196.120.0/255.255.252.0
# Ntt
route = 66.116.105.0/255.255.255.0
route = 128.121.0.0/255.255.0.0
route = 128.240.0.0/255.254.0.0
route = 128.242.0.0/255.255.0.0
route = 129.250.0.0/255.255.0.0
route = 130.94.0.0/255.255.0.0
route = 131.103.0.0/255.255.0.0
route = 140.174.0.0/255.255.0.0
route = 157.238.0.0/255.255.0.0
route = 161.58.0.0/255.255.0.0
route = 165.254.0.0/255.255.0.0
route = 168.143.0.0/255.255.0.0
route = 192.102.248.0/255.255.255.0
route = 192.147.160.0/255.255.248.0
route = 192.147.176.0/255.255.252.0
route = 192.204.0.0/255.255.0.0
route = 192.217.0.0/255.255.0.0
route = 192.220.0.0/255.255.0.0
route = 192.35.171.0/255.255.255.0
route = 192.67.14.0/255.255.255.0
route = 192.67.236.0/255.255.252.0
route = 192.80.12.0/255.255.252.0
#route = 198.0.0.0/255.0.0.0
#route = 199.0.0.0/255.0.0.0
route = 204.0.0.0/252.0.0.0
route = 208.0.0.0/254.0.0.0
route = 216.115.90.0/255.255.254.0
route = 216.167.0.0/255.255.128.0
route = 216.42.0.0/255.255.0.0
route = 216.44.0.0/255.255.0.0
# Timewarner
#route = 76.85.128.0/255.255.128.0
#route = 76.85.16.0/255.255.240.0
#route = 76.85.4.0/255.255.252.0
#route = 76.85.48.0/255.255.248.0
#route = 76.85.64.0/255.255.224.0
#route = 76.85.96.0/255.255.252.0
#route = 76.86.0.0/255.254.0.0
#route = 76.88.0.0/255.248.0.0
route = 76.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 97.0.0.0/255.0.0.0
route = 98.0.0.0/255.0.0.0
#route = 96.10.0.0/255.254.0.0
#route = 96.28.0.0/255.254.0.0
#route = 97.104.0.0/255.254.0.0
#route = 97.106.0.0/255.255.128.0
#route = 97.106.128.0/255.255.192.0
#route = 97.76.0.0/255.254.0.0
#route = 97.78.0.0/255.255.128.0
#route = 97.78.128.0/255.255.224.0
#route = 97.79.0.0/255.255.0.0
#route = 97.96.0.0/255.248.0.0
#route = 98.0.0.0/255.240.0.0
#route = 98.100.0.0/255.252.0.0
#route = 98.120.0.0/255.252.0.0
#route = 98.144.0.0/255.248.0.0
#route = 98.152.0.0/255.252.0.0
#route = 98.156.0.0/255.254.0.0
#route = 98.24.0.0/255.248.0.0
# 6park
route = 159.106.121.0/255.255.255.0
route = 198.11.0.0/255.255.0.0
route = 173.192.0.0/255.255.0.0
route = 50.22.0.0/255.255.0.0
# kakao.com
route = 110.76.141.0/255.255.255.0
# shadowsocks
route = 103.245.0.0/255.255.0.0
# softether.org
route = 27.121.46.0/255.255.255.0
# haproxy.org
route = 195.154.117.0/255.255.255.0
# openvpn.net
route = 189.163.17.5/255.255.255.255
# menuetos.net
route = 213.188.129.144/255.255.255.255
# gamer.com.tw
route = 60.199.217.0/255.255.255.0
```
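A route list like the one above is a security boundary: every `route =` entry is traffic that clients will send through the VPN server, and entries as broad as a /7 or a /6 cover far more than the provider they are labelled with, while narrower entries inside them are dead weight. The following script is an added example, not code from the original article or from ocserv. It parses text in the ocserv.conf syntax used by both the configuration file and the route table above (`route = NETWORK/NETMASK`, `#` comments), normalises each entry to CIDR with Python's standard `ipaddress` module, and reports entries already covered by a broader one, the total address space the list pushes, and entries ocserv would reject. SAMPLE_CONF is constructed for the example: most lines are copied from the table, the commented-out Google entry 64.233.160.0 is deliberately re-enabled to show it falling inside the Akamai 64.0.0.0/7 entry, and the last route is deliberately malformed.

```python
"""Audit an ocserv split-tunnel route list (added example, not from the article)."""
import ipaddress
import re
import sys

ROUTE_RE = re.compile(r"^\s*route\s*=\s*(\S+)\s*$")

# Constructed sample in ocserv.conf syntax; entries mostly copied from the table above.
SAMPLE_CONF = """\
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
route = 192.168.1.0/255.255.255.0
# Google
route = 8.8.4.0/255.255.255.0
route = 8.8.8.0/255.255.255.0
route = 64.233.160.0/255.255.224.0
# Amazon
route = 54.0.0.0/255.0.0.0
#route = 54.160.0.0/255.224.0.0
route = 27.0.0.0/255.255.252.0
# Akamai
route = 63.0.0.0/255.0.0.0
route = 64.0.0.0/254.0.0.0
# Timewarner
route = 76.0.0.0/255.0.0.0
# openvpn.net
route = 189.163.17.5/255.255.255.255
# constructed bad entry: host bits are set in the network part
route = 10.1.2.3/255.255.255.0
"""


def parse_routes(conf_text):
    """Return (routes, errors).

    routes: active 'route =' entries as IPv4Network objects, in file order.
    errors: (line number, raw value, reason) for values that are not a valid
            network/netmask pair. Commented-out lines are skipped, not errors.
    """
    routes, errors = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drops '#route = ...' lines too
        m = ROUTE_RE.match(code)
        if not m:
            continue
        try:
            # ip_network accepts dotted netmasks; strict=True rejects host bits
            routes.append(ipaddress.ip_network(m.group(1), strict=True))
        except ValueError as exc:
            errors.append((lineno, m.group(1), str(exc)))
    return routes, errors


def shadowed_routes(routes):
    """Pairs (narrow, broad): entries that lie entirely inside another entry.

    The narrow entry is redundant, and the broad one is routing more than the
    provider it is labelled with.
    """
    pairs = []
    for narrow in routes:
        for broad in routes:
            if (broad is not narrow and broad.prefixlen < narrow.prefixlen
                    and narrow.subnet_of(broad)):
                pairs.append((narrow, broad))
                break
    return pairs


def coverage(routes):
    """Merge overlapping/adjacent entries; return (merged list, address count)."""
    merged = list(ipaddress.collapse_addresses(routes))
    return merged, sum(n.num_addresses for n in merged)


def audit(conf_text):
    """Summarise a config the way a reviewer of the route list would want it."""
    routes, errors = parse_routes(conf_text)
    merged, covered = coverage(routes)
    return {
        "routes": len(routes),
        "errors": errors,
        "shadowed": [(str(n), str(b)) for n, b in shadowed_routes(routes)],
        "merged": [str(n) for n in merged],
        "covered_addresses": covered,
        "ipv4_fraction": covered / 2 ** 32,
    }


if __name__ == "__main__":
    # Usage: python3 audit_routes.py [/etc/ocserv/ocserv.conf]; no argument runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in audit(text).items():
        print(f"{key}: {value}")
```

Run it against the real /etc/ocserv/ocserv.conf after appending the table; the `shadowed` list is the cleanup candidates, `ipv4_fraction` is how much of the Internet you are actually tunnelling, and `errors` are lines ocserv will complain about at start-up.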