glzjin

Setting up an AnyConnect server and integrating it with RADIUS authentication

http://www.haiyun.me/archives/1071.html

Derived from and written up on the basis of this tutorial.

Done on CentOS 6 x64.

1. Dependencies

            yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
            yum install tar gzip xz wget gcc make autoconf

2. Install nettle

            cd
            wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz
            tar zxvf nettle-3.1.tar.gz 
            cd nettle-3.1/
            ./configure --prefix=/usr/local/nettle
            make && make install
            echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
            ldconfig 

3. Install gnutls

            cd
            export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
            export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
            export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
            export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
            wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.7.tar.xz
            tar xvf gnutls-3.4.7.tar.xz
            cd gnutls-3.4.7
            ./configure --prefix=/usr/local/gnutls --with-included-libtasn1 --without-p11-kit
            make && make install
            ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
            echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
            ldconfig

4. Install libnl

            cd
            yum install bison flex
            wget https://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
            tar xvf libnl-3.2.25.tar.gz
            cd libnl-3.2.25
            ./configure --prefix=/usr/local/libnl
            make && make install
            echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
            ldconfig

5. Install the RADIUS pieces

            export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
            export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
            export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
            export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
            wget https://github.com/radcli/radcli/releases/download/1.2.5/radcli-1.2.5.tar.gz
            tar xvzf radcli-1.2.5.tar.gz
            cd radcli-1.2.5
            ./configure --prefix=/usr/local/radcli
            echo '/usr/local/radcli/lib/' > /etc/ld.so.conf.d/radcli.conf
            make && make install
            ldconfig
            yum install freeradius-client -y

6. Install the main attraction: ocserv

            export RADCLI_LIBS="-L/usr/local/radcli/lib/ -lradcli"
            export RADCLI_CFLAGS="-I/usr/local/radcli/include/"
            wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
            tar xvf ocserv-0.10.9.tar.xz
            cd ocserv-0.10.9

Edit src/vpn.h:

            #define DEFAULT_CONFIG_ENTRIES 96 

and change 96 to 200.

            ./configure --prefix=/usr/local/ocserv
            make && make install
            echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
            source $HOME/.bashrc 

7. Certificates

I already have a wildcard certificate here, so I won't generate one = = I'll just use it directly.

            mkdir /etc/ocserv/

Edit /etc/ocserv/server-cert.pem and paste the certificate file into it. Remember to paste only one certificate, the one issued to you = = if you paste the chain after it you will get an error = = apparently because the CA certificate is handled oddly.

Then:

            chmod 600 /etc/ocserv/server-cert.pem

Same for server-key.pem: paste the private key in and set the permissions the same way.

8. Configuring freeradius-client

I only set up authentication for login here.

Edit /etc/radiusclient/radiusclient.conf.

yourserveraddress stands for the RADIUS server's address.

            authserver      yourserveraddress:1812
            acctserver      yourserveraddress:1813
            dictionary      /etc/radiusclient/dictionary

Also remember to grant this host access on the RADIUS server side.

Then edit /etc/radiusclient/servers and add the following, where yourserveraddress stands for the RADIUS server address and yourserversecret for the RADIUS shared secret:

            yourserveraddress                  yourserversecret
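To confirm that the address and shared secret just put in /etc/radiusclient/servers are actually accepted by the RADIUS server before pointing ocserv at it, here is an added example (not from the original post, ocserv or radcli): a minimal PAP Access-Request client using only Python's standard library. It obfuscates the password as RFC 2865 requires and checks the Response Authenticator of the reply, so a wrong shared secret and an unauthorised client show up as distinct outcomes; the function names are mine, and the server, secret, user and password passed to probe() are whatever you configured.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types used here

def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, user, password, secret, authenticator):
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, b"ocserv")
    attrs += attr(USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def verify_response(resp, request_authenticator, secret):
    # Only a peer that holds the shared secret can produce a matching authenticator.
    if len(resp) < 20 or int.from_bytes(resp[2:4], "big") != len(resp):
        return False
    expected = response_authenticator(resp[0], resp[1], resp[20:], request_authenticator, secret)
    return resp[4:20] == expected

def probe(server, secret, user, password, port=1812, timeout=3.0):
    ident, ra = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(ident, user, password, secret, ra)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: server unreachable, or this host is not a permitted client"
    if resp[1] != ident or not verify_response(resp, ra, secret):
        return "authenticator mismatch: wrong shared secret, or a forged reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(resp[0], "other")
```

Call it as probe("yourserveraddress", b"yourserversecret", "testuser", "testpass") with your own values. A silent timeout usually means the RADIUS server does not list this host as a client, while an authenticator mismatch means the secret on the two sides differs.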

9. Configuration file

For the configuration file, go back to the directory where we just built ocserv.

            cd /root/ocserv-0.10.9
            cp ./tests/docker-ocserv/ocserv-radius.conf /etc/ocserv/ocserv.conf

Then edit /etc/ocserv/ocserv.conf.

The main items to change:

            try-mtu-discovery = true
            cisco-client-compat = true
            server-cert = /etc/ocserv/server-cert.pem
            server-key = /etc/ocserv/server-key.pem
            max-clients = 50
            max-same-clients = 10
            tcp-port = 5444
            udp-port = 5444
            dns = 8.8.8.8
            dns = 8.8.4.4
            ipv4-network = 192.168.10.0
            occtl-socket-file = /var/run/occtl.socket
            #ca-cert = ...

Yes, that's right: comment ca-cert out.

Also pay special attention to the routing table: comment out both the existing no-route and route lines first, then add the following.

            route = 103.0.0.0/255.0.0.0
            route = 106.0.0.0/255.0.0.0
            route = 107.0.0.0/255.0.0.0
            route = 108.0.0.0/255.0.0.0
            route = 141.0.0.0/255.0.0.0
            route = 153.0.0.0/255.0.0.0
            route = 160.0.0.0/255.0.0.0
            route = 166.0.0.0/255.0.0.0
            route = 17.0.0.0/255.0.0.0
            route = 173.0.0.0/255.0.0.0
            route = 176.0.0.0/255.0.0.0
            route = 178.0.0.0/255.0.0.0
            route = 184.0.0.0/255.0.0.0
            route = 194.0.0.0/255.0.0.0
            route = 198.0.0.0/255.0.0.0
            route = 199.0.0.0/255.0.0.0
            route = 203.0.0.0/255.0.0.0
            route = 204.0.0.0/255.0.0.0
            route = 205.0.0.0/255.0.0.0
            route = 208.0.0.0/255.0.0.0
            route = 209.0.0.0/255.0.0.0
            route = 210.0.0.0/255.0.0.0
            route = 216.0.0.0/255.0.0.0
            route = 3.0.0.0/255.0.0.0
            route = 4.0.0.0/255.0.0.0
            route = 31.0.0.0/255.0.0.0
            route = 46.0.0.0/255.0.0.0
            route = 50.0.0.0/255.0.0.0
            route = 54.0.0.0/255.0.0.0
            route = 61.0.0.0/255.0.0.0
            route = 64.0.0.0/255.0.0.0
            route = 67.0.0.0/255.0.0.0
            route = 68.0.0.0/255.0.0.0
            route = 69.0.0.0/255.0.0.0
            route = 70.0.0.0/255.0.0.0
            route = 72.0.0.0/255.0.0.0
            route = 74.0.0.0/255.0.0.0
            route = 75.0.0.0/255.0.0.0
            route = 76.0.0.0/255.0.0.0
            route = 77.0.0.0/255.0.0.0
            route = 79.0.0.0/255.0.0.0
            route = 8.0.0.0/255.0.0.0
            route = 23.0.0.0/255.0.0.0
            route = 93.0.0.0/255.0.0.0
            route = 96.0.0.0/255.0.0.0
            route = 100.0.0.0/248.0.0.0
            route = 109.0.0.0/255.0.0.0
            route = 128.0.0.0/255.0.0.0
            route = 174.0.0.0/255.0.0.0
            route = 190.0.0.0/255.0.0.0
            route = 192.0.0.0/255.0.0.0

OK, save.
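A split-tunnel route list this long is easy to get subtly wrong, so here is an added example (not from the original post or from ocserv) that sanity-checks route/no-route lines in ocserv's "network/netmask" form: it normalises each entry to CIDR, flags entries whose host bits are set (such as 100.0.0.0/248.0.0.0 above, which is really 96.0.0.0/5), and reports duplicates and entries already covered by a wider route of the same kind. The sample configuration and function names are mine; the sample is constructed from a few of the lines above plus a deliberate duplicate and a no-route exclusion.

```python
import ipaddress

# Constructed sample (not the full list above): one entry with host bits set,
# one duplicate, and a no-route exclusion inside a routed prefix.
SAMPLE_CONF = """\
route = 96.0.0.0/255.0.0.0
route = 103.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 192.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
no-route = 192.168.0.0/255.255.0.0
"""

def parse_routes(text):
    """Return (key, written_value, network) for every route/no-route line, netmask or CIDR form."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = (p.strip() for p in line.partition("="))
        if key in ("route", "no-route") and value:
            entries.append((key, value, ipaddress.ip_network(value, strict=False)))
    return entries

def check_routes(text):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    routes, findings, seen = parse_routes(text), [], {}
    for key, written, net in routes:
        # Host bits set: clients may normalise this to a different prefix or reject it outright.
        if ipaddress.ip_address(written.split("/")[0]) != net.network_address:
            findings.append(("warn", f"{key} {written}: host bits set, normalises to {net.with_prefixlen}"))
        if (key, net) in seen:
            findings.append(("warn", f"{key} {written}: duplicate of {seen[(key, net)]}"))
        seen.setdefault((key, net), written)
        # Redundant: a wider entry of the same kind already covers this one.
        for k2, w2, wider in routes:
            if k2 == key and wider.prefixlen < net.prefixlen and net.subnet_of(wider):
                findings.append(("info", f"{key} {written}: already covered by {w2}"))
    return findings

if __name__ == "__main__":
    for severity, message in check_routes(SAMPLE_CONF):
        print(severity, message)
```

Feed it the real ocserv.conf with check_routes(open("/etc/ocserv/ocserv.conf").read()) to review the full list.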

10. Firewall and system configuration

            echo 1 > /proc/sys/net/ipv4/ip_forward
            echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
            iptables -t nat -A POSTROUTING  -o eth0 -j MASQUERADE
            service iptables save

11. Run ocserv

            ocserv -f -c /etc/ocserv/ocserv.conf

Now you can connect; I won't go into that here.

Add that line to /etc/rc.local and it will start at boot.
