Cisco AnyConnect Secure Mobility Client Secure VPN access for remote workers Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. OpenConnect is an open-source software application for connecting to virtual private networks (VPN), which implement secure point-to-point connections. It was originally written as an open-source replacement for Cisco's proprietary AnyConnect SSL VPN client, which is supported by several Cisco routers.The OpenConnect client added support for Juniper Networks' SSL VPN in version 7.05.

安装编译环境及依赖，如部分软件不能安装请先安装epel源。

yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf
ocserv编译安装依赖，ocserv需要gnutls3版本以上，gnutls依赖nettle2.7.1：

wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1/
./configure –prefix=/usr/local/nettle
make && make install
echo ‘/usr/local/nettle/lib64/’ > /etc/ld.so.conf.d/nettle.conf
ldconfig
安装gnutls3.3.9：

export NETTLE_CFLAGS=”-I/usr/local/nettle/include/”
export NETTLE_LIBS=”-L/usr/local/nettle/lib64/ -lnettle”
export HOGWEED_LIBS=”-L/usr/local/nettle/lib64/ -lhogweed”
export HOGWEED_CFLAGS=”-I/usr/local/nettle/include”
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz
tar xvf gnutls-3.3.9.tar.xz
cd gnutls-3.3.9/
./configure –prefix=/usr/local/gnutls
make && make install
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo ‘/usr/local/gnutls/lib/’ > /etc/ld.so.conf.d/gnutls.conf
ldconfig
安装libnl：

yum install bison flex
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure –prefix=/usr/local/libnl
make && make install
echo ‘/usr/local/libnl/lib/’ > /etc/ld.so.conf.d/libnl.conf
ldconfig
安装ocserv：

export LIBNL3_CFLAGS=”-I/usr/local/libnl/include/libnl3″
export LIBNL3_LIBS=”-L//usr/local/libnl/lib/ -lnl-3 -lnl-route-3″
export LIBGNUTLS_LIBS=”-L/usr/local/gnutls/lib/ -lgnutls”
export LIBGNUTLS_CFLAGS=”-I/usr/local/gnutls/include/”
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
tar xvf ocserv-0.9.0.1.tar.xz
cd ocserv-0.9.0
./configure –prefix=/usr/local/ocserv
make && make install
echo ‘export PATH=$PATH://usr/local/ocserv/sbin/:/usr/local/ocserv/bin/’ >> $HOME/.bashrc
source $HOME/.bashrc
生成SSL证书：

mkdir /etc/ocserv/
cd /etc/ocserv
#CA私钥：
certtool –generate-privkey –outfile ca-key.pem
#CA模板：
cat << EOF > ca.tmpl
cn = “thinkingandcreating.com”
organization = “thinkingandcreating.com”
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
#CA证书：
certtool –generate-self-signed –load-privkey ca-key.pem –template ca.tmpl –outfile ca-cert.pem
#Server私钥：
certtool –generate-privkey –outfile server-key.pem
#Server证书模板：
cat << EOF > server.tmpl
cn = “thinkingandcreating.com”
o = “thinkingandcreating.com”
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
#Server证书：
certtool –generate-certificate –load-privkey server-key.pem –load-ca-certificate ca-cert.pem –load-ca-privkey ca-key.pem –template server.tmpl –outfile server-cert.pem
密码登录，生成密码文件：

ocpasswd -c /etc/ocserv/passwd username
证书登录：

#user私钥
certtool –generate-privkey –outfile user-key.pem
#user模板
cat << EOF > user.tmpl
cn = “some random name”
unit = “some random unit”
expiration_days = 365
signing_key
tls_www_client
EOF
#user证书
certtool –generate-certificate –load-privkey user-key.pem –load-ca-certificate ca-cert.pem –load-ca-privkey ca-key.pem –template user.tmpl –outfile user-cert.pem
配置文件：

auth = “plain[/etc/ocserv/passwd]”
#证书认证
#auth = “certificate”
ca-cert /etc/ocserv/ca-cert.pem
max-clients = 16
max-same-clients = 2
tcp-port = 5551
udp-port = 5551
keepalive = 32400
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
auth-timeout = 40
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = daemon
device = vpns
ipv4-network = 172.16.37.0
ipv4-netmask = 255.255.255.0
route = 172.16.37.0/255.255.255.0
启动opserv：

ocserv -f -c /etc/ocserv/ocserv.conf
IP转发及SNAT：

iptables -t nat -A POSTROUTING -j SNAT –to-source <服务器公网 IP > -o <对应网卡的名称>
iptables -t nat -A POSTROUTING -s 172.16.37.0/24 -o venet0 -j MASQUERADE
iptables -A FORWARD -s 172.16.37.0/24 -j ACCEPT
service iptables save
记得开始iptables
使用用户密码连接：

Ocserv Anyconnect Web

echo passwd|openconnect -u username thinkingandcreating.com:5551 –no-cert-check
使用证书连接：

openconnect -k user-key.pem -c user-cert.pem thinkingandcreating.com:5551 –no-cert-check

NAME

ocserv - OpenConnect VPN server

SYNOPSIS

ocservoptions -c [config]

Openconnect VPN server (ocserv) is a VPN server compatible with theopenconnect VPN client. It follows the AnyConnect VPN protocol whichis used by several CISCO routers.

DESCRIPTION

This a standalone server that reads a configuration file (see below for more details),and waits for client connections. Log messages are redirected to daemon facility.

The server maintains two connections/channels with the client. The main VPNchannel is established over TCP, HTTP and TLS. This is the control channel as wellas the backup data channel. After its establishment a UDP channel using DTLSis initiated which serves as the main data channel. If the UDP channel failsto establish or is temporarily unavailable the backup channel over TCP/TLSis being used.

This server supports multiple authentication methods,including PAM and certificate authentication. Authenticated users areassigned an unprivileged worker process and obtain a networking (tun) deviceand an IP from a configurable pool of addresses.

Once authenticated, the server provides the client with an IP address and a listof routes that it may access. In order to allow high-speed transfers theserver does not process or filter packets. It is expected that the server hasor will set up any required routes or firewall rules.

It is possible to separate users into groups, which are either present on theircertificate, or presented on login for the user to choose. That way a user maytake advantage of the different settings that may apply per group. See thecomments on the configuration file for more information.

It is also possible to run hostname-based virtual servers which could supportdifferent authentication methods. When multiple virtual servers are presentclients are distinguished by the advertised server name over TLS (SNI).Clients which do not support or sent SNI, are directed to the defaultserver.

OPTIONS

Do not fork server into background.

Enable verbose network debugging information. num must be between zeroand 9999.

Specify the configuration file for the server.

Test the provided configuration file and exit. A successful exit error codeindicates a valid configuration.

Ocserv 搭建 Cisco Anyconnect Vpn

Specify a PID file for the server.

Display usage information and exit.

Output version of program and exit.

AUTHENTICATION

Users can be authenticated in multiple ways, which are explained in the followingparagraphs. Connected users can be managed using the occtl tool.

Password authentication

If your system supports Pluggable Authentication Modules (PAM), thenocserv will take advantage of it to password authenticate its users.Otherwise a plain password file similar to the UNIX password file is also supported.In that case the 'ocpasswd' tool can be used for its management.Note that password authentication can be used in conjunction with certificateauthentication.

GSSAPI authentication

ocserv will take advantage of the MIT Kerberos project GSSAPI libraries, andallow authentication using any method GSSAPI supports. That is, mainly, Kerberosauthentication. That is often more useful to be combined with PAM or otherpassword authentication methods so that a fallback mechanism can be used whenGSSAPI fails (e.g., when the user doesn't already have a Kerberos ticket). TheGSSAPI authentication is implemented using SPNEGO over HTTP (RFC4559).

Public key (certificate) authentication

Public key authentication allows the user to be authenticatedby the possession of the private key that corresponds to a knownto the server public key. That allows the usage of common smartcards for user authentication.

In ocserv, a certificate authority (CA) is used to sign the clientcertificates. That certificate authority can be local, used only by theserver to sign its user's known public keys which are then given tousers in a form of certificates. That authority need also provide a CRLto allow the server to reject the revoked clients (see ca-cert, crl).

In certificate authentication each client presents a certificate and signsdata provided by the server, as part of TLS authentication, to prove hispossession of the corresponding private key.The certificate need also contain user identifying information,for example, the user ID of the client must be embedded in the certificate'sDistinguished Name (DN), i.e., in the Common Name, or UID fields. For theserver to read the name, the cert-user-oid configuration optionmust be set.

The following examples demonstrate how to use certtool from GnuTLS togenerate such CA.

Generating the CA

Generating a local server certificate

The following example generates the server key and certificatepair. The key generated is an RSA one, but different typescan be used by specifying the 'ecdsa' or 'dsa' options tocerttool.

From this point the clients need ca-cert.pem to be able to securelyconnect to the server.

Note that it is a better practice to use two separate RSA keys, onewith the signing_key option and another with the encryption_key.

Generating an external CA-signed server certificate

Ocserv Anyconnect Client

At this point you need to provide the server-cert.csr to your CA,and they will send you the server certificate.

Ocserv Cisco Anyconnect

Generating the client certificates

Note that it is recommended to leave detailed personal information out of thecertificate as it is sent in clear during TLS authentication. The followingprocess generates a certificate and converts it to PKCS #12 that is protectedby a PIN and most clients are able to import (the 3DES cipher is used inthe example because it is supported by far more devices thanAES).

Revoking a client certificate

To revoke the previous client certificate, i.e., preventing the user fromaccessing the VPN resources prior to its certificate expiration, use:

After that you may want to notify ocserv of the new CRL by usingthe HUP signal, or wait for it to reload it.

When there are no revoked certificates an empty revocation listshould be generated as follows.

IMPLEMENTATION NOTES

Note that while this server utilizes privilege separation and allauthentication occurs on the security module, this does not apply for TLS clientcertificate authentication. That is due to TLS protocol limitation.

NETWORKING CONSIDERATIONS

In certain setups, where a firewall may be blocking ICMP responses, setting theMSS of TCP connections to MTU will eliminate the 'black hole' connection issues.See http://lartc.org/howto/lartc.cookbook.mtu-mss.html for instructionsto enable it on a Linux system.

FILES

ocserv's configuration file format

Ocserv Anyconnect User

By default, if no other file is specified, ocserv looks for its configurationfile at /etc/ocserv/ocserv.conf. An example configuration file follows.

SEE ALSO

occtl(8), ocpasswd(8), openconnect(8)

COPYRIGHT

Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights reserved.This program is released under the terms of the GNU General Public License, version 2.

AUTHORS

Ocserv Anyconnect App

Written by Nikos Mavrogiannopoulos. Many people havecontributed to it.