CentOS 7: Using ocserv to build a Cisco AnyConnect server

Introduction

AnyConnect is a proprietary Cisco technology: the AnyConnect server only runs on Cisco equipment, so without buying Cisco hardware you cannot run an AnyConnect server. OpenConnect (ocserv) is an open source project whose goal is to run a server compatible with the AnyConnect protocol on relatively inexpensive Linux machines, without Cisco's proprietary equipment. AnyConnect clients currently exist for Windows 7+, Android, iOS and Mac; platforms without a client, such as Windows XP, cannot use it.

Reasons for choosing OpenConnect:

  • We need secure intranet access, not a quick firewall bypass, and later we will need to add certificate authentication
  • The OpenVPN protocol has very recognisable traffic characteristics. The AnyConnect protocol is also recognisable, but since at present only a few large vendors use it, connecting directly to an overseas VPN gateway is generally not interfered with, or is interfered with less
  • On iOS and BlackBerry BBOS, for example, an AnyConnect client is built in
  • Multi-platform support: Windows 7+ / Android / iOS / Mac

Deployment

Please click: www.pvcreate.com/index.php/a…

Configuration

Main configuration file: /etc/ocserv/ocserv.conf

Note that the one-click deployment script above automatically adds route configuration. If you want all traffic to go through the VPN once AnyConnect is connected, comment out the lines in the configuration file that begin with route. If only certain network segments should use the VPN, configure them yourself: for example, if after connecting only traffic to the company's 192.168.0.0/25 segment should go through the VPN, add route = 192.168.0.0/255.255.255.0 to the configuration file.

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 1024
max-same-clients = 10
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 86400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
ipv4-network = 192.168.8.0/21
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true

Parameter explanation

# Choose your preferred login method. To use certificate authentication, remove the hash sign in front of auth = "certificate" and add a hash sign in front of the line below (covered in point 5)
auth = "plain[/etc/ocserv/ocpasswd]"

# Total number of clients allowed to connect at the same time; with 4, as below, at most 4 devices can be connected at once
max-clients = 4

# How many sessions the same username may have at the same time; the line below limits it to 2. Setting it to 0 removes the limit
max-same-clients = 2

# IP address ocserv listens on; leave this alone
#listen-host = [IP|HOSTNAME]

# Listening ports: TCP 443 / UDP 80
tcp-port = 443
udp-port = 80

# This option can improve VPN performance
try-mtu-discovery = true

# Let the server read the username from the user certificate
cert-user-oid = 2.5.4.3
# Server certificate and key
server-cert = /etc/ssl/selfsigned/server-cert.pem
server-key = /etc/ssl/selfsigned/server-key.pem

# We use the DNS servers provided by Google
dns = 8.8.8.8
dns = 8.8.4.4
# route = *
# route = 192.168.1.0/255.255.255.0

# Make ocserv compatible with AnyConnect
cisco-client-compat = true
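As an added example (not code from the post or from ocserv itself), the following parses the key = value format shown above and lints the settings the post explains: max-same-clients = 0 meaning unlimited sessions, the SSL 3.0 exclusion in tls-priorities, plain versus certificate auth, and whether route lines make it a split tunnel. The config text is constructed for the example.

```python
"""Added example (not code from the post or from ocserv): parse ocserv.conf
key = value lines and lint the settings the post explains."""
from collections import defaultdict

# Constructed sample config: full tunnel, with two settings worth flagging.
SAMPLE_CONF = """\
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
# 0 below means unlimited sessions per account
max-same-clients = 0
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
#route = 192.168.1.0/255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
"""


def parse_ocserv_conf(text):
    """Return {key: [value, ...]}; ocserv allows repeated keys such as dns and route."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines have no "="
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # first "=" only: auth values contain "="
        conf[key.strip()].append(value.strip().strip('"'))
    return dict(conf)


def tunnel_mode(conf):
    """'split' if route lines restrict what goes through the VPN, else 'full'."""
    return "split" if conf.get("route") else "full"


def lint_ocserv_conf(conf):
    """Return findings for the weak settings discussed in the post."""
    findings = []
    if conf.get("max-same-clients", [None])[0] == "0":
        findings.append("max-same-clients = 0: one leaked credential can open unlimited sessions")
    if "-VERS-SSL3.0" not in conf.get("tls-priorities", [""])[0]:
        findings.append("tls-priorities: SSL 3.0 is not disabled (add :-VERS-SSL3.0)")
    if any(v.startswith("plain") for v in conf.get("auth", [])):
        findings.append("auth = plain: password-only login; the post plans certificate auth")
    return findings


if __name__ == "__main__":
    parsed = parse_ocserv_conf(SAMPLE_CONF)
    print(tunnel_mode(parsed), lint_ocserv_conf(parsed))
```

Run it against the real /etc/ocserv/ocserv.conf by reading the file into parse_ocserv_conf instead of SAMPLE_CONF.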

Contents of /etc/ocserv/ocpasswd:

user:*:$5$AUmpA0nrORBa4M1K$sfEvgp70uiunAD9QHaUm.lgKid9lgYCYumsO0OKsB0C

Commands

Create a user: ocpasswd -c /etc/ocserv/ocpasswd user

Delete a user: ocpasswd -c /etc/ocserv/ocpasswd -d user

Start the service: service ocserv start

Stop the service: service ocserv stop

Restart the service: service ocserv restart

Enable start at boot: chkconfig ocserv on
