3月 062020
 

主机列表

DC 18.163.111.34
NPS 18.163.35.186
RRAS 18.162.114.236
PC 18.163.117.102

单机环境下RRAS(VPN)服务属性的安全标签页面

将本地用户Administrator的拨入权限设置为允许

在客户机PC上新建拨号VPN连接

查看VPN拨号连接属性配置

修改安全标签页设置

使用RRAS主机用户Administrator进行拨号连接

查看已建立连接的VPN会话信息(本地用户)

在活动目录中新建一个账户并设置拨入的网络接入权限为通过NPS网络策略控制

修改RRAS主机的安全标签页设置

重启RRAS服务

修改客户机PC的VPN连接账户为活动目录中新增用户账户

进行拨号连接

查看已建立连接的VPN会话信息(域用户)

 

3月 022020
 

安装向导欢迎页面

选择要安装的组件

同意最终用户许可协议

重要声明

选择安装目录

准备安装

安装进行中

完成安装并启动服务器管理器

选择要连接的服务器并点击连接

首次连接设置管理员密码

提示管理员密码设置成功

关闭弹出的简单设置窗口

选择是否设置开启IPsec功能

在管理器主界面进入VPN Gate设置

选择启用VPN Gate中继服务并加入研究志愿者队伍

VPN Gate服务设置选项界面

请勿在禁止使用VPN通信技术的国家使用VPN Gate服务

在管理器主界面进入动态域名设置

查看或修改该服务器的动态域名

在管理器主界面查看当前的动态域名解析主机名

查看当前已连接客户端会话信息

2月 012020
 

自签根证书导入客户端计算机

正确的自签CA证书导入路径(证书-本地计算机-受信任的根证书颁发机构)

查看已导入的CA证书详情

错误的自签CA证书导入路径(证书-当前用户-受信任的根证书颁发机构)

证书导入位置错误时的连接错误提示:IKE身份验证凭证不可接受

拨号连接属性设置详情

常规选项卡

安全选项卡

网络选项卡

建立连接后的状态信息

2月 012020
 

安装EPEL仓库源

[root@host1 ~]# yum -y install epel-release

更新缓存并安装StrongSwan及net-tools工具

[root@host1 ~]# yum makecache
[root@host1 ~]# yum -y install strongswan net-tools

查看StrongSwan版本信息

[root@host1 ~]# yum info strongswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * epel: mirror.lax.genesisadaptive.com
 * extras: mirror.hostduplex.com
 * updates: repos-lax.psychz.net
Installed Packages
Name        : strongswan
Arch        : x86_64
Version     : 5.7.2
Release     : 1.el7
Size        : 4.0 M
Repo        : installed
From repo   : epel
Summary     : An OpenSource IPsec-based VPN and TNC solution
URL         : http://www.strongswan.org/
License     : GPLv2+
Description : The strongSwan IPsec implementation supports both the IKEv1 and
            : IKEv2 key exchange protocols in conjunction with the native NETKEY
            : IPsec stack of the Linux kernel.

[root@host1 ~]#

准备证书生成脚本

服务器证书脚本

[root@host1 ipsec.d]# cat server_key.sh
#!/bin/bash
if [ $1 ];      then
        CN=$1
        echo "generating keys for $CN ..."
else
        echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys"
        exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem
echo 'CA certs at cacerts/strongswanCert.pem'
strongswan pki --print --in cacerts/strongswanCert.pem

sleep 1
echo "generating server keys ..."
strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \
        --san $CN \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnHostCert.pem
echo "vpn server cert at certs/vpnHostCert.pem"
strongswan pki --print --in certs/vpnHostCert.pem
[root@host1 ipsec.d]#

客户端证书脚本

[root@host1 ipsec.d]# cat client_key.sh
#!/bin/bash
info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys"

if [ $1 ];      then
        if [ $2 ]; then
                NAME=$1
                MAIL=$2
                echo "generating keys for $NAME $MAIL ..."
        else
                echo -e $info
                exit 1
        fi
else
        echo -e $info
        exit 1
fi

mkdir -p private && mkdir -p cacerts && mkdir -p certs

keyfile="private/"$NAME"Key.pem"

certfile="certs/"$NAME"Cert.pem"

p12file=$NAME".p12"

strongswan pki --gen --type rsa --size 2048 \
        --outform pem \
        > $keyfile

strongswan pki --pub --in $keyfile --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \
        --san $MAIL \
        --outform pem > $certfile

strongswan pki --print --in $certfile

echo "Enter password to protect p12 cert for $NAME"
openssl pkcs12 -export -inkey $keyfile \
        -in $certfile -name "$NAME's VPN Certificate" \
        -certfile cacerts/strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out $p12file

if [ $? -eq 0 ]; then
        echo "cert for $NAME at $p12file"
fi
[root@host1 ipsec.d]#

生成服务器证书

[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133
generating keys for 144.202.116.133 ...
CA certs at cacerts/strongswanCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:11 2020, ok
             not after  Jan 29 02:02:11 2030, ok (expires in 3650 days)
  serial:    1d:40:6a:e0:af:56:64:33
  flags:     CA CRLSign self-signed
  subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  pubkey:    RSA 4096 bits
  keyid:     7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2
  subjkey:   91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
generating server keys ...
vpn server cert at certs/vpnHostCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:13 2020, ok
             not after  Jan 31 02:02:13 2022, ok (expires in 730 days)
  serial:    1d:ff:d1:51:97:c9:46:72
  altNames:  144.202.116.133
  flags:     serverAuth ikeIntermediate
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
  pubkey:    RSA 2048 bits
  keyid:     15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2
  subjkey:   c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
[root@host1 ipsec.d]#

生成客户端证书并为密钥对设置密码

[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com
generating keys for harveymei harvey.mei@msn.com ...
  subject:  "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:03:46 2020, ok
             not after  Jan 31 02:03:46 2022, ok (expires in 730 days)
  serial:    60:f7:02:c5:33:21:3a:13
  altNames:  harvey.mei@msn.com
  flags:
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
  pubkey:    RSA 2048 bits
  keyid:     1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe
  subjkey:   ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
Enter password to protect p12 cert for harveymei
Enter Export Password:
Verifying - Enter Export Password:
cert for harveymei at harveymei.p12
[root@host1 ipsec.d]#

复制客户端需要用到的证书

修改配置文件

修改ipsec.conf配置文件

初始配置文件

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=HK, O=Linux strongSwan CN=peer name"
#      auto=start

修改为

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

修改strongswan.conf配置文件

初始配置文件

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

修改为

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

语法变化/错误的处理

Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]
charon {
    load_modular = yes
    duplicheck{
	enable = no
	}
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

修改ipsec.secrets配置文件(账号密码)

初始配置文件

# ipsec.secrets - strongSwan IPsec secrets file

修改为

# ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
harveymei %any : EAP "harvey#pwd2020"
harveymei %any : XAUTH "harvey#pwd2020"

开启内核及防火墙包转发设置

内核

[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@host1 strongswan]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@host1 strongswan]#

防火墙

[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]# firewall-cmd --permanent --add-service=ipsec
success
[root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp
success
[root@host1 ~]# firewall-cmd --permanent --add-masquerade
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ipsec ssh
ports: 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]#

启动服务

[root@host1 ~]# systemctl enable strongswan
Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.
[root@host1 ~]# systemctl start strongswan

查看端口监听

1月 312020
 

n2n两种节点类型的命令参数参考

[root@host1 ~]# /usr/local/n2n/sbin/supernode --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

supernode <config file> (see supernode.conf)
or
supernode -l <lport> -c <path> [-v]

-l <lport> Set UDP main listen port to <lport>
-c <path> File containing the allowed communities.
-v Increase verbosity. Can be used multiple times.
-h This help message.

[root@host1 ~]#

 

[root@host1 ~]# /usr/local/n2n/sbin/edge --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

edge <config file> (see edge.conf)
or
edge -d <tun device> -a [static:|dhcp:]<tun IP address> -c <community> [-k <encrypt key>]
[-s <netmask>] [-u <uid> -g <gid>][-f][-T <tos>][-m <MAC address>] -l <supernode host:port>
[-p <local port>] [-M <mtu>] [-D] [-r] [-E] [-v] [-i <reg_interval>] [-L <reg_ttl>] [-t <mgmt port>] [-A] [-h]

-d <tun device> | tun device name
-a <mode:address> | Set interface address. For DHCP use '-r -a dhcp:0.0.0.0'
-c <community> | n2n community name the edge belongs to.
-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>.
-s <netmask> | Edge interface netmask in dotted decimal notation (255.255.255.0).
-l <supernode host:port> | Supernode IP:port
-i <reg_interval> | Registration interval, for NAT hole punching (default 20 seconds)
-L <reg_ttl> | TTL for registration packet when UDP NAT hole punching through supernode (default 0 for not set )
-p <local port> | Fixed local UDP port.
-u <UID> | User ID (numeric) to use when privileges are dropped.
-g <GID> | Group ID (numeric) to use when privileges are dropped.
-f | Do not fork and run as a daemon; rather run in foreground.
-m <MAC address> | Fix MAC address for the TAP interface (otherwise it may be random)
| eg. -m 01:02:03:04:05:06
-M <mtu> | Specify n2n MTU of edge interface (default 1290).
-D | Enable PMTU discovery. PMTU discovery can reduce fragmentation but
| causes connections stall when not properly supported.
-r | Enable packet forwarding through n2n community.
-E | Accept multicast MAC addresses (default=drop).
-S | Do not connect P2P. Always use the supernode.
-T <tos> | TOS for packets (e.g. 0x48 for SSH like priority)
-v | Make more verbose. Repeat as required.
-t <port> | Management UDP Port (for multiple edges on a machine).

Environment variables:
N2N_KEY | Encryption key (ASCII). Not with -k.
[root@host1 ~]#
1月 312020
 

在三台主机上分别安装n2n并进行配置

host1:supernode/edge(192.168.172.1)
host2:edge(192.168.172.2)
host3:edge(192.168.172.3)
Community:linuxcache
Pre-Shared Key:5tgb6yhn7ujm

禁用防火墙

[root@host1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@host1 ~]# systemctl stop firewalld
[root@host1 ~]#

安装工具

[root@host1 ~]# yum -y install git gcc automake

下载源代码

https://github.com/ntop/n2n.git

[root@host1 ~]# git clone https://github.com/ntop/n2n.git
Cloning into 'n2n'...
remote: Enumerating objects: 1572, done.
remote: Total 1572 (delta 0), reused 0 (delta 0), pack-reused 1572
Receiving objects: 100% (1572/1572), 970.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (858/858), done.
[root@host1 ~]#

编译安装

[root@host1 ~]# cd n2n/
[root@host1 n2n]# ./autogen.sh
[root@host1 n2n]# ./configure
[root@host1 n2n]# make
[root@host1 n2n]# make PREFIX=/usr/local/n2n/ install

配置host1节点supernode服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_supernode.service
[Unit]
Description=n2n supernode
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/supernode -l 1200

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_supernode
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_supernode.service to /usr/lib/systemd/system/n2n_supernode.service.
[root@host1 ~]# systemctl start n2n_supernode
[root@host1 ~]#

配置host1节点edge服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target n2n_supernode.service

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l localhost:1200 -c linuxcache -a 192.168.172.1 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host1 ~]# systemctl start n2n_edge
[root@host1 ~]#

查看host1接口信息

[root@host1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1e brd ff:ff:ff:ff:ff:ff
inet 144.202.116.133/23 brd 144.202.117.255 scope global dynamic eth0
valid_lft 84884sec preferred_lft 84884sec
inet6 fe80::5400:2ff:fe83:721e/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether de:23:7d:c9:85:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.1/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::dc23:7dff:fec9:85e0/64 scope link
valid_lft forever preferred_lft forever
[root@host1 ~]#

配置host2节点edge服务脚本

[root@host2 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.2 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host2 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host2 ~]# systemctl start n2n_edge
[root@host2 ~]#

查看host2接口信息

[root@host2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1f brd ff:ff:ff:ff:ff:ff
inet 149.28.93.246/23 brd 149.28.93.255 scope global dynamic eth0
valid_lft 78885sec preferred_lft 78885sec
inet6 fe80::5400:2ff:fe83:721f/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether ae:04:8c:77:da:be brd ff:ff:ff:ff:ff:ff
inet 192.168.172.2/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::ac04:8cff:fe77:dabe/64 scope link
valid_lft forever preferred_lft forever
[root@host2 ~]#

检测节点连通性(在host2主机上)

[root@host2 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=0.877 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=0.733 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=0.844 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=0.958 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.733/0.853/0.958/0.080 ms
[root@host2 ~]#

配置host3节点edge服务脚本

[root@host3 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.3 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host3 n2n]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host3 n2n]# systemctl start n2n_edge
[root@host3 n2n]#

查看host3接口信息

[root@host3 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:80:03 brd ff:ff:ff:ff:ff:ff
inet 45.32.224.80/22 brd 45.32.227.255 scope global dynamic eth0
valid_lft 78416sec preferred_lft 78416sec
inet6 fe80::5400:2ff:fe83:8003/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether d2:31:7d:96:46:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.3/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::d031:7dff:fe96:4641/64 scope link
valid_lft forever preferred_lft forever
[root@host3 ~]#

检测节点连通性(在host3主机上)

[root@host3 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=59.0 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=25.9 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=27.2 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/34.564/59.058/14.150 ms
[root@host3 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=52.1 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=25.9 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/32.542/52.115/11.301 ms
[root@host3 ~]#

检测节点连通性(在host1主机上)

[root@host1 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=0.666 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=0.840 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=0.921 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.666/0.964/1.432/0.287 ms
[root@host1 ~]# ping -c 4 192.168.172.3
PING 192.168.172.3 (192.168.172.3) 56(84) bytes of data.
64 bytes from 192.168.172.3: icmp_seq=1 ttl=64 time=33.4 ms
64 bytes from 192.168.172.3: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.3: icmp_seq=3 ttl=64 time=26.3 ms
64 bytes from 192.168.172.3: icmp_seq=4 ttl=64 time=25.8 ms

--- 192.168.172.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 25.859/27.923/33.456/3.202 ms
[root@host1 ~]#
1月 302020
 

安装Cisco AnyConnect Secure Mobility Client客户端程序

准备导入由自签CA签发的用户证书(含私钥)文件

证书导入向导(存储位置:当前用户)

确认导入证书文件的文件路径

输入为证书文件设置的密码

使用默认的证书存储位置

确认证书导入信息,并点击完成

证书导入成功

在证书管理(用户证书)中查看已导入的用户证书信息

在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮

正在建立连接的状态

连接建立成功,系统提示已连接至服务器端

客户端处于连接状态

1月 292020
 

基于OpenVPN使用预共享密钥加密的点到点VPN解决方案

安装依赖库EPEL及net-tools工具

[root@host1 ~]# yum -y install epel-release.noarch net-tools

[root@host2 ~]# yum -y install epel-release.noarch net-tools

安装openvpn软件包

[root@host1 ~]# yum -y install openvpn

[root@host2 ~]# yum -y install openvpn

配置防火墙,在两台主机开放UDP8443端口作为专用通信端口

[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]#

[root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host2 ~]# firewall-cmd --reload
success
[root@host2 ~]#

生成host1配置文件

[root@host1 ~]# vi /etc/openvpn/host1.conf
proto udp
mode p2p
remote 149.28.93.246
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.1 172.16.100.2
secret /etc/openvpn/p2p.key

生成预共享密钥文件并复制到host2主机相应目录

[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key
[root@host1 ~]# cat /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----
[root@host1 ~]#

生成host2配置文件

[root@host2 ~]# vi /etc/openvpn/hosts2.conf
proto udp
mode p2p
remote 144.202.116.133
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.2 172.16.100.1
secret /etc/openvpn/p2p.key

[root@host2 ~]# vi /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----

启动host1上的OpenVPN服务并加载指定配置文件

[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf &
[1] 1913
[root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host1 ~]# cat nohup.out
Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2
Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443
Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443
[root@host1 ~]#

查看host1接口信息及端口监听信息

启动host2上的OpenVPN服务并加载指定配置文件

[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf &
[1] 1741
[root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host2 ~]# cat nohup.out
Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible
Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1
Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443
Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443
[root@host2 ~]#

查看host2接口信息及端口监听信息


在两台主机上分别ping对端隧道IP地址

1月 222020
 

使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书

启用内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

安装ocserv服务包及Let’s Encrypt工具包

[root@ocserv ~]# yum -y install ocserv certbot

使用certbot生成的服务器证书和密钥路径

/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
/etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改ocserv服务端配置

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改认证类型为证书认证

auth = "certificate"

修改服务器证书配置

server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改用户端证书身份识别

#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

启用压缩

compression = true
no-compress-limit = 256

设置客户端IPv4地址池

ipv4-network = 192.168.172.0
ipv4-netmask = 255.255.255.0

设置DNS

dns = 8.8.8.8
dns = 8.8.4.4

启动服务

[root@ocserv ~]# systemctl start ocserv

安装Apache服务器,为用户证书提供下载服务

[root@ocserv ~]# yum -y install httpd

修改Apache主配置文件并启动服务

[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf

修改主机名

ServerName ocserv.bcoc.site

修改服务监听端口

#Listen 80
Listen 8080

检查配置并启动服务

[root@ocserv ~]# apachectl -t
Syntax OK
[root@ocserv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ocserv ~]# systemctl start httpd
[root@ocserv ~]#

查看监听

使用浏览器访问服务器端口确认证书状态

生成自签CA证书

[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >ca.tmpl
> cn = "BCOC CA"
> organization = "BCOC"
> serial = 1
> expiration_days = -1
> ca
> signing_key
> cert_signing_key
> crl_signing_key
> _EOF_
[root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \
> --template ca.tmpl --outfile ca-cert.pem

生成自签用户证书

[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >user.tmpl
> cn = "harveymei"
> unit = "standard"
> expiration_days = 365
> signing_key
> tls_www_client
> _EOF_
[root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \
> --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
> --template user.tmpl --outfile user-cert.pem

导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)

[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate user-cert.pem \
> --outfile user.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: harveymei
Enter password:
Confirm password:
[root@ocserv ~]# ls
ca-cert.pem ca.tmpl user-key.pem user.tmpl
ca-key.pem user-cert.pem user.p12
[root@ocserv ~]#

将用户证书复制到Web Server服务器根目录下以提供证书下载

[root@ocserv ~]# cp user.p12 /var/www/html/

使用自签CA证书覆盖ocserv初始CA证书

[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt
cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y

覆盖CA证书后重新启动ocserv服务

[root@ocserv ~]# systemctl restart ocserv

 

客户端新建连接并导入用户证书

客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12

Windows 10 系统下OpenConnect GUI的设置

1月 212020
 

确认防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

开启内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

查看防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 443/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

安装EPEL软件源并更新缓存

[root@ocserv ~]# yum -y install epel-relases.noarch net-tools
[root@ocserv ~]# yum makecache

安装ocserv软件包及依赖包

[root@ocserv ~]# yum install -y ocserv

ocserv安装包文件及目录结构

[root@ocserv ~]# rpm -lq ocserv
/etc/ocserv
/etc/ocserv/ocserv.conf
/etc/pam.d/ocserv
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/systemd/system/ocserv.service
/usr/sbin/ocserv
/usr/sbin/ocserv-genkey
/usr/share/doc/ocserv-0.12.6
/usr/share/doc/ocserv-0.12.6/AUTHORS
/usr/share/doc/ocserv-0.12.6/BSD-MIT
/usr/share/doc/ocserv-0.12.6/CC0
/usr/share/doc/ocserv-0.12.6/COPYING
/usr/share/doc/ocserv-0.12.6/ChangeLog
/usr/share/doc/ocserv-0.12.6/LGPL-2.1
/usr/share/doc/ocserv-0.12.6/LICENSE
/usr/share/doc/ocserv-0.12.6/NEWS
/usr/share/doc/ocserv-0.12.6/PACKAGE-LICENSING
/usr/share/doc/ocserv-0.12.6/README.md
/usr/share/doc/ocserv-0.12.6/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz
/var/lib/ocserv
/var/lib/ocserv/profile.xml
[root@ocserv ~]#

查看默认配置文件(不含已注释部分)

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "pam"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

修改配置文件

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改验证方式

#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

启用压缩

# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true

指定客户端网络配置

#ipv4-network = 192.168.1.0
ipv4-network = 172.16.192.0
#ipv4-netmask = 255.255.255.0
ipv4-netmask = 255.255.255.0

指定客户端DNS配置

#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4

查看修改后的配置文件

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 172.16.192.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

注册并启动服务

[root@ocserv ~]# systemctl enable ocserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ocserv.service to /usr/lib/systemd/system/ocserv.service.
[root@ocserv ~]# systemctl start ocserv
[root@ocserv ~]#

查看端口监听状态

[root@ocserv ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:443 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::443 :::*
[root@ocserv ~]#

生成文本格式账户配置文件并生成新用户和密码

[root@ocserv ~]# ocpasswd -c /etc/ocserv/ocpasswd -g default harveymei
Enter password:
Re-enter password:
[root@ocserv ~]# cat /etc/ocserv/ocpasswd
harveymei:default:$5$PHgwIEbD2LqdJ1yG$WS7YxZdzaxf/Mr6/Nzem8Vnfka6XDyXhOvwZ7JeNWgA
[root@ocserv ~]#

使用浏览器访问https://66.42.98.17以确认服务可用

在iPhone上配置Cisco AnyConnect客户端并连接