1月 302020
 

安装Cisco AnyConnect Secure Mobility Client客户端程序

准备导入由自签CA签发的用户证书(含私钥)文件

证书导入向导(存储位置:当前用户)

确认导入证书文件的文件路径

输入为证书文件设置的密码

使用默认的证书存储位置

确认证书导入信息,并点击完成

证书导入成功

在证书管理(用户证书)中查看已导入的用户证书信息

在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮

正在建立连接的状态

连接建立成功,系统提示已连接至服务器端

客户端处于连接状态

1月 222020
 

使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书

启用内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

安装ocserv服务包及Let’s Encrypt工具包

[root@ocserv ~]# yum -y install ocserv certbot

使用certbot生成的服务器证书和密钥路径

/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
/etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改ocserv服务端配置

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改认证类型为证书认证

auth = "certificate"

修改服务器证书配置

server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改用户端证书身份识别

#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

启用压缩

compression = true
no-compress-limit = 256

设置客户端IPv4地址池

ipv4-network = 192.168.172.0
ipv4-netmask = 255.255.255.0

设置DNS

dns = 8.8.8.8
dns = 8.8.4.4

启动服务

[root@ocserv ~]# systemctl start ocserv

安装Apache服务器,为用户证书提供下载服务

[root@ocserv ~]# yum -y install httpd

修改Apache主配置文件并启动服务

[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf

修改主机名

ServerName ocserv.bcoc.site

修改服务监听端口

#Listen 80
Listen 8080

检查配置并启动服务

[root@ocserv ~]# apachectl -t
Syntax OK
[root@ocserv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ocserv ~]# systemctl start httpd
[root@ocserv ~]#

查看监听

使用浏览器访问服务器端口确认证书状态

生成自签CA证书

[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >ca.tmpl
> cn = "BCOC CA"
> organization = "BCOC"
> serial = 1
> expiration_days = -1
> ca
> signing_key
> cert_signing_key
> crl_signing_key
> _EOF_
[root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \
> --template ca.tmpl --outfile ca-cert.pem

生成自签用户证书

[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >user.tmpl
> cn = "harveymei"
> unit = "standard"
> expiration_days = 365
> signing_key
> tls_www_client
> _EOF_
[root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \
> --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
> --template user.tmpl --outfile user-cert.pem

导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)

[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate user-cert.pem \
> --outfile user.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: harveymei
Enter password:
Confirm password:
[root@ocserv ~]# ls
ca-cert.pem ca.tmpl user-key.pem user.tmpl
ca-key.pem user-cert.pem user.p12
[root@ocserv ~]#

将用户证书复制到Web Server服务器根目录下以提供证书下载

[root@ocserv ~]# cp user.p12 /var/www/html/

使用自签CA证书覆盖ocserv初始CA证书

[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt
cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y

覆盖CA证书后重新启动ocserv服务

[root@ocserv ~]# systemctl restart ocserv

 

客户端新建连接并导入用户证书

客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12

Windows 10 系统下OpenConnect GUI的设置

1月 212020
 

确认防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

开启内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

查看防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 443/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

安装EPEL软件源并更新缓存

[root@ocserv ~]# yum -y install epel-relases.noarch net-tools
[root@ocserv ~]# yum makecache

安装ocserv软件包及依赖包

[root@ocserv ~]# yum install -y ocserv

ocserv安装包文件及目录结构

[root@ocserv ~]# rpm -lq ocserv
/etc/ocserv
/etc/ocserv/ocserv.conf
/etc/pam.d/ocserv
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/systemd/system/ocserv.service
/usr/sbin/ocserv
/usr/sbin/ocserv-genkey
/usr/share/doc/ocserv-0.12.6
/usr/share/doc/ocserv-0.12.6/AUTHORS
/usr/share/doc/ocserv-0.12.6/BSD-MIT
/usr/share/doc/ocserv-0.12.6/CC0
/usr/share/doc/ocserv-0.12.6/COPYING
/usr/share/doc/ocserv-0.12.6/ChangeLog
/usr/share/doc/ocserv-0.12.6/LGPL-2.1
/usr/share/doc/ocserv-0.12.6/LICENSE
/usr/share/doc/ocserv-0.12.6/NEWS
/usr/share/doc/ocserv-0.12.6/PACKAGE-LICENSING
/usr/share/doc/ocserv-0.12.6/README.md
/usr/share/doc/ocserv-0.12.6/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz
/var/lib/ocserv
/var/lib/ocserv/profile.xml
[root@ocserv ~]#

查看默认配置文件(不含已注释部分)

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "pam"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

修改配置文件

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改验证方式

#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

启用压缩

# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true

指定客户端网络配置

#ipv4-network = 192.168.1.0
ipv4-network = 172.16.192.0
#ipv4-netmask = 255.255.255.0
ipv4-netmask = 255.255.255.0

指定客户端DNS配置

#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4

查看修改后的配置文件

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 172.16.192.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

注册并启动服务

[root@ocserv ~]# systemctl enable ocserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ocserv.service to /usr/lib/systemd/system/ocserv.service.
[root@ocserv ~]# systemctl start ocserv
[root@ocserv ~]#

查看端口监听状态

[root@ocserv ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:443 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::443 :::*
[root@ocserv ~]#

生成文本格式账户配置文件并生成新用户和密码

[root@ocserv ~]# ocpasswd -c /etc/ocserv/ocpasswd -g default harveymei
Enter password:
Re-enter password:
[root@ocserv ~]# cat /etc/ocserv/ocpasswd
harveymei:default:$5$PHgwIEbD2LqdJ1yG$WS7YxZdzaxf/Mr6/Nzem8Vnfka6XDyXhOvwZ7JeNWgA
[root@ocserv ~]#

使用浏览器访问https://66.42.98.17以确认服务可用

在iPhone上配置Cisco AnyConnect客户端并连接

12月 312013
 

添加用户

ciscoasa(config)# username admin password admin privilege 15

开启本地用户数据库验证

ciscoasa(config)# aaa authorization command LOCAL

取消后,直接使用管理密码验证登录(cisco)
添加后,使用虚拟用户帐户验证登录

ciscoasa(config)# aaa authentication ssh console LOCAL

asa-5505-ssh-telnet-enable-01 asa-5505-ssh-telnet-enable-02

生成服务密钥

ciscoasa(config)# crypto key generate rsa modulus 1024
 INFO: The name for the keys will be: <Default-RSA-Key>
 Keypair generation process begin. Please wait...
ciscoasa(config)#

开启内网及外网所有网段的SSH服务

ciscoasa(config)# ssh 192.168.15.0 255.255.255.0 inside
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# telnet 0 0 inside

指定SSH服务版本

ciscoasa(config)# ssh version 2

开启内网指定网段的Telnet服务

ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 192.168.15.0 255.255.255.0 inside

设置时区,时间并查看当前系统时间

ciscoasa(config)# clock timezone HKST 8
ciscoasa(config)# clock set 18:45:40 9 Jan 2014
ciscoasa(config)# sh clock
18:46:00.019 HKST Thu Jan 9 2014
12月 232013
 

清除配置

5505-1(config)# write erase
Erase configuration in flash memory? [confirm]

重启

5505-1# reload
Proceed with reload? [confirm]

提示是否进行预配置

Pre-configure Firewall now through interactive prompts [yes]? no
Type help or ‘?’ for a list of available commands.
ciscoasa> ?

clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
no Negate a command or set its defaults
ping Send echo messages
quit Exit from the EXEC
show Show running system information
traceroute Trace route to destination

进入特权模式(密码为空)查看初始配置信息

ciscoasa> en
 Password:
 ciscoasa# show run
 : Saved
 :
 ASA Version 8.4(2)
 !
 hostname ciscoasa
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd 2KFQnbNIdI.2KYOU encrypted
 names
 !
 interface Ethernet0/0
 shutdown
 !
 interface Ethernet0/1
 shutdown
 !
 interface Ethernet0/2
 shutdown
 !
 interface Ethernet0/3
 shutdown
 !
 interface Ethernet0/4
 shutdown
 !
 interface Ethernet0/5
 shutdown
 !
 interface Ethernet0/6
 shutdown
 !
 interface Ethernet0/7
 shutdown
 !
 interface Vlan1
 no nameif
 no security-level
 no ip address
 !
 ftp mode passive
 pager lines 24
 no failover
 icmp unreachable rate-limit 1 burst-size 1
 no asdm history enable
 arp timeout 14400
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 timeout floating-conn 0:00:00
 dynamic-access-policy-record DfltAccessPolicy
 user-identity default-domain LOCAL
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 telnet timeout 5
 ssh timeout 5
 console timeout 0
threat-detection basic-threat
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 !
 policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect ip-options
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
 !
 service-policy global_policy global
 prompt hostname context
 call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/De
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
 Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
 : end
 ciscoasa#

 

3月 272013
 

Postfix日志(/var/log/maillog)显示有关防火墙设置的信息

 Mar 27 12:05:02 pfx postfix/smtp[7463]: AF67B212CA6: enabling PIX workarounds: 
 disable_esmtp delay_dotcrlf for mx1.hotmail.com[65.55.37.104]:25 

使用Telnet从本地LAN网络或本机连接服务器25端口时显示的正常信息

220 pfx.sample.com ESMTP Postfix (2.8.14)
EHLO test.sample.com
250-pfx.sample.om
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Continue reading »