Introduction
AnyConnect is a remote access solution developed by Cisco that is well-known for portability and stability. This guide explains how to install ocserv on CentOS7, which is open-source and compatible with Cisco AnyConnect, and deploy certificate verification.
Prerequisites
- A newly-created CentOS 7 server with IPv6 enabled.
- A workstation to generate private keys
- A client with AnyConnect or OpenConnect client software
If you want to use a Let's Encrypt certificate instead of a self-signed certificate, you also need a Fully-Qualified Domain Name.
Installation
Install ocserv with yum.
yum update
yum install ocservInstall certbot, which is used to create the Let's Encrypt server certificate. A domain name is required for certbot.
yum install certbot
certbot certonlyChoose "spin up a temporary Web server" to authenticate with ACME CA.
If you don't have a domain, a self-signed certificate will be issued later.
Certificate Generation
The traditional PKI is rather inconvenient to use, so you will use the easyrsa utility from the OpenVPN project. Install git on your working machine and clone the repository:
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3Build the CA and issue certificates. Record the PEM passphrase for safekeeping.
./easyrsa init-pki
./easyrsa build-caKeep pki/private/ca.key somewhere safe. Leaking that will render your whole infrastructure useless.
If you choose to use a self-signed server certificate, do the following:
./easyrsa gen-req serverAnd input your server's IP address as the common name.
./easyrsa sign-req server serverThis will sign a certificate for the server. Transfer pki/issued/server.crt and pki/ca.crt to /etc/ssl/certs and pki/private/server.key to /etc/ssl/private on your server.
Next we will create client certificates. Do the following:
./easyrsa gen-req client_01
./easyrsa sign-req client client_01Choose a name for the client and fill it into the common name field. Remember the passphrase!
Next, you will export the certificate in pkcs12 format for usage on mobile platforms. Do:
./easyrsa export-p12 client_01Choose an export password which you will be prompted to enter when importing the certificate on the phone. Transfer pki/private/client_01.p12 to your phone and import it.
Configure the Server
Edit ocserv.conf to fill in the certificate information.
vim /etc/ocserv/ocserv.confLocate server-cert section and fill in the following:
# If you use Let's Encrypt
server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem
# If you use self-signed server certificate
server-cert = /etc/ssl/certs/server.crt
server-key = /etc/ssl/private/server.key
ca-cert = /etc/ssl/certs/ca.crtNote that if you're using a self-signed certificate, remember to remove the passphrase first by openssl rsa -in server.key -out server-new.key so that ocserv can use the private key.
Locate auth section. Enable this line:
auth = "certificate"And comment out all other auth lines.
Uncomment this line:
cert-user-oid = 2.5.4.3Locate ipv6-network and fill in your server's ipv6 block to define the lease block that the server uses to assign IP addresses.
ipv6-network = 2001:0db8:0123:4567::/64
ipv6-subnet-prefix = 124Set DNS servers.
dns = 8.8.8.8
dns = 8.8.4.4Enable compatibility with Cisco clients.
cisco-client-compat = trueOpen the ports you set in tcp-port and udp-port and enable masquerade for both ipv4 and ipv6 in firewalld.
Start the server.
systemctl enable ocserv
systemctl start ocservTesting
The server has been successfully configured. Create a connection in your client and connect. If things go wrong, use this command to debug:
journalctl -fu ocservAlso, IPv6 should work on the client-side if your client software supports ipv6 even if your client's network doesn't provide you with an address. Go to this site to test.