AnyConnect is a remote access solution developed by Cisco that is well-known for portability and stability. This guide explains how to install ocserv on CentOS7, which is open-source and compatible with Cisco AnyConnect, and deploy certificate verification.
A newly-created CentOS 7 server with IPv6 enabled.
A workstation to generate private keys
A client with AnyConnect or OpenConnect client software
If you want to use a Let's Encrypt certificate instead of a self-signed certificate, you also need a Fully-Qualified Domain Name.
yum update yum install ocserv
Install certbot, which is used to create the Let's Encrypt server certificate. A domain name is required for certbot.
yum install certbot certbot certonly
Choose "spin up a temporary Web server" to authenticate with ACME CA.
If you don't have a domain, a self-signed certificate will be issued later.
The traditional PKI is rather inconvenient to use, so you will use the
easyrsa utility from the OpenVPN project. Install git on your working machine and clone the repository:
git clone https://github.com/OpenVPN/easy-rsa cd easy-rsa/easyrsa3
Build the CA and issue certificates. Record the PEM passphrase for safekeeping.
./easyrsa init-pki ./easyrsa build-ca
pki/private/ca.key somewhere safe. Leaking that will render your whole infrastructure useless.
If you choose to use a self-signed server certificate, do the following:
./easyrsa gen-req server
And input your server's IP address as the common name.
./easyrsa sign-req server server
This will sign a certificate for the server. Transfer
/etc/ssl/private on your server.
Next we will create client certificates. Do the following:
./easyrsa gen-req client_01 ./easyrsa sign-req client client_01
Choose a name for the client and fill it into the common name field. Remember the passphrase!
Next, you will export the certificate in pkcs12 format for usage on mobile platforms. Do:
./easyrsa export-p12 client_01
Choose an export password which you will be prompted to enter when importing the certificate on the phone. Transfer
pki/private/client_01.p12 to your phone and import it.
ocserv.conf to fill in the certificate information.
server-cert section and fill in the following:
# If you use Let's Encrypt server-cert = /etc/letsencrypt/live/example.com/fullchain.pem server-key = /etc/letsencrypt/live/example.com/privkey.pem # If you use self-signed server certificate server-cert = /etc/ssl/certs/server.crt server-key = /etc/ssl/private/server.key ca-cert = /etc/ssl/certs/ca.crt
Note that if you're using a self-signed certificate, remember to remove the passphrase first by
openssl rsa -in server.key -out server-new.key so that
ocserv can use the private key.
auth section. Enable this line:
auth = "certificate"
And comment out all other
Uncomment this line:
cert-user-oid = 188.8.131.52
ipv6-network and fill in your server's ipv6 block to define the lease block that the server uses to assign IP addresses.
ipv6-network = 2001:0db8:0123:4567::/64 ipv6-subnet-prefix = 124
Set DNS servers.
dns = 184.108.40.206 dns = 220.127.116.11
Enable compatibility with Cisco clients.
cisco-client-compat = true
Open the ports you set in
udp-port and enable masquerade for both ipv4 and ipv6 in firewalld.
Start the server.
systemctl enable ocserv systemctl start ocserv
The server has been successfully configured. Create a connection in your client and connect. If things go wrong, use this command to debug:
journalctl -fu ocserv
Also, IPv6 should work on the client-side if your client software supports ipv6 even if your client's network doesn't provide you with an address. Go to this site to test.