AnyConnect VPN Environment Deployment (2): Connecting to an AnyConnect VPN from a Linux Client

Author: 洗尽了浮华
Published 2022-03-28 15:23:47
Included in the column: 散尽浮华

Earlier posts covered deploying a Cisco AnyConnect VPN on Ubuntu, CentOS 6 and CentOS 7. This post shows how to connect to an AnyConnect VPN from a Linux client.

1) Install openconnect with yum

```
[root@FangFull-backup ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
[root@FangFull-backup ~]# rpm -ivh epel-release-latest-6.noarch.rpm
[root@FangFull-backup ~]# yum install -y openconnect
```

2) Configuration

Download the openconnect.zip package (download link: https://pan.baidu.com/s/1c2ssqyc, extraction code: qihm) and unpack openconnect.zip under /usr/local.

```
[root@test-huanqiu src]# unzip openconnect.zip
[root@test-huanqiu src]# mv openconnect /usr/local/
[root@test-huanqiu src]# chmod -R 777 /usr/local/openconnect/
[root@test-huanqiu src]# cd /usr/local/openconnect/
[root@test-huanqiu openconnect]# ls
conf  COPYING  dist  helpers  install  NEWS  README  scripts
[root@test-huanqiu openconnect]# cd conf/
[root@test-huanqiu conf]# ls
config  example.conf
[root@test-huanqiu conf]# cat config
# VPN server to connect to. This is a mandatory option
VPN_SERVER="any.wangshiboholdings.com"    # the AnyConnect VPN address
#server="116.137.17.11"

# vpnc script program to use. You can either use the one from vpnc, or use the
# ones from http://git.infradead.org/users/dwmw2/vpnc-scripts.git
SCRIPT_PROGRAM="/etc/vpnc/vpnc-script"    # this script exists once openconnect is installed

# Username to use when connecting. Leave blank if you want to input it
# interactively everytime or if it isn't relevant
USERNAME="wangshibo"    # the user name for the VPN connection

# If you do not want to type in your password everytime, this gives a file where
# your password is stored.
#PASSWORD_FILE="/etc/epfl-vpn.pass"
PASSWORD_FILE="/etc/vpnc/passwd"    # the password file for the VPN connection; it contains the password

# SHA1 SSL fingerprint of the your vpn server
SERVER_SHA1=""

# Path to SSL certificate of server (or CA having signed the server's
# certificate)
# SERVER_CERT="/etc/ssl/certs/QuoVadis_Root_CA.pem"

# Additional options that are directly passed to openconnect
ADDITIONAL_OPTS=""
```

3) Create the password file /etc/vpnc/passwd and write the user's password into it

```
[root@test-huanqiu conf]# touch /etc/vpnc/passwd
[root@test-huanqiu conf]# echo "PASSWORD" > /etc/vpnc/passwd
[root@test-huanqiu conf]# cat /etc/vpnc/passwd
PASSWORD
```

4) Create the log file for the anyconnect script; without it, connecting to anyconnect fails

```
[root@test-huanqiu conf]# touch /var/log/openconnect-script.log
```

5) Create the start script

```
[root@test-huanqiu conf]# vim /bin/vpn_start
#!/bin/sh
/usr/local/openconnect/scripts/vpn-connect /usr/local/openconnect/conf/config

[root@test-huanqiu conf]# chmod 755 /bin/vpn_start
```

6) Run the start script to bring up the VPN connection

```
[root@test-huanqiu conf]# /bin/sh /bin/vpn_start
Openconnect successfully started. Use vpn-disconnect to stop.
```

```
[root@test-huanqiu conf]# ps -ef|grep vpn
root       894     1  0 09:26 pts/0    00:00:00 /usr/sbin/openconnect --background --no-cert-check --script=/etc/vpnc/vpnc-script --user=wangshibo --passwd-on-stdin any.wangshiboholdings.com
root       898   808  0 09:26 pts/0    00:00:00 grep --color=auto vpn
```

The connection above was made through the script. You can also connect directly from the command line, using the command shown in the process listing above with the --passwd-on-stdin part removed:

```
[root@test-huanqiu conf]# /usr/sbin/openconnect --background --no-cert-check --script=/etc/vpnc/vpnc-script --user=wangshibo any.wangshiboholdings.com
POST https://any.wangshiboholdings.com/
Attempting to connect to server 13.25.24.115:443
SSL negotiation with any.wangshiboholdings.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on any.wangshiboholdings.com
XML POST enabled                 // if the VPN accounts are split into groups, a group prompt appears here, e.g. GROUP: [Golf|HuanQiu]:HuanQiu ; choose the group your account belongs to
Please enter your username and password.
Password:                        // enter the password
POST https://any.wangshiboholdings.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
RTNETLINK answers: File exists
/etc/vpnc/vpnc-script: line 228: /var/run/vpnc/resolv.conf-backup: No such file or directory
Script '/etc/vpnc/vpnc-script' returned error 1
Connected tun0 as 10.4.9.145, using SSL
Continuing in background; pid 6078
```

Check that the connection is up:

```
[root@test-huanqiu conf]# ps -ef|grep vpn
root       894     1  0 09:26 pts/0    00:00:00 /usr/sbin/openconnect --background --no-cert-check --script=/etc/vpnc/vpnc-script --user=wangshibo any.wangshiboholdings.com
root       898   808  0 09:26 pts/0    00:00:00 grep --color=auto vpn
```

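7) Create a monitoring script (running this script directly also connects to AnyConnect)

```
[root@test-huanqiu conf]# vim /root/vpn_monit.sh
#!/bin/bash
# Count running openconnect processes, excluding the grep itself
NUM=`ps -ef|grep openconnect|grep -v "grep"|wc -l`
if [ "$NUM" -eq 0 ];then
    # No openconnect process found: start the VPN again
    /bin/bash /bin/vpn_start >/dev/null 2>&1
else
    echo "It is ok"
fi
```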

8) Combine it with crontab for periodic checks

```
[root@test-huanqiu conf]# crontab -l
*/30 * * * * /bin/sh /bin/vpn_start >/dev/null 2>&1
* * * * * /bin/bash /root/vpn_monit.sh > /dev/null 2>&1
```

Here is another VPN monitoring script example that I have used:

1) First write the VPN start script

```
[root@huanqiu_web1 ~]# cat /usr/local/openconnect/vpn_start_sh
#!/bin/bash
# The here-document answers openconnect's prompts in order:
#   line 1: the group name to enter
#   line 2: the password of the VPN user (wangshibo)
/usr/sbin/openconnect --background --no-cert-check --script=/etc/vpnc/vpnc-script --user=wangshibo any.wangshiboholdings.com  << EOF
HuanQiu
xqsj@#%!!

EOF
echo "vpn is started"
```


2) Set up the crontab schedule so the check runs every 20 seconds

```
[root@fangfull_web2 ~]# crontab -l
* * * * * /bin/bash -x /usr/local/openconnect/vpn_monit.sh
* * * * * sleep 20;/bin/bash -x /usr/local/openconnect/vpn_monit.sh
* * * * * sleep 40;/bin/bash -x /usr/local/openconnect/vpn_monit.sh
```
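
A variant of the start and monitor scripts above, as an added example that is not part of the original article: it pins the gateway certificate with `--servercert` instead of passing `--no-cert-check`, feeds the password from an owner-only file rather than a here-document, and checks liveness through a pid file instead of `ps | grep`. `PID_FILE`, `SERVER_PIN` (a labelled placeholder) and the function names are assumptions; host, user, group and password file are the article's values.

```shell
#!/bin/sh
# Added example, not the article's script. Host, user, group and password file
# are the article's values; PID_FILE and SERVER_PIN are assumptions.
OPENCONNECT="${OPENCONNECT:-/usr/sbin/openconnect}"
VPN_HOST="any.wangshiboholdings.com"
VPN_USER="wangshibo"
VPN_GROUP="HuanQiu"
PASS_FILE="/etc/vpnc/passwd"
PID_FILE="/var/run/openconnect.pid"               # assumed location
SERVER_PIN="REPLACE_WITH_GATEWAY_FINGERPRINT"     # placeholder, not a real pin

# True only for a regular, non-symlink file owned by the caller with mode 600.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ "$(stat -c '%u %a' "$1")" = "$(id -u) 600" ]
}

# True only if the pid file names a live process whose command is openconnect,
# so a stale pid file or a reused pid does not count as "connected".
vpn_running() (
    pid=$(cat "$1" 2>/dev/null) || exit 1
    case "$pid" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "openconnect" ]
)

# Start the tunnel if it is down: certificate pinned with --servercert (no
# --no-cert-check), group passed with --authgroup, password read from stdin.
vpn_ensure() {
    vpn_running "$PID_FILE" && return 0
    secret_file_ok "$PASS_FILE" || {
        echo "refusing to use $PASS_FILE: want owner $(id -u), mode 600" >&2
        return 1
    }
    "$OPENCONNECT" --background "--pid-file=$PID_FILE" \
        "--servercert=$SERVER_PIN" --script=/etc/vpnc/vpnc-script \
        "--authgroup=$VPN_GROUP" "--user=$VPN_USER" \
        --passwd-on-stdin "$VPN_HOST" < "$PASS_FILE"
}

# Cron entry point: the script does nothing unless called with "ensure".
if [ "${1:-}" = "ensure" ]; then vpn_ensure; fi
```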
Originally published 2016-12-23 on the author's personal site/blog.
