V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
zpljd
V2EX  ›  问与答

让你的 anyconnect 自签证书不再提示不信任服务器!另外请教几个问题

  •  
  •   zpljd · 2015-06-11 22:54:52 +08:00 · 10709 次点击
    这是一个创建于 3471 天前的主题,其中的信息可能已经有所发展或是发生改变。
    折腾的时候突然发现使用自签证书可以不再提示"不信任服务器"
    诀窍在于当弹出这个窗口的时候,点击"详情",此时会提示证书详情页.看右上角有个"导入"
    点击它.就这么简单.从此登陆只要点击一下开启就可以连接到anyconnect,不再需要折腾证书啦~
    ---------------------------------------------------------------
    另外小弟想问一下.如何解决速度卡顿的问题,这边附上自己的配置文件内容

    使用这个路由表的时候自己的app中就发现QQ发消息出现明显延迟或者重复接收到好友消息推送(两次推送)
    Facebook客户端中速度倒是还可以 但是YouTube基本不能用.360P都吃力
    app store更新或者下载的时候走的还是境外流量.求大神指点迷津
    10 条回复    2015-06-18 21:40:27 +08:00
    zpljd
        1
    zpljd  
    OP
       2015-06-11 22:55:19 +08:00
    # User authentication method. Could be set multiple times and in
    # that case all should succeed. To enable multiple methods use
    # multiple auth directives. Available options: certificate,
    # plain, pam, radius, gssapi.
    #
    # Note that authentication methods cannot be changed with reload.

    # certificate:
    # This indicates that all connecting users must present a certificate.
    #
    # pam[gid-min=1000]:
    # This enabled PAM authentication of the user. The gid-min option is used
    # by auto-select-group option, in order to select the minimum valid group ID.
    #
    # plain[passwd=/etc/ocserv/ocpasswd]
    # The plain option requires specifying a password file which contains
    # entries of the following format.
    # "username:groupname1,groupname2:encoded-password"
    # One entry must be listed per line, and 'ocpasswd' should be used
    # to generate password entries.
    #
    # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
    # The radius option requires specifying freeradius-client configuration
    # file. If the groupconfig option is set, then config-per-user will be overriden,
    # and all configuration will be read from radius. The supported atributes for
    # radius configuration are:
    # Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
    # Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
    #
    # gssapi[keytab=/etc/key.tab,require-local-user-map=false]
    # The gssapi option allows to use authentication methods supported by GSSAPI,
    # such as Kerberos tickets with ocserv. It should be best used as an alternative
    # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
    # tickets and without tickets to login. The default value for require-local-user-map
    # is true.

    #auth = "pam"
    #auth = "pam[gid-min=1000]"
    #auth = "plain[passwd=/etc/ocserv/ocpasswd]"
    auth = "certificate"
    #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

    # Specify alternative authentication methods that are sufficient
    # for authentication. That is, if set, any of the methods enabled
    # will be sufficient to login.
    #enable-auth = certificate
    #enable-auth = gssapi
    #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]"

    # Accounting methods available:
    # pam: can only be combined with PAM authentication method, it provides
    # a session opened using PAM.
    #
    # radius: can be combined with any authentication method, it provides
    # radius accounting to available users (see also stats-report-time).
    #
    # Only one accounting method can be specified.
    #acct = "pam"
    #acct = "radius[config=/etc/radiusclient/radiusclient.conf]"

    # Use listen-host to limit to specific IPs or to the IPs of a provided
    # hostname.
    #listen-host = [IP|HOSTNAME]

    # When the server has a dynamic DNS address (that may change),
    # should set that to true to ask the client to resolve again on
    # reconnects.
    #listen-host-is-dyndns = true
    zpljd
        2
    zpljd  
    OP
       2015-06-11 22:55:54 +08:00
    # TCP and UDP port number
    tcp-port = 999
    #udp-port = 1999

    # Accept connections using a socket file. It accepts HTTP
    # connections (i.e., without SSL/TLS unlike its TCP counterpart),
    # and uses it as the primary channel. That option cannot be
    # combined with certificate authentication.
    #listen-clear-file = /var/run/ocserv-conn.socket

    # The user the worker processes will be run as. It should be
    # unique (no other services run as this user).
    run-as-user = nobody
    run-as-group = nogroup

    # socket file used for IPC with occtl. You only need to set that,
    # if you use more than a single servers.
    #occtl-socket-file = /var/run/occtl.socket

    # socket file used for server IPC (worker-main), will be appended with .PID
    # It must be accessible within the chroot environment (if any), so it is best
    # specified relatively to the chroot directory.
    socket-file = /var/run/ocserv-socket

    # The default server directory. Does not require any devices present.
    #chroot-dir = /path/to/chroot


    ### All configuration options below this line are reloaded on a SIGHUP.
    ### The options above, will remain unchanged.

    # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
    # system calls allowed to a worker process, in order to reduce damage from a
    # bug in the worker process. It is available on Linux systems at a performance cost.
    # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
    isolate-workers = false

    # A banner to be displayed on clients
    #banner = "Welcome"

    # Limit the number of clients. Unset or set to zero for unlimited.
    #max-clients = 1024
    max-clients = 160

    # Limit the number of identical clients (i.e., users connecting
    # multiple times). Unset or set to zero for unlimited.
    max-same-clients = 0

    # When the server has a dynamic DNS address (that may change),
    # should set that to true to ask the client to resolve again on
    # reconnects.
    #listen-host-is-dyndns = true

    # Limit the number of client connections to one every X milliseconds
    # (X is the provided value). Set to zero for no limit.
    #rate-limit-ms = 100

    # Stats report time. The number of seconds after which each
    # worker process will report its usage statistics (number of
    # bytes transferred etc). This is useful when accounting like
    # radius is in use.
    #stats-report-time = 360

    # Keepalive in seconds
    keepalive = 32400

    # Dead peer detection in seconds.
    # Note that when the client is behind a NAT this value
    # needs to be short enough to prevent the NAT disassociating
    # his UDP session from the port number. Otherwise the client
    # could have his UDP connection stalled, for several minutes.
    dpd = 120

    # Dead peer detection for mobile clients. That needs to
    # be higher to prevent such clients being awaken too
    # often by the DPD messages, and save battery.
    # The mobile clients are distinguished from the header
    # 'X-AnyConnect-Identifier-DeviceType'.
    mobile-dpd = 1200

    # MTU discovery (DPD must be enabled)
    try-mtu-discovery = true

    # The key and the certificates of the server
    # The key may be a file, or any URL supported by GnuTLS (e.g.,
    # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
    # or pkcs11:object=my-vpn-key;object-type=private)
    #
    # The server-cert file may contain a single certificate, or
    # a sorted certificate chain.
    #
    # There may be multiple server-cert and server-key directives,
    # but each key should correspond to the preceding certificate.
    server-cert = /etc/ocserv/server-cert.pem
    server-key = /etc/ocserv/server-key.pem

    # Diffie-Hellman parameters. Only needed if you require support
    # for the DHE ciphersuites (by default this server supports ECDHE).
    # Can be generated using:
    # certtool --generate-dh-params --outfile /path/to/dh.pem
    dh-params = /etc/ocserv/dh.pem

    # If you have a certificate from a CA that provides an OCSP
    # service you may provide a fresh OCSP status response within
    # the TLS handshake. That will prevent the client from connecting
    # independently on the OCSP server.
    # You can update this response periodically using:
    # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
    # Make sure that you replace the following file in an atomic way.
    #ocsp-response = /path/to/ocsp.der

    # In case PKCS #11 or TPM keys are used the PINs should be available
    # in files. The srk-pin-file is applicable to TPM keys only, and is the
    # storage root key.
    #pin-file = /path/to/pin.txt
    #srk-pin-file = /path/to/srkpin.txt

    # The Certificate Authority that will be used to verify
    # client certificates (public keys) if certificate authentication
    # is set.
    ca-cert = /etc/ocserv/ca-cert.pem

    # The object identifier that will be used to read the user ID in the client
    # certificate. The object identifier should be part of the certificate's DN
    # Useful OIDs are:
    # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
    cert-user-oid = 2.5.4.3

    # The object identifier that will be used to read the user group in the
    # client certificate. The object identifier should be part of the certificate's
    # DN. Useful OIDs are:
    # OU (organizational unit) = 2.5.4.11
    #cert-group-oid = 2.5.4.11

    # The revocation list of the certificates issued by the 'ca-cert' above.
    # See the manual to generate an empty CRL initially.
    crl = /etc/ocserv/crl.pem

    # Uncomment this to enable compression negotiation (LZS, LZ4).
    # compression = true

    # Set the minimum size under which a packet will not be compressed.
    # That is to allow low-latency for VoIP packets. The default size
    # is 256 bytes. Modify it if the clients typically use compression
    # as well of VoIP with codecs that exceed the default value.
    #no-compress-limit = 256

    # GnuTLS priority string; note that SSL 3.0 is disabled by default
    # as there are no openconnect (and possibly anyconnect clients) using
    # that protocol. The string below does not enforce perfect forward
    # secrecy, in order to be compatible with legacy clients.
    #
    # Note that the most performant ciphersuites are the moment are the ones
    # involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
    # in addition require no padding, thus taking full advantage of the MTU.
    # For that to be taken advantage of, the openconnect client must be
    # used, and the server must be compiled against GnuTLS 3.2.7 or later.
    # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
    # difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
    # in your system.

    tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

    # More combinations in priority strings are available, check
    # http://gnutls.org/manual/html_node/Priority-Strings.html
    # E.g., the string below enforces perfect forward secrecy (PFS)
    # on the main channel.
    #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

    # The time (in seconds) that a client is allowed to stay connected prior
    # to authentication
    auth-timeout = 40

    # The time (in seconds) that a client is allowed to stay idle (no traffic)
    # before being disconnected. Unset to disable.
    idle-timeout = 1200

    # The time (in seconds) that a mobile client is allowed to stay idle (no
    # traffic) before being disconnected. Unset to disable.
    mobile-idle-timeout = 2400

    # The time (in seconds) that a client is not allowed to reconnect after
    # a failed authentication attempt.
    #min-reauth-time = 300

    # Banning clients in ocserv works with a point system. IP addresses
    # that get a score over that configured number are banned for
    # min-reauth-time seconds. By default a wrong password attempt is 10 points,
    # a KKDCP POST is 1 point, and a connection is 1 point. Note that
    # due to difference processes being involved the count of points
    # will not be real-time precise.
    #
    # Score banning cannot be reliably used when receiving proxied connections
    # locally from an HTTP server (i.e., when listen-clear-file is used).
    #
    # Set to zero to disable.
    #max-ban-score = 50

    # The time (in seconds) that all score kept for a client is reset.
    #ban-reset-time = 300

    # In case you'd like to change the default points.
    #ban-points-wrong-password = 10
    #ban-points-connection = 1
    #ban-points-kkdcp = 1

    # Cookie timeout (in seconds)
    # Once a client is authenticated he's provided a cookie with
    # which he can reconnect. That cookie will be invalided if not
    # used within this timeout value. On a user disconnection, that
    # cookie will also be active for this time amount prior to be
    # invalid. That should allow a reasonable amount of time for roaming
    # between different networks.
    cookie-timeout = 86400

    # Whether roaming is allowed, i.e., if true a cookie is
    # restricted to a single IP address and cannot be re-used
    # from a different IP.
    deny-roaming = false

    # ReKey time (in seconds)
    # ocserv will ask the client to refresh keys periodically once
    # this amount of seconds is elapsed. Set to zero to disable.
    rekey-time = 172800

    # ReKey method
    # Valid options: ssl, new-tunnel
    # ssl: Will perform an efficient rehandshake on the channel allowing
    # a seamless connection during rekey.
    # new-tunnel: Will instruct the client to discard and re-establish the channel.
    # Use this option only if the connecting clients have issues with the ssl
    # option.
    rekey-method = ssl

    # Script to call when a client connects and obtains an IP.
    # The following parameters are passed on the environment.
    # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
    # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
    # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
    # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
    # assigned), IPV6_REMOVE (the IPv6 remote address), and
    # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
    zpljd
        3
    zpljd  
    OP
       2015-06-11 22:56:16 +08:00
    # The disconnect script will receive the additional values: STATS_BYTES_IN,
    # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
    # output from the tun device, and the duration of the session in seconds.

    #connect-script = /etc/ocserv/myscript
    #disconnect-script = /etc/ocserv/myscript

    # UTMP
    # Register the connected clients to utmp. This will allow viewing
    # the connected clients using the command 'who'.
    use-utmp = true

    # Whether to enable support for the occtl tool (i.e., either through D-BUS,
    # or via a unix socket).
    use-occtl = true

    # PID file. It can be overriden in the command line.
    pid-file = /var/run/ocserv.pid

    # Set the protocol-defined priority (SO_PRIORITY) for packets to
    # be sent. That is a number from 0 to 6 with 0 being the lowest
    # priority. Alternatively this can be used to set the IP Type-
    # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
    # This can be set per user/group or globally.
    #net-priority = 3

    # Set the VPN worker process into a specific cgroup. This is Linux
    # specific and can be set per user/group or globally.
    #cgroup = "cpuset,cpu:test"

    #
    # Network settings
    #

    # The name to use for the tun device
    device = vpns

    # Whether the generated IPs will be predictable, i.e., IP stays the
    # same for the same user when possible.
    predictable-ips = true

    # The default domain to be advertised
    default-domain = overthewall.pw

    # The pool of addresses that leases will be given from. If the leases
    # are given via Radius, or via the explicit-ip? per-user config option then
    # these network values should contain a network with at least a single
    # address that will remain under the full control of ocserv (that is
    # to be able to assign the local part of the tun device address).
    ipv4-network = 192.168.10.0
    ipv4-netmask = 255.255.255.0

    # An alternative way of specifying the network:
    #ipv4-network = 192.168.1.0/24

    # The IPv6 subnet that leases will be given from.
    #ipv6-network = fda9:4efe:7e3b:03ea::/64

    # The advertized DNS server. Use multiple lines for
    # multiple servers.
    # dns = fc00::4be0
    dns = 8.8.4.4
    dns = 8.8.8.8

    # The NBNS server (if any)
    #nbns = 192.168.1.3

    # The domains over which the provided DNS should be used. Use
    # multiple lines for multiple domains.
    #split-dns = example.com

    # Prior to leasing any IP from the pool ping it to verify that
    # it is not in use by another (unrelated to this server) host.
    # Only set to true, if there can be occupied addresses in the
    # IP range for leases.
    ping-leases = false

    # Use this option to enforce an MTU value to the incoming
    # connections. Unset to use the default MTU of the TUN device.
    #mtu = 1420

    # Unset to enable bandwidth restrictions (in bytes/sec). The
    # setting here is global, but can also be set per user or per group.
    #rx-data-per-sec = 40000
    #tx-data-per-sec = 40000

    # The number of packets (of MTU size) that are available in
    # the output buffer. The default is low to improve latency.
    # Setting it higher will improve throughput.
    output-buffer = 23000

    # Routes to be forwarded to the client. If you need the
    # client to forward routes to the server, you may use the
    # config-per-user/group or even connect and disconnect scripts.
    #
    # To set the server as the default gateway for the client just
    # comment out all routes from the server, or use the special keyword
    # 'default'.

    #route = 10.10.10.0/255.255.255.0
    #route = 192.168.0.0/255.255.0.0
    #route = fef4:db8:1000:1001::/64

    # Subsets of the routes above that will not be routed by
    # the server.

    #no-route = 192.168.5.0/255.255.255.0
    no-route = 0.0.0.0/255.0.0.0
    no-route = 1.0.0.0/255.128.0.0
    no-route = 1.160.0.0/255.224.0.0
    no-route = 1.192.0.0/255.224.0.0
    no-route = 10.0.0.0/255.0.0.0
    no-route = 14.0.0.0/255.224.0.0
    no-route = 14.96.0.0/255.224.0.0
    no-route = 14.128.0.0/255.224.0.0
    no-route = 14.192.0.0/255.224.0.0
    no-route = 27.0.0.0/255.192.0.0
    no-route = 27.96.0.0/255.224.0.0
    no-route = 27.128.0.0/255.128.0.0
    no-route = 36.0.0.0/255.192.0.0
    no-route = 36.96.0.0/255.224.0.0
    no-route = 36.128.0.0/255.128.0.0
    no-route = 39.0.0.0/255.224.0.0
    no-route = 39.64.0.0/255.192.0.0
    no-route = 39.128.0.0/255.192.0.0
    no-route = 42.0.0.0/255.0.0.0
    no-route = 43.224.0.0/255.224.0.0
    no-route = 45.64.0.0/255.192.0.0
    no-route = 47.64.0.0/255.192.0.0
    no-route = 49.0.0.0/255.128.0.0
    no-route = 49.128.0.0/255.224.0.0
    no-route = 49.192.0.0/255.192.0.0
    no-route = 54.192.0.0/255.224.0.0
    no-route = 58.0.0.0/255.128.0.0
    no-route = 58.128.0.0/255.224.0.0
    no-route = 58.192.0.0/255.192.0.0
    no-route = 59.32.0.0/255.224.0.0
    no-route = 59.64.0.0/255.192.0.0
    no-route = 59.128.0.0/255.128.0.0
    no-route = 60.0.0.0/255.192.0.0
    no-route = 60.160.0.0/255.224.0.0
    no-route = 60.192.0.0/255.192.0.0
    no-route = 61.0.0.0/255.192.0.0
    no-route = 61.64.0.0/255.224.0.0
    no-route = 61.128.0.0/255.192.0.0
    no-route = 61.224.0.0/255.224.0.0
    no-route = 100.64.0.0/255.192.0.0
    no-route = 101.0.0.0/255.128.0.0
    no-route = 101.128.0.0/255.224.0.0
    no-route = 101.192.0.0/255.192.0.0
    no-route = 103.0.0.0/255.192.0.0
    no-route = 103.224.0.0/255.224.0.0
    no-route = 106.0.0.0/255.128.0.0
    no-route = 106.224.0.0/255.224.0.0
    no-route = 110.0.0.0/254.0.0.0
    no-route = 112.0.0.0/255.128.0.0
    no-route = 112.128.0.0/255.224.0.0
    no-route = 112.192.0.0/255.192.0.0
    no-route = 113.0.0.0/255.128.0.0
    no-route = 113.128.0.0/255.224.0.0
    no-route = 113.192.0.0/255.192.0.0
    no-route = 114.0.0.0/255.128.0.0
    no-route = 114.128.0.0/255.224.0.0
    no-route = 114.192.0.0/255.192.0.0
    no-route = 115.0.0.0/255.0.0.0
    no-route = 116.0.0.0/255.0.0.0
    no-route = 117.0.0.0/255.128.0.0
    no-route = 117.128.0.0/255.192.0.0
    no-route = 118.0.0.0/255.224.0.0
    no-route = 118.64.0.0/255.192.0.0
    no-route = 118.128.0.0/255.128.0.0
    no-route = 119.0.0.0/255.128.0.0
    no-route = 119.128.0.0/255.192.0.0
    no-route = 119.224.0.0/255.224.0.0
    no-route = 120.0.0.0/255.192.0.0
    no-route = 120.64.0.0/255.224.0.0
    no-route = 120.128.0.0/255.224.0.0
    no-route = 120.192.0.0/255.192.0.0
    no-route = 121.0.0.0/255.128.0.0
    no-route = 121.192.0.0/255.192.0.0
    no-route = 122.0.0.0/254.0.0.0
    no-route = 124.0.0.0/255.0.0.0
    no-route = 125.0.0.0/255.128.0.0
    no-route = 125.160.0.0/255.224.0.0
    no-route = 125.192.0.0/255.192.0.0
    no-route = 127.0.0.0/255.0.0.0
    no-route = 139.0.0.0/255.224.0.0
    no-route = 139.128.0.0/255.128.0.0
    no-route = 140.64.0.0/255.224.0.0
    no-route = 140.128.0.0/255.224.0.0
    no-route = 140.192.0.0/255.192.0.0
    no-route = 144.0.0.0/255.192.0.0
    no-route = 144.96.0.0/255.224.0.0
    no-route = 144.224.0.0/255.224.0.0
    no-route = 150.0.0.0/255.224.0.0
    no-route = 150.96.0.0/255.224.0.0
    no-route = 150.128.0.0/255.224.0.0
    no-route = 150.192.0.0/255.192.0.0
    no-route = 152.96.0.0/255.224.0.0
    no-route = 153.0.0.0/255.192.0.0
    no-route = 153.96.0.0/255.224.0.0
    no-route = 157.0.0.0/255.192.0.0
    no-route = 157.96.0.0/255.224.0.0
    no-route = 157.128.0.0/255.224.0.0
    no-route = 157.224.0.0/255.224.0.0
    no-route = 159.224.0.0/255.224.0.0
    no-route = 161.192.0.0/255.224.0.0
    no-route = 162.96.0.0/255.224.0.0
    no-route = 163.0.0.0/255.192.0.0
    no-route = 163.96.0.0/255.224.0.0
    no-route = 163.128.0.0/255.192.0.0
    no-route = 163.192.0.0/255.224.0.0
    no-route = 166.96.0.0/255.224.0.0
    no-route = 167.128.0.0/255.192.0.0
    no-route = 168.160.0.0/255.224.0.0
    no-route = 169.254.0.0/255.255.0.0
    no-route = 171.0.0.0/255.128.0.0
    no-route = 171.192.0.0/255.224.0.0
    no-route = 172.16.0.0/255.240.0.0
    no-route = 175.0.0.0/255.128.0.0
    no-route = 175.128.0.0/255.192.0.0
    no-route = 180.64.0.0/255.192.0.0
    no-route = 180.128.0.0/255.128.0.0
    no-route = 182.0.0.0/255.0.0.0
    no-route = 183.0.0.0/255.192.0.0
    no-route = 183.64.0.0/255.224.0.0
    no-route = 183.128.0.0/255.128.0.0
    no-route = 192.0.0.0/255.255.255.0
    no-route = 192.0.2.0/255.255.255.0
    no-route = 192.88.99.0/255.255.255.0
    no-route = 192.96.0.0/255.224.0.0
    no-route = 192.160.0.0/255.248.0.0
    no-route = 192.168.0.0/255.255.0.0
    no-route = 192.169.0.0/255.255.0.0
    no-route = 192.170.0.0/255.254.0.0
    no-route = 192.172.0.0/255.252.0.0
    no-route = 192.176.0.0/255.240.0.0
    no-route = 198.18.0.0/255.254.0.0
    no-route = 198.51.100.0/255.255.255.0
    no-route = 202.0.0.0/255.128.0.0
    no-route = 202.128.0.0/255.192.0.0
    no-route = 202.192.0.0/255.224.0.0
    no-route = 203.0.0.0/255.128.0.0
    no-route = 203.128.0.0/255.192.0.0
    no-route = 203.192.0.0/255.224.0.0
    no-route = 210.0.0.0/255.192.0.0
    no-route = 210.64.0.0/255.224.0.0
    no-route = 210.160.0.0/255.224.0.0
    no-route = 210.192.0.0/255.224.0.0
    no-route = 211.64.0.0/255.192.0.0
    no-route = 211.128.0.0/255.192.0.0
    no-route = 218.0.0.0/255.128.0.0
    no-route = 218.160.0.0/255.224.0.0
    no-route = 218.192.0.0/255.192.0.0
    no-route = 219.64.0.0/255.224.0.0
    no-route = 219.128.0.0/255.224.0.0
    no-route = 219.192.0.0/255.192.0.0
    no-route = 220.96.0.0/255.224.0.0
    no-route = 220.128.0.0/255.128.0.0
    no-route = 221.0.0.0/255.224.0.0
    no-route = 221.96.0.0/255.224.0.0
    no-route = 221.128.0.0/255.128.0.0
    no-route = 222.0.0.0/255.0.0.0
    no-route = 223.0.0.0/255.224.0.0
    no-route = 223.64.0.0/255.192.0.0
    no-route = 223.128.0.0/255.128.0.0
    no-route = 224.0.0.0/224.0.0.0

    # Groups that a client is allowed to select from.
    zpljd
        4
    zpljd  
    OP
       2015-06-11 22:56:30 +08:00
    # A client may belong in multiple groups, and in certain use-cases
    # it is needed to switch between them. For these cases the client can
    # select prior to authentication. Add multiple entries for multiple groups.
    # The group may be followed by a user-friendly name in brackets.
    #select-group = group1
    #select-group = group2[My special group]

    # The name of the (virtual) group that if selected it would assign the user
    # to its default group.
    #default-select-group = DEFAULT

    # Instead of specifying manually all the allowed groups, you may instruct
    # ocserv to scan all available groups and include the full list.
    #auto-select-group = true

    # Configuration files that will be applied per user connection or
    # per group. Each file name on these directories must match the username
    # or the groupname.
    # The options allowed in the configuration files are dns, nbns,
    # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
    # net-priority, deny-roaming, no-udp, user-profile, and cgroup.
    #
    # Note that the 'iroute' option allows to add routes on the server
    # based on a user or group. The syntax depends on the input accepted
    # by the commands route-add-cmd and route-del-cmd (see below). The no-udp
    # is a boolean option (e.g., no-udp = true), and will prevent a UDP session
    # for that specific user or group.

    #config-per-user = /etc/ocserv/config-per-user/
    #config-per-group = /etc/ocserv/config-per-group/

    # When config-per-xxx is specified and there is no group or user that
    # matches, then utilize the following configuration.
    #default-user-config = /etc/ocserv/defaults/user.conf
    #default-group-config = /etc/ocserv/defaults/group.conf

    # The system command to use to setup a route. %{R} will be replaced with the
    # route/mask and %{D} with the (tun) device.
    #
    # The following example is from linux systems. %R should be something
    # like 192.168.2.0/24 (the argument of iroute).

    #route-add-cmd = "ip route add %{R} dev %{D}"
    #route-del-cmd = "ip route delete %{R} dev %{D}"

    # This option allows to forward a proxy. The special keywords '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #proxy-url = http://example.com/
    #proxy-url = http://example.com/%{U}/

    # This option allows you to specify a URL location where a client can
    # post using MS-KKDCP, and the message will be forwarded to the provided
    # KDC server. That is a translation URL between HTTP and Kerberos.
    # In MIT kerberos you'll need to add in realms:
    # EXAMPLE.COM = {
    # kdc = https://ocserv.example.com/kerberos
    # http_anchors = FILE:/etc/ocserv-ca.pem
    # }
    # This option is available if ocserv is compiled with GSSAPI support.

    #kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
    #kkdcp = /kerberos EXAMPLE.COM [email protected]:88
    #kkdcp = /kerberos-tcp EXAMPLE.COM [email protected]:88

    #
    # The following options are for (experimental) AnyConnect client
    # compatibility.

    # This option must be set to true to support legacy CISCO clients.
    # A side effect of this option is that it will no longer be required
    # for clients to present their certificate on every connection.
    # That is they may resume a cookie without presenting a certificate
    # (when certificate authentication is used).
    cisco-client-compat = true

    # Client profile xml. A sample file exists in doc/profile.xml.
    # It is required by some of the CISCO clients.
    # This file must be accessible from inside the worker's chroot.
    #user-profile = /etc/ocserv/profile.xml

    # Binary files that may be downloaded by the CISCO client. Must
    # be within any chroot environment. Normally you don't need
    # to use this option.
    #binary-files = /path/to/binaries

    #Advanced options

    # Option to allow sending arbitrary custom headers to the client after
    # authentication and prior to VPN tunnel establishment. You shouldn't
    # need to use this option normally; if you do and you think that
    # this may help others, please send your settings and reason to
    # the openconnect mailing list. The special keywords '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #custom-header = "X-My-Header: hi there"
    geeklian
        5
    geeklian  
       2015-06-11 22:58:21 +08:00 via iPad
    申请个免费的ssl证书就好了……
    zpljd
        6
    zpljd  
    OP
       2015-06-11 23:06:20 +08:00
    @geeklian 申请证书没有自签证书简单快捷吧 直接点击一下导入就可以
    kkxxxxxxx
        7
    kkxxxxxxx  
       2015-06-12 09:03:41 +08:00
    @zpljd 自签证书只能自己用吧
    zpljd
        8
    zpljd  
    OP
       2015-06-13 13:04:47 +08:00
    @kkxxxxxxx 是的.作为个人使用也够了.省得折腾啊
    kkxxxxxxx
        9
    kkxxxxxxx  
       2015-06-15 08:29:12 +08:00
    @zpljd 要是能同时提供密码和证书就更方便管理了
    zpljd
        10
    zpljd  
    OP
       2015-06-18 21:40:27 +08:00
    @kkxxxxxxx 暂时没有发现怎么同时使用证书和密码登陆,事实上,Mac下有一个软件叫做apple configuration.这是一个可以生成"描述文件"的一个软件.
    在里面的确可以配置anyconnect,其中我发现有一个选项为"证书+密码",而我没有进行过测试,如果你有mac的话(或者虚拟机都行 只要能运行apple configuration)你可以试试是否可以进行证书+用户名方式登录.相对来讲这样还是比较靠谱的方便小范围内的分享使用.如果你有最新的进展烦请@我!谢谢
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5521 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 34ms · UTC 02:43 · PVG 10:43 · LAX 18:43 · JFK 21:43
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.