OPEN*** installation and setup guide for CentOS 5.4

I: Software packages used: open***, lzo

# wget http://swupdate.open***.net/as/open***-as-1.5.6-CentOS5.i386.rpm

# wget http://rpmforge.sw.be/redhat/el5/en/i386/rpmforge/RPMS/lzo-1.08-4.2.el5.rf.i386.rpm

II: Installation:

# rpm -ivh lzo-1.08-4.2.el5.rf.i386.rpm

# rpm -ivh open***-as-1.5.6-CentOS5.i386.rpm

III: Initial parameter configuration:

[root@jrcz-gw-01 open***]# /usr/local/open***_as/bin/o***-init

Open*** Access Server

Initial Configuration Tool

------------------------------------------------------

Open*** Access Server End User License Agreement (Open***-AS EULA)

1. Copyright Notice: Open*** Access Server License;

Copyright (c) 2009-2010 Open*** Technologies, Inc.. All rights reserved.

"Open***" is a trademark of Open*** Technologies, Inc.

2. Redistribution of Open*** Access Server binary forms and documents,

are permitted provided that redistributions of Open*** Access Server

binary forms and documents must reproduce the above copyright notice.

3. You agree not to reverse engineer, decompile, disassemble, modify, translate,

make any attempt to discover the source code of this software, or create

derivative works from this software.

4. The Open*** Access Server is bundled with other open source software

components, some of which fall under different licenses. By using

Open*** or any of the bundled components, you agree to be bound by

the conditions of the license for each respective component.

See /usr/local/open***_as/license.txt in the Access Server distribution

for more info.

5. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL

OPEN*** TECHNOLOGIES, INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED

TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Please enter 'yes' to indicate your agreement [no]: yes

Once you provide a few initial configuration settings,

Open*** Access Server can be configured by accessing

its Admin Web UI using your Web browser.

Will this be the primary Access Server node?

(enter 'no' to configure as a backup or standby node)

> Press ENTER for default [yes]:

Please specify the network interface and IP address to be

used by the Admin Web UI:

(1) all interfaces: 0.0.0.0

(2) eth1: 192.168.1.103

(3) eth0: 192.168.1.10

(4) eth0:1: 192.168.0.10

Please enter the option number from the list above (1-4).

> Press Enter for default [2]:

Please specify the port number for the Admin Web UI.

> Press ENTER for default [943]:

Please specify the TCP port number for the Open*** Daemon

> Press ENTER for default [443]:

Should client traffic be routed by default through the ***?

> Press ENTER for default [yes]:

Should RFC1918 private subnets be accessible to clients by default?

> Press ENTER for default [yes]:

To initially login to the Admin Web UI, you must use a

username and password that successfully authenticate you

with the host UNIX system (you can later modify the settings

so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as 'root' with your existing

root password or specify a different user account to use for this

purpose. If you choose to use a non-root account, you can create

a new user account or specify an existing user account.

Do you wish to login as 'root'?

> Press ENTER for default [yes]: no

> Specify the username for an existing user or for the new user account: open***

Type the password for the 'open***' account:

Confirm the password for the 'open***' account:

> Please specify your Open***-AS license key (or leave blank to specify later):

Initializing Open***...

Adding new user login...

useradd "open***"

Writing as configuration file...

Perform sa init...

Wiping any previous userdb...

Creating default profile...

Modifying default profile...

Adding new user to userdb...

Modifying new user as superuser in userdb...

Getting hostname...

Hostname: jrcz-gw-01

Preparing web certificates...

Getting web user account...

Adding web group account...

Adding web user account...

Adding web group...

Adjusting license directory ownership...

Initializing confdb...

Generating init scripts...

Generating PAM config...

Generating init scripts auto command...

Starting open***as...

NOTE: Your system clock must be correct for Open*** Access Server

to perform correctly. Please ensure that your time and date

are correct on this system.

Initial Configuration Complete!

You can now continue configuring Open*** Access Server by

directing your Web browser to this URL:

https://192.168.1.103:943/admin

Login as "open***" with the same password used to authenticate

to this UNIX host.

See the Release Notes for this release at:

http://www.open***.net/access-server/rn/open***_as_1_5_6.html

For the steps above you can simply press Enter at every prompt. When you reach "Do you wish to login as 'root'?", if you do not want to log in as root, you can create a separate account instead.

IV: Client access:

Open https://192.168.1.103:943/

Log in as user open***, download the matching client, and test with it.

1. Windows client test procedure:

Log in to the client: (screenshot not reproduced)

Connect: (screenshot not reproduced)

Successful login:

Start the Access Server daemon:

/etc/init.d/open***as start

Stop the Access Server daemon:

/etc/init.d/open***as stop

Restart the Access Server daemon:

/etc/init.d/open***as restart

2. Linux client connection test procedure:

# rpm -ivh open***-as-1.5.6-CentOS5.i386.rpm

vi /etc/profile and add the following lines:

export PYO***_VERSION="1.5.6"

export OPEN***_AS_BASE="/usr/local/open***_as"

export OPEN***_AS_CONFIG="/usr/local/open***_as/etc/as.conf"

export PATH="/usr/local/open***_as/scripts:/usr/local/open***_as/bin:/usr/local/open***_as/sbin:$PATH"

export LD_LIBRARY_PATH="/usr/local/open***_as/lib"

export PYTHONHOME="/usr/local/open***_as"

unset PYTHONPATH

# source /etc/profile

[root@jrcz-test-02 open***_as]# open*** --config client.o***

Wed Nov 3 15:13:19 2010 Open*** 2.1.1o i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 7 2010

Enter Auth Username:open***

Enter Auth Password:

Wed Nov 3 15:13:27 2010 NOTE: Open*** 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Wed Nov 3 15:13:27 2010 Control Channel Authentication: tls-auth using INLINE static key file

Wed Nov 3 15:13:27 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Wed Nov 3 15:13:27 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Wed Nov 3 15:13:27 2010 LZO compression initialized

Wed Nov 3 15:13:27 2010 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]

Wed Nov 3 15:13:27 2010 Socket Buffers: R=[110592->200000] S=[110592->200000]

Wed Nov 3 15:13:27 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]

Wed Nov 3 15:13:27 2010 Local Options hash (VER=V4): '504e774e'

Wed Nov 3 15:13:27 2010 Expected Remote Options hash (VER=V4): '14168603'

Wed Nov 3 15:13:27 2010 UDPv4 link local: [undef]

Wed Nov 3 15:13:27 2010 UDPv4 link remote: 192.168.1.103:1194

Wed Nov 3 15:13:27 2010 TLS: Initial packet from 192.168.1.103:1194, sid=88411316 b22483c5

Wed Nov 3 15:13:27 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Wed Nov 3 15:13:27 2010 VERIFY OK: depth=1, /CN=Open***_CA

Wed Nov 3 15:13:27 2010 VERIFY OK: nsCertType=SERVER

Wed Nov 3 15:13:27 2010 VERIFY OK: depth=0, /CN=Open***_Server

Wed Nov 3 15:13:27 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Wed Nov 3 15:13:27 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Wed Nov 3 15:13:27 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Wed Nov 3 15:13:27 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Wed Nov 3 15:13:27 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Wed Nov 3 15:13:27 2010 [Open***_Server] Peer Connection Initiated with 192.168.1.103:1194

Wed Nov 3 15:13:29 2010 SENT CONTROL [Open***_Server]: 'PUSH_REQUEST' (status=1)

Wed Nov 3 15:13:29 2010 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 5,ping-restart 40,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 5.5.8.1,dhcp-option DNS 219.141.136.10,register-dns,comp-lzo yes,ifconfig 5.5.8.3 255.255.252.0'

Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.1.1o)

Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.1.1o)

Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.1.1o)

Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:15: register-dns (2.1.1o)

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: timers and/or timeouts modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: explicit notify parm(s) modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: LZO parms modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: --ifconfig/up options modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: route options modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: route-related options modified

Wed Nov 3 15:13:29 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Wed Nov 3 15:13:29 2010 ROUTE default_gateway=192.168.1.10

Wed Nov 3 15:13:29 2010 TUN/TAP device tun0 opened

Wed Nov 3 15:13:29 2010 TUN/TAP TX queue length set to 100

Wed Nov 3 15:13:29 2010 /sbin/ifconfig tun0 5.5.8.3 netmask 255.255.252.0 mtu 1500 broadcast 5.5.11.255

If the output above appears, the client test has succeeded.
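As an added example (not part of the original document), the following shell script applies to a client log the checks a reviewer would make on the session above: it treats the session as connected only when the server certificate was verified as a server certificate, the TLS handshake completed and a tun device came up; it counts the "Options error" lines (the Windows-only dhcp-*/register-dns options pushed to a Linux client, which the client ignores) and the WARNING lines (the auth-nocache notice); and it extracts the tunnel address. The embedded log is a constructed, abbreviated sample in the same format as the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original document): sanity checks over an
# Open*** client log. The log text below is a constructed, abbreviated
# sample in the same format as the session above; it was not captured on
# the page's hosts.

write_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Wed Nov 3 15:13:27 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 3 15:13:27 2010 VERIFY OK: depth=1, /CN=Open***_CA
Wed Nov 3 15:13:27 2010 VERIFY OK: nsCertType=SERVER
Wed Nov 3 15:13:27 2010 VERIFY OK: depth=0, /CN=Open***_Server
Wed Nov 3 15:13:27 2010 [Open***_Server] Peer Connection Initiated with 192.168.1.103:1194
Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.1.1o)
Wed Nov 3 15:13:29 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:15: register-dns (2.1.1o)
Wed Nov 3 15:13:29 2010 TUN/TAP device tun0 opened
Wed Nov 3 15:13:29 2010 /sbin/ifconfig tun0 5.5.8.3 netmask 255.255.252.0 mtu 1500 broadcast 5.5.11.255
EOF
    echo "$f"
}

# A session counts as connected only when the server certificate was
# verified as a server cert, the TLS handshake completed, and a tun device
# came up. Any one missing means "not connected".
log_connected() {
    grep -q 'VERIFY OK: nsCertType=SERVER' "$1" &&
    grep -q 'Peer Connection Initiated' "$1" &&
    grep -q 'TUN/TAP device tun[0-9]* opened' "$1"
}

# Number of pushed options the client did not understand. On a Linux
# client the Windows-only dhcp-*/register-dns options show up here; they
# are ignored, so a non-zero count is not by itself a failure.
log_count_option_errors() {
    grep -c 'Options error:' "$1" || true
}

# Number of WARNING lines (e.g. the auth-nocache notice), for review.
log_count_warnings() {
    grep -c ' WARNING: ' "$1" || true
}

# Address assigned to the tun device, taken from the ifconfig line.
log_tun_ip() {
    sed -n 's/.*ifconfig tun[0-9]* \([0-9.]*\) netmask.*/\1/p' "$1"
}

# Stand-alone demo against the constructed sample.
LOG=$(write_sample_log)
if log_connected "$LOG"; then
    echo "connected: tun ip $(log_tun_ip "$LOG")"
else
    echo "not connected"
fi
echo "option errors: $(log_count_option_errors "$LOG")"
echo "warnings:      $(log_count_warnings "$LOG")"
rm -f "$LOG"
```

To use it on a real session, run the client with `--log` (or redirect its output) and pass that file to the functions instead of the constructed sample; the WARNING count is worth reviewing because the auth-nocache notice means the password stays in process memory for reconnects.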

# ifconfig

eth0 Link encap:Ethernet HWaddr 00:1A:6B:58:A3:DA

inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.0

inet6 addr: fe80::21a:6bff:fe58:a3da/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:123673 errors:0 dropped:0 overruns:0 frame:0

TX packets:42994 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:37473449 (35.7 MiB) TX bytes:28971854 (27.6 MiB)

Interrupt:233 Base address:0x2000

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:4477 errors:0 dropped:0 overruns:0 frame:0

TX packets:4477 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:340515 (332.5 KiB) TX bytes:340515 (332.5 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet addr:5.5.8.4 P-t-P:5.5.8.4 Mask:255.255.252.0

UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

RX packets:4 errors:0 dropped:0 overruns:0 frame:0

TX packets:4 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:336 (336.0 b) TX bytes:336 (336.0 b)

tun0 is the newly added tunnel interface with its assigned IP address.

# route -n

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

192.168.1.103 192.168.1.10 255.255.255.255 UGH 0 0 0 eth0

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

5.5.8.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

0.0.0.0 5.5.8.1 128.0.0.0 UG 0 0 0 tun0

128.0.0.0 5.5.8.1 128.0.0.0 UG 0 0 0 tun0

0.0.0.0 192.168.1.10 0.0.0.0 UG 0 0 0 eth0
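The table above shows the pattern that the pushed `redirect-gateway def1` produces: two /1 routes via 5.5.8.1 on tun0 that together cover the whole address space and so override the 0.0.0.0/0 route on eth0 without removing it, plus a /32 host route to 192.168.1.103 via the LAN gateway so that the encrypted traffic to the server itself stays on eth0. As an added example (not from the original document), this script checks a `route -n` listing for that layout; the listing it embeds is a constructed copy of the one above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original document): verify that the routing
# table after connecting shows a full-tunnel ("redirect-gateway def1")
# layout. The table below is a constructed copy in `route -n` format,
# matching the one shown above; the addresses are the page's sample values.

write_sample_routes() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.103   192.168.1.10    255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
5.5.8.0         0.0.0.0         255.255.252.0   U     0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         5.5.8.1         128.0.0.0       UG    0      0        0 tun0
128.0.0.0       5.5.8.1         128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.10    0.0.0.0         UG    0      0        0 eth0
EOF
    echo "$f"
}

# route_present FILE DEST GENMASK IFACE: true if such a route is listed.
route_present() {
    awk -v d="$2" -v m="$3" -v i="$4" \
        '$1 == d && $3 == m && $8 == i { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# "def1" pushes 0.0.0.0/1 and 128.0.0.0/1 via the tunnel. Both are more
# specific than 0.0.0.0/0, so they win over the LAN default route without
# deleting it. If only one of the two exists, half the address space leaks
# out of the tunnel.
def1_redirect_ok() {
    route_present "$1" 0.0.0.0 128.0.0.0 tun0 &&
    route_present "$1" 128.0.0.0 128.0.0.0 tun0
}

# The encrypted packets to the Access Server host itself must keep using
# the physical path: a /32 host route to SERVER via LAN_IFACE.
server_bypass_ok() {
    route_present "$1" "$2" 255.255.255.255 "$3"
}

# The gateway used by the two /1 routes (the tunnel-side router address).
tunnel_gateway() {
    awk '$1 == "0.0.0.0" && $3 == "128.0.0.0" { print $2; exit }' "$1"
}

# Combined check for a full-tunnel client.
full_tunnel_ok() {
    def1_redirect_ok "$1" && server_bypass_ok "$1" "$2" "$3"
}

# Stand-alone demo against the constructed sample.
R=$(write_sample_routes)
if full_tunnel_ok "$R" 192.168.1.103 eth0; then
    echo "full tunnel via $(tunnel_gateway "$R")"
else
    echo "tunnel routing incomplete"
fi
rm -f "$R"
```

On a live client, replace the constructed table with `route -n > /tmp/routes.txt` and pass that file; a missing /1 route or a missing host route to the server is the usual cause of traffic bypassing the tunnel or of the tunnel looping back on itself.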