strongSwan MAP Client HOWTO

Configuration

./configure --prefix=/usr --sysconfdir=/etc --disable-pluto \
            --enable-tnc-ifmap

Before 5.0.3 the tnc-ifmap plugin required the Apache Axis2/C library and some options were different. Please refer to the notes below for details.

MAP Client with Public Key Authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server_uri = https://localhost:8444/
      server_cert = /etc/ipsec.d/certs/server.pem
      client_cert = /etc/ipsec.d/certs/client.pem
      client_key = /etc/ipsec.d/private/client_key_file.pem
    }
  }
}

MAP Client with HTTP Basic Authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server_uri = https://localhost:8443/
      server_cert = /etc/ipsec.d/certs/server.pem
      username_password = strongswan:strongswan
    }
  }
}

Metadata

Currently a strongSwan VPN gateway acting as a Policy Enforcement Point (PEP) and additionally as a Policy Decision Point (PDP) provides the following metadata to a MAP server:

  • device-ip: All IPv4 and IPv6 network interfaces the IPsec PEP listens on.
  • access-request-ip: The IPv4 or IPv6 address of the remote access peer.
  • authenticated-as: Identity of the remote access peer.
  • authenticated-by: Device name of the PDP authenticating the remote access peer.
  • capability: Group memberships of the remote access peer (assigned by RADIUS or TNCS).
  • enforcement-report: Report failed authentication of a remote access peer.

Visualization

The strongSwan MAP Client sends its metadata via the SOAP 1.2 based TNC IF-MAP 2.0 interface to an irond MAP Server. The irongui MAP Client is attached to the irond MAP server and visualizes the collected metadata. The Java based irond and irongui software is available from Trust@FHH.

irongui.png (irongui screenshot)


Before strongSwan 5.0.3

Notes about Axis2/C

Make sure that the AXIS2C_HOME environment variable exists before starting strongSwan:

export AXIS2C_HOME=/usr/lib/axis2

In the $AXIS2C_HOME directory create a logs subdirectory:

mkdir $AXIS2C_HOME/logs

For the strongSwan MAP client application the /etc/axis2.xml file is just an empty stub

<axisconfig name="Axis2/C">

</axisconfig>

since all configuration is done by the tnc-ifmap plugin using attributes defined in strongswan.conf.

MAP Client with Public Key Authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server = https://localhost:8444/
      server_cert = /etc/ipsec.d/certs/server.pem
      key_file = /etc/ipsec.d/private/client_key_file.pem
      ssl_passphrase = <optional to protect the key>
    }
  }
}

The key_file contains a concatenation of the client private key and client certificate in PEM format.

MAP Client with HTTP Basic Authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server = https://localhost:8443/
      server_cert = /etc/ipsec.d/certs/server.pem
      username = strongswan
      password = strongswan
    }
  }
}
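A small checker for the two configuration forms shown above and for the pre-5.0.3 option names in these notes, added here as an example rather than strongSwan's own code. The parser assumes only the `name { key = value }` nesting visible on this page, and the constructed sample deliberately drops https and server_cert to show what the checks report.

```python
# Added example (not strongSwan's own code): parse strongswan.conf nesting, check tnc-ifmap.
# Pre-5.0.3 option names (see the notes above) mapped to the current ones.
LEGACY = {"server": "server_uri", "key_file": "client_cert/client_key",
          "username": "username_password", "password": "username_password"}

def parse_conf(text):
    """Parse `name { key = value }` nesting into nested dicts."""
    root = {}; cur, stack = root, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                 # open a subsection
            name = line[:-1].strip()
            cur[name] = {}
            stack.append(cur)
            cur = cur[name]
        elif line == "}":                      # close the current subsection
            cur = stack.pop()
        elif "=" in line:                      # key = value (first '=' splits)
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return root

def check_ifmap(conf):
    """Return findings for charon.plugins.tnc-ifmap (empty list means ok)."""
    s = conf.get("charon", {}).get("plugins", {}).get("tnc-ifmap")
    if s is None:
        return ["no tnc-ifmap section found"]
    out = [f"pre-5.0.3 option '{o}'; use '{n}'" for o, n in LEGACY.items() if o in s]
    uri = s.get("server_uri", s.get("server", ""))
    if not uri.startswith("https://"):
        out.append("server_uri must use https")
    if "server_cert" not in s:                 # every config on this page sets it
        out.append("server_cert not set")
    pubkey = ("client_cert" in s and "client_key" in s) or "key_file" in s
    basic = "username_password" in s or ("username" in s and "password" in s)
    if not (pubkey or basic):
        out.append("no client credentials configured")
    elif basic and not pubkey:
        out.append("HTTP Basic auth: password stored in strongswan.conf")
    return out

# Constructed sample: the Basic-auth config with https and server_cert removed.
SAMPLE = """charon {
  plugins {
    tnc-ifmap {
      server_uri = http://localhost:8443/
      username_password = strongswan:strongswan
    }
  }
}"""
```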

Attachment: irongui.png - irongui screenshot (147 KB), Andreas Steffen, 07.09.2011 20:56