Andreas Steffen, 10.08.2011 21:19
strongSwan MAP Client HOWTO
Configuration
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-tnc-ifmap
The tnc-ifmap plugin requires the Apache Axis2/C library. If it doesn't exist yet, create an Axis2/C home directory:
mkdir /etc/axis2c/
cd /etc/axis2c
mkdir logs modules services
ln -s /usr/lib/axis2c/lib lib
touch axis2.xml
and set the environment variable to this home:
export AXIS2C_HOME=/etc/axis2c
The axis2.xml file is just an empty stub
<axisconfig name="Axis2/C"> </axisconfig>
since all configuration is done by the tnc-ifmap plugin using the attributes defined in strongswan.conf.
/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    tnc-ifmap {
      server = https://localhost:8443/
      server_cert = /etc/axis2c/server.pem
      auth_type = Basic
      username = strongswan
      password = strongswan
    }
  }
}
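The following pre-flight check is an added example and not part of this HOWTO or of the strongSwan sources. It verifies the Axis2/C home laid out above (the three directories, the lib symlink, a well-formed axis2.xml, AXIS2C_HOME) and parses the tnc-ifmap section of strongswan.conf with a small parser for its nested brace syntax. The rule that strongswan.conf must not be group- or world-readable is my own recommendation, because the file carries the MAP server password in clear; the demo() function builds a constructed layout in a temporary directory so the check can be run without touching /etc.

```python
# Added example, not part of the strongSwan HOWTO or the tnc-ifmap plugin.
# Checks the Axis2/C home and the tnc-ifmap section of strongswan.conf.
# The mode-bits rule for strongswan.conf is my own recommendation (assumption).
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# The HOWTO's configuration; %s is replaced by the certificate path in demo().
CONF_TEMPLATE = """charon {
  plugins {
    tnc-ifmap {
      server = https://localhost:8443/
      server_cert = %s
      auth_type = Basic
      username = strongswan
      password = strongswan
    }
  }
}
"""


def parse_strongswan_conf(text):
    """Minimal parser for the nested `section { key = value }` syntax of
    strongswan.conf. Returns nested dicts; '#' comments and blank lines are skipped."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                 # open a (sub)section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close it
            cur = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return root


def check_setup(home, conf_path):
    """Return a list of problems found; an empty list means the setup looks sane."""
    problems = []
    if os.environ.get("AXIS2C_HOME") != home:
        problems.append("AXIS2C_HOME is not set to %s" % home)
    for d in ("logs", "modules", "services"):
        if not os.path.isdir(os.path.join(home, d)):
            problems.append("missing directory %s" % d)
    if not os.path.isdir(os.path.join(home, "lib")):   # isdir follows the symlink
        problems.append("lib is missing or a dangling symlink")
    try:
        ET.parse(os.path.join(home, "axis2.xml"))      # the empty stub must still parse
    except (OSError, ET.ParseError) as e:
        problems.append("axis2.xml unusable: %s" % e)
    try:
        with open(conf_path) as f:
            conf = parse_strongswan_conf(f.read())
        mode = stat.S_IMODE(os.stat(conf_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):       # password is stored in clear
            problems.append("strongswan.conf is group/world accessible (mode %o)" % mode)
    except OSError as e:
        problems.append("strongswan.conf unreadable: %s" % e)
        return problems
    ifmap = conf.get("charon", {}).get("plugins", {}).get("tnc-ifmap", {})
    for key in ("server", "server_cert", "auth_type", "username", "password"):
        if key not in ifmap:
            problems.append("tnc-ifmap.%s not set" % key)
    if not ifmap.get("server", "").startswith("https://"):
        problems.append("tnc-ifmap.server should be an https:// URL")
    cert = ifmap.get("server_cert")
    if cert and not os.path.isfile(cert):
        problems.append("server_cert %s not found" % cert)
    return problems


def demo():
    """Build a constructed good layout in a temp dir, check it, then break it
    (world-readable conf, dangling lib link) and return both problem lists."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "axis2c")
    for d in ("logs", "modules", "services"):
        os.makedirs(os.path.join(home, d))
    real_lib = os.path.join(base, "usr-lib-axis2c-lib")   # stands in for /usr/lib/axis2c/lib
    os.makedirs(real_lib)
    os.symlink(real_lib, os.path.join(home, "lib"))
    with open(os.path.join(home, "axis2.xml"), "w") as f:
        f.write('<axisconfig name="Axis2/C"> </axisconfig>\n')
    cert = os.path.join(home, "server.pem")
    with open(cert, "w") as f:                           # constructed placeholder, not a real cert
        f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    conf = os.path.join(base, "strongswan.conf")
    with open(conf, "w") as f:
        f.write(CONF_TEMPLATE % cert)
    os.chmod(conf, 0o600)
    os.environ["AXIS2C_HOME"] = home
    good = check_setup(home, conf)
    os.chmod(conf, 0o644)
    os.remove(os.path.join(home, "lib"))
    os.symlink(os.path.join(base, "does-not-exist"), os.path.join(home, "lib"))
    bad = check_setup(home, conf)
    return good, bad
```

For a real installation call check_setup("/etc/axis2c", "/etc/strongswan.conf") after exporting AXIS2C_HOME; every string in the returned list is one thing to fix before starting charon.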
Metadata
Currently a strongSwan VPN gateway acting as a Policy Enforcement Point (PEP) and additionally as a Policy Decision Point (PDP) provides the following metadata to a MAP server:
- device-ip: All IPv4 and IPv6 network interfaces the IPsec PEP listens on.
- access-request-ip: The IPv4 or IPv6 address of the remote access peer.
- access-request-authenticated-as: Identity of the remote access peer.
- access-request-authenticated-by: Device name of the PDP authenticating the remote access peer.
Visualization
The strongSwan MAP Client sends its metadata via the SOAP 1.2 based TNC IF-MAP 2.0 interface to an irond MAP Server. The irongui MAP Client is attached to the irond MAP server and visualizes the collected metadata. The Java based irond and irongui software is available from Trust@FHH.
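To make the four metadata items and the SOAP 1.2 / IF-MAP 2.0 exchange concrete, here is an added example (not code from this page or from the tnc-ifmap plugin) that builds the IF-MAP publish request a PEP/PDP would send for one remote access peer, and parses such a request back into (identifier, metadata, identifier) links, which is what you would do when checking the traffic reaching the MAP server. The namespace URIs, identifier elements and metadata names (device-ip, access-request-ip, authenticated-as, authenticated-by) follow my reading of the IF-MAP 2.0 specification and are assumptions to verify against a capture of the plugin's real requests; the session id, device name, identity and addresses are constructed sample values, and the access-request naming scheme is hypothetical.

```python
# Added example, not code from the strongSwan page or the tnc-ifmap plugin.
# Namespaces and element names are my reading of IF-MAP 2.0 (assumptions);
# all names, addresses and the session id are constructed sample values.
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
IFMAP_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
META_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
for prefix, uri in (("env", SOAP_NS), ("ifmap", IFMAP_NS), ("meta", META_NS)):
    ET.register_namespace(prefix, uri)


def identifier(kind, **attrs):
    """IF-MAP identifiers are unqualified elements: <device> carries its name as a
    child element, ip-address / access-request / identity use attributes."""
    el = ET.Element(kind)
    if kind == "device":
        ET.SubElement(el, "name").text = attrs["name"]
    else:
        for k, v in attrs.items():
            el.set(k, v)
    return el


def add_link(publish, id1, meta_name, id2):
    """One <update> attaching a single-valued metadata item to the link between
    two identifiers; lifetime=session lets the MAP server purge it when the
    publisher's session ends, so stale peers do not linger in the graph."""
    upd = ET.SubElement(publish, "update", lifetime="session")
    upd.append(id1)
    upd.append(id2)
    md = ET.SubElement(upd, "metadata")
    ET.SubElement(md, "{%s}%s" % (META_NS, meta_name), {"ifmap-cardinality": "singleValue"})


def build_publish(session_id, pdp_name, pdp_ips, peer_ip, peer_identity):
    """Return the SOAP 1.2 envelope (bytes) with one publish request.
    pdp_ips is a list of (address, 'IPv4'|'IPv6'); peer_ip is one such tuple."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    pub = ET.SubElement(body, "{%s}publish" % IFMAP_NS, {"session-id": session_id})
    # device-ip: every interface the IPsec PEP listens on
    for addr, fam in pdp_ips:
        add_link(pub, identifier("device", name=pdp_name), "device-ip",
                 identifier("ip-address", value=addr, type=fam))
    # the remote access peer: its address, its identity, and who authenticated it
    ar_name = "%s:%s" % (pdp_name, peer_ip[0])   # hypothetical naming scheme
    add_link(pub, identifier("access-request", name=ar_name), "access-request-ip",
             identifier("ip-address", value=peer_ip[0], type=peer_ip[1]))
    add_link(pub, identifier("access-request", name=ar_name), "authenticated-as",
             identifier("identity", name=peer_identity, type="username"))
    add_link(pub, identifier("access-request", name=ar_name), "authenticated-by",
             identifier("device", name=pdp_name))
    return ET.tostring(env, encoding="utf-8")


def describe(el):
    """Short label for an identifier element, e.g. 'device:moon'."""
    if el.tag == "device":
        return "device:" + el.findtext("name")
    key = "value" if el.tag == "ip-address" else "name"
    return "%s:%s" % (el.tag, el.get(key))


def parse_publish(xml_bytes):
    """Return [(id1, metadata-name, id2), ...] for every update in a publish request."""
    root = ET.fromstring(xml_bytes)
    pub = root.find(".//{%s}publish" % IFMAP_NS)
    links = []
    for upd in pub.findall("update"):
        ids = [c for c in upd if c.tag != "metadata"]   # the two identifiers, in order
        for m in upd.find("metadata"):
            links.append((describe(ids[0]), m.tag.split("}", 1)[1], describe(ids[1])))
    return links
```

Feeding the parsed links into a graph viewer reproduces what irongui shows: the PDP device node connected to its addresses, and each access-request node connected to the peer's address, its identity, and back to the device that authenticated it.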