strongSwan MAP Client HOWTO
Configuration

Build strongSwan with the tnc-ifmap plugin enabled:

    ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-tnc-ifmap

Before strongSwan 5.0.3 the tnc-ifmap plugin required the Apache Axis2/C library and used different option names; see the section "Before strongSwan 5.0.3" below for details.
MAP Client with Public Key Authentication

The MAP client authenticates itself to the MAP server with a client certificate over TLS; server_cert is the MAP server's X.509 certificate, which the client uses to verify the TLS connection.

/etc/strongswan.conf - strongSwan configuration file

    charon {
      plugins {
        tnc-ifmap {
          device_name = strongswan-gw
          server_uri = https://localhost:8444/
          server_cert = /etc/ipsec.d/certs/server.pem
          client_cert = /etc/ipsec.d/certs/client.pem
          client_key = /etc/ipsec.d/private/client_key_file.pem
        }
      }
    }

The client private key must be readable only by the user charon runs as (like the other files under /etc/ipsec.d/private/).
MAP Client with HTTP Basic Authentication

Alternatively the MAP client authenticates with a username and password sent via HTTP Basic Authentication inside the TLS connection; the MAP server is still verified against server_cert, so the credentials are never sent to an unauthenticated server.

/etc/strongswan.conf - strongSwan configuration file

    charon {
      plugins {
        tnc-ifmap {
          device_name = strongswan-gw
          server_uri = https://localhost:8443/
          server_cert = /etc/ipsec.d/certs/server.pem
          username_password = strongswan:strongswan
        }
      }
    }

The username:password pair is stored in cleartext in strongswan.conf, so restrict the file's permissions accordingly and replace the placeholder credentials shown here with ones that match the accounts configured on your MAP server.
Metadata

Currently a strongSwan VPN gateway acting as a Policy Enforcement Point (PEP) and additionally as a Policy Decision Point (PDP) publishes the following metadata to a MAP server:

- device-ip: The IPv4 and IPv6 addresses of all network interfaces the IPsec PEP listens on.
- access-request-ip: The IPv4 or IPv6 address of the remote access peer.
- authenticated-as: The identity of the remote access peer.
- authenticated-by: The device name of the PDP that authenticated the remote access peer.
- capability: The group memberships of the remote access peer (assigned by RADIUS or by the TNC server).
- enforcement-report: Reports a failed authentication of a remote access peer.
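How each of these metadata types is bound to IF-MAP identifiers is easier to see in an actual publish request. The following Python is an added example, not code from strongSwan's tnc-ifmap plugin: it builds an IF-MAP 2.0 publish request carrying the six metadata types listed above, using the TCG IF-MAP 2.0 namespaces and the SOAP 1.2 envelope, and then lists what was published. The device name, addresses, identity and groups are constructed sample data, and the identifier pair used for enforcement-report (the peer's ip-address and the PEP device, since no access-request exists after a failed authentication) is an assumption.

```python
import xml.etree.ElementTree as ET

# SOAP 1.2 envelope namespace and the IF-MAP 2.0 namespaces defined by the TCG.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
IFMAP = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
META = "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
for prefix, uri in (("env", SOAP), ("ifmap", IFMAP), ("meta", META)):
    ET.register_namespace(prefix, uri)


def device(name):
    """IF-MAP device identifier (used for both the PEP and the PDP)."""
    el = ET.Element("device")
    ET.SubElement(el, "name").text = name
    return el


def ip_address(addr):
    """IF-MAP ip-address identifier; the type attribute separates IPv4 from IPv6."""
    return ET.Element("ip-address", {"value": addr, "type": "IPv6" if ":" in addr else "IPv4"})


def access_request(name):
    return ET.Element("access-request", {"name": name})


def identity(name, kind="username"):
    return ET.Element("identity", {"name": name, "type": kind})


def metadata(local_name, cardinality="singleValue", fields=None):
    """<metadata> wrapper holding one meta:* element plus optional child fields."""
    wrap = ET.Element("metadata")
    m = ET.SubElement(wrap, f"{{{META}}}{local_name}", {"ifmap-cardinality": cardinality})
    for tag, text in (fields or {}).items():
        ET.SubElement(m, tag).text = text
    return wrap


def update(*parts, lifetime="session"):
    """One publish update: one or two identifiers followed by the metadata."""
    u = ET.Element("update", {"lifetime": lifetime})
    u.extend(parts)
    return u


def new_publish(session_id):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    pub = ET.SubElement(body, f"{{{IFMAP}}}publish", {"session-id": session_id})
    return env, pub


def build_publish(session_id, pep, pep_ips, ar, peer_ip, peer_identity, groups):
    """Publish request for a successfully authenticated remote access peer."""
    env, pub = new_publish(session_id)
    for ip in pep_ips:  # device-ip: PEP device <-> each address it listens on
        pub.append(update(device(pep), ip_address(ip), metadata("device-ip")))
    # access-request-ip: access-request <-> the remote peer's address
    pub.append(update(access_request(ar), ip_address(peer_ip), metadata("access-request-ip")))
    # authenticated-as: access-request <-> identity of the peer
    pub.append(update(access_request(ar), identity(peer_identity), metadata("authenticated-as")))
    # authenticated-by: access-request <-> device name of the PDP (here the same gateway)
    pub.append(update(access_request(ar), device(pep), metadata("authenticated-by")))
    for group in groups:  # capability: multiValue, one element per group membership
        pub.append(update(access_request(ar), metadata("capability", "multiValue", {"name": group})))
    return env


def build_enforcement_report(session_id, pep, peer_ip, reason):
    """enforcement-report after a failed authentication. Assumption (not from the
    page): it is attached to the link between the peer's ip-address and the PEP."""
    env, pub = new_publish(session_id)
    pub.append(update(device(pep), ip_address(peer_ip),
                      metadata("enforcement-report", fields={
                          "enforcement-action": "block",
                          "enforcement-reason": reason})))
    return env


def metadata_types(envelope):
    """Local names of every published metadata element, in document order."""
    return [m.tag.rsplit("}", 1)[1] for wrap in envelope.iter("metadata") for m in wrap]


def to_xml(envelope):
    return ET.tostring(envelope, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    env = build_publish("1", "strongswan-gw", ["192.0.2.1", "2001:db8::1"],
                        "ar-1", "198.51.100.7", "alice@strongswan.org", ["finance", "vpn"])
    print(to_xml(env))
    print(metadata_types(env))
```

Note that capability is the only multiValue type here: each group becomes its own metadata element on the access-request identifier alone, whereas the other five are link metadata attached to a pair of identifiers.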
Visualization

The strongSwan MAP Client sends its metadata over the SOAP 1.2 based TNC IF-MAP 2.0 interface to an irond MAP Server. The irongui MAP Client attaches to the irond MAP server and visualizes the collected metadata. The Java based irond and irongui software is available from Trust@FHH.
Before strongSwan 5.0.3

Notes about Axis2/C

Make sure that the AXIS2C_HOME environment variable is set before starting strongSwan:

    export AXIS2C_HOME=/usr/lib/axis2

In the $AXIS2C_HOME directory create a logs subdirectory:

    mkdir $AXIS2C_HOME/logs

For the strongSwan MAP client application the /etc/axis2.xml file is just an empty stub

    <axisconfig name="Axis2/C"> </axisconfig>

since all configuration is done by the tnc-ifmap plugin using the attributes defined in strongswan.conf.
MAP Client with Public Key Authentication

/etc/strongswan.conf - strongSwan configuration file

    charon {
      plugins {
        tnc-ifmap {
          device_name = strongswan-gw
          server = https://localhost:8444/
          server_cert = /etc/ipsec.d/certs/server.pem
          key_file = /etc/ipsec.d/private/client_key_file.pem
          ssl_passphrase = <optional to protect the key>
        }
      }
    }

The key_file contains the client private key followed by the client certificate, both in PEM format, concatenated into a single file. Since it holds the private key, it belongs under /etc/ipsec.d/private/ with permissions restricted to the user charon runs as; ssl_passphrase is only needed if the key is encrypted.
MAP Client with HTTP Basic Authentication

/etc/strongswan.conf - strongSwan configuration file

    charon {
      plugins {
        tnc-ifmap {
          device_name = strongswan-gw
          server = https://localhost:8443/
          server_cert = /etc/ipsec.d/certs/server.pem
          username = strongswan
          password = strongswan
        }
      }
    }

As with the current syntax, the password is stored in cleartext in strongswan.conf; restrict the file's permissions and replace the placeholder credentials.