Raspi 3 - Initiating IoT Device » History » Version 1
Andreas Steffen, 15.08.2015 15:13
IoT-Initiator Raspi 3
strongSwan IPsec configuration file /etc/ipsec.conf
# ipsec.conf for raspi3, the initiating IoT device of the pair.
config setup
    # Raise charon's log levels for the TNC, IMC, IMV and PTS subsystems.
    # Useful while debugging the attestation exchange; these levels are
    # verbose for a production device.
    charondebug="tnc 2, imc 2, imv 2, pts 3"

# Settings inherited by every conn below.
conn %default
    # The trailing '!' makes the proposal strict: the peer must accept
    # exactly AES-128 / SHA-256 / ECP-256 for both IKE and ESP.
    ike=aes128-sha256-ecp256!
    esp=aes128-sha256-ecp256!
    keyexchange=ikev2

conn peer
    # Local side: raspi3 authenticates via EAP-TTLS and presents its own
    # certificate/identity. leftfirewall=yes hands the SA to the updown
    # script (loaded in strongswan.conf) so it can insert firewall rules.
    left=10.10.1.39
    leftauth=eap-ttls
    leftcert=raspi3Cert.pem
    leftid=raspi3.example.com
    leftfirewall=yes
    # Remote side: rightauth=any accepts whichever authentication method
    # raspi4 offers; the peer is still constrained to rightid and to the
    # trust anchors charon has loaded. NOTE(review): confirm the method
    # raspi4 actually uses is the one intended, since 'any' does not pin it.
    right=10.10.1.40
    rightauth=any
    rightid=raspi4.example.com
    # Host-to-host transport mode. auto=add only loads the connection;
    # as the initiator this device presumably brings it up explicitly.
    type=transport
    auto=add
strongSwan IPsec secrets file /etc/ipsec.secrets
# RSA private key matching leftcert=raspi3Cert.pem in ipsec.conf. The
# empty selector before ':' means it applies to any local identity.
# NOTE(review): this file and raspi3Key.pem should be readable by root only.
: RSA raspi3Key.pem
strongSwan configuration file /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
    # Explicit plugin list: replaces the default set, so only the plugins
    # named here are available to the daemon. Includes the TNC/IMC/IMV and
    # EAP-TTLS/EAP-TNC plugins needed for the attestation exchange, plus
    # updown (used by leftfirewall=yes in ipsec.conf).
    load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke
    # Seconds a half-open IKE_SA is kept before being discarded.
    half_open_timeout = 90

    plugins {
        eap-ttls {
            # 0 disables the cap on EAP-TTLS messages per exchange;
            # presumably needed because the attestation measurements are
            # large. NOTE(review): an uncapped exchange has no built-in
            # bound on how long a peer can keep the authentication open.
            max_message_count = 0
            # Request the peer's certificate in the TLS handshake (phase 1).
            request_peer_auth = yes
            # Start the phase-2 EAP-TNC exchange right after the TLS handshake.
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            # Same unlimited message count for the inner EAP-TNC method.
            max_message_count = 0
        }
        tnccs-20 {
            # Mutual PB-TNC: both endpoints run IMCs and IMVs, matching the
            # tnc-imc and tnc-imv plugins loaded above.
            mutual = yes
        }
    }
}

libimcv {
    # SQLite database shared with the attest tool below.
    database = sqlite:///etc/pts/config.db
    # Script invoked on IMV recommendations.
    policy_script = ipsec imv_policy_manager

    plugins {
        imc-os {
            # Public part of this device's AIK, reported by the OS IMC.
            device_pubkey = /etc/pts/aik3Pub.der
        }
        imc-attestation {
            # AIK key blob and certificate used to sign TPM quotes.
            # NOTE(review): the blob is a secret; keep it root-readable only.
            aik_blob = /etc/pts/aik3Blob.bin
            aik_cert = /etc/pts/aik3Cert.der
        }
        imv-attestation {
            # Trust anchors for verifying the peer's AIK certificate.
            cadir = /etc/pts/cacerts
            # Measurement hash algorithm. SHA-1 is weak for general use;
            # presumably required by a TPM 1.2 PCR bank — TODO confirm the
            # TPM generation and switch to sha256 if supported.
            hash_algorithm = sha1
        }
    }
}

libtls {
    # Restrict the TLS handshake (used by EAP-TTLS) to ECDHE-RSA suites.
    suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
}

pt-tls-client {
    # Plugin set for the standalone PT-TLS client; the same TNC plugins as
    # charon, without the EAP or kernel plugins.
    load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 curl
}

attest {
    # Same database as libimcv, so attest and the IMV share measurements.
    database=sqlite:///etc/pts/config.db
}