strongSwan

{{>toc}}

h1. Raspi 3 - Initiating IoT Device

h2. Configuration Files

strongSwan IPsec configuration file */etc/ipsec.conf*

<pre>

config setup

     charondebug="tnc 2, imc 2, imv 2, pts 3"

conn %default

     ike=aes128-sha256-ecp256!

     esp=aes128-sha256-ecp256!

     keyexchange=ikev2

conn peer

     left=10.10.1.39

     leftauth=eap-ttls

     leftcert=raspi3Cert.pem

     leftid=raspi3.example.com

     leftfirewall=yes

     right=10.10.1.40

     rightauth=any

     rightid=raspi4.example.com

     type=transport

     auto=add

</pre>

strongSwan IPsec secrets file */etc/ipsec.secrets*

<pre>

: RSA raspi3Key.pem

</pre>

strongSwan configuration file */etc/strongswan.conf*

<pre>

# strongswan.conf - strongSwan configuration file

charon {

  load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke

  half_open_timeout = 90

  plugins {

    eap-ttls

    {

      max_message_count = 0

      request_peer_auth = yes

      phase2_piggyback = yes

      phase2_tnc = yes

    }

    eap-tnc {

      max_message_count = 0

    }

    tnccs-20 {

      mutual = yes

    }

  }

}

libimcv {

  database = sqlite:///etc/pts/config.db

  policy_script = ipsec imv_policy_manager

  plugins {

    imc-os {

      device_pubkey = /etc/pts/aik3Pub.der

    }

    imc-attestation {

      aik_blob = /etc/pts/aik3Blob.bin

      aik_cert = /etc/pts/aik3Cert.der

    }

    imv-attestation {

      cadir = /etc/pts/cacerts

      hash_algorithm = sha1

    }

  }

}

libtls {

  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

}

pt-tls-client {

  load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 curl 

}

attest {

  database=sqlite:///etc/pts/config.db

}

</pre>

h2. Starting the IKEv2 Daemon

First the IKEv2 charon daemon is started in the background

<pre>

raspi3# ipsec start

</pre>

<pre>

Aug 15 14:45:55 raspi3 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.1, Linux 3.18.13-v7+, armv7l)

Aug 15 14:45:55 raspi3 charon: 00[TNC] TNC recommendation policy is 'default'

Aug 15 14:45:55 raspi3 charon: 00[TNC] loading IMVs from '/etc/tnc_config'

Aug 15 14:45:55 raspi3 charon: 00[TNC] added IETF attributes

Aug 15 14:45:55 raspi3 charon: 00[TNC] added ITA-HSR attributes

Aug 15 14:45:55 raspi3 charon: 00[TNC] added TCG attributes

Aug 15 14:45:55 raspi3 charon: 00[PTS] added TCG functional component namespace

Aug 15 14:45:55 raspi3 charon: 00[PTS] added ITA-HSR functional component namespace

Aug 15 14:45:55 raspi3 charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'

Aug 15 14:45:55 raspi3 charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'

Aug 15 14:45:55 raspi3 charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'

Aug 15 14:45:55 raspi3 charon: 00[LIB] libimcv initialized

</pre>

Loading Attestation IMV

<pre>

Aug 15 14:45:55 raspi3 charon: 00[IMV] IMV 1 "Attestation" initialized

Aug 15 14:45:55 raspi3 charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'

Aug 15 14:45:55 raspi3 charon: 00[PTS]   loaded ca certificate "C=US, O=TNC Demo, CN=AIK CA" from '/etc/pts/cacerts/aikCaCert.pem'

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_2048[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_1536[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_1024[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMV 1 supports 2 message types: 'TCG/PTS' 0x005597/0x00000001 'IETF/Operating System' 0x000000/0x00000001

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'

</pre>

Loading OS IMC

<pre>

Aug 15 14:45:55 raspi3 charon: 00[TNC] loading IMCs from '/etc/tnc_config'

Aug 15 14:45:55 raspi3 charon: 00[IMC] IMC 1 "OS" initialized

Aug 15 14:45:55 raspi3 charon: 00[IMC] processing "/etc/debian_version" file

Aug 15 14:45:55 raspi3 charon: 00[IMC] operating system name is 'Debian'

Aug 15 14:45:55 raspi3 charon: 00[IMC] operating system version is '7.8 armv7l'

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMC 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMC 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'

</pre>

Loading Attestation IMC

<pre>

Aug 15 14:45:55 raspi3 charon: 00[IMC] IMC 2 "Attestation" initialized

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_2048[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_1536[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group MODP_1024[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMC 2 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:45:55 raspi3 charon: 00[TNC] IMC 2 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'

</pre>

Initializing IKE daemon

<pre>

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Aug 15 14:45:55 raspi3 charon: 00[CFG]   loaded ca certificate "C=US, O=TNC Demo, CN=TNC Demo CA" from '/etc/ipsec.d/cacerts/demoCaCert.pem'

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'

Aug 15 14:45:55 raspi3 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

Aug 15 14:45:55 raspi3 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/raspi3Key.pem'

Aug 15 14:45:55 raspi3 charon: 00[LIB] loaded plugins: charon random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke

Aug 15 14:45:55 raspi3 charon: 00[JOB] spawning 16 worker threads

</pre>

Loading *peer* IPsec connection

<pre>

Aug 15 14:45:55 raspi3 charon: 06[CFG] received stroke: add connection 'peer'

Aug 15 14:45:55 raspi3 charon: 06[CFG]   loaded certificate "C=US, O=TNC Demo, CN=raspi3.example.com" from 'raspi3Cert.pem'

Aug 15 14:45:55 raspi3 charon: 06[CFG] added configuration 'peer'

</pre>

h2. Initiating IPsec Connection Setup

The *peer* IPsec connection to the IoT device *raspi4* is initiated using the IKEv2 key exchange protocol

<pre>

raspi3# ipsec up peer

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 10[CFG] received stroke: initiate 'peer'

Aug 15 14:46:05 raspi3 charon: 11[IKE] initiating IKE_SA peer[1] to 10.10.1.40

Aug 15 14:46:05 raspi3 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]

Aug 15 14:46:05 raspi3 charon: 11[NET] sending packet: from 10.10.1.39[500] to 10.10.1.40[500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 12[NET] received packet: from 10.10.1.40[500] to 10.10.1.39[500] (309 bytes)

Aug 15 14:46:05 raspi3 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

Aug 15 14:46:05 raspi3 charon: 12[IKE] received cert request for "C=US, O=TNC Demo, CN=TNC Demo CA"

Aug 15 14:46:05 raspi3 charon: 12[IKE] sending cert request for "C=US, O=TNC Demo, CN=TNC Demo CA"

Aug 15 14:46:05 raspi3 charon: 12[IKE] establishing CHILD_SA peer

Aug 15 14:46:05 raspi3 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]

Aug 15 14:46:05 raspi3 charon: 12[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (304 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 13[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (112 bytes)

Aug 15 14:46:05 raspi3 charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 13[IKE] server requested EAP_TTLS authentication (id 0xDB)

Aug 15 14:46:05 raspi3 charon: 13[TLS] EAP_TTLS version is v0

Aug 15 14:46:05 raspi3 charon: 13[IKE] allow mutual EAP-only authentication

Aug 15 14:46:05 raspi3 charon: 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 13[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (208 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 14[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)

Aug 15 14:46:05 raspi3 charon: 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 14[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 15[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (480 bytes)

Aug 15 14:46:05 raspi3 charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 15[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Aug 15 14:46:05 raspi3 charon: 15[TLS] received TLS server certificate 'C=US, O=TNC Demo, CN=raspi4.example.com'

Aug 15 14:46:05 raspi3 charon: 15[CFG]   using certificate "C=US, O=TNC Demo, CN=raspi4.example.com"

Aug 15 14:46:05 raspi3 charon: 15[CFG]   using trusted ca certificate "C=US, O=TNC Demo, CN=TNC Demo CA"

Aug 15 14:46:05 raspi3 charon: 15[CFG] checking certificate status of "C=US, O=TNC Demo, CN=raspi4.example.com"

Aug 15 14:46:05 raspi3 charon: 15[CFG] certificate status is not available

Aug 15 14:46:05 raspi3 charon: 15[CFG]   reached self-signed root ca with a path length of 0

Aug 15 14:46:05 raspi3 charon: 15[TLS] received TLS cert request for 'C=US, O=TNC Demo, CN=TNC Demo CA

Aug 15 14:46:05 raspi3 charon: 15[TLS] sending TLS peer certificate 'C=US, O=TNC Demo, CN=raspi3.example.com'

Aug 15 14:46:05 raspi3 charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 15[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 16[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:05 raspi3 charon: 16[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 16[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 16[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (352 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 09[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)

Aug 15 14:46:05 raspi3 charon: 09[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 09[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]

Aug 15 14:46:05 raspi3 charon: 09[IKE] server requested EAP_IDENTITY authentication (id 0x00)

Aug 15 14:46:05 raspi3 charon: 09[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]

Aug 15 14:46:05 raspi3 charon: 09[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 09[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (192 bytes)

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 08[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (176 bytes)

Aug 15 14:46:05 raspi3 charon: 08[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]

Aug 15 14:46:05 raspi3 charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:05 raspi3 charon: 08[IKE] server requested EAP_PT_EAP authentication (id 0xB8)

Aug 15 14:46:05 raspi3 charon: 08[TLS] EAP_PT_EAP version is v1

</pre>

h2. Start of Mutual Attestation

<pre>

Aug 15 14:46:05 raspi3 charon: 08[TNC] TNC client is handling outbound connection

Aug 15 14:46:05 raspi3 charon: 08[TNC] assigned TNCCS Connection ID 1

Aug 15 14:46:05 raspi3 charon: 08[IMC] IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

Aug 15 14:46:05 raspi3 charon: 08[IMC]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

Aug 15 14:46:05 raspi3 charon: 08[PTS] loaded AIK certificate from '/etc/pts/aik3Cert.der'

Aug 15 14:46:05 raspi3 charon: 08[PTS] loaded AIK Blob from '/etc/pts/aik3Blob.bin'

Aug 15 14:46:05 raspi3 charon: 08[IMC] IMC 2 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

Aug 15 14:46:05 raspi3 charon: 08[IMC]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

Aug 15 14:46:05 raspi3 charon: 08[IMC] IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'

Aug 15 14:46:05 raspi3 charon: 08[IMC] IMC 2 "Attestation" changed state of Connection ID 1 to 'Handshake'

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 08[TNC] proposing PB-TNC mutual half duplex protocol

</pre>

h3. Sending OS Information

<pre>

Aug 15 14:46:05 raspi3 charon: 08[IMC] operating system numeric version is 7.8

Aug 15 14:46:05 raspi3 charon: 08[IMC] last boot: Aug 15 07:56:52 UTC 2015, 17353 s ago

Aug 15 14:46:05 raspi3 charon: 08[IMC] IPv4 forwarding is disabled

Aug 15 14:46:05 raspi3 charon: 08[IMC] factory default password is disabled

Aug 15 14:46:05 raspi3 charon: 08[IMC] loaded device public key from '/etc/pts/aik3Pub.der'

Aug 15 14:46:05 raspi3 charon: 08[IMC] device ID is 565feb9e8462870dba884ce540a0768d68829873

</pre>

<pre>

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC message with ID 0x83cf019d

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

Aug 15 14:46:05 raspi3 charon: 08[TNC] PB-TNC state transition from 'Init' to 'Server Working'

Aug 15 14:46:05 raspi3 charon: 08[TNC] creating PB-TNC CDATA batch

Aug 15 14:46:05 raspi3 charon: 08[TNC] adding ITA-HSR/PB-Mutual-Capability message

Aug 15 14:46:05 raspi3 charon: 08[TNC] adding IETF/PB-Language-Preference message

Aug 15 14:46:05 raspi3 charon: 08[TNC] adding IETF/PB-PA message

Aug 15 14:46:05 raspi3 charon: 08[TNC] sending PB-TNC CDATA batch (283 bytes) for Connection ID 1

Aug 15 14:46:05 raspi3 charon: 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:05 raspi3 charon: 08[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]

Aug 15 14:46:05 raspi3 charon: 08[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (448 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (272 bytes)

Aug 15 14:46:08 raspi3 charon: 07[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 07[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 07[TNC] received TNCCS batch (108 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[TNC] TNC client is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing PB-TNC SDATA batch for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 07[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing ITA-HSR/PB-Mutual-Capability message (16 bytes)

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing IETF/PB-PA message (84 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[TNC] activating mutual PB-TNC half duplex protocol

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 07[IMC] IMC 2 "Attestation" received message for Connection ID 1 from IMV 1

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing PA-TNC message with ID 0x42501f74

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000

Aug 15 14:46:08 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[IMC] IMC 2 received a segmentation contract request from IMV 1 for PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 07[IMC]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes

</pre>

h3. Sending PTS Protocol Capabilites

<pre>

Aug 15 14:46:08 raspi3 charon: 07[PTS] supported PTS protocol capabilities: .VDT.

Aug 15 14:46:08 raspi3 charon: 07[PTS] selected PTS measurement algorithm is HASH_SHA1

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PA-TNC message with ID 0x1d5fa63a

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 07[TNC] TNC server is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 07[TNC] assigned TNCCS Connection ID 2

Aug 15 14:46:08 raspi3 charon: 07[IMV] IMV 1 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh

Aug 15 14:46:08 raspi3 charon: 07[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

Aug 15 14:46:08 raspi3 charon: 07[IMV]   user AR identity 'raspi4.example.com' of type username authenticated by certificate

Aug 15 14:46:08 raspi3 charon: 07[IMV]   machine AR identity '10.10.1.40' of type IPv4 address authenticated by unknown method

Aug 15 14:46:08 raspi3 charon: 07[IMV] IMV 1 "Attestation" changed state of Connection ID 2 to 'Handshake'

Aug 15 14:46:08 raspi3 charon: 07[TNC] PB-TNC state transition from 'Init' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 07[TNC] creating PB-TNC SDATA batch

Aug 15 14:46:08 raspi3 charon: 07[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 07[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 07[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 07[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (176 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 06[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (432 bytes)

Aug 15 14:46:08 raspi3 charon: 06[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 06[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 06[TNC] received TNCCS batch (267 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 06[TNC] TNC server is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PB-TNC CDATA batch for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing IETF/PB-Language-Preference message (31 bytes)

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing IETF/PB-PA message (228 bytes)

Aug 15 14:46:08 raspi3 charon: 06[TNC] setting language preference to 'en'

Aug 15 14:46:08 raspi3 charon: 06[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

Aug 15 14:46:08 raspi3 charon: 06[IMV] IMV 1 "Attestation" received message for Connection ID 2 from IMC 1

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC message with ID 0x366c28ea

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c

Aug 15 14:46:08 raspi3 charon: 06[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

</pre>

h3. Receiving OS Information

<pre>

Aug 15 14:46:08 raspi3 charon: 06[IMV] operating system name is 'Debian' from vendor Debian Project

Aug 15 14:46:08 raspi3 charon: 06[IMV] operating system version is '7.8 armv7l'

Aug 15 14:46:08 raspi3 charon: 06[IMV] device ID is 762872c90011671ef219b6a2a0c3c7dda875b43c

</pre>

h3. Starting Session with Policy Manager

<pre>

Aug 15 14:46:08 raspi3 charon: 06[IMV] assigned session ID 3 to Connection ID 2

Aug 15 14:46:08 raspi3 charon: 06[IMV] policy: imv_policy_manager start successful

Aug 15 14:46:08 raspi3 charon: 06[IMV] policy: skipping enforcment 6

Aug 15 14:46:08 raspi3 charon: 06[IMV] FWDEN workitem 13

Aug 15 14:46:08 raspi3 charon: 06[IMV] FMETA workitem 14

Aug 15 14:46:08 raspi3 charon: 06[IMV] PCKGS workitem 15

Aug 15 14:46:08 raspi3 charon: 06[IMV] TCPOP workitem 16

Aug 15 14:46:08 raspi3 charon: 06[IMV] UDPOP workitem 17

Aug 15 14:46:08 raspi3 charon: 06[IMV] TPMRA workitem 18

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 06[IMV] IMV 1 requests a segmentation contract for PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 06[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PA-TNC message with ID 0x918da8fe

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 06[TNC] TNC client is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 06[TNC] creating PB-TNC CDATA batch

Aug 15 14:46:08 raspi3 charon: 06[TNC] adding IETF/PB-PA message

Aug 15 14:46:08 raspi3 charon: 06[TNC] sending PB-TNC CDATA batch (92 bytes) for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 06[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 06[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 06[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 05[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)

Aug 15 14:46:08 raspi3 charon: 05[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 05[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 05[TNC] received TNCCS batch (87 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 05[TNC] TNC client is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 05[TNC] processing PB-TNC SDATA batch for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 05[TNC] processing IETF/PB-PA message (79 bytes)

Aug 15 14:46:08 raspi3 charon: 05[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 05[IMC] IMC 2 "Attestation" received message for Connection ID 1 from IMV 1

Aug 15 14:46:08 raspi3 charon: 05[TNC] processing PA-TNC message with ID 0xaff3c130

Aug 15 14:46:08 raspi3 charon: 05[TNC] processing PA-TNC attribute type 'TCG/Request File Metadata' 0x005597/0x00700000

Aug 15 14:46:08 raspi3 charon: 05[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 05[IMC] metadata request for file '/etc/tnc_config'

Aug 15 14:46:08 raspi3 charon: 05[PTS] selected PTS DH group is ECP_256

Aug 15 14:46:08 raspi3 charon: 05[PTS] nonce length is 20

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 05[TNC] creating PA-TNC message with ID 0x5e3ee705

Aug 15 14:46:08 raspi3 charon: 05[TNC] creating PA-TNC attribute type 'TCG/Unix-Style File Metadata' 0x005597/0x00900000

Aug 15 14:46:08 raspi3 charon: 05[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000

Aug 15 14:46:08 raspi3 charon: 05[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 05[TNC] TNC server is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 05[TNC] creating PB-TNC SDATA batch

Aug 15 14:46:08 raspi3 charon: 05[TNC] adding IETF/PB-PA message

Aug 15 14:46:08 raspi3 charon: 05[TNC] sending PB-TNC SDATA batch (92 bytes) for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 05[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 05[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 11[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)

Aug 15 14:46:08 raspi3 charon: 11[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 11[TNC] received TNCCS batch (92 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 11[TNC] TNC server is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing PB-TNC CDATA batch for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 11[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing IETF/PB-PA message (84 bytes)

Aug 15 14:46:08 raspi3 charon: 11[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 "Attestation" received message for Connection ID 2 from IMC 2 to IMV 1

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing PA-TNC message with ID 0xf94741eb

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000

Aug 15 14:46:08 raspi3 charon: 11[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 received a segmentation contract response from IMC 2 for PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 11[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes

</pre>

h3. Receiving PTS Protocol Capabilities

<pre>

Aug 15 14:46:08 raspi3 charon: 11[PTS] supported PTS protocol capabilities: .VDT.

Aug 15 14:46:08 raspi3 charon: 11[PTS] selected PTS measurement algorithm is HASH_SHA1

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 handles FMETA workitem 14

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 requests metadata for file '/etc/tnc_config'

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 handled FMETA workitem 14: allow - file metadata requested

Aug 15 14:46:08 raspi3 charon: 11[IMV] IMV 1 handles TPMRA workitem 18

Aug 15 14:46:08 raspi3 charon: 11[TNC] creating PA-TNC message with ID 0xda2a70e9

Aug 15 14:46:08 raspi3 charon: 11[TNC] creating PA-TNC attribute type 'TCG/Request File Metadata' 0x005597/0x00700000

Aug 15 14:46:08 raspi3 charon: 11[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000

Aug 15 14:46:08 raspi3 charon: 11[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 11[TNC] TNC client is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 11[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 11[TNC] creating PB-TNC CDATA batch

Aug 15 14:46:08 raspi3 charon: 11[TNC] adding IETF/PB-PA message

Aug 15 14:46:08 raspi3 charon: 11[TNC] sending PB-TNC CDATA batch (226 bytes) for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 11[ENC] generating IKE_AUTH request 11 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 11[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (400 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (336 bytes)

Aug 15 14:46:08 raspi3 charon: 12[ENC] parsed IKE_AUTH response 11 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 12[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 12[TNC] received TNCCS batch (172 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[TNC] TNC client is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing PB-TNC SDATA batch for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing IETF/PB-PA message (164 bytes)

Aug 15 14:46:08 raspi3 charon: 12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 12[IMC] IMC 2 "Attestation" received message for Connection ID 1 from IMV 1

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing PA-TNC message with ID 0xd27d5b33

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000

Aug 15 14:46:08 raspi3 charon: 12[TNC] processing PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[PTS] selected DH hash algorithm is HASH_SHA1

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[PTS] initiator nonce: => 20 bytes @ 0x11d940

Aug 15 14:46:08 raspi3 charon: 12[PTS]    0: 01 97 8C C2 90 09 6D 02 F0 0A 40 E1 8C 90 5F 15  ......m...@..._.

Aug 15 14:46:08 raspi3 charon: 12[PTS]   16: FB 4E 28 AD                                      .N(.

Aug 15 14:46:08 raspi3 charon: 12[PTS] responder nonce: => 20 bytes @ 0x11d410

Aug 15 14:46:08 raspi3 charon: 12[PTS]    0: 3D D0 72 39 3A E1 A0 E2 0B 30 B4 D4 D9 22 9F E0  =.r9:....0..."..

Aug 15 14:46:08 raspi3 charon: 12[PTS]   16: B6 D1 2A 01                                      ..*.

Aug 15 14:46:08 raspi3 charon: 12[PTS] shared DH secret: => 32 bytes @ 0x11e038

Aug 15 14:46:08 raspi3 charon: 12[PTS]    0: 5F 0F D8 1E B5 39 B4 E2 86 BF 0C 92 9E E3 3A EA  _....9........:.

Aug 15 14:46:08 raspi3 charon: 12[PTS]   16: D7 23 93 EB C2 85 F5 09 EC DB C0 B1 E5 51 50 DE  .#...........QP.

Aug 15 14:46:08 raspi3 charon: 12[PTS] secret assessment value: => 20 bytes @ 0x11c5e0

Aug 15 14:46:08 raspi3 charon: 12[PTS]    0: D8 9D 1E 70 CE 78 C3 13 F2 79 BA 5D 7C E5 05 7C  ...p.x...y.]|..|

Aug 15 14:46:08 raspi3 charon: 12[PTS]   16: E0 E0 83 77                                      ...w

</pre>

h3. Sending TPM Version Information

<pre>

Aug 15 14:46:08 raspi3 charon: 12[PTS] TPM Version Info: Chip Version: 1.2.133.32, Spec Level: 2, Errata Rev: 3, Vendor ID: IFX

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[TNC] creating PA-TNC message with ID 0x641bcea1

Aug 15 14:46:08 raspi3 charon: 12[TNC] creating PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000

Aug 15 14:46:08 raspi3 charon: 12[TNC] creating PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000

Aug 15 14:46:08 raspi3 charon: 12[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 12[TNC] TNC server is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 12[TNC] creating PB-TNC SDATA batch

Aug 15 14:46:08 raspi3 charon: 12[TNC] adding IETF/PB-PA message

Aug 15 14:46:08 raspi3 charon: 12[TNC] sending PB-TNC SDATA batch (87 bytes) for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 12[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 12[ENC] generating IKE_AUTH request 12 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 12[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (400 bytes)

Aug 15 14:46:08 raspi3 charon: 13[ENC] parsed IKE_AUTH response 12 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 13[TNC] received TNCCS batch (226 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[TNC] TNC server is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 13[TNC] processing PB-TNC CDATA batch for Connection ID 2

Aug 15 14:46:08 raspi3 charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 13[TNC] processing IETF/PB-PA message (218 bytes)

Aug 15 14:46:08 raspi3 charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 13[IMV] IMV 1 "Attestation" received message for Connection ID 2 from IMC 2 to IMV 1

Aug 15 14:46:08 raspi3 charon: 13[TNC] processing PA-TNC message with ID 0x676268aa

Aug 15 14:46:08 raspi3 charon: 13[TNC] processing PA-TNC attribute type 'TCG/Unix-Style File Metadata' 0x005597/0x00900000

Aug 15 14:46:08 raspi3 charon: 13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[IMV] metadata request returned 1 file:

Aug 15 14:46:08 raspi3 charon: 13[IMV]  'tnc_config' (177 bytes) owner 0, group 0, type Regular

Aug 15 14:46:08 raspi3 charon: 13[IMV]     created Jun 16 20:09:17 2015, modified Jun 16 20:09:17 2015, accessed Jun 16 20:09:17 2015

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[PTS] selected DH hash algorithm is HASH_SHA1

Aug 15 14:46:08 raspi3 charon: 13[PTS] selected PTS DH group is ECP_256

Aug 15 14:46:08 raspi3 charon: 13[PTS] nonce length is 20

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[PTS] initiator nonce: => 20 bytes @ 0x11d890

Aug 15 14:46:08 raspi3 charon: 13[PTS]    0: 27 B7 51 A0 C8 66 92 54 F0 57 C1 49 9D 2A 7D 3A  '.Q..f.T.W.I.*}:

Aug 15 14:46:08 raspi3 charon: 13[PTS]   16: F1 38 81 26                                      .8.&

Aug 15 14:46:08 raspi3 charon: 13[PTS] responder nonce: => 20 bytes @ 0x11e418

Aug 15 14:46:08 raspi3 charon: 13[PTS]    0: 96 48 1F 52 8C A6 D5 6E 5F A4 17 2B AF BE 26 71  .H.R...n_..+..&q

Aug 15 14:46:08 raspi3 charon: 13[PTS]   16: 49 73 01 42                                      Is.B

Aug 15 14:46:08 raspi3 charon: 13[PTS] shared DH secret: => 32 bytes @ 0x127170

Aug 15 14:46:08 raspi3 charon: 13[PTS]    0: AA FE 9F 01 D7 CC 22 17 FF 35 CF 9C 70 41 7B 11  ......"..5..pA{.

Aug 15 14:46:08 raspi3 charon: 13[PTS]   16: D0 3C B6 32 BF 3D 80 BF 73 32 1E 95 F3 20 9E D1  .<.2.=..s2... ..

Aug 15 14:46:08 raspi3 charon: 13[PTS] secret assessment value: => 20 bytes @ 0x11e9f0

Aug 15 14:46:08 raspi3 charon: 13[PTS]    0: B2 E0 AB DF 89 C5 1D B2 A3 51 FD A9 C8 3B F8 7F  .........Q...;..

Aug 15 14:46:08 raspi3 charon: 13[PTS]   16: 68 50 6C DE                                      hPl.

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PA-TNC message with ID 0xe1b84e91

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 13[TNC] TNC client is handling outbound connection

Aug 15 14:46:08 raspi3 charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:08 raspi3 charon: 13[TNC] creating PB-TNC CDATA batch

Aug 15 14:46:08 raspi3 charon: 13[TNC] adding IETF/PB-PA message

Aug 15 14:46:08 raspi3 charon: 13[TNC] sending PB-TNC CDATA batch (902 bytes) for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:08 raspi3 charon: 13[ENC] generating IKE_AUTH request 13 [ EAP/RES/TTLS ]

Aug 15 14:46:08 raspi3 charon: 13[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1072 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 14[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)

Aug 15 14:46:08 raspi3 charon: 14[ENC] parsed IKE_AUTH response 13 [ EAP/REQ/TTLS ]

Aug 15 14:46:08 raspi3 charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:08 raspi3 charon: 14[TNC] received TNCCS batch (80 bytes)

</pre>

<pre>

Aug 15 14:46:08 raspi3 charon: 14[TNC] TNC client is handling inbound connection

Aug 15 14:46:08 raspi3 charon: 14[TNC] processing PB-TNC SDATA batch for Connection ID 1

Aug 15 14:46:08 raspi3 charon: 14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:08 raspi3 charon: 14[TNC] processing IETF/PB-PA message (72 bytes)

Aug 15 14:46:08 raspi3 charon: 14[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:08 raspi3 charon: 14[IMC] IMC 2 "Attestation" received message for Connection ID 1 from IMV 1

Aug 15 14:46:08 raspi3 charon: 14[TNC] processing PA-TNC message with ID 0xed256fac

Aug 15 14:46:08 raspi3 charon: 14[TNC] processing PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000

Aug 15 14:46:08 raspi3 charon: 14[TNC] processing PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000

Aug 15 14:46:08 raspi3 charon: 14[IMC] evidence requested for 1 functional components

Aug 15 14:46:08 raspi3 charon: 14[PTS] * ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

</pre>

h3. Initiator Attestation Measurements

<pre>

Aug 15 14:46:08 raspi3 charon: 14[PTS] loaded ima measurements '/sys/kernel/security/ima/binary_runtime_measurements' (434 entries)

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: dd:ee:60:04:dc:3b:d4:ee:30:04:06:cd:93:18:1c:5a:21:87:b5:9b

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:boot_aggregate'

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/init'

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/bin/sh'

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so'

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/bin/mkdir'

...

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: 1a:71:6c:9c:9f:6d:4f:2e:4a:88:42:49:b0:00:8d:5e:ec:05:7e:eb

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/usr/sbin/service'

Aug 15 14:46:08 raspi3 charon: 14[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:08 raspi3 charon: 14[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:08 raspi3 charon: 14[PTS] PCR 10 extended with: e8:f5:f2:02:d4:c1:18:d5:f7:55:5c:2d:4a:a0:d3:12:d4:13:06:ce

Aug 15 14:46:08 raspi3 charon: 14[PTS] 'sha1:/bin/cp'

</pre>

h3. Generating Initiator TPM Quote Signature

<pre>

Aug 15 14:46:09 raspi3 charon: 14[PTS] Hash of PCR Composite: 58:f2:83:91:d6:a8:df:3d:3e:c6:33:c7:24:93:9f:9c:22:a2:01:20

Aug 15 14:46:09 raspi3 charon: 14[PTS] TPM Quote Info: => 52 bytes @ 0x135360

Aug 15 14:46:09 raspi3 charon: 14[PTS]    0: 00 36 51 55 54 32 D8 9D 1E 70 CE 78 C3 13 F2 79  .6QUT2...p.x...y

Aug 15 14:46:09 raspi3 charon: 14[PTS]   16: BA 5D 7C E5 05 7C E0 E0 83 77 00 03 00 04 00 01  .]|..|...w......

Aug 15 14:46:09 raspi3 charon: 14[PTS]   32: 58 F2 83 91 D6 A8 DF 3D 3E C6 33 C7 24 93 9F 9C  X......=>.3.$...

Aug 15 14:46:09 raspi3 charon: 14[PTS]   48: 22 A2 01 20                                      ".. 

Aug 15 14:46:09 raspi3 charon: 14[PTS] TPM Quote Signature: => 256 bytes @ 0x14b5d0

Aug 15 14:46:09 raspi3 charon: 14[PTS]    0: 88 6E 6B 2E 33 AC AD 94 E6 A1 38 3E CD EC 9F E9  .nk.3.....8>....

Aug 15 14:46:09 raspi3 charon: 14[PTS]   16: F0 92 E9 E4 4A 66 05 50 0B 30 F2 DF 50 DC 80 4E  ....Jf.P.0..P..N

Aug 15 14:46:09 raspi3 charon: 14[PTS]   32: F1 AC BE 93 99 06 DF 41 AD 49 F9 DE 09 F1 18 15  .......A.I......

Aug 15 14:46:09 raspi3 charon: 14[PTS]   48: 2B B9 97 D9 DD A9 E9 7F 3D ED B8 BF EB FF 7E C6  +.......=.....~.

Aug 15 14:46:09 raspi3 charon: 14[PTS]   64: A1 1A 77 87 67 9B 24 78 46 AC C0 AA 25 FA 87 5F  ..w.g.$xF...%.._

Aug 15 14:46:09 raspi3 charon: 14[PTS]   80: E3 F4 F8 33 35 30 C3 31 BE DE 77 A5 2E 4F 8D 3B  ...350.1..w..O.;

Aug 15 14:46:09 raspi3 charon: 14[PTS]   96: F5 52 36 F4 8E C4 FA D4 A1 61 1C 4B 71 A2 52 8B  .R6......a.Kq.R.

Aug 15 14:46:09 raspi3 charon: 14[PTS]  112: 80 AD A6 DD 8D E5 D8 47 4F 2B 9C 17 CF BF AC 10  .......GO+......

Aug 15 14:46:09 raspi3 charon: 14[PTS]  128: C6 31 4B 01 C3 59 C3 FD F7 D2 65 C1 F0 32 12 8B  .1K..Y....e..2..

Aug 15 14:46:09 raspi3 charon: 14[PTS]  144: 8F 54 49 A7 40 F9 BD 43 86 79 A1 FD 51 05 DB 65  .TI.@..C.y..Q..e

Aug 15 14:46:09 raspi3 charon: 14[PTS]  160: C8 A4 C1 67 44 96 89 4D F4 E7 DB D5 AE 67 35 17  ...gD..M.....g5.

Aug 15 14:46:09 raspi3 charon: 14[PTS]  176: D7 D3 68 23 E9 1F 98 9E E6 7C 86 89 EE A4 31 68  ..h#.....|....1h

Aug 15 14:46:09 raspi3 charon: 14[PTS]  192: 15 B6 F6 E3 10 86 F0 FE C3 9B C2 7D 5B FB 33 BA  ...........}[.3.

Aug 15 14:46:09 raspi3 charon: 14[PTS]  208: 88 BE 5C D9 71 54 7F BF 72 31 5F 8E 58 4A E9 A4  ..\.qT..r1_.XJ..

Aug 15 14:46:09 raspi3 charon: 14[PTS]  224: B0 8E 3B 55 03 90 AD E1 C8 A0 C7 9C 83 13 DE 0F  ..;U............

Aug 15 14:46:09 raspi3 charon: 14[PTS]  240: 60 D8 A4 E2 4C CD E4 E2 A4 BA 11 BE 3D D4 A5 A7  `...L.......=...

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC message with ID 0x2d059578

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

...

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 14[TNC] TNC server is handling outbound connection

Aug 15 14:46:09 raspi3 charon: 14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:09 raspi3 charon: 14[TNC] creating PB-TNC SDATA batch

Aug 15 14:46:09 raspi3 charon: 14[TNC] adding IETF/PB-PA message

Aug 15 14:46:09 raspi3 charon: 14[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 2

Aug 15 14:46:09 raspi3 charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:09 raspi3 charon: 14[ENC] generating IKE_AUTH request 14 [ EAP/RES/TTLS ]

Aug 15 14:46:09 raspi3 charon: 14[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (336 bytes)

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 12[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1072 bytes)

Aug 15 14:46:09 raspi3 charon: 12[ENC] parsed IKE_AUTH response 14 [ EAP/REQ/TTLS ]

Aug 15 14:46:09 raspi3 charon: 12[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:09 raspi3 charon: 12[TNC] received TNCCS batch (902 bytes)

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 12[TNC] TNC server is handling inbound connection

Aug 15 14:46:09 raspi3 charon: 12[TNC] processing PB-TNC CDATA batch for Connection ID 2

Aug 15 14:46:09 raspi3 charon: 12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:09 raspi3 charon: 12[TNC] processing IETF/PB-PA message (894 bytes)

Aug 15 14:46:09 raspi3 charon: 12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:09 raspi3 charon: 12[IMV] IMV 1 "Attestation" received message for Connection ID 2 from IMC 2 to IMV 1

Aug 15 14:46:09 raspi3 charon: 12[TNC] processing PA-TNC message with ID 0x951e0284

Aug 15 14:46:09 raspi3 charon: 12[TNC] processing PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000

Aug 15 14:46:09 raspi3 charon: 12[TNC] processing PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000

</pre>

h3. Receiving TPM Version Information

<pre>

Aug 15 14:46:09 raspi3 charon: 12[PTS] TPM Version Info: Chip Version: 1.2.133.32, Spec Level: 2, Errata Rev: 3, Vendor ID: IFX

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 12[IMV] verifying AIK with keyid 76:28:72:c9:00:11:67:1e:f2:19:b6:a2:a0:c3:c7:dd:a8:75:b4:3c

Aug 15 14:46:09 raspi3 charon: 12[IMV] AIK public key is trusted

Aug 15 14:46:09 raspi3 charon: 12[CFG]   using trusted certificate "C=US, O=TNC Demo, CN=AIK CA"

Aug 15 14:46:09 raspi3 charon: 12[IMV] AIK certificate is trusted

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 12[IMV] evidence request by

Aug 15 14:46:09 raspi3 charon: 12[PTS]   ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:09 raspi3 charon: 12[TNC] creating PA-TNC message with ID 0xc8f4500b

Aug 15 14:46:09 raspi3 charon: 12[TNC] creating PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000

Aug 15 14:46:09 raspi3 charon: 12[TNC] creating PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000

Aug 15 14:46:09 raspi3 charon: 12[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

<pre>

Aug 15 14:46:09 raspi3 charon: 12[TNC] TNC client is handling outbound connection

Aug 15 14:46:09 raspi3 charon: 12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:09 raspi3 charon: 12[TNC] creating PB-TNC CDATA batch

Aug 15 14:46:09 raspi3 charon: 12[TNC] adding IETF/PB-PA message

Aug 15 14:46:09 raspi3 charon: 12[TNC] sending PB-TNC CDATA batch (47615 bytes) for Connection ID 1

Aug 15 14:46:09 raspi3 charon: 12[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:09 raspi3 charon: 12[ENC] generating IKE_AUTH request 15 [ EAP/RES/TTLS ]

Aug 15 14:46:09 raspi3 charon: 12[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:09 raspi3 charon: 13[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:09 raspi3 charon: 13[ENC] parsed IKE_AUTH response 15 [ EAP/REQ/TTLS ]

Aug 15 14:46:09 raspi3 charon: 13[ENC] generating IKE_AUTH request 16 [ EAP/RES/TTLS ]

Aug 15 14:46:09 raspi3 charon: 13[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:09 raspi3 charon: 15[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:09 raspi3 charon: 15[ENC] parsed IKE_AUTH response 16 [ EAP/REQ/TTLS ]

Aug 15 14:46:09 raspi3 charon: 15[ENC] generating IKE_AUTH request 17 [ EAP/RES/TTLS ]

Aug 15 14:46:09 raspi3 charon: 15[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:09 raspi3 charon: 16[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:09 raspi3 charon: 16[ENC] parsed IKE_AUTH response 17 [ EAP/REQ/TTLS ]

Aug 15 14:46:09 raspi3 charon: 16[ENC] generating IKE_AUTH request 18 [ EAP/RES/TTLS ]

Aug 15 14:46:09 raspi3 charon: 16[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:09 raspi3 charon: 14[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:09 raspi3 charon: 14[ENC] parsed IKE_AUTH response 18 [ EAP/REQ/TTLS ]

...

Aug 15 14:46:10 raspi3 charon: 13[ENC] generating IKE_AUTH request 60 [ EAP/RES/TTLS ]

Aug 15 14:46:10 raspi3 charon: 13[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:10 raspi3 charon: 15[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:10 raspi3 charon: 15[ENC] parsed IKE_AUTH response 60 [ EAP/REQ/TTLS ]

Aug 15 14:46:10 raspi3 charon: 15[ENC] generating IKE_AUTH request 61 [ EAP/RES/TTLS ]

Aug 15 14:46:10 raspi3 charon: 15[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

Aug 15 14:46:14 raspi3 charon: 13[IKE] retransmit 1 of request with message ID 61

Aug 15 14:46:14 raspi3 charon: 13[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)

</pre>

<pre>

Aug 15 14:46:16 raspi3 charon: 15[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)

Aug 15 14:46:16 raspi3 charon: 15[ENC] parsed IKE_AUTH response 61 [ EAP/REQ/TTLS ]

Aug 15 14:46:16 raspi3 charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:16 raspi3 charon: 15[TNC] received TNCCS batch (88 bytes)

</pre>

<pre>

Aug 15 14:46:16 raspi3 charon: 15[TNC] TNC client is handling inbound connection

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing PB-TNC RESULT batch for Connection ID 1

Aug 15 14:46:16 raspi3 charon: 15[TNC] PB-TNC state transition from 'Server Working' to 'Decided'

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing IETF/PB-PA message (48 bytes)

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing IETF/PB-Assessment-Result message (16 bytes)

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing IETF/PB-Access-Recommendation message (16 bytes)

Aug 15 14:46:16 raspi3 charon: 15[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:16 raspi3 charon: 15[IMC] IMC 2 "Attestation" received message for Connection ID 1 from IMV 1

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing PA-TNC message with ID 0x57254d62

Aug 15 14:46:16 raspi3 charon: 15[TNC] processing PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009

</pre>

h3. Receiving Assessment Result

<pre>

Aug 15 14:46:16 raspi3 charon: 15[IMC] ***** assessment of IMC 2 "Attestation" from IMV 1 *****

Aug 15 14:46:16 raspi3 charon: 15[IMC] assessment result is 'compliant'

Aug 15 14:46:16 raspi3 charon: 15[IMC] ***** end of assessment *****

</pre>

<pre>

Aug 15 14:46:16 raspi3 charon: 15[TNC] PB-TNC assessment result is 'compliant'

Aug 15 14:46:16 raspi3 charon: 15[TNC] PB-TNC access recommendation is 'Access Allowed'

Aug 15 14:46:16 raspi3 charon: 15[IMC] IMC 1 "OS" changed state of Connection ID 1 to 'Allowed'

Aug 15 14:46:16 raspi3 charon: 15[IMC] IMC 2 "Attestation" changed state of Connection ID 1 to 'Allowed'

</pre>

<pre>

Aug 15 14:46:16 raspi3 charon: 15[TNC] TNC server is handling outbound connection

Aug 15 14:46:16 raspi3 charon: 15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Aug 15 14:46:16 raspi3 charon: 15[TNC] creating PB-TNC SDATA batch

Aug 15 14:46:16 raspi3 charon: 15[TNC] adding IETF/PB-PA message

Aug 15 14:46:16 raspi3 charon: 15[TNC] sending PB-TNC SDATA batch (80 bytes) for Connection ID 2

Aug 15 14:46:16 raspi3 charon: 15[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:16 raspi3 charon: 15[ENC] generating IKE_AUTH request 62 [ EAP/RES/TTLS ]

Aug 15 14:46:16 raspi3 charon: 15[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:17 raspi3 charon: 16[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)

Aug 15 14:46:17 raspi3 charon: 16[ENC] parsed IKE_AUTH response 62 [ EAP/REQ/TTLS ]

Aug 15 14:46:17 raspi3 charon: 16[ENC] generating IKE_AUTH request 63 [ EAP/RES/TTLS ]

Aug 15 14:46:17 raspi3 charon: 16[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)

Aug 15 14:46:17 raspi3 charon: 14[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)

Aug 15 14:46:17 raspi3 charon: 14[ENC] parsed IKE_AUTH response 63 [ EAP/REQ/TTLS ]

Aug 15 14:46:17 raspi3 charon: 14[ENC] generating IKE_AUTH request 64 [ EAP/RES/TTLS ]

Aug 15 14:46:17 raspi3 charon: 14[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)

Aug 15 14:46:17 raspi3 charon: 09[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)

Aug 15 14:46:17 raspi3 charon: 09[ENC] parsed IKE_AUTH response 64 [ EAP/REQ/TTLS ]

Aug 15 14:46:17 raspi3 charon: 09[ENC] generating IKE_AUTH request 65 [ EAP/RES/TTLS ]

Aug 15 14:46:17 raspi3 charon: 09[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)

...

Aug 15 14:46:18 raspi3 charon: 08[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)

Aug 15 14:46:18 raspi3 charon: 08[ENC] parsed IKE_AUTH response 109 [ EAP/REQ/TTLS ]

Aug 15 14:46:18 raspi3 charon: 08[ENC] generating IKE_AUTH request 110 [ EAP/RES/TTLS ]

Aug 15 14:46:18 raspi3 charon: 08[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)

Aug 15 14:46:18 raspi3 charon: 07[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1040 bytes)

Aug 15 14:46:18 raspi3 charon: 07[ENC] parsed IKE_AUTH response 110 [ EAP/REQ/TTLS ]

Aug 15 14:46:18 raspi3 charon: 07[IKE] need more AVP data

Aug 15 14:46:18 raspi3 charon: 07[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:18 raspi3 charon: 07[TNC] received TNCCS batch (49524 bytes)

</pre>

<pre>

Aug 15 14:46:18 raspi3 charon: 07[TNC] TNC server is handling inbound connection

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PB-TNC CDATA batch for Connection ID 2

Aug 15 14:46:18 raspi3 charon: 07[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing IETF/PB-PA message (49516 bytes)

Aug 15 14:46:18 raspi3 charon: 07[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

Aug 15 14:46:18 raspi3 charon: 07[IMV] IMV 1 "Attestation" received message for Connection ID 2 from IMC 2 to IMV 1

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC message with ID 0xed64f7ab

</pre>

h3. Responder Attestation Measurements

<pre>

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: dd:ee:60:04:dc:3b:d4:ee:30:04:06:cd:93:18:1c:5a:21:87:b5:9b

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:boot_aggregate'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/init'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/bin/sh'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/bin/mkdir'

...

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 55:f4:cd:fd:82:d2:99:e1:33:b6:82:67:95:e6:5d:03:5c:bb:d2:c2

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/usr/bin/clear_console'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Aug 15 14:46:18 raspi3 charon: 07[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'

Aug 15 14:46:18 raspi3 charon: 07[PTS] measurement time: Jan 01 01:00:04 1970

Aug 15 14:46:18 raspi3 charon: 07[PTS] PCR 10 extended with: 7a:fc:49:eb:8f:e6:74:3f:ac:91:41:a2:c0:ac:92:28:33:fd:7b:33

Aug 15 14:46:18 raspi3 charon: 07[PTS] 'sha1:/usr/libexec/ipsec/stroke'

Aug 15 14:46:18 raspi3 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000

Aug 15 14:46:18 raspi3 charon: 07[PTS] checking boot aggregate evidence measurement

</pre>

h3. Verifying Responder Attestation Measurements

<pre>

Aug 15 14:46:18 raspi3 charon: 07[PTS] 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82 for '/init' not found

Aug 15 14:46:18 raspi3 charon: 07[PTS] 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29 for '/bin/sh' is ok

Aug 15 14:46:18 raspi3 charon: 07[PTS] 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e for '/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so' is ok

Aug 15 14:46:18 raspi3 charon: 07[PTS] 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82 for '/bin/mkdir' is ok

...

Aug 15 14:46:25 raspi3 charon: 07[PTS] 55:f4:cd:fd:82:d2:99:e1:33:b6:82:67:95:e6:5d:03:5c:bb:d2:c2 for '/usr/bin/clear_console' is ok

Aug 15 14:46:25 raspi3 charon: 07[PTS] 7a:fc:49:eb:8f:e6:74:3f:ac:91:41:a2:c0:ac:92:28:33:fd:7b:33 for '/usr/libexec/ipsec/stroke' is ok

</pre>

h3. Verfiying Responder TPM Quote Signature

<pre>

Aug 15 14:46:25 raspi3 charon: 07[PTS] constructed PCR Composite: => 29 bytes @ 0x125488

Aug 15 14:46:25 raspi3 charon: 07[PTS]    0: 00 03 00 04 00 00 00 00 14 7D C1 1B 87 CF 2E B8  .........}......

Aug 15 14:46:25 raspi3 charon: 07[PTS]   16: 5C 1B 52 99 B8 BD 11 D9 B9 8A 31 8E 61           \.R.......1.a

Aug 15 14:46:25 raspi3 charon: 07[PTS] constructed PCR Composite hash: c4:6a:f4:fa:82:39:a6:7a:80:fe:4e:d2:7e:a5:05:b3:1e:60:4f:ff

Aug 15 14:46:25 raspi3 charon: 07[PTS] constructed TPM Quote Info: => 52 bytes @ 0x1954c8

Aug 15 14:46:25 raspi3 charon: 07[PTS]    0: 00 36 51 55 54 32 B2 E0 AB DF 89 C5 1D B2 A3 51  .6QUT2.........Q

Aug 15 14:46:25 raspi3 charon: 07[PTS]   16: FD A9 C8 3B F8 7F 68 50 6C DE 00 03 00 04 00 01  ...;..hPl.......

Aug 15 14:46:25 raspi3 charon: 07[PTS]   32: C4 6A F4 FA 82 39 A6 7A 80 FE 4E D2 7E A5 05 B3  .j...9.z..N.~...

Aug 15 14:46:25 raspi3 charon: 07[PTS]   48: 1E 60 4F FF                                      .`O.

Aug 15 14:46:25 raspi3 charon: 07[IMV] received PCR Composite matches constructed one

Aug 15 14:46:25 raspi3 charon: 07[IMV] TPM Quote Info signature verification successful

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 07[PTS] processed 450 IMA file evidence measurements: 385 ok, 65 unknown, 0 differ, 0 failed

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 07[IMV] IMV 1 handled TPMRA workitem 18: allow - processed 450 IMA file evidence measurements: 385 ok, 65 unknown, 0 differ, 0 failed

Aug 15 14:46:25 raspi3 charon: 07[TNC] creating PA-TNC message with ID 0x4077e3ed

Aug 15 14:46:25 raspi3 charon: 07[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009

Aug 15 14:46:25 raspi3 charon: 07[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

</pre>

h3. Sending Assessment Result

<pre>

Aug 15 14:46:25 raspi3 charon: 07[TNC] IMV 1 provides recommendation 'allow' and evaluation 'compliant'

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 07[TNC] TNC server is handling outbound connection

Aug 15 14:46:25 raspi3 charon: 07[IMV] policy: recommendation for access requestor 10.10.1.40 is allow

Aug 15 14:46:25 raspi3 charon: 07[IMV] policy: imv_policy_manager stop successful

Aug 15 14:46:25 raspi3 charon: 07[IMV] IMV 1 "Attestation" changed state of Connection ID 2 to 'Allowed'

Aug 15 14:46:25 raspi3 charon: 07[TNC] PB-TNC state transition from 'Server Working' to 'Decided'

Aug 15 14:46:25 raspi3 charon: 07[TNC] creating PB-TNC RESULT batch

Aug 15 14:46:25 raspi3 charon: 07[TNC] adding IETF/PB-PA message

Aug 15 14:46:25 raspi3 charon: 07[TNC] adding IETF/PB-Assessment-Result message

Aug 15 14:46:25 raspi3 charon: 07[TNC] adding IETF/PB-Access-Recommendation message

Aug 15 14:46:25 raspi3 charon: 07[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 2

Aug 15 14:46:25 raspi3 charon: 07[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:25 raspi3 charon: 07[ENC] generating IKE_AUTH request 111 [ EAP/RES/TTLS ]

Aug 15 14:46:25 raspi3 charon: 07[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 11[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (176 bytes)

Aug 15 14:46:25 raspi3 charon: 11[ENC] parsed IKE_AUTH response 111 [ EAP/REQ/TTLS ]

Aug 15 14:46:25 raspi3 charon: 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]

Aug 15 14:46:25 raspi3 charon: 11[TNC] received TNCCS batch (8 bytes)

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 11[TNC] TNC server is handling inbound connection

Aug 15 14:46:25 raspi3 charon: 11[TNC] processing PB-TNC CLOSE batch for Connection ID 2

Aug 15 14:46:25 raspi3 charon: 11[TNC] PB-TNC state transition from 'Decided' to 'End'

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 11[TNC] TNC client is handling outbound connection

Aug 15 14:46:25 raspi3 charon: 11[TNC] PB-TNC state transition from 'Decided' to 'End'

Aug 15 14:46:25 raspi3 charon: 11[TNC] creating PB-TNC CLOSE batch

Aug 15 14:46:25 raspi3 charon: 11[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1

Aug 15 14:46:25 raspi3 charon: 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]

Aug 15 14:46:25 raspi3 charon: 11[ENC] generating IKE_AUTH request 112 [ EAP/RES/TTLS ]

Aug 15 14:46:25 raspi3 charon: 11[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (176 bytes)

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 05[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)

Aug 15 14:46:25 raspi3 charon: 05[ENC] parsed IKE_AUTH response 112 [ EAP/SUCC ]

Aug 15 14:46:25 raspi3 charon: 05[IKE] EAP method EAP_TTLS succeeded, MSK established

Aug 15 14:46:25 raspi3 charon: 05[IKE] authentication of 'raspi3.example.com' (myself) with EAP

Aug 15 14:46:25 raspi3 charon: 05[ENC] generating IKE_AUTH request 113 [ AUTH ]

Aug 15 14:46:25 raspi3 charon: 05[NET] sending packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (112 bytes)

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 12[NET] received packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (240 bytes)

Aug 15 14:46:25 raspi3 charon: 12[ENC] parsed IKE_AUTH response 113 [ AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 12[IKE] authentication of 'raspi4.example.com' with EAP successful

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 12[IMV] IMV 1 "Attestation" deleted the state of Connection ID 2

Aug 15 14:46:25 raspi3 charon: 12[TNC] removed TNCCS Connection ID 2

Aug 15 14:46:25 raspi3 charon: 12[IMC] IMC 1 "OS" deleted the state of Connection ID 1

Aug 15 14:46:25 raspi3 charon: 12[IMC] IMC 2 "Attestation" deleted the state of Connection ID 1

Aug 15 14:46:25 raspi3 charon: 12[TNC] removed TNCCS Connection ID 1

</pre>

<pre>

Aug 15 14:46:25 raspi3 charon: 12[IKE] IKE_SA peer[1] established between 10.10.1.39[raspi3.example.com]...10.10.1.40[raspi4.example.com]

Aug 15 14:46:25 raspi3 charon: 12[IKE] scheduling reauthentication in 10132s

Aug 15 14:46:25 raspi3 charon: 12[IKE] maximum IKE_SA lifetime 10672s

Aug 15 14:46:25 raspi3 charon: 12[IKE] CHILD_SA peer{1} established with SPIs c12c1aae_i ce21eedf_o and TS 10.10.1.39/32 === 10.10.1.40/32 

Aug 15 14:46:25 raspi3 charon: 12[IKE] received AUTH_LIFETIME of 10143s, scheduling reauthentication in 9603s

Aug 15 14:46:25 raspi3 charon: 12[IKE] peer supports MOBIKE

</pre>

h2. strongTNC Policy Manager

!tnc3.png!

This screenshot of the strongTNC policy manager running on *raspi3* shows that the attestation of *raspi4* has been successful.

h2. IPsec Connection established

The command

<pre>

raspi3# ipsec statusall

</pre>

shows that the IPsec transport connection between *raspi3* and *raspi4* has been successfully established.

<pre>

Status of IKE charon daemon (strongSwan 5.3.1, Linux 3.18.13-v7+, armv7l):

  uptime: 2 minutes, since Aug 15 14:45:56 2015

  malloc: sbrk 1961984, mmap 0, used 1441224, free 520760

  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3

  loaded plugins: charon random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke

Listening IP addresses:

  10.10.1.39

Connections:

        peer:  10.10.1.39...10.10.1.40  IKEv2

        peer:   local:  [raspi3.example.com] uses EAP_TTLS authentication

        peer:    cert:  "C=US, O=TNC Demo, CN=raspi3.example.com"

        peer:   remote: [raspi4.example.com] uses any authentication

        peer:   child:  dynamic === dynamic TRANSPORT

Security Associations (1 up, 0 connecting):

        peer[1]: ESTABLISHED 2 minutes ago, 10.10.1.39[raspi3.example.com]...10.10.1.40[raspi4.example.com]

        peer[1]: IKEv2 SPIs: 168d780b16692776_i* 24a43cb75417ebe5_r, EAP reauthentication in 2 hours

        peer[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256

        peer{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c12c1aae_i ce21eedf_o

        peer{1}:  AES_CBC_128/HMAC_SHA2_256_128, 640 bytes_i (10 pkts, 36s ago), 640 bytes_o (10 pkts, 36s ago), rekeying in 43 minutes