strongSwan as a Policy Enforcement Point » History » Version 10
Andreas Steffen, 14.12.2010 21:49
| 1 | 1 | Andreas Steffen | h1. strongSwan as a Policy Enforcement Point |
|---|---|---|---|
| 2 | 2 | Andreas Steffen | |
| 3 | 7 | Andreas Steffen | h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface |
| 4 | 4 | Andreas Steffen | |
| 5 | 3 | Andreas Steffen | <pre> |
| 6 | 3 | Andreas Steffen | ./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl |
| 7 | 3 | Andreas Steffen | --enable-eap-radius |
| 8 | 3 | Andreas Steffen | </pre> |
| 9 | 1 | Andreas Steffen | |
| 10 | 3 | Andreas Steffen | /etc/strongswan.conf - strongSwan configuration file |
| 11 | 3 | Andreas Steffen | |
| 12 | 1 | Andreas Steffen | <pre> |
| 13 | 3 | Andreas Steffen | charon { |
| 14 | 3 | Andreas Steffen | plugins { |
| 15 | 3 | Andreas Steffen | eap-radius { |
| 16 | 3 | Andreas Steffen | secret = gv6URkSs |
| 17 | 3 | Andreas Steffen | server = 10.1.0.10 |
| 18 | 3 | Andreas Steffen | filter_id = yes |
| 19 | 3 | Andreas Steffen | } |
| 20 | 3 | Andreas Steffen | } |
| 21 | 3 | Andreas Steffen | } |
| 22 | 1 | Andreas Steffen | </pre> |
| 23 | 3 | Andreas Steffen | |
| 24 | 3 | Andreas Steffen | /etc/ipsec.secrets - strongSwan IPsec secrets file |
| 25 | 3 | Andreas Steffen | |
| 26 | 3 | Andreas Steffen | <pre> |
| 27 | 3 | Andreas Steffen | : RSA moonKey.pem |
| 28 | 3 | Andreas Steffen | </pre> |
| 29 | 3 | Andreas Steffen | |
| 30 | 3 | Andreas Steffen | /etc/ipsec.conf - strongSwan IPsec configuration file |
| 31 | 3 | Andreas Steffen | |
| 32 | 3 | Andreas Steffen | <pre> |
| 33 | 3 | Andreas Steffen | conn rw-allow |
| 34 | 3 | Andreas Steffen | rightgroups=allow |
| 35 | 3 | Andreas Steffen | leftsubnet=10.1.0.0/28 |
| 36 | 3 | Andreas Steffen | also=rw-eap |
| 37 | 3 | Andreas Steffen | auto=add |
| 38 | 3 | Andreas Steffen | |
| 39 | 3 | Andreas Steffen | conn rw-isolate |
| 40 | 3 | Andreas Steffen | rightgroups=isolate |
| 41 | 3 | Andreas Steffen | leftsubnet=10.1.0.16/28 |
| 42 | 3 | Andreas Steffen | also=rw-eap |
| 43 | 3 | Andreas Steffen | auto=add |
| 44 | 3 | Andreas Steffen | |
| 45 | 3 | Andreas Steffen | conn rw-eap |
| 46 | 3 | Andreas Steffen | leftcert=moonCert.pem |
| 47 | 3 | Andreas Steffen | leftid=@moon.strongswan.org |
| 48 | 3 | Andreas Steffen | leftauth=pubkey |
| 49 | 3 | Andreas Steffen | rightauth=eap-radius |
| 50 | 3 | Andreas Steffen | rightid=*@strongswan.org |
| 51 | 3 | Andreas Steffen | rightsendcert=never |
| 52 | 3 | Andreas Steffen | right=%any |
| 53 | 3 | Andreas Steffen | </pre> |
| 54 | 1 | Andreas Steffen | |
| 55 | 1 | Andreas Steffen | "PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log |
| 56 | 7 | Andreas Steffen | |
| 57 | 7 | Andreas Steffen | h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin |
| 58 | 7 | Andreas Steffen | |
| 59 | 8 | Andreas Steffen | First build a "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh Server based on FreeRADIUS with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods. |
| 60 | 9 | Andreas Steffen | |
| 61 | 9 | Andreas Steffen | In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed: |
| 62 | 9 | Andreas Steffen | |
| 63 | 9 | Andreas Steffen | /etc/raddb/clients.conf |
| 64 | 9 | Andreas Steffen | |
| 65 | 9 | Andreas Steffen | <pre> |
| 66 | 9 | Andreas Steffen | client 10.1.0.1 { |
| 67 | 9 | Andreas Steffen | secret = gv6URkSs |
| 68 | 9 | Andreas Steffen | shortname = moon |
| 69 | 9 | Andreas Steffen | } |
| 70 | 9 | Andreas Steffen | </pre> |
| 71 | 9 | Andreas Steffen | |
| 72 | 9 | Andreas Steffen | /etc/raddb/eap.conf |
| 73 | 9 | Andreas Steffen | |
| 74 | 9 | Andreas Steffen | <pre> |
| 75 | 9 | Andreas Steffen | eap { |
| 76 | 9 | Andreas Steffen | md5 { |
| 77 | 9 | Andreas Steffen | } |
| 78 | 9 | Andreas Steffen | default_eap_type = ttls |
| 79 | 9 | Andreas Steffen | tls { |
| 80 | 9 | Andreas Steffen | private_key_file = /etc/raddb/certs/aaaKey.pem |
| 81 | 9 | Andreas Steffen | certificate_file = /etc/raddb/certs/aaaCert.pem |
| 82 | 9 | Andreas Steffen | CA_file = /etc/raddb/certs/strongswanCert.pem |
| 83 | 9 | Andreas Steffen | cipher_list = "DEFAULT" |
| 84 | 9 | Andreas Steffen | dh_file = /etc/raddb/certs/dh |
| 85 | 9 | Andreas Steffen | random_file = /etc/raddb/certs/random |
| 86 | 9 | Andreas Steffen | } |
| 87 | 9 | Andreas Steffen | ttls { |
| 88 | 9 | Andreas Steffen | default_eap_type = md5 |
| 89 | 9 | Andreas Steffen | use_tunneled_reply = yes |
| 90 | 9 | Andreas Steffen | virtual_server = "inner-tunnel" |
| 91 | 9 | Andreas Steffen | tnc_virtual_server = "inner-tunnel-second" |
| 92 | 9 | Andreas Steffen | } |
| 93 | 9 | Andreas Steffen | } |
| 94 | 9 | Andreas Steffen | |
| 95 | 9 | Andreas Steffen | eap eap_tnc { |
| 96 | 9 | Andreas Steffen | default_eap_type = tnc |
| 97 | 9 | Andreas Steffen | tnc { |
| 98 | 9 | Andreas Steffen | } |
| 99 | 9 | Andreas Steffen | } |
| 100 | 9 | Andreas Steffen | </pre> |
| 101 | 9 | Andreas Steffen | |
| 102 | 9 | Andreas Steffen | /etc/raddb/proxy.conf |
| 103 | 9 | Andreas Steffen | |
| 104 | 9 | Andreas Steffen | <pre> |
| 105 | 9 | Andreas Steffen | realm strongswan.org { |
| 106 | 9 | Andreas Steffen | type = radius |
| 107 | 9 | Andreas Steffen | authhost = LOCAL |
| 108 | 9 | Andreas Steffen | accthost = LOCAL |
| 109 | 9 | Andreas Steffen | } |
| 110 | 9 | Andreas Steffen | </pre> |
| 111 | 9 | Andreas Steffen | |
| 112 | 9 | Andreas Steffen | /etc/raddb/users |
| 113 | 9 | Andreas Steffen | |
| 114 | 9 | Andreas Steffen | <pre> |
| 115 | 10 | Andreas Steffen | carol Cleartext-Password := "Ar3etTnp" |
| 116 | 10 | Andreas Steffen | dave Cleartext-Password := "W7R0g3do" |
| 117 | 10 | Andreas Steffen | </pre> |
| 118 | 10 | Andreas Steffen | |
| 119 | 10 | Andreas Steffen | /etc/raddb/sites-available/default |
| 120 | 10 | Andreas Steffen | |
| 121 | 10 | Andreas Steffen | <pre> |
| 122 | 10 | Andreas Steffen | authorize { |
| 123 | 10 | Andreas Steffen | suffix |
| 124 | 10 | Andreas Steffen | eap { |
| 125 | 10 | Andreas Steffen | ok = return |
| 126 | 10 | Andreas Steffen | } |
| 127 | 10 | Andreas Steffen | files |
| 128 | 10 | Andreas Steffen | } |
| 129 | 10 | Andreas Steffen | |
| 130 | 10 | Andreas Steffen | authenticate { |
| 131 | 10 | Andreas Steffen | eap |
| 132 | 10 | Andreas Steffen | } |
| 133 | 10 | Andreas Steffen | |
| 134 | 10 | Andreas Steffen | preacct { |
| 135 | 10 | Andreas Steffen | preprocess |
| 136 | 10 | Andreas Steffen | acct_unique |
| 137 | 10 | Andreas Steffen | suffix |
| 138 | 10 | Andreas Steffen | files |
| 139 | 10 | Andreas Steffen | } |
| 140 | 10 | Andreas Steffen | |
| 141 | 10 | Andreas Steffen | accounting { |
| 142 | 10 | Andreas Steffen | detail |
| 143 | 10 | Andreas Steffen | unix |
| 144 | 10 | Andreas Steffen | radutmp |
| 145 | 10 | Andreas Steffen | attr_filter.accounting_response |
| 146 | 10 | Andreas Steffen | } |
| 147 | 10 | Andreas Steffen | |
| 148 | 10 | Andreas Steffen | session { |
| 149 | 10 | Andreas Steffen | radutmp |
| 150 | 10 | Andreas Steffen | } |
| 151 | 10 | Andreas Steffen | |
| 152 | 10 | Andreas Steffen | post-auth { |
| 153 | 10 | Andreas Steffen | exec |
| 154 | 10 | Andreas Steffen | Post-Auth-Type REJECT { |
| 155 | 10 | Andreas Steffen | attr_filter.access_reject |
| 156 | 10 | Andreas Steffen | } |
| 157 | 10 | Andreas Steffen | } |
| 158 | 10 | Andreas Steffen | |
| 159 | 10 | Andreas Steffen | pre-proxy { |
| 160 | 10 | Andreas Steffen | } |
| 161 | 10 | Andreas Steffen | |
| 162 | 10 | Andreas Steffen | post-proxy { |
| 163 | 10 | Andreas Steffen | eap |
| 164 | 10 | Andreas Steffen | } |
| 165 | 10 | Andreas Steffen | </pre> |
| 166 | 10 | Andreas Steffen | |
| 167 | 10 | Andreas Steffen | /etc/raddb/sites-available/inner-tunnel |
| 168 | 10 | Andreas Steffen | |
| 169 | 10 | Andreas Steffen | <pre> |
| 170 | 10 | Andreas Steffen | server inner-tunnel { |
| 171 | 10 | Andreas Steffen | |
| 172 | 10 | Andreas Steffen | authorize { |
| 173 | 10 | Andreas Steffen | suffix |
| 174 | 10 | Andreas Steffen | eap { |
| 175 | 10 | Andreas Steffen | ok = return |
| 176 | 10 | Andreas Steffen | } |
| 177 | 10 | Andreas Steffen | files |
| 178 | 10 | Andreas Steffen | } |
| 179 | 10 | Andreas Steffen | |
| 180 | 10 | Andreas Steffen | authenticate { |
| 181 | 10 | Andreas Steffen | eap |
| 182 | 10 | Andreas Steffen | } |
| 183 | 10 | Andreas Steffen | |
| 184 | 10 | Andreas Steffen | session { |
| 185 | 10 | Andreas Steffen | radutmp |
| 186 | 10 | Andreas Steffen | } |
| 187 | 10 | Andreas Steffen | |
| 188 | 10 | Andreas Steffen | post-auth { |
| 189 | 10 | Andreas Steffen | Post-Auth-Type REJECT { |
| 190 | 10 | Andreas Steffen | attr_filter.access_reject |
| 191 | 10 | Andreas Steffen | } |
| 192 | 10 | Andreas Steffen | } |
| 193 | 10 | Andreas Steffen | |
| 194 | 10 | Andreas Steffen | pre-proxy { |
| 195 | 10 | Andreas Steffen | } |
| 196 | 10 | Andreas Steffen | |
| 197 | 10 | Andreas Steffen | post-proxy { |
| 198 | 10 | Andreas Steffen | eap |
| 199 | 10 | Andreas Steffen | } |
| 200 | 10 | Andreas Steffen | |
| 201 | 10 | Andreas Steffen | } # inner-tunnel server block |
| 202 | 10 | Andreas Steffen | |
| 203 | 10 | Andreas Steffen | </pre> |
| 204 | 10 | Andreas Steffen | |
| 205 | 10 | Andreas Steffen | /etc/raddb/sites-available/inner-tunnel-second |
| 206 | 10 | Andreas Steffen | |
| 207 | 10 | Andreas Steffen | <pre> |
| 208 | 10 | Andreas Steffen | server inner-tunnel-second { |
| 209 | 10 | Andreas Steffen | |
| 210 | 10 | Andreas Steffen | authorize { |
| 211 | 10 | Andreas Steffen | eap_tnc { |
| 212 | 10 | Andreas Steffen | ok = return |
| 213 | 10 | Andreas Steffen | } |
| 214 | 10 | Andreas Steffen | } |
| 215 | 10 | Andreas Steffen | |
| 216 | 10 | Andreas Steffen | authenticate { |
| 217 | 10 | Andreas Steffen | eap_tnc |
| 218 | 10 | Andreas Steffen | } |
| 219 | 10 | Andreas Steffen | |
| 220 | 10 | Andreas Steffen | session { |
| 221 | 10 | Andreas Steffen | radutmp |
| 222 | 10 | Andreas Steffen | } |
| 223 | 10 | Andreas Steffen | |
| 224 | 10 | Andreas Steffen | post-auth { |
| 225 | 10 | Andreas Steffen | if (control:TNC-Status == "Access") { |
| 226 | 10 | Andreas Steffen | update reply { |
| 227 | 10 | Andreas Steffen | Tunnel-Type := ESP |
| 228 | 10 | Andreas Steffen | Filter-Id := "allow" |
| 229 | 10 | Andreas Steffen | } |
| 230 | 10 | Andreas Steffen | } |
| 231 | 10 | Andreas Steffen | elsif (control:TNC-Status == "Isolate") { |
| 232 | 10 | Andreas Steffen | update reply { |
| 233 | 10 | Andreas Steffen | Tunnel-Type := ESP |
| 234 | 10 | Andreas Steffen | Filter-Id := "isolate" |
| 235 | 10 | Andreas Steffen | } |
| 236 | 10 | Andreas Steffen | } |
| 237 | 10 | Andreas Steffen | |
| 238 | 10 | Andreas Steffen | Post-Auth-Type REJECT { |
| 239 | 10 | Andreas Steffen | attr_filter.access_reject |
| 240 | 10 | Andreas Steffen | } |
| 241 | 10 | Andreas Steffen | } |
| 242 | 10 | Andreas Steffen | |
| 243 | 10 | Andreas Steffen | } # inner-tunnel-second block |
| 244 | 9 | Andreas Steffen | </pre> |