Version 10 (Andreas Steffen, 14.12.2010 21:49) → Version 11/13 (Andreas Steffen, 14.12.2010 21:51)
h1. strongSwan as a Policy Enforcement Point
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface
<pre>
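# Build strongSwan with the charon daemon only (no pluto) and the eap-radius
# plugin, which lets charon relay EAP authentication to a RADIUS server.
# The options must form one logical command line (hence the continuation),
# and --sysconfdir takes its value without a space before '=' so that
# /etc/ipsec.conf and /etc/strongswan.conf are read from /etc.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
--enable-eap-radius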
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
# charon's eap-radius plugin: the PEP acts as RADIUS client (NAS) for EAP peers.
charon {
plugins {
eap-radius {
# shared secret with the RADIUS server; must equal the client secret in
# /etc/raddb/clients.conf. Sample value of the test scenario - replace it
# with a long random secret that is unique to this NAS.
secret = gv6URkSs
# RADIUS server address; note it lies inside the 10.1.0.0/28 "allow" subnet
server = 10.1.0.10
# take the Filter-Id attribute of the Access-Accept as group membership of
# the peer, to be matched against rightgroups= in ipsec.conf
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
# private key belonging to leftcert=moonCert.pem in ipsec.conf; this file must
# stay readable by root only
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
# Two connections share the EAP-RADIUS settings of rw-eap (via also=) and differ
# only in the group the peer must belong to and the subnet it is given access to.
# No conn without rightgroups= is defined, so a peer whose Access-Accept carries
# no matching Filter-Id matches neither conn and gets no tunnel (fail closed).
conn rw-allow
# only peers whose RADIUS Filter-Id is "allow" (TNC-Status Access) match this conn
rightgroups=allow
# 10.1.0.0 - 10.1.0.15; this range also contains the RADIUS server (10.1.0.10)
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
# peers with Filter-Id "isolate" (TNC-Status Isolate) are confined to a separate subnet
rightgroups=isolate
# 10.1.0.16 - 10.1.0.31; disjoint from the allow subnet
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
# common settings: the gateway authenticates with its certificate, peers via EAP
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
# peer authentication is delegated to the RADIUS server named in strongswan.conf
rightauth=eap-radius
# peers must present an identity in the strongswan.org realm (see proxy.conf)
rightid=*@strongswan.org
# EAP peers present no certificate
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh Server based on FreeRADIUS with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.
In order to interoperate with a strongSwan VPN Policy Enforcement Point, the following FreeRADIUS configuration files are needed:
/etc/raddb/clients.conf
<pre>
# the strongSwan PEP (moon, 10.1.0.1) is the only RADIUS client allowed to
# send requests here; the secret must equal eap-radius.secret in
# /etc/strongswan.conf on the PEP (sample value - use a unique strong secret)
client 10.1.0.1 {
secret = gv6URkSs
shortname = moon
}
</pre>
/etc/raddb/eap.conf
<pre>
# outer EAP module: EAP-TTLS, protected by the server certificate in tls {}
eap {
# EAP-MD5, used only as the first inner method inside the TTLS tunnel
md5 {
}
default_eap_type = ttls
tls {
# AAA server key and certificate, issued by the strongswanCert.pem CA that
# the peers trust
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
# "DEFAULT" defers cipher selection to the TLS library; a restricted list
# is advisable in a deployment
cipher_list = "DEFAULT"
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
ttls {
# first inner method: EAP-MD5 against the users file (virtual server inner-tunnel)
default_eap_type = md5
# copy the inner reply attributes (the Filter-Id set by inner-tunnel-second)
# into the outer Access-Accept so that the PEP receives them
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
# second inner method: TNC assessment in inner-tunnel-second; tnc_virtual_server
# is presumably provided by the TNC@FHH ttls extension, not by stock FreeRADIUS
tnc_virtual_server = "inner-tunnel-second"
}
}
# second EAP module instance, used by inner-tunnel-second with EAP-TNC as type
eap eap_tnc {
default_eap_type = tnc
tnc {
}
}
</pre>
/etc/raddb/proxy.conf
<pre>
# realm of the peer identities (*@strongswan.org); authhost/accthost = LOCAL
# means requests for this realm are handled on this server rather than
# proxied. The suffix module in the authorize sections looks the realm up.
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
</pre>
/etc/raddb/users
<pre>
# EAP-MD5 needs the cleartext password, so the files module stores it in clear:
# restrict this file to the radiusd user. Sample test credentials - replace them.
carol Cleartext-Password := "Ar3etTnp"
dave Cleartext-Password := "W7R0g3do"
</pre>
/etc/raddb/sites-available/default
<pre>
# outer request handling (EAP-TTLS start); only EAP is used for authentication
authorize {
# split user@realm and look the realm up in proxy.conf
suffix
# let the eap module claim EAP requests and skip the remaining modules
eap {
ok = return
}
files
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
# strip attributes that may not appear in an Access-Reject
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
</pre>
/etc/raddb/sites-available/inner-tunnel
<pre>
# first inner authentication inside the TTLS tunnel: EAP-MD5 of the user's
# identity against the users file
server inner-tunnel {
authorize {
suffix
eap {
ok = return
}
# supplies Cleartext-Password from /etc/raddb/users
files
}
authenticate {
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
</pre>
/etc/raddb/sites-available/inner-tunnel-second
<pre>
# second inner authentication: TNC assessment via the eap_tnc module instance
server inner-tunnel-second {
authorize {
eap_tnc {
ok = return
}
}
authenticate {
eap_tnc
}
session {
radutmp
}
post-auth {
# map the assessment result (control:TNC-Status, presumably set by eap_tnc;
# values defined in dictionary.tnc) to the Filter-Id the PEP matches against
# rightgroups=. A result of None, or no result at all, sets no Filter-Id, so
# the PEP selects neither rw-allow nor rw-isolate and the peer gets no tunnel.
if (control:TNC-Status == "Access") {
update reply {
Tunnel-Type := ESP
Filter-Id := "allow"
}
}
elsif (control:TNC-Status == "Isolate") {
update reply {
Tunnel-Type := ESP
Filter-Id := "isolate"
}
}
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
} # inner-tunnel-second block
</pre>
/etc/raddb/dictionary
<pre>
# standard attribute definitions plus the local TNC-Status attribute
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE /etc/raddb/dictionary.tnc
</pre>
/etc/raddb/dictionary.tnc
<pre>
# TNC-Status carries the assessment result between the eap_tnc module and the
# post-auth policy of inner-tunnel-second. The number 3001 is outside the
# 1-255 wire range, so FreeRADIUS presumably treats it as an internal attribute
# that is never sent to the PEP; only the derived Filter-Id leaves the server.
ATTRIBUTE TNC-Status 3001 integer
VALUE TNC-Status Access 0
VALUE TNC-Status Isolate 1
VALUE TNC-Status None 2
</pre>
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface
<pre>
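# Build strongSwan with the charon daemon only (no pluto) and the eap-radius
# plugin, which lets charon relay EAP authentication to a RADIUS server.
# The options must form one logical command line (hence the continuation),
# and --sysconfdir takes its value without a space before '=' so that
# /etc/ipsec.conf and /etc/strongswan.conf are read from /etc.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
--enable-eap-radius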
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
# charon's eap-radius plugin: the PEP acts as RADIUS client (NAS) for EAP peers.
charon {
plugins {
eap-radius {
# shared secret with the RADIUS server; must equal the client secret in
# /etc/raddb/clients.conf. Sample value of the test scenario - replace it
# with a long random secret that is unique to this NAS.
secret = gv6URkSs
# RADIUS server address; note it lies inside the 10.1.0.0/28 "allow" subnet
server = 10.1.0.10
# take the Filter-Id attribute of the Access-Accept as group membership of
# the peer, to be matched against rightgroups= in ipsec.conf
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
# private key belonging to leftcert=moonCert.pem in ipsec.conf; this file must
# stay readable by root only
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
# Two connections share the EAP-RADIUS settings of rw-eap (via also=) and differ
# only in the group the peer must belong to and the subnet it is given access to.
# No conn without rightgroups= is defined, so a peer whose Access-Accept carries
# no matching Filter-Id matches neither conn and gets no tunnel (fail closed).
conn rw-allow
# only peers whose RADIUS Filter-Id is "allow" (TNC-Status Access) match this conn
rightgroups=allow
# 10.1.0.0 - 10.1.0.15; this range also contains the RADIUS server (10.1.0.10)
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
# peers with Filter-Id "isolate" (TNC-Status Isolate) are confined to a separate subnet
rightgroups=isolate
# 10.1.0.16 - 10.1.0.31; disjoint from the allow subnet
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
# common settings: the gateway authenticates with its certificate, peers via EAP
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
# peer authentication is delegated to the RADIUS server named in strongswan.conf
rightauth=eap-radius
# peers must present an identity in the strongswan.org realm (see proxy.conf)
rightid=*@strongswan.org
# EAP peers present no certificate
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh Server based on FreeRADIUS with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.
In order to interoperate with a strongSwan VPN Policy Enforcement Point, the following FreeRADIUS configuration files are needed:
/etc/raddb/clients.conf
<pre>
# the strongSwan PEP (moon, 10.1.0.1) is the only RADIUS client allowed to
# send requests here; the secret must equal eap-radius.secret in
# /etc/strongswan.conf on the PEP (sample value - use a unique strong secret)
client 10.1.0.1 {
secret = gv6URkSs
shortname = moon
}
</pre>
/etc/raddb/eap.conf
<pre>
# outer EAP module: EAP-TTLS, protected by the server certificate in tls {}
eap {
# EAP-MD5, used only as the first inner method inside the TTLS tunnel
md5 {
}
default_eap_type = ttls
tls {
# AAA server key and certificate, issued by the strongswanCert.pem CA that
# the peers trust
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
# "DEFAULT" defers cipher selection to the TLS library; a restricted list
# is advisable in a deployment
cipher_list = "DEFAULT"
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
ttls {
# first inner method: EAP-MD5 against the users file (virtual server inner-tunnel)
default_eap_type = md5
# copy the inner reply attributes (the Filter-Id set by inner-tunnel-second)
# into the outer Access-Accept so that the PEP receives them
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
# second inner method: TNC assessment in inner-tunnel-second; tnc_virtual_server
# is presumably provided by the TNC@FHH ttls extension, not by stock FreeRADIUS
tnc_virtual_server = "inner-tunnel-second"
}
}
# second EAP module instance, used by inner-tunnel-second with EAP-TNC as type
eap eap_tnc {
default_eap_type = tnc
tnc {
}
}
</pre>
/etc/raddb/proxy.conf
<pre>
# realm of the peer identities (*@strongswan.org); authhost/accthost = LOCAL
# means requests for this realm are handled on this server rather than
# proxied. The suffix module in the authorize sections looks the realm up.
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
</pre>
/etc/raddb/users
<pre>
# EAP-MD5 needs the cleartext password, so the files module stores it in clear:
# restrict this file to the radiusd user. Sample test credentials - replace them.
carol Cleartext-Password := "Ar3etTnp"
dave Cleartext-Password := "W7R0g3do"
</pre>
/etc/raddb/sites-available/default
<pre>
# outer request handling (EAP-TTLS start); only EAP is used for authentication
authorize {
# split user@realm and look the realm up in proxy.conf
suffix
# let the eap module claim EAP requests and skip the remaining modules
eap {
ok = return
}
files
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
# strip attributes that may not appear in an Access-Reject
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
</pre>
/etc/raddb/sites-available/inner-tunnel
<pre>
# first inner authentication inside the TTLS tunnel: EAP-MD5 of the user's
# identity against the users file
server inner-tunnel {
authorize {
suffix
eap {
ok = return
}
# supplies Cleartext-Password from /etc/raddb/users
files
}
authenticate {
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
</pre>
/etc/raddb/sites-available/inner-tunnel-second
<pre>
# second inner authentication: TNC assessment via the eap_tnc module instance
server inner-tunnel-second {
authorize {
eap_tnc {
ok = return
}
}
authenticate {
eap_tnc
}
session {
radutmp
}
post-auth {
# map the assessment result (control:TNC-Status, presumably set by eap_tnc;
# values defined in dictionary.tnc) to the Filter-Id the PEP matches against
# rightgroups=. A result of None, or no result at all, sets no Filter-Id, so
# the PEP selects neither rw-allow nor rw-isolate and the peer gets no tunnel.
if (control:TNC-Status == "Access") {
update reply {
Tunnel-Type := ESP
Filter-Id := "allow"
}
}
elsif (control:TNC-Status == "Isolate") {
update reply {
Tunnel-Type := ESP
Filter-Id := "isolate"
}
}
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
} # inner-tunnel-second block
</pre>
/etc/raddb/dictionary
<pre>
# standard attribute definitions plus the local TNC-Status attribute
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE /etc/raddb/dictionary.tnc
</pre>
/etc/raddb/dictionary.tnc
<pre>
# TNC-Status carries the assessment result between the eap_tnc module and the
# post-auth policy of inner-tunnel-second. The number 3001 is outside the
# 1-255 wire range, so FreeRADIUS presumably treats it as an internal attribute
# that is never sent to the PEP; only the derived Filter-Id leaves the server.
ATTRIBUTE TNC-Status 3001 integer
VALUE TNC-Status Access 0
VALUE TNC-Status Isolate 1
VALUE TNC-Status None 2
</pre>