strongSwan as a Policy Enforcement Point » History » Version 7
Version 6 (Andreas Steffen, 14.12.2010 21:23) → Version 7/13 (Andreas Steffen, 14.12.2010 21:33)
h1. strongSwan as a Policy Enforcement Point
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with an EAP-RADIUS Interface interface
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-radius
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-radius {
secret = gv6URkSs
server = 10.1.0.10
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a TNC@FHH-enabled FreeRADIUS Server with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with an EAP-RADIUS Interface interface
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-radius
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-radius {
secret = gv6URkSs
server = 10.1.0.10
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a TNC@FHH-enabled FreeRADIUS Server with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.