Andreas Steffen, 14.12.2010 21:42


strongSwan as a Policy Enforcement Point

Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface

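# Build strongSwan without the IKEv1 daemon (pluto) and with the plugins this
# setup needs: curl (HTTP fetching, e.g. of CRLs) and eap-radius (forwards the
# client's EAP exchange to the RADIUS server configured in strongswan.conf).
# Note: --sysconfdir takes its value with '=' and no space, and the command
# needs a backslash continuation or the second line runs as a separate command.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-radius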

/etc/strongswan.conf - strongSwan configuration file

# charon (IKEv2 daemon) settings for the eap-radius plugin, which relays the
# client's EAP authentication to the RADIUS server (FreeRADIUS/TNC@FHH below).
charon {
  plugins {
    eap-radius {
      # Shared secret with the RADIUS server; must be identical to the
      # 'secret' of the matching 'client' entry in the server's clients.conf.
      # Example value only: anyone who knows it can forge RADIUS replies
      # (e.g. an Access-Accept), so use a long random secret and keep this
      # file unreadable to non-root users.
      secret = gv6URkSs 
      # Address of the RADIUS server that authenticates the VPN clients
      server = 10.1.0.10
      # Treat the Filter-Id attribute returned by the RADIUS server as the
      # client's group name; it is matched against rightgroups= in ipsec.conf.
      filter_id = yes
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

# Gateway RSA private key used for leftauth=pubkey in ipsec.conf (presumably
# the key matching moonCert.pem). ipsec.secrets must be readable by root only.
: RSA moonKey.pem

/etc/ipsec.conf - strongSwan IPsec configuration file

# Clients whose RADIUS Filter-Id group is "allow" (see filter_id=yes in
# strongswan.conf) are given access to 10.1.0.0/28.
conn rw-allow
     # Peer must belong to this group, as reported by the RADIUS server
     rightgroups=allow
     leftsubnet=10.1.0.0/28
     # Authentication settings are shared with rw-isolate via rw-eap
     also=rw-eap
     # Load the conn and wait for the client to initiate
     auto=add

# Clients whose RADIUS Filter-Id group is "isolate" (see filter_id=yes in
# strongswan.conf) only reach 10.1.0.16/28 -- presumably a remediation
# network for clients that failed the TNC check; confirm against the
# RADIUS server policy.
conn rw-isolate
     # Peer must belong to this group, as reported by the RADIUS server
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     # Authentication settings are shared with rw-allow via rw-eap
     also=rw-eap
     # Load the conn and wait for the client to initiate
     auto=add

# Authentication settings included by rw-allow and rw-isolate (also=rw-eap).
# The client's group, not this conn, decides which of the two conns applies.
conn rw-eap
     # The gateway authenticates with its certificate; the matching RSA
     # private key is listed in ipsec.secrets
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     leftauth=pubkey
     # Client authentication is delegated to the RADIUS server over EAP
     rightauth=eap-radius
     # Any identity in the strongswan.org domain is accepted here; the actual
     # credential check happens on the RADIUS server (realm strongswan.org in
     # proxy.conf)
     rightid=*@strongswan.org
     # Clients authenticate with EAP only, so no client certificate is requested
     rightsendcert=never
     # Accept connections from any client address
     right=%any

PEP logfile

Configuration of a FreeRADIUS Server with TNC@FHH plugin

First build a TNC@FHH server based on FreeRADIUS with two inner EAP methods (EAP-MD5 for user authentication and EAP-TNC for the integrity check, as configured in eap.conf below) according to the following HOWTO.

In order to interoperate with a strongSwan VPN Policy Enforcement Point, the following FreeRADIUS configuration files are needed. The RADIUS shared secret in clients.conf must be identical to the one in the eap-radius section of strongswan.conf, and the client address (10.1.0.1) must be the address the PEP sends its RADIUS requests from:

/etc/raddb/clients.conf

# The strongSwan gateway (moon, 10.1.0.1) as a RADIUS client. Requests from
# any other source address are rejected by FreeRADIUS.
client 10.1.0.1 {
  # Must match 'secret' in the eap-radius section of strongswan.conf.
  # Example value only; use a long random secret in production and keep
  # this file readable by the radiusd user only.
  secret    = gv6URkSs 
  shortname = moon
}

/etc/raddb/eap.conf

# Outer EAP configuration: EAP-TTLS is offered by default and carries the
# two inner methods, EAP-MD5 (user password) and EAP-TNC (integrity check).
eap {
  # EAP-MD5 is only used as an inner method inside the TTLS tunnel
  md5 {
  }
  default_eap_type = ttls
  tls {
    # Server key and certificate presented to the VPN client inside the EAP
    # exchange. Clients must validate this certificate against the issuing CA,
    # otherwise the TTLS tunnel protecting the inner EAP-MD5 exchange can be
    # intercepted.
    private_key_file = /etc/raddb/certs/aaaKey.pem
    certificate_file = /etc/raddb/certs/aaaCert.pem
    # CA used to verify any client certificate presented (none expected here)
    CA_file = /etc/raddb/certs/strongswanCert.pem
    # OpenSSL's DEFAULT cipher list; restrict to strong suites in production
    cipher_list = "DEFAULT" 
    dh_file = /etc/raddb/certs/dh
    random_file = /etc/raddb/certs/random
  }
  ttls {
    # First inner method: EAP-MD5 against the users file
    default_eap_type = md5
    # Copy reply attributes from the inner tunnel to the outer Access-Accept;
    # this is what delivers Filter-Id to strongSwan (presumably set in the
    # inner-tunnel virtual server, which is not shown here -- confirm)
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel" 
    # TNC@FHH extension: second inner round (EAP-TNC) in this virtual server
    tnc_virtual_server = "inner-tunnel-second" 
  }
}

# Second eap module instance running EAP-TNC (TNC@FHH module); presumably
# referenced from the inner-tunnel-second virtual server, which is not shown.
eap eap_tnc {
      default_eap_type = tnc
      tnc {
      }
}

/etc/raddb/proxy.conf

# Realm for client identities of the form *@strongswan.org (rightid= in
# ipsec.conf). LOCAL means requests are handled by this server and are not
# proxied to another RADIUS server.
realm strongswan.org {
  type     = radius
  authhost = LOCAL
  accthost = LOCAL
}

/etc/raddb/users

# Credentials for the inner EAP-MD5 method. EAP-MD5 is a challenge/response
# over the cleartext password, so the server has to store it in clear; keep
# this file readable by the radiusd user only. Example passwords only.
carol    Cleartext-Password := "Ar3etTnp" 
dave    Cleartext-Password := "W7R0g3do"