strongSwan as a Policy Enforcement Point » History » Version 9
Version 8 (Andreas Steffen, 14.12.2010 21:35) → Version 9/13 (Andreas Steffen, 14.12.2010 21:42)
h1. strongSwan as a Policy Enforcement Point
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-radius
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-radius {
secret = gv6URkSs
server = 10.1.0.10
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh Server based on FreeRADIUS with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.
In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed:
/etc/raddb/clients.conf
<pre>
client 10.1.0.1 {
secret = gv6URkSs
shortname = moon
}
</pre>
/etc/raddb/eap.conf
<pre>
eap {
md5 {
}
default_eap_type = ttls
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
cipher_list = "DEFAULT"
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
ttls {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
tnc_virtual_server = "inner-tunnel-second"
}
}
eap eap_tnc {
default_eap_type = tnc
tnc {
}
}
</pre>
/etc/raddb/proxy.conf
<pre>
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
</pre>
/etc/raddb/users
<pre>
carol Cleartext-Password := "Ar3etTnp"
dave Cleartext-Password := "W7R0g3do"
</pre>
h3. Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-radius
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-radius {
secret = gv6URkSs
server = 10.1.0.10
filter_id = yes
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA moonKey.pem
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=pubkey
rightauth=eap-radius
rightid=*@strongswan.org
rightsendcert=never
right=%any
</pre>
"PEP logfile":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/moon.daemon.log
h3. Configuration of a FreeRADIUS Server with TNC@FHH plugin
First build a "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh Server based on FreeRADIUS with two inner authentication methods according to the following "HOWTO":http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc%40fhh-Server_with_two_inner_authentication_methods.
In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed:
/etc/raddb/clients.conf
<pre>
client 10.1.0.1 {
secret = gv6URkSs
shortname = moon
}
</pre>
/etc/raddb/eap.conf
<pre>
eap {
md5 {
}
default_eap_type = ttls
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
CA_file = /etc/raddb/certs/strongswanCert.pem
cipher_list = "DEFAULT"
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
}
ttls {
default_eap_type = md5
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
tnc_virtual_server = "inner-tunnel-second"
}
}
eap eap_tnc {
default_eap_type = tnc
tnc {
}
}
</pre>
/etc/raddb/proxy.conf
<pre>
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
</pre>
/etc/raddb/users
<pre>
carol Cleartext-Password := "Ar3etTnp"
dave Cleartext-Password := "W7R0g3do"
</pre>