strongSwan

h1. Endpoint Compliance via PT-EAP Protocol

{{>toc}}

h2. Starting the strongSwan Policy Decision Point (PDP)

The strongSwan PDP starts and loads its server certificate and the client credentials

<pre>

00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)

00[LIB] openssl FIPS mode(0) - disabled 

00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'

00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

00[CFG] loading crls from '/etc/ipsec.d/crls'

00[CFG] loading secrets from '/etc/ipsec.secrets'

00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'

00[CFG]   loaded EAP secret for carol

00[CFG]   loaded EAP secret for dave 

</pre>

Next the OS and SWID IMVs are loaded

<pre>

00[TNC] TNC recommendation policy is 'default'

00[TNC] loading IMVs from '/etc/tnc_config'

00[TNC] added IETF attributes

00[TNC] added ITA-HSR attributes

00[TNC] added TCG attributes

00[LIB] libimcv initialized

00[IMV] IMV 1 "OS" initialized

00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001

00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'

00[IMV] IMV 2 "SWID" initialized

00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003

O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'

</pre>

The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads

<pre>

00[IKE] eap method EAP_TTLS selected

00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite

00[JOB] spawning 16 worker threads

09[CFG] received stroke: add connection 'aaa'

09[CFG] left nor right host is our side, assuming left=local

09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'

09[CFG] added configuration 'aaa'

</pre>

h2. PT-EAP Connection by Access Requestor "dave" transported over EAP-RADIUS

<pre>

04[CFG] received RADIUS Access-Request from client '10.1.0.1'

04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'

04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

11[CFG] received RADIUS Access-Request from client '10.1.0.1'

11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Set up an EAP-TTLS connection between AR and PDP

<pre>

11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA

11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'

11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'

<pre>

11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

12[CFG] received RADIUS Access-Request from client '10.1.0.1'

12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

13[CFG] received RADIUS Access-Request from client '10.1.0.1'

13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]

13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

14[CFG] received RADIUS Access-Request from client '10.1.0.1'

14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Received EAP-Identity of AR dave

<pre>

14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]

14[IKE] received EAP identity 'dave'

14[IKE] phase2 method EAP_MD5 selected

14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]

</pre>

<pre>

14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

03[CFG] received RADIUS Access-Request from client '10.1.0.1'

03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

EAP-MD5 based authentication of AR dave

<pre>

03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]

03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful

03[IKE] phase2 method EAP_PT_EAP selected

03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

15[CFG] received RADIUS Access-Request from client '10.1.0.1'

15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Upon reception of the first PB-TNC client batch open an IF-TNCCS 2.0 connection

<pre>

15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

15[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

15[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

15[IMV]   user AR identity 'dave' authenticated by password

15[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

15[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

15[IMV]   user AR identity 'dave' authenticated by password

15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'

15[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'

</pre>

<pre>

15[TNC] received TNCCS batch (91 bytes) for Connection ID 1

15[TNC] PB-TNC state transition from 'Init' to 'Server Working'

15[TNC] processing PB-TNC CDATA batch

15[TNC] processing IETF/PB-PA message (52 bytes)

15[TNC] setting language preference to 'en'

</pre>

Received an Attribute Size Request for the _TCG/SWID_ PA message subtype from the SWID IMC

<pre>

15[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

15[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2

15[IMV] => 28 bytes @ 0x7a5490

15[IMV]    0: 01 00 00 00 26 4B C3 0A 00 00 55 97 00 00 00 21  ....&K....U....!

15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............

15[TNC] processing PA-TNC message with ID 0x264bc30a

15[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

15[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003

15[IMV]   maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes

</pre>

Sending an Attribute Size Response for the _TCG/SWID_ subtype back to the SWID IMC

<pre>

15[TNC] creating PA-TNC message with ID 0x45425ec5

15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

15[IMV] created PA-TNC message: => 28 bytes @ 0x7a5b00

15[IMV]    0: 01 00 00 00 45 42 5E C5 00 00 55 97 00 00 00 22  ....EB^...U...."

15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............

15[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

Sending an Attribute Size Request to any IMC subscribing to the IETF/Oper

15[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001

15[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes

Oct  6 20:49:27 alice charon: 15[TNC] creating PA-TNC message with ID 0x2ae6641f

Oct  6 20:49:27 alice charon: 15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

Oct  6 20:49:27 alice charon: 15[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001

Oct  6 20:49:27 alice charon: 15[IMV] created PA-TNC message: => 96 bytes @ 0x7a7ff0

Oct  6 20:49:27 alice charon: 15[IMV]    0: 01 00 00 00 2A E6 64 1F 00 00 55 97 00 00 00 21  ....*.d...U....!

Oct  6 20:49:27 alice charon: 15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 00 00  ................

Oct  6 20:49:27 alice charon: 15[IMV]   32: 00 00 00 01 00 00 00 44 00 00 00 00 00 00 00 02  .......D........

Oct  6 20:49:27 alice charon: 15[IMV]   48: 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 03  ................

Oct  6 20:49:27 alice charon: 15[IMV]   64: 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 0B  ................

Oct  6 20:49:27 alice charon: 15[IMV]   80: 00 00 00 00 00 00 00 0C 00 00 90 2A 00 00 00 08  ...........*....

Oct  6 20:49:27 alice charon: 15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

Oct  6 20:49:27 alice charon: 15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

Oct  6 20:49:27 alice charon: 15[TNC] creating PB-TNC SDATA batch

Oct  6 20:49:27 alice charon: 15[TNC] adding TCG/PB-PDP-Referral message

Oct  6 20:49:27 alice charon: 15[TNC] adding IETF/PB-PA message

Oct  6 20:49:27 alice charon: 15[TNC] adding IETF/PB-PA message

Oct  6 20:49:27 alice charon: 15[TNC] sending PB-TNC SDATA batch (222 bytes) for Connection ID 1

Oct  6 20:49:27 alice charon: 15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]