TNC Client with PTS-IMC » History » Version 1
Version 1/69
Andreas Steffen, 29.11.2011 09:37
created PTS-IMC page
Platform Trust Service Integrity Measurement Collector (PTS-IMC)
With the command
ipsec start
the TNC-enabled IPsec client is started:
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0
Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c
Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0
Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
The file /etc/tnc_config
# IMC configuration file for strongSwan client

IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
defines which IMCs are loaded by the TNC client:
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
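A small cross-check a practitioner can run after startup, added here as an example (not strongSwan's own code): it parses the tnc_config format shown above and confirms from the charon output that every configured IMC was loaded from its configured path, while also collecting the PTS algorithms the log marks as mandatory. The config text and log lines are constructed from what this page shows; the comment marker '#' is an assumption about the file format.

```python
import re
import shlex

# Constructed /etc/tnc_config in the format shown on this page; '#' starts a comment.
TNC_CONFIG = """\
# IMC configuration file for strongSwan client

IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
"""

# Constructed charon startup lines, copied from the output shown on this page.
CHARON_LOG = """\
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
"""

def parse_tnc_config(text):
    """Return {(kind, name): path} for every IMC/IMV line of a tnc_config file."""
    modules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)                 # module name is a quoted string
        if len(parts) != 3 or parts[0] not in ("IMC", "IMV"):
            raise ValueError(f'line {lineno}: expected <IMC|IMV> "name" /path/module.so')
        kind, name, path = parts
        if not path.startswith("/"):
            raise ValueError(f"line {lineno}: module path must be absolute")
        modules[(kind, name)] = path
    return modules

LOADED_RE = re.compile(r"""\[IMC\] IMC \d+ "([^"]+)" loaded from '([^']+)'""")
PTS_RE = re.compile(r"\[PTS\] (mandatory|optional) PTS (?:measurement algorithm|DH group) (\w+)\[\w+\] available")

def check_startup(config_text, log_text):
    """Each configured IMC must be logged as loaded from its configured path; also collect mandatory PTS algorithms/groups."""
    expected = parse_tnc_config(config_text)
    loaded, mandatory = {}, set()
    for line in log_text.splitlines():
        if m := LOADED_RE.search(line):
            loaded[m.group(1)] = m.group(2)
        elif (m := PTS_RE.search(line)) and m.group(1) == "mandatory":
            mandatory.add(m.group(2))
    missing = [name for (kind, name), path in expected.items()
               if kind == "IMC" and loaded.get(name) != path]
    return {"missing": missing, "mandatory": sorted(mandatory)}
```

A non-empty "missing" list means an IMC named in the config never appeared as loaded, or was loaded from a different shared object than the one configured.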
Next, the IKEv2 credentials and all necessary plugins are loaded:
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
Now the IKEv2 negotiation starts automatically with the IKE_SA_INIT exchange:
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
followed by the IKE_AUTH exchange, in which the IKEv2 gateway proposes a mutual EAP-only authentication based on EAP-TTLS:
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
The TLS tunnel of EAP-TTLS is then set up inside IKEv2 with certificate-based server authentication, including a CRL check of the gateway certificate:
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0
Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
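The server-authentication steps above are the ones worth confirming in the log before trusting the tunnel that carries the TNC measurements. The following audit function is an added example (not part of strongSwan) that extracts those facts from constructed charon lines copied from this page and reports anything missing: the gateway certificate CN, the chain reaching the expected trusted root, a "good" revocation status, and a TLS version of at least 1.2. The expected CN and CA DN are passed in by the caller.

```python
import re

# Constructed charon lines from the EAP-TTLS tunnel setup shown on this page.
TTLS_LOG = """\
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0
"""

def audit_ttls_server_auth(log_text, expected_cn, expected_ca_dn):
    """Extract what the log proves about server authentication and list anything
    a defender would want to see but does not (empty list = all checks present)."""
    facts = {"tls_version": None, "suite": None, "server_cert": None,
             "trusted_ca": None, "status": None, "reached_root": False}
    for line in log_text.splitlines():
        if m := re.search(r"negotiated TLS version TLS (\S+) with suite (\S+)", line):
            facts["tls_version"], facts["suite"] = m.group(1), m.group(2)
        elif m := re.search(r"received TLS server certificate '([^']+)'", line):
            facts["server_cert"] = m.group(1)
        elif m := re.search(r'using trusted ca certificate "([^"]+)"', line):
            facts["trusted_ca"] = m.group(1)
        elif m := re.search(r"certificate status is (\w+)", line):   # not "status of"
            facts["status"] = m.group(1)
        elif "reached self-signed root ca" in line:
            facts["reached_root"] = True
    findings = []
    if not facts["server_cert"] or f"CN={expected_cn}" not in facts["server_cert"]:
        findings.append("server certificate missing or its CN is not the expected gateway")
    if facts["trusted_ca"] != expected_ca_dn or not facts["reached_root"]:
        findings.append("chain was not validated up to the expected trusted root CA")
    if facts["status"] != "good":
        findings.append("revocation status (CRL) not confirmed good")
    if facts["tls_version"] not in ("1.2", "1.3"):
        findings.append("TLS version for the EAP-TTLS tunnel not recorded or below 1.2")
    return facts, findings
```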