TNC Client with PTS-IMC » History » Version 1
Andreas Steffen, 29.11.2011 09:37
created PTS-IMC page
| 1 | 1 | Andreas Steffen | h1. Platform Trust Service Integrity Measurement Collector (PTS-IMC) |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 1 | Andreas Steffen | With the command |
| 4 | 1 | Andreas Steffen | <pre> |
| 5 | 1 | Andreas Steffen | ipsec start |
| 6 | 1 | Andreas Steffen | </pre> |
| 7 | 1 | Andreas Steffen | |
| 8 | 1 | Andreas Steffen | the TNC-enabled IPsec client is started: |
| 9 | 1 | Andreas Steffen | <pre> |
| 10 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) |
| 11 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces: |
| 12 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0 |
| 13 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97 |
| 14 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c |
| 15 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0 |
| 16 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254 |
| 17 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34 |
| 18 | 1 | Andreas Steffen | </pre> |
| 19 | 1 | Andreas Steffen | |
| 20 | 1 | Andreas Steffen | The file /etc/tnc_config |
| 21 | 1 | Andreas Steffen | <pre> |
| 22 | 1 | Andreas Steffen | IMC configuration file for strongSwan client |
| 23 | 1 | Andreas Steffen | |
| 24 | 1 | Andreas Steffen | IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so |
| 25 | 1 | Andreas Steffen | </pre> |
| 26 | 1 | Andreas Steffen | |
| 27 | 1 | Andreas Steffen | defines which IMCs are loaded by the TNC client: |
| 28 | 1 | Andreas Steffen | <pre> |
| 29 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config' |
| 30 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available |
| 31 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available |
| 32 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available |
| 33 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available |
| 34 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available |
| 35 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available |
| 36 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available |
| 37 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available |
| 38 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes |
| 39 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes |
| 40 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized |
| 41 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized |
| 42 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes |
| 43 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace |
| 44 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace |
| 45 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' |
| 46 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' |
| 47 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' |
| 48 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized |
| 49 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function |
| 50 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701 |
| 51 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so' |
| 52 | 1 | Andreas Steffen | </pre> |
| 53 | 1 | Andreas Steffen | |
| 54 | 1 | Andreas Steffen | Next the IKEv2 credentials and all necessary plugins are loaded |
| 55 | 1 | Andreas Steffen | <pre> |
| 56 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' |
| 57 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' |
| 58 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' |
| 59 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' |
| 60 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' |
| 61 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' |
| 62 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' |
| 63 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org |
| 64 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke |
| 65 | 1 | Andreas Steffen | Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads |
| 66 | 1 | Andreas Steffen | </pre> |
| 67 | 1 | Andreas Steffen | |
| 68 | 1 | Andreas Steffen | Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange |
| 69 | 1 | Andreas Steffen | <pre> |
| 70 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home' |
| 71 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local |
| 72 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home' |
| 73 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home' |
| 74 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1 |
| 75 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
| 76 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500] |
| 77 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500] |
| 78 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
| 79 | 1 | Andreas Steffen | </pre> |
| 80 | 1 | Andreas Steffen | |
| 81 | 1 | Andreas Steffen | followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication: |
| 82 | 1 | Andreas Steffen | <pre> |
| 83 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home |
| 84 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] |
| 85 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 86 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 87 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] |
| 88 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8) |
| 89 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0 |
| 90 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication |
| 91 | 1 | Andreas Steffen | </pre> |
| 92 | 1 | Andreas Steffen | |
| 93 | 1 | Andreas Steffen | The IKEv2 EAP-TLS tunnel is set up with certificate-based server authentication |
| 94 | 1 | Andreas Steffen | <pre> |
| 95 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] |
| 96 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 97 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 98 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] |
| 99 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] |
| 100 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 101 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] |
| 102 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] |
| 103 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 104 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' |
| 105 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" |
| 106 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 107 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" |
| 108 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... |
| 109 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 110 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 111 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011 |
| 112 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good |
| 113 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0 |
| 114 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] |
| 115 | 1 | Andreas Steffen | Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] |
| 116 | 1 | Andreas Steffen | </pre> |