TNC Client with PTS-IMC » History » Version 2
« Previous -
Version 2/69
(diff) -
Next » -
Current version
Andreas Steffen, 29.11.2011 09:46
update PTS-IMC pages
Platform Trust Service Integrity Measurement Collector (PTS-IMC)¶
With the command
ipsec start
the TNC-enabled IPsec client is started:
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces: Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0 Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97 Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0 Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254 Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
The file /etc/tnc_config
IMC configuration file for strongSwan client IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
defines which IMCs are loaded by the TNC client:
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config' Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701 Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
Next the IKEv2 credentials and all necessary plugins are loaded
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home' Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home' Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home' Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1 Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500] Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500] Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication:
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8) Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0 Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
The IKEv2 EAP-TLS tunnel is set up with certificate-based server authentication
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500] Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011 Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0 Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID] Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00) Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID] Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
followed by an EAP-MD5 client authentication
Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36) Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5] Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500] Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ] Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC] Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84) Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1 Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message