TNC Server with PTS-IMV » History » Version 2

« Previous - Version 2/57 (diff) - Next » - Current version
Andreas Steffen, 30.11.2011 11:13

TNC Server with PTS-IMV¶

This HOWTO explains in a step-for-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.

Table of contents
TNC Server with PTS-IMV
- Installation and Configuration
- IKEv2 Negotiation
  - Startup and Initialization

Installation and Configuration¶

The following steps describe the installation of the strongSwan software

  wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
  tar xjf strongswan-4.6.2dr1.tar.bz2
  cd strongswan-4.6.2dr1
  ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
              --enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls
              --enable-eap-tnc  --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
  make
  [sudo] make install

The /etc/ipsec.conf file defines a remote access template:

# ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="tnc 3, imc 3, pts 3" 

/* TODO */

IKEv2 Negotiation¶

Startup and Initialization¶

The command

ipsec start

starts the TNC-enabled IPsec gateway:

Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) 
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for carol@strongswan.org 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for dave@strongswan.org  
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces: 
Nov 29 07:39:15 moon charon: 00[KNL]   eth0 
Nov 29 07:39:15 moon charon: 00[KNL]     192.168.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec0::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 
Nov 29 07:39:15 moon charon: 00[KNL]   eth1 
Nov 29 07:39:15 moon charon: 00[KNL]     10.1.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec1::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1

The file /etc/tnc_config

IMC configuration file for strongSwan client 

IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so

defines which IMVs are loaded by the TNC server:

Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default' 
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config' 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1536[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1024[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available 
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes 
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes 
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized 
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes 
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' 
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized 
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem' 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/local/lib/ipsec/imcvs/imv-attestation.so'

Files (1)

Project

General

Profile

strongSwan

Documentation¶

Resources¶

Wiki