TNC Server with PTS-IMV » History » Version 4

Andreas Steffen, 30.11.2011 11:56


TNC Server with PTS-IMV

This HOWTO explains step by step how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Services Integrity Measurement Verifier (PTS-IMV) verifies the remote attestation measurements that a TNC client delivers over EAP-TNC, tunneled in EAP-TTLS within the IKEv2 EAP authentication.

Installation and Configuration

The following steps build and install the strongSwan software with the EAP-TTLS, EAP-TNC, TNCCS 2.0, TNC-IMV and Attestation IMV components enabled:

  wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
  tar xjf strongswan-4.6.2dr1.tar.bz2
  cd strongswan-4.6.2dr1
  ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
              --enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls \
              --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
  make
  [sudo] make install

The /etc/ipsec.conf file defines a remote access template:

# ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="tnc 3, imc 3, pts 3" 

/* TODO */

IKEv2 Negotiation

Startup and Initialization

The command

ipsec start

starts the TNC-enabled IPsec gateway:

Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1) 
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces: 
Nov 29 07:39:15 moon charon: 00[KNL]   eth0 
Nov 29 07:39:15 moon charon: 00[KNL]     192.168.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec0::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 
Nov 29 07:39:15 moon charon: 00[KNL]   eth1 
Nov 29 07:39:15 moon charon: 00[KNL]     10.1.0.1 
Nov 29 07:39:15 moon charon: 00[KNL]     fec1::1 
Nov 29 07:39:15 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1 

The file /etc/tnc_config

# IMV configuration file for strongSwan server

IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so

defines which IMVs are loaded by the TNC server:

Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default' 
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config' 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1536[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_1024[gmp] available 
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available 
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available 
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes 
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes 
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized 
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes 
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot' 
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA' 
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized 
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem' 
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem' 
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701 
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so' 

Next, the IKEv2 credentials, all required plugins and the IPsec connection definitions are loaded:

Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem' 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for carol@strongswan.org 
Nov 29 07:39:15 moon charon: 00[CFG]   loaded EAP secret for dave@strongswan.org  
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls  eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke 
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads 
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow' 
Nov 29 07:39:16 moon charon: 16[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' 
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow' 
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate' 
Nov 29 07:39:16 moon charon: 16[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' 
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate' 
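A startup check that a practitioner can run over this charon log to confirm the TNC server came up as intended: every PTS algorithm and DH group the log flags as mandatory is available, the "Attestation" IMV was loaded and registered its message type, PTS CA certificates were found, and the TNC plugins built above are present. This is an added example and not part of the HOWTO or of strongSwan; the sample log lines are copied from the excerpt above, and the sets REQUIRED_PTS and REQUIRED_PLUGINS are this example's own assumptions derived from that log and from the configure line.

```python
import re

# Constructed sample input: charon startup lines copied from the log excerpt
# above (gateway "moon", strongSwan 4.6.2dr1), embedded so the check runs offline.
STARTUP_LOG = """\
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[PTS]   loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls  eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
"""

# Assumption: the algorithms and DH groups the log above flags as "mandatory".
REQUIRED_PTS = {
    ("measurement algorithm", "HASH_SHA1"),
    ("measurement algorithm", "HASH_SHA256"),
    ("DH group", "ECP_256"),
}
# Assumption: plugins the configure line above enables that the TNC server needs.
REQUIRED_PLUGINS = {"eap-ttls", "eap-tnc", "tnccs-20", "tnc-imv"}

LINE_RE = re.compile(r"charon: \d+\[(\w+)\] (.*)$")
PTS_ALGO_RE = re.compile(
    r"(mandatory|optional)\s+PTS (measurement algorithm|DH group) (\w+)\[(\w+)\] (\w+)")
IMV_LOADED_RE = re.compile(r'IMV (\d+) "([^"]+)" loaded from \'([^\']+)\'')
MSG_TYPE_RE = re.compile(r"IMV (\d+) supports \d+ message types?: (.*)")
CACERT_RE = re.compile(r'loaded ca certificate "([^"]+)" from \'([^\']+)\'')
PLUGINS_RE = re.compile(r"loaded plugins: (.*)")


def decode_message_type(mt):
    """Split a TNC message type into (vendor ID, subtype): the upper 24 bits hold
    the IANA PEN, the low byte the subtype. 0x00559701 is PEN 21911 (TCG), subtype 1."""
    return mt >> 8, mt & 0xFF


def audit_startup(log_text):
    """Collect what the TNC server reported at startup and give an overall verdict."""
    result = {"available": set(), "missing": set(), "imvs": {},
              "message_types": {}, "pts_cacerts": [], "plugins": set(), "ok": False}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        subsys, msg = m.groups()
        if subsys == "PTS":
            a = PTS_ALGO_RE.search(msg)
            if a:
                level, kind, name, _plugin, status = a.groups()
                if status == "available":
                    result["available"].add((kind, name))
                elif level == "mandatory":
                    result["missing"].add((kind, name))
            c = CACERT_RE.search(msg)
            if c:   # only PTS CA certificates, not the IKEv2 CAs loaded by [CFG]
                result["pts_cacerts"].append(c.group(1))
        elif subsys == "TNC":
            l = IMV_LOADED_RE.search(msg)
            if l:
                result["imvs"][l.group(2)] = l.group(3)
            t = MSG_TYPE_RE.search(msg)
            if t:
                result["message_types"][int(t.group(1))] = [
                    int(x, 16) for x in t.group(2).split()]
        elif subsys == "DMN":
            p = PLUGINS_RE.search(msg)
            if p:
                result["plugins"] = set(p.group(1).split())
    # a mandatory entry that never appeared at all is just as fatal as one reported unavailable
    result["missing"] |= REQUIRED_PTS - result["available"]
    result["ok"] = (not result["missing"]
                    and "Attestation" in result["imvs"]
                    and REQUIRED_PLUGINS <= result["plugins"]
                    and bool(result["pts_cacerts"]))
    return result


if __name__ == "__main__":
    r = audit_startup(STARTUP_LOG)
    for imv_id, types in r["message_types"].items():
        for mt in types:
            vendor, subtype = decode_message_type(mt)
            print("IMV %d message type 0x%08x -> vendor %d subtype %d" % (imv_id, mt, vendor, subtype))
    print("startup ok:", r["ok"], "missing:", sorted(r["missing"]))
```

On a real gateway, feed the output of the syslog file (or of `ipsec start --nofork`) into audit_startup; a missing entry in "missing" or a false "ok" is what to look for before pointing TNC clients at the server.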

IKEv2 Exchanges

The IPsec gateway moon waits passively for IPsec clients to initiate an IKEv2 negotiation, which starts with an IKE_SA_INIT exchange:

Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500] 
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA 
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500] 

followed by the IKE_AUTH exchange, in which the client omits the AUTH payload and sends the EAP_ONLY notification to request mutual EAP-only authentication (RFC 5998); the gateway selects the matching peer configuration and starts the EAP-TTLS method, omitting its own AUTH and certificate payloads:

Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500] 
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ] 
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org] 
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow' 
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8) 
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE 
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ] 
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
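The payload notation in the [ENC] lines above is compact enough to parse, and doing so makes the EAP-only claim checkable: the client's IKE_AUTH request must carry N(EAP_ONLY) and no AUTH payload, and the gateway's response must carry an EAP request and no AUTH or CERT payload. The following is an added example, not part of the HOWTO or of strongSwan; the four sample lines are copied from the log above, and the "classic" response used as a counter-example in the usage note is constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the four [ENC] lines of the IKE_SA_INIT and IKE_AUTH
# exchanges logged above, embedded so the parser runs offline.
IKE_LOG = """\
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
"""

MSG_RE = re.compile(
    r"\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[ (.*?) \]")


@dataclass
class IkeMessage:
    direction: str          # "in" (parsed) or "out" (generating), seen from the gateway
    exchange: str           # IKE_SA_INIT, IKE_AUTH, ...
    kind: str               # request or response
    msg_id: int
    payloads: list = field(default_factory=list)   # plain payload names, in order
    notifies: list = field(default_factory=list)   # N(...) notify types, in order
    eap: tuple = None       # (code, method) taken from an EAP/CODE/METHOD token


def parse_ike_log(text):
    """Turn charon's "[ ... ]" payload lists into IkeMessage records."""
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        verb, exchange, kind, msg_id, body = m.groups()
        msg = IkeMessage("in" if verb == "parsed" else "out", exchange, kind, int(msg_id))
        for token in body.split():
            if token.startswith("N(") and token.endswith(")"):
                msg.notifies.append(token[2:-1])
            elif token.startswith("EAP/"):
                _, code, method = token.split("/", 2)
                msg.eap = (code, method)
                msg.payloads.append("EAP")
            else:
                msg.payloads.append(token)
        msgs.append(msg)
    return msgs


def check_eap_only_auth(msgs):
    """RFC 5998 EAP-only authentication: the initiator's first IKE_AUTH request has no
    AUTH payload and carries N(EAP_ONLY); a responder that accepts answers with an EAP
    request and leaves out its AUTH and CERT payloads (no certificate-based auth)."""
    req = next((m for m in msgs if m.exchange == "IKE_AUTH" and m.kind == "request"), None)
    resp = next((m for m in msgs if m.exchange == "IKE_AUTH" and m.kind == "response"), None)
    if req is None or resp is None:
        return {"client_requested_eap_only": False,
                "gateway_accepted_eap_only": False, "eap_method": None}
    requested = "EAP_ONLY" in req.notifies and "AUTH" not in req.payloads
    accepted = (requested and resp.eap is not None and resp.eap[0] == "REQ"
                and "AUTH" not in resp.payloads and "CERT" not in resp.payloads)
    return {"client_requested_eap_only": requested,
            "gateway_accepted_eap_only": accepted,
            "eap_method": resp.eap[1] if resp.eap else None}


if __name__ == "__main__":
    for m in parse_ike_log(IKE_LOG):
        print(m.direction, m.exchange, m.kind, m.msg_id, m.payloads, m.notifies, m.eap)
    print(check_eap_only_auth(parse_ike_log(IKE_LOG)))
```

A gateway that ignored the EAP_ONLY request would instead log a response such as "[ IDr CERT AUTH EAP/REQ/TTLS ]" (constructed, not from the log above); check_eap_only_auth reports gateway_accepted_eap_only as False for that case, which is the signal that the peer is still being asked to trust the gateway's certificate rather than the EAP-TTLS tunnel.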