Software Inventory Message and Attributes for PA-TNC (SWIMA)
Configuring a PT-TLS SWIMA Client
The following HOWTO describes the installation and configuration of a PT-TLS-based SW Client on an Ubuntu 16.04 platform.
Configuring a PT-TLS SWIMA Server
The following HOWTO describes the installation and configuration of a PT-TLS-based Server Daemon on an Ubuntu 16.04 platform.
Starting PT-TLS Server Daemon
The PT-TLS server based on the strongSwan systemd daemon is usually started automatically at boot time with the command
systemctl start strongswan-swanctl
First, all PA-TNC attribute definitions from the IETF, TCG, ITA-HSR and PWG namespaces are loaded. The IMVs to be dynamically loaded are read from /etc/tnc_config.
Jun 22 12:31:28 koala systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jun 22 12:31:28 koala charon-systemd[12088]: TNC recommendation policy is 'default'
Jun 22 12:31:28 koala charon-systemd[12088]: loading IMVs from '/etc/tnc_config'
Jun 22 12:31:28 koala charon-systemd[12088]: added IETF attributes
Jun 22 12:31:28 koala charon-systemd[12088]: added ITA-HSR attributes
Jun 22 12:31:28 koala charon-systemd[12088]: added PWG attributes
Jun 22 12:31:28 koala charon-systemd[12088]: added TCG attributes
Jun 22 12:31:28 koala charon-systemd[12088]: libimcv initialized
The OS IMV is loaded as a dynamic library and attached to the TNC server.
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 1 "OS" initialized
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imv-os.so'
The SWIMA IMV is loaded as a dynamic library and attached to the TNC server.
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 2 "SWIMA" initialized
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 2 supports 1 message type: 'IETF/Software' 0x000000/0x00000009
Jun 22 12:31:28 koala charon-systemd[12088]: IMV 2 "SWIMA" loaded from '/usr/lib/ipsec/imcvs/imv-swima.so'
The strongSwan daemon loads all required plugins and goes into multi-threading mode so that multiple PT-TLS connections can be handled
Jun 22 12:31:28 koala charon-systemd[12088]: loaded plugins: charon-systemd charon-systemd random nonce x509 tpm openssl revocation constraints pubkey pkcs1 pkcs8 pkcs12 pem tnc-imv tnc-pdp tnc-tnccs tnccs-20 kernel-netlink socket-default sqlite curl vici
Jun 22 12:31:28 koala charon-systemd[12088]: spawning 16 worker threads
Multiple PT-TLS server and CA certificates are loaded into the daemon
Jun 22 12:31:28 koala charon-systemd[12088]: loaded certificate 'C=CH, O=MSE, OU=TSM_ITSec, CN=mse2.strongswan.org'
Jun 22 12:31:28 koala charon-systemd[12088]: loaded certificate 'C=CH, O=strongSec GmbH, CN=koala.strongsec.com'
Jun 22 12:31:28 koala charon-systemd[12088]: loaded certificate 'C=CH, O=strongSec GmbH, CN=koala.strongsec.com'
Jun 22 12:31:28 koala charon-systemd[12088]: loaded certificate 'C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA'
Jun 22 12:31:28 koala charon-systemd[12088]: loaded certificate 'C=CH, O=MSE, OU=TSM_ITSec, CN=MSE CA'
The actual loading is done by the swanctl command line tool which transfers the certificates to the daemon via a Unix socket.
Jun 22 12:31:29 koala swanctl[12107]: loaded certificate from '/etc/swanctl/x509/MSE2_Cert.pem'
Jun 22 12:31:29 koala swanctl[12107]: loaded certificate from '/etc/swanctl/x509/koala_AIK_ECC_Cert.pem'
Jun 22 12:31:29 koala swanctl[12107]: loaded certificate from '/etc/swanctl/x509/koala_AIK_RSA_Cert.pem'
Jun 22 12:31:29 koala swanctl[12107]: loaded certificate from '/etc/swanctl/x509ca/strongsecCaCert.pem'
Jun 22 12:31:29 koala swanctl[12107]: loaded certificate from '/etc/swanctl/x509ca/MSE_CA_Cert.pem'
The first server certificate has a matching ECDSA private key loaded from file
Jun 22 12:31:28 koala charon-systemd[12088]: loaded ECDSA private key
The second server certificate has a matching ECDSA key protected by a TPM 2.0
Jun 22 12:31:28 koala charon-systemd[12088]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES MGF1 KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 ECMQV KDF1_SP800_108 ECC SYMCIPHER CTR OFB CBC CFB ECB
Jun 22 12:31:28 koala charon-systemd[12088]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Jun 22 12:31:28 koala charon-systemd[12088]: TPM 2.0 via TSS2 available
Jun 22 12:31:29 koala charon-systemd[12088]: AIK signature algorithm is ECDSA with SHA256 hash
Jun 22 12:31:29 koala charon-systemd[12088]: loaded ECDSA private key from token
The third server certificate has a matching RSA key protected by a TPM 2.0
Jun 22 12:31:29 koala charon-systemd[12088]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES MGF1 KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 ECMQV KDF1_SP800_108 ECC SYMCIPHER CTR OFB CBC CFB ECB
Jun 22 12:31:29 koala charon-systemd[12088]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Jun 22 12:31:29 koala charon-systemd[12088]: TPM 2.0 via TSS2 available
Jun 22 12:31:29 koala charon-systemd[12088]: AIK signature algorithm is RSASSA with SHA256 hash
Jun 22 12:31:29 koala charon-systemd[12088]: loaded RSA private key from token
Again it is the swanctl tool which loads the private keys or determines the IDs of keys residing on smartcard or TPM devices.
Jun 22 12:31:29 koala swanctl[12107]: loaded ecdsa key from '/etc/swanctl/ecdsa/MSE2_Key.pem'
Jun 22 12:31:29 koala swanctl[12107]: loaded key token_ak_ecc from token [keyid: 8e70ca6665cd2e6c7893e407cb9a7cd6264d714f]
Jun 22 12:31:29 koala swanctl[12107]: loaded key token_ak_rsa from token [keyid: ce431f647d549f759267422f4097c874e2eca547]
The PT-TLS server is now up and ready to accept connections on the default TCP port 271.
Jun 22 12:31:29 koala systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Accepting PT-TLS Client Connection
A PT-TLS client connects to the PT-TLS server and performs a TLS 1.2 handshake with mutual certificate authentication to establish a secure socket
Jun 22 12:34:56 koala charon-systemd[12088]: accepting PT-TLS stream from 46.126.238.39
Jun 22 12:34:56 koala charon-systemd[12088]: entering PT-TLS negotiation phase
Jun 22 12:34:56 koala charon-systemd[12088]: negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Jun 22 12:34:56 koala charon-systemd[12088]: sending TLS server certificate 'C=CH, O=MSE, OU=TSM_ITSec, CN=mse2.strongswan.org'
Jun 22 12:34:56 koala charon-systemd[12088]: sending TLS cert request for 'C=CH, O=MSE, OU=TSM_ITSec, CN=MSE CA'
Jun 22 12:34:56 koala charon-systemd[12088]: sending TLS cert request for 'C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA'
Jun 22 12:34:56 koala charon-systemd[12088]: received TLS peer certificate 'C=CH, O=strongSec GmbH, CN=brisbane.strongsec.com'
Jun 22 12:34:56 koala charon-systemd[12088]: using certificate "C=CH, O=strongSec GmbH, CN=brisbane.strongsec.com"
Jun 22 12:34:56 koala charon-systemd[12088]: using trusted ca certificate "C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA"
Jun 22 12:34:56 koala charon-systemd[12088]: checking certificate status of "C=CH, O=strongSec GmbH, CN=brisbane.strongsec.com"
Jun 22 12:34:56 koala charon-systemd[12088]: using trusted certificate "C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA"
Jun 22 12:34:56 koala charon-systemd[12088]: crl correctly signed by "C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA"
Jun 22 12:34:56 koala charon-systemd[12088]: crl is valid: until Jun 25 10:00:01 2017
Jun 22 12:34:56 koala charon-systemd[12088]: using cached crl
Jun 22 12:34:56 koala charon-systemd[12088]: using trusted certificate "C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA"
Jun 22 12:34:56 koala charon-systemd[12088]: crl correctly signed by "C=CH, O=strongSec GmbH, CN=strongSec 2016 Root CA"
Jun 22 12:34:56 koala charon-systemd[12088]: crl is valid: until Jun 23 10:00:01 2017
Jun 22 12:34:56 koala charon-systemd[12088]: using cached crl
Jun 22 12:34:56 koala charon-systemd[12088]: certificate status is good
Jun 22 12:34:56 koala charon-systemd[12088]: reached self-signed root ca with a path length of 0
The PT-TLS negotiation phase starts; SASL-based client authentication is skipped because the client already authenticated itself with its certificate during the TLS handshake.
Jun 22 12:34:56 koala charon-systemd[12088]: received PT-TLS message #0 of type 'Version Request' (20 bytes)
Jun 22 12:34:56 koala charon-systemd[12088]: sending PT-TLS message #0 of type 'Version Response' (20 bytes)
Jun 22 12:34:56 koala charon-systemd[12088]: negotiated PT-TLS version 1
Jun 22 12:34:56 koala charon-systemd[12088]: doing SASL client authentication
Jun 22 12:34:56 koala charon-systemd[12088]: skipping SASL, client already authenticated by TLS certificate
Jun 22 12:34:56 koala charon-systemd[12088]: sending PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
The PT-TLS protocol switches to the data transport phase and a TNCCS (PB-TNC) connection is instantiated
Jun 22 12:34:56 koala charon-systemd[12088]: entering PT-TLS data transport phase
Jun 22 12:34:57 koala charon-systemd[12088]: received PT-TLS message #1 of type 'PB-TNC Batch' (337 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: assigned TNCCS Connection ID 1
An OS IMV instance is created for this PB-TNC connection
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
Jun 22 12:34:57 koala charon-systemd[12088]: over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
Jun 22 12:34:57 koala charon-systemd[12088]: user AR identity 'C=CH, O=strongSec GmbH, CN=brisbane.strongsec.com' of type X.500 DN authenticated by certificate
Jun 22 12:34:57 koala charon-systemd[12088]: machine AR identity '46.126.238.39' of type IPv4 address authenticated by unknown method
A SWIMA IMV instance is created for this PB-TNC connection
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 "SWIMA" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
Jun 22 12:34:57 koala charon-systemd[12088]: over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
The PB-TNC connection is now initialized and goes into Handshake mode
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 "SWIMA" changed state of Connection ID 1 to 'Handshake'
The first PB-TNC client batch is received containing two PA-TNC messages
Jun 22 12:34:57 koala charon-systemd[12088]: received TNCCS batch (321 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling inbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: processing PB-TNC CDATA batch for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Init' to 'Server Working'
Jun 22 12:34:57 koala charon-systemd[12088]: processing IETF/PB-Language-Preference message (31 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: processing IETF/PB-PA message (230 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: processing IETF/PB-PA message (52 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: setting language preference to 'en'
The first PA-TNC message is of type IETF / Operating System and contains some IETF standard attributes sent by the OS IMC
Jun 22 12:34:57 koala charon-systemd[12088]: handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 "OS" received message for Connection ID 1 from IMC 1
Jun 22 12:34:57 koala charon-systemd[12088]: => 206 bytes @ 0x7ff810004f10
0: 01 00 00 00 6F 69 67 01 00 00 00 00 00 00 00 02  ....oig.........
16: 00 00 00 17 00 71 32 00 00 55 62 75 6E 74 75 00  .....q2..Ubuntu.
32: 00 00 00 00 00 00 04 00 00 00 1B 0C 31 36 2E 30  ............16.0
48: 34 20 78 38 36 5F 36 34 00 00 00 00 00 00 00 00  4 x86_64........
64: 00 03 00 00 00 1C 00 00 00 10 00 00 00 04 00 00  ................
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00  ................
96: 00 24 03 01 00 00 32 30 31 37 2D 30 36 2D 31 39  .$....2017-06-19
112: 54 31 34 3A 31 38 3A 33 35 5A 00 00 00 00 00 00  T14:18:35Z......
128: 00 0B 00 00 00 10 00 00 00 01 00 00 00 00 00 00  ................
144: 00 0C 00 00 00 10 00 00 00 00 00 00 90 2A 00 00  .............*..
160: 00 08 00 00 00 34 35 64 39 35 30 32 31 33 39 36  .....45d95021396
176: 64 32 34 31 35 65 35 63 35 33 63 61 32 64 65 61  d2415e5c53ca2dea
192: 36 66 62 63 31 63 32 33 38 37 63 35 36 61        6fbc1c2387c56a
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC message with ID 0x6f696701
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
This is the OS information contained in the PA-TNC attributes
Jun 22 12:34:57 koala charon-systemd[12088]: operating system name is 'Ubuntu' from vendor Canonical
Jun 22 12:34:57 koala charon-systemd[12088]: operating system version is '16.04 x86_64'
Jun 22 12:34:57 koala charon-systemd[12088]: operating system numeric version is 16.4
Jun 22 12:34:57 koala charon-systemd[12088]: operational status: operational, result: successful
Jun 22 12:34:57 koala charon-systemd[12088]: last boot: Jun 19 14:18:35 UTC 2017
Jun 22 12:34:57 koala charon-systemd[12088]: IPv4 forwarding is enabled
Jun 22 12:34:57 koala charon-systemd[12088]: factory default password is disabled
Jun 22 12:34:57 koala charon-systemd[12088]: device ID is 5d95021396d2415e5c53ca2dea6fbc1c2387c56a
The second PA-TNC message is of type IETF / Software and contains a PA-TNC segmentation contract request
Jun 22 12:34:57 koala charon-systemd[12088]: handling PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2
Jun 22 12:34:57 koala charon-systemd[12088]: => 28 bytes @ 0x7ff810005860
0: 01 00 00 00 19 74 B7 4E 00 00 55 97 00 00 00 21  .....t.N..U....!
16: 00 00 00 14 00 98 96 80 00 01 FF B8              ............
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC message with ID 0x1974b74e
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
This is the decoded segmentation contract request
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 received a segmentation contract request from IMC 2 for PA message type 'IETF/Software' 0x000000/0x00000009 maximum attribute size of 10000000 bytes with maximum segment size of 131000 bytes
The SWIMA IMV answers with a segmentation contract response
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC message with ID 0xa41e0787
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
Jun 22 12:34:57 koala charon-systemd[12088]: created PA-TNC message:
=> 28 bytes @ 0x7ff810000a00
0: 01 00 00 00 A4 1E 07 87 00 00 55 97 00 00 00 22  ..........U...."
16: 00 00 00 14 00 98 96 80 00 01 FF B8              ............
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Software' 0x000000/0x00000009
The OS IMV also sends a segmentation contract request for PA message type IETF / Operating System
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001 maximum attribute size of 100000000 bytes with maximum segment size of 131000 bytes
The strongTNC policy manager assigns a session ID and issues a single SWIDT workitem
Jun 22 12:34:57 koala charon-systemd[12088]: assigned session ID 2 to Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: running policy script: 2>&1 ipsec imv_policy_manager start 2
Jun 22 12:34:57 koala charon-systemd[12088]: policy: imv_policy_manager start successful
Jun 22 12:34:57 koala charon-systemd[12088]: SWIDT workitem 9
The OS IMV has not been assigned any work items by the policy manager and therefore completes its evaluation immediately with an 'allow' recommendation
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 has no workitems - no evaluation requested
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC message with ID 0x916d188f
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
Jun 22 12:34:57 koala charon-systemd[12088]: created PA-TNC message:
=> 117 bytes @ 0x7ff810004f20
0: 01 00 00 00 91 6D 18 8F 00 00 00 00 00 00 00 09  .....m..........
16: 00 00 00 10 00 00 00 04 00 00 00 00 00 00 00 0A  ................
32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42  ...]...........B
48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72  IP Packet Forwar
64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69  ding.  Please di
80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72  sable the forwar
96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65  ding of IP packe
112: 74 73 02 65 6E                                    ts.en
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 1 provides recommendation 'allow' and evaluation 'don't know'
The SWIMA IMV sends a segmentation contract request for PA message type IETF / Software as well
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 requests a segmentation contract for PA message type 'IETF/Software' 0x000000/0x00000009 maximum attribute size of 10000000 bytes with maximum segment size of 131000 bytes
Sending IETF SW Request Attribute
The SWIMA IMV is responsible for the SWIDT workitem and issues an IETF / SW Request attribute
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 handles SWIDT workitem 9
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 issues sw request 9
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC message with ID 0xeaeacdc3
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'IETF/SW Request' 0x000000/0x00000011
Jun 22 12:34:57 koala charon-systemd[12088]: created PA-TNC message:
=> 52 bytes @ 0x7ff810005550
0: 01 00 00 00 EA EA CD C3 00 00 55 97 00 00 00 21  ..........U....!
16: 00 00 00 14 00 98 96 80 00 01 FF B8 00 00 00 00  ................
32: 00 00 00 11 00 00 00 18 20 00 00 00 00 00 00 09  ........ .......
48: 00 00 00 00                                      ....
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Software' 0x000000/0x00000009
The first Server DATA batch is sent to the TNC Client
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling outbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Server Working' to 'Client Working'
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-TNC SDATA batch
Jun 22 12:34:57 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:57 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:57 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:57 koala charon-systemd[12088]: sending PB-TNC SDATA batch (277 bytes) for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: sending PT-TLS message #2 of type 'PB-TNC Batch' (293 bytes)
Receiving IETF SW Identity Inventory Attribute
A Client DATA batch has been received
Jun 22 12:34:57 koala charon-systemd[12088]: received PT-TLS message #2 of type 'PB-TNC Batch' (131072 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: received TNCCS batch (131056 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling inbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: processing PB-TNC CDATA batch for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Client Working' to 'Server Working'
Jun 22 12:34:57 koala charon-systemd[12088]: processing IETF/PB-PA message (131048 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: handling PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2 to IMV 2
Jun 22 12:34:57 koala charon-systemd[12088]: => 131024 bytes @ 0x7ff820090960
0: 01 00 00 00 AC 4D 42 7A 00 00 55 97 00 00 00 22  .....MBz..U...."
16: 00 00 00 14 00 98 96 80 00 01 FF B8 00 00 55 97  ..............U.
32: 00 00 00 23 00 01 FF B4 C0 00 00 01 00 00 00 00  ...#............
48: 00 00 00 12 00 02 88 84 00 00 08 01 00 00 00 09  ................
64: 3B 8A 77 A3 00 00 00 A1 00 00 0A CF 00 00 00 01  ;.w.............
80: 01 00 00 52 73 74 72 6F 6E 67 73 77 61 6E 2E 6F  ...Rstrongswan.o
96: 72 67 5F 5F 55 62 75 6E 74 75 5F 31 36 2E 30 34  rg__Ubuntu_16.04
112: 2D 78 38 36 5F 36 34 2D 61 31 31 79 2D 70 72 6F  -x86_64-a11y-pro
128: 66 69 6C 65 2D 6D 61 6E 61 67 65 72 2D 69 6E 64  file-manager-ind
144: 69 63 61 74 6F 72 2D 30 2E 31 2E 31 30 2D 30 75  icator-0.1.10-0u
160: 62 75 6E 74 75 33 00 00 00 00 0A D0 00 00 00 01  buntu3..........
176: 01 00 00 58 73 74 72 6F 6E 67 73 77 61 6E 2E 6F  ...Xstrongswan.o
192: 72 67 5F 5F 55 62 75 6E 74 75 5F 31 36 2E 30 34  rg__Ubuntu_16.04
208: 2D 78 38 36 5F 36 34 2D 61 63 63 6F 75 6E 74 2D  -x86_64-account-
224: 70 6C 75 67 69 6E 2D 66 61 63 65 62 6F 6F 6B 2D  plugin-facebook-
240: 30 2E 31 32 7E 31 36 2E 30 34 2E 32 30 31 36 30  0.12~16.04.20160
256: 31 32 36 2D 30 75 62 75 6E 74 75 31 00 00 00 00  126-0ubuntu1....
272: 0A D1 00 00 00 01 01 00 00 56 73 74 72 6F 6E 67  .........Vstrong
288: 73 77 61 6E 2E 6F 72 67 5F 5F 55 62 75 6E 74 75  swan.org__Ubuntu
304: 5F 31 36 2E 30 34 2D 78 38 36 5F 36 34 2D 61 63  _16.04-x86_64-ac
320: 63 6F 75 6E 74 2D 70 6C 75 67 69 6E 2D 66 6C 69  count-plugin-fli
336: 63 6B 72 2D 30 2E 31 32 7E 31 36 2E 30 34 2E 32  ckr-0.12~16.04.2
352: 30 31 36 30 31 32 36 2D 30 75 62 75 6E 74 75 31  0160126-0ubuntu1
368: 00 00 00 00 0A D2 00 00 00 01 01 00 00 56 73 74  .............Vst
384: 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F 55 62  rongswan.org__Ub
400: 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36 5F 36  untu_16.04-x86_6
416: 34 2D 61 63 63 6F 75 6E 74 2D 70 6C 75 67 69 6E  4-account-plugin
432: 2D 67 6F 6F 67 6C 65 2D 30 2E 31 32 7E 31 36 2E  -google-0.12~16.
448: 30 34 2E 32 30 31 36 30 31 32 36 2D 30 75 62 75  04.20160126-0ubu
464: 6E 74 75 31 00 00 00 00 06 2E 00 00 00 01 01 00  ntu1............
...
130656: 00 00 00 01 01 00 00 4A 73 74 72 6F 6E 67 73 77  .......Jstrongsw
130672: 61 6E 2E 6F 72 67 5F 5F 55 62 75 6E 74 75 5F 31  an.org__Ubuntu_1
130688: 36 2E 30 34 2D 78 38 36 5F 36 34 2D 70 72 69 6E  6.04-x86_64-prin
130704: 74 65 72 2D 64 72 69 76 65 72 2D 68 70 63 75 70  ter-driver-hpcup
130720: 73 2D 33 2E 31 36 2E 33 7E 72 65 70 61 63 6B 30  s-3.16.3~repack0
130736: 2D 31 00 00 00 00 0E D8 00 00 00 01 01 00 00 43  -1.............C
130752: 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F  strongswan.org__
130768: 55 62 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36  Ubuntu_16.04-x86
130784: 5F 36 34 2D 70 72 69 6E 74 65 72 2D 64 72 69 76  _64-printer-driv
130800: 65 72 2D 6D 69 6E 31 32 78 78 77 2D 30 2E 30 2E  er-min12xxw-0.0.
130816: 39 2D 39 00 00 00 00 0E D9 00 00 00 01 01 00 00  9-9.............
130832: 4F 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F  Ostrongswan.org_
130848: 5F 55 62 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38  _Ubuntu_16.04-x8
130864: 36 5F 36 34 2D 70 72 69 6E 74 65 72 2D 64 72 69  6_64-printer-dri
130880: 76 65 72 2D 70 6E 6D 32 70 70 61 2D 31 2E 31 33  ver-pnm2ppa-1.13
130896: 7E 6E 6F 6E 64 62 73 2D 30 75 62 75 6E 74 75 35  ~nondbs-0ubuntu5
130912: 00 00 00 00 0E DA 00 00 00 01 01 00 00 51 73 74  .............Qst
130928: 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F 55 62  rongswan.org__Ub
130944: 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36 5F 36  untu_16.04-x86_6
130960: 34 2D 70 72 69 6E 74 65 72 2D 64 72 69 76 65 72  4-printer-driver
130976: 2D 70 6F 73 74 73 63 72 69 70 74 2D 68 70 2D 33  -postscript-hp-3
130992: 2E 31 36 2E 33 7E 72 65 70 61 63 6B 30 2D 31 00  .16.3~repack0-1.
131008: 00 00 00 0E DB 00 00 00 01 01 00 00 3F 73 74 72  ............?str
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC message with ID 0xac4d427a
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
The SWIMA IMC accepted the segmentation contract
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 received a segmentation contract response from IMC 2 for PA message type 'IETF/Software' 0x000000/0x00000009 maximum attribute size of 10000000 bytes with maximum segment size of 131000 bytes
The first 128k segment of an IETF / Software message has been received
Jun 22 12:34:57 koala charon-systemd[12088]: received first segment for base attribute ID 1 (130980 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/SW Identifier Inventory' 0x000000/0x00000012
Jun 22 12:34:57 koala charon-systemd[12088]: 3 bytes insufficient to parse 63 bytes of data
1646 complete software identifiers including their record ID were received in the first segment; the segment ends in the middle of a record (the "3 bytes insufficient" message above), and 424 identifiers are to follow
Jun 22 12:34:57 koala charon-systemd[12088]: received software identity inventory with 1625 items for request 9 at eid 161 of epoch 0x3b8a77a3, 424 items to follow
Jun 22 12:34:57 koala charon-systemd[12088]: 2767: strongswan.org__Ubuntu_16.04-x86_64-a11y-profile-manager-indicator-0.1.10-0ubuntu3
Jun 22 12:34:57 koala charon-systemd[12088]: 2768: strongswan.org__Ubuntu_16.04-x86_64-account-plugin-facebook-0.12~16.04.20160126-0ubuntu1
Jun 22 12:34:57 koala charon-systemd[12088]: 2769: strongswan.org__Ubuntu_16.04-x86_64-account-plugin-flickr-0.12~16.04.20160126-0ubuntu1
Jun 22 12:34:57 koala charon-systemd[12088]: 2770: strongswan.org__Ubuntu_16.04-x86_64-account-plugin-google-0.12~16.04.20160126-0ubuntu1
...
Jun 22 12:34:57 koala charon-systemd[12088]: 3799: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-hpcups-3.16.3~repack0-1
Jun 22 12:34:57 koala charon-systemd[12088]: 3800: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-min12xxw-0.0.9-9
Jun 22 12:34:57 koala charon-systemd[12088]: 3801: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-pnm2ppa-1.13~nondbs-0ubuntu5
Jun 22 12:34:57 koala charon-systemd[12088]: 3802: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-postscript-hp-3.16.3~repack0-1
The SWIMA IMV requests the next segment of the IETF / Software message
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC message with ID 0x41ff7fe5
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
Jun 22 12:34:57 koala charon-systemd[12088]: created PA-TNC message:
=> 24 bytes @ 0x7ff82015ae30
0: 01 00 00 00 41 FF 7F E5 00 00 55 97 00 00 00 24  ....A.....U....$
16: 00 00 00 10 00 00 00 01                          ........
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling outbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Server Working' to 'Client Working'
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-TNC SDATA batch
Jun 22 12:34:57 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:57 koala charon-systemd[12088]: sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: sending PT-TLS message #3 of type 'PB-TNC Batch' (72 bytes)
The second and last segment of the IETF / Software message has been received
Jun 22 12:34:57 koala charon-systemd[12088]: received PT-TLS message #3 of type 'PB-TNC Batch' (35112 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: received TNCCS batch (35096 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling inbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: processing PB-TNC CDATA batch for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Client Working' to 'Server Working'
Jun 22 12:34:57 koala charon-systemd[12088]: processing IETF/PB-PA message (35088 bytes)
Jun 22 12:34:57 koala charon-systemd[12088]: handling PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2 to IMV 2
Jun 22 12:34:57 koala charon-systemd[12088]: => 35064 bytes @ 0x7ff81802afa0
0: 01 00 00 00 C4 99 91 00 00 00 55 97 00 00 00 23  ..........U....#
16: 00 00 88 F0 00 00 00 01 6F 6E 67 73 77 61 6E 2E  ........ongswan.
32: 6F 72 67 5F 5F 55 62 75 6E 74 75 5F 31 36 2E 30  org__Ubuntu_16.0
48: 34 2D 78 38 36 5F 36 34 2D 70 72 69 6E 74 65 72  4-x86_64-printer
64: 2D 64 72 69 76 65 72 2D 70 74 6F 75 63 68 2D 31  -driver-ptouch-1
80: 2E 34 2D 31 00 00 00 00 0E DC 00 00 00 01 01 00  .4-1............
96: 00 46 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67  .Fstrongswan.org
112: 5F 5F 55 62 75 6E 74 75 5F 31 36 2E 30 34 2D 78  __Ubuntu_16.04-x
128: 38 36 5F 36 34 2D 70 72 69 6E 74 65 72 2D 64 72  86_64-printer-dr
144: 69 76 65 72 2D 70 78 6C 6A 72 2D 31 2E 34 7E 72  iver-pxljr-1.4~r
160: 65 70 61 63 6B 30 2D 34 00 00 00 00 0E DD 00 00  epack0-4........
176: 00 01 01 00 00 47 73 74 72 6F 6E 67 73 77 61 6E  .....Gstrongswan
192: 2E 6F 72 67 5F 5F 55 62 75 6E 74 75 5F 31 36 2E  .org__Ubuntu_16.
208: 30 34 2D 78 38 36 5F 36 34 2D 70 72 69 6E 74 65  04-x86_64-printe
224: 72 2D 64 72 69 76 65 72 2D 73 61 67 2D 67 64 69  r-driver-sag-gdi
240: 2D 30 2E 31 2D 34 75 62 75 6E 74 75 31 00 00 00  -0.1-4ubuntu1...
256: 00 0E DE 00 00 00 01 01 00 00 50 73 74 72 6F 6E  ..........Pstron
272: 67 73 77 61 6E 2E 6F 72 67 5F 5F 55 62 75 6E 74  gswan.org__Ubunt
288: 75 5F 31 36 2E 30 34 2D 78 38 36 5F 36 34 2D 70  u_16.04-x86_64-p
304: 72 69 6E 74 65 72 2D 64 72 69 76 65 72 2D 73 70  rinter-driver-sp
320: 6C 69 78 2D 32 2E 30 2E 30 7E 73 76 6E 33 31 35  lix-2.0.0~svn315
336: 2D 34 66 61 6B 65 73 79 6E 63 31 00 00 00 00 06  -4fakesync1.....
...
34688: 75 32 00 00 00 00 0F E0 00 00 00 01 01 00 00 43  u2.............C
34704: 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F  strongswan.org__
34720: 55 62 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36  Ubuntu_16.04-x86
34736: 5F 36 34 2D 7A 65 6E 69 74 79 2D 63 6F 6D 6D 6F  _64-zenity-commo
34752: 6E 2D 33 2E 31 38 2E 31 2E 31 2D 31 75 62 75 6E  n-3.18.1.1-1ubun
34768: 74 75 32 00 00 00 00 0F E1 00 00 00 01 01 00 00  tu2.............
34784: 2E 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F  .strongswan.org_
34800: 5F 55 62 75 6E 74 75 5F 31 36 2E 30 34 2D 78 38  _Ubuntu_16.04-x8
34816: 36 5F 36 34 2D 7A 69 70 2D 33 2E 30 2D 31 31 00  6_64-zip-3.0-11.
34832: 00 00 00 09 D2 00 00 00 01 01 00 00 42 73 74 72  ............Bstr
34848: 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F 55 62 75  ongswan.org__Ubu
34864: 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36 5F 36 34  ntu_16.04-x86_64
34880: 2D 7A 6C 69 62 31 67 2D 31 7E 31 2E 32 2E 38 2E  -zlib1g-1~1.2.8.
34896: 64 66 73 67 2D 32 75 62 75 6E 74 75 34 2E 31 00  dfsg-2ubuntu4.1.
34912: 00 00 00 09 D9 00 00 00 01 01 00 00 46 73 74 72  ............Fstr
34928: 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F 55 62 75  ongswan.org__Ubu
34944: 6E 74 75 5F 31 36 2E 30 34 2D 78 38 36 5F 36 34  ntu_16.04-x86_64
34960: 2D 7A 6C 69 62 31 67 2D 64 65 76 2D 31 7E 31 2E  -zlib1g-dev-1~1.
34976: 32 2E 38 2E 64 66 73 67 2D 32 75 62 75 6E 74 75  2.8.dfsg-2ubuntu
34992: 34 2E 31 00 00 00 00 00 00 00 00 00 01 02 00 00  4.1.............
35008: 20 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F   strongswan.org_
35024: 5F 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 35 2D  _strongSwan-5-5-
35040: 33 00 15 2F 75 73 72 2F 73 68 61 72 65 2F 73 74  3../usr/share/st
35056: 72 6F 6E 67 73 77 61 6E                          rongswan
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC message with ID 0xc4999100
Jun 22 12:34:57 koala charon-systemd[12088]: processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
Jun 22 12:34:57 koala charon-systemd[12088]: received last segment for base attribute ID 1 (35040 bytes)
The remaining software identifiers have been received, which completes the IETF / Software Identifier Inventory attribute.
Jun 22 12:34:57 koala charon-systemd[12088]: received software identity inventory with 424 items for request 9 at eid 161 of epoch 0x3b8a77a3, 0 items to follow
Jun 22 12:34:57 koala charon-systemd[12088]: 3803: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-ptouch-1.4-1
Jun 22 12:34:57 koala charon-systemd[12088]: 3804: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-pxljr-1.4~repack0-4
Jun 22 12:34:57 koala charon-systemd[12088]: 3805: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-sag-gdi-0.1-4ubuntu1
Jun 22 12:34:57 koala charon-systemd[12088]: 3806: strongswan.org__Ubuntu_16.04-x86_64-printer-driver-splix-2.0.0~svn315-4fakesync1
...
Jun 22 12:34:57 koala charon-systemd[12088]: 4064: strongswan.org__Ubuntu_16.04-x86_64-zenity-common-3.18.1.1-1ubuntu2
Jun 22 12:34:57 koala charon-systemd[12088]: 4065: strongswan.org__Ubuntu_16.04-x86_64-zip-3.0-11
Jun 22 12:34:57 koala charon-systemd[12088]: 2514: strongswan.org__Ubuntu_16.04-x86_64-zlib1g-1~1.2.8.dfsg-2ubuntu4.1
Jun 22 12:34:57 koala charon-systemd[12088]: 2521: strongswan.org__Ubuntu_16.04-x86_64-zlib1g-dev-1~1.2.8.dfsg-2ubuntu4.1
Jun 22 12:34:57 koala charon-systemd[12088]: 0: strongswan.org__strongSwan-5-5-3 @ /usr/share/strongswan
Sending IETF [Targeted] SW Request Attribute¶
All software identifiers are sent to the strongTNC policy manager via its RESTful interface. The policy manager looks up every software identifier in its database and finds that it has no SWID tag for the strongSwan-5.5.3 software.
Jun 22 12:34:57 koala charon-systemd[12088]: sending request to 'https://admin-user:xxxxxxxxxx!@tnc.strongswan.org/api/sessions/2/swid-measurement/'...
Jun 22 12:34:57 koala charon-systemd[12088]: 1 SWID tag target
Jun 22 12:34:57 koala charon-systemd[12088]: strongswan.org__strongSwan-5-5-3
A targeted IETF / SW Request attribute naming that single software identifier is sent in a PB-TNC Server DATA (SDATA) batch.
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC message with ID 0x6d9f210a
Jun 22 12:34:57 koala charon-systemd[12088]: creating PA-TNC attribute type 'IETF/SW Request' 0x000000/0x00000011
Jun 22 12:34:57 koala charon-systemd[12088]: created PA-TNC message: => 66 bytes @ 0x7ff8180036c0
    0: 01 00 00 00 6D 9F 21 0A 00 00 00 00 00 00 00 11  ....m.!.........
   16: 00 00 00 3A 00 00 00 01 00 00 00 09 00 00 00 00  ...:............
   32: 00 20 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67  . strongswan.org
   48: 5F 5F 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 35  __strongSwan-5-5
   64: 2D 33                                            -3
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:57 koala charon-systemd[12088]: TNC server is handling outbound connection
Jun 22 12:34:57 koala charon-systemd[12088]: PB-TNC state transition from 'Server Working' to 'Client Working'
Jun 22 12:34:57 koala charon-systemd[12088]: creating PB-TNC SDATA batch
Jun 22 12:34:57 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:57 koala charon-systemd[12088]: sending PB-TNC SDATA batch (98 bytes) for Connection ID 1
Jun 22 12:34:57 koala charon-systemd[12088]: sending PT-TLS message #4 of type 'PB-TNC Batch' (114 bytes)
Receiving IETF SW Inventory Attribute¶
Jun 22 12:34:58 koala charon-systemd[12088]: received PT-TLS message #4 of type 'PB-TNC Batch' (508 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: received TNCCS batch (492 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: TNC server is handling inbound connection
Jun 22 12:34:58 koala charon-systemd[12088]: processing PB-TNC CDATA batch for Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: PB-TNC state transition from 'Client Working' to 'Server Working'
Jun 22 12:34:58 koala charon-systemd[12088]: processing IETF/PB-PA message (484 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: handling PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2 to IMV 2
Jun 22 12:34:58 koala charon-systemd[12088]: => 460 bytes @ 0x7ff83c003ef0
    0: 01 00 00 00 9A 73 D4 63 00 00 00 00 00 00 00 14  .....s.c........
   16: 00 00 01 C4 00 00 00 01 00 00 00 09 11 22 33 44  ............."3D
   32: 00 00 00 01 00 00 00 00 00 00 00 01 02 00 00 20  ............... 
   48: 73 74 72 6F 6E 67 73 77 61 6E 2E 6F 72 67 5F 5F  strongswan.org__
   64: 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 35 2D 33  strongSwan-5-5-3
   80: 00 15 2F 75 73 72 2F 73 68 61 72 65 2F 73 74 72  ../usr/share/str
   96: 6F 6E 67 73 77 61 6E 00 00 01 61 3C 3F 78 6D 6C  ongswan...a<?xml
  112: 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65   version="1.0" e
  128: 6E 63 6F 64 69 6E 67 3D 22 75 74 66 2D 38 22 3F  ncoding="utf-8"?
  144: 3E 0A 0A 3C 53 6F 66 74 77 61 72 65 49 64 65 6E  >..<SoftwareIden
  160: 74 69 74 79 0A 20 20 6E 61 6D 65 3D 22 73 74 72  tity.  name="str
  176: 6F 6E 67 53 77 61 6E 22 0A 20 20 74 61 67 49 64  ongSwan".  tagId
  192: 3D 22 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 35  ="strongSwan-5-5
  208: 2D 33 22 0A 20 20 76 65 72 73 69 6F 6E 3D 22 35  -3".  version="5
  224: 2E 35 2E 33 22 20 76 65 72 73 69 6F 6E 53 63 68  .5.3" versionSch
  240: 65 6D 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69  eme="alphanumeri
  256: 63 22 0A 20 20 78 6D 6C 6E 73 3D 22 68 74 74 70  c".  xmlns="http
  272: 3A 2F 2F 73 74 61 6E 64 61 72 64 73 2E 69 73 6F  ://standards.iso
  288: 2E 6F 72 67 2F 69 73 6F 2F 31 39 37 37 30 2F 2D  .org/iso/19770/-
  304: 32 2F 32 30 31 35 2F 73 63 68 65 6D 61 2E 78 73  2/2015/schema.xs
  320: 64 22 3E 0A 20 20 3C 45 6E 74 69 74 79 0A 20 20  d">.  <Entity.  
  336: 20 20 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 77    name="strongSw
  352: 61 6E 20 50 72 6F 6A 65 63 74 22 0A 20 20 20 20  an Project".    
  368: 72 65 67 69 64 3D 22 73 74 72 6F 6E 67 73 77 61  regid="strongswa
  384: 6E 2E 6F 72 67 22 0A 20 20 20 20 72 6F 6C 65 3D  n.org".    role=
  400: 22 73 6F 66 74 77 61 72 65 43 72 65 61 74 6F 72  "softwareCreator
  416: 20 6C 69 63 65 6E 73 6F 72 20 74 61 67 43 72 65   licensor tagCre
  432: 61 74 6F 72 22 2F 3E 0A 3C 2F 53 6F 66 74 77 61  ator"/>.</Softwa
  448: 72 65 49 64 65 6E 74 69 74 79 3E 0A              reIdentity>.
Jun 22 12:34:58 koala charon-systemd[12088]: processing PA-TNC message with ID 0x9a73d463
Jun 22 12:34:58 koala charon-systemd[12088]: processing PA-TNC attribute type 'IETF/SW Inventory' 0x000000/0x00000014
Jun 22 12:34:58 koala charon-systemd[12088]: received software inventory with 1 item for request 9 at eid 161 of epoch 0x3b8a77a3, 0 items to follow
The inventory record carries the XML-encoded ISO/IEC 19770-2:2015 SWID tag for the strongSwan-5-5-3 software.
Jun 22 12:34:58 koala charon-systemd[12088]: <?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity
  name="strongSwan"
  tagId="strongSwan-5-5-3"
  version="5.5.3" versionScheme="alphanumeric"
  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">
  <Entity
    name="strongSwan Project"
    regid="strongswan.org"
    role="softwareCreator licensor tagCreator"/>
</SoftwareIdentity>
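To read the two dumps above without counting bytes by hand, here is an added Python decoder for the targeted IETF / SW Request the server sent and the IETF / SW Inventory the client answered with. It is example code written for this page, not strongSwan or libimcv code. It assumes the PA-TNC message and attribute header layout of RFC 5792 and the SW Request and SW Inventory layouts of RFC 8412 (SWIMA), which match the bytes in the dumps; its two sample messages are transcribed from the 66-byte and 460-byte dumps above, and the 353-byte SWID tag is reassembled from the dump's ASCII column, so every field the decoder reports can be compared with the log lines.

```python
"""Decoder for the two SWIMA PA-TNC messages dumped above (added example, not
strongSwan code): headers per RFC 5792, SW Request/SW Inventory per RFC 8412."""
import struct

# Targeted SW Request sent by the server (66 bytes, copied from the dump above).
SW_REQUEST_MSG = bytes.fromhex(
    "01000000 6d9f210a 00000000 00000011 0000003a"  # PA-TNC header, attribute header
    "00000001 00000009 00000000 0020"               # flags/count, request ID, EID, ID length
) + b"strongswan.org__strongSwan-5-5-3"

# ISO 19770-2:2015 SWID tag inside the inventory record (353 bytes, from the dump's ASCII column).
SWID_TAG = (b'<?xml version="1.0" encoding="utf-8"?>\n\n<SoftwareIdentity\n  name="strongSwan"\n'
            b'  tagId="strongSwan-5-5-3"\n  version="5.5.3" versionScheme="alphanumeric"\n'
            b'  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">\n  <Entity\n'
            b'    name="strongSwan Project"\n    regid="strongswan.org"\n'
            b'    role="softwareCreator licensor tagCreator"/>\n</SoftwareIdentity>\n')

# SW Inventory returned by the client (460 bytes, copied from the dump above).
SW_INVENTORY_MSG = (
    bytes.fromhex("01000000 9a73d463 00000000 00000014 000001c4"  # PA-TNC header, attribute header
                  "00000001 00000009 11223344 00000001"           # flags/count, request ID, epoch, last EID
                  "00000000 00000001 02000020")                   # record ID, data model, source, ID length
    + b"strongswan.org__strongSwan-5-5-3"
    + bytes.fromhex("0015") + b"/usr/share/strongswan"   # locator length, locator
    + bytes.fromhex("00000161") + SWID_TAG               # record length, record
)


def _take(buf, off, n, what):
    """Bounds-checked slice: a bad length field raises instead of over-reading."""
    if off + n > len(buf):
        raise ValueError(f"truncated {what}")
    return buf[off:off + n], off + n


def parse_pa_tnc(msg):
    """Split a PA-TNC message into (message ID, [(vendor ID, type, body), ...])."""
    hdr, off = _take(msg, 0, 8, "PA-TNC header")
    if hdr[0] != 1:
        raise ValueError(f"unsupported PA-TNC version {hdr[0]}")
    attrs = []
    while off < len(msg):
        ah, off = _take(msg, off, 12, "attribute header")  # flags, vendor ID, type, length
        attr_type, length = struct.unpack("!II", ah[4:12])
        if length < 12:
            raise ValueError("attribute length smaller than its header")
        body, off = _take(msg, off, length - 12, "attribute body")
        attrs.append((int.from_bytes(ah[1:4], "big"), attr_type, body))
    return int.from_bytes(hdr[4:8], "big"), attrs


def parse_sw_request(body):
    """SW Request: flags, 3-byte target count, request ID, earliest EID, targets."""
    hdr, off = _take(body, 0, 12, "SW Request header")
    request_id, earliest_eid = struct.unpack("!II", hdr[4:12])
    targets = []
    for _ in range(int.from_bytes(hdr[1:4], "big")):
        lb, off = _take(body, off, 2, "software identifier length")
        sw_id, off = _take(body, off, int.from_bytes(lb, "big"), "software identifier")
        targets.append(sw_id.decode())
    if off != len(body):
        raise ValueError("trailing bytes after SW Request")
    return {"flags": hdr[0], "request_id": request_id,
            "earliest_eid": earliest_eid, "targets": targets}


def parse_sw_inventory(body):
    """SW Inventory: flags, count, request ID copy, EID epoch, last EID, records."""
    hdr, off = _take(body, 0, 16, "SW Inventory header")
    request_id, epoch, last_eid = struct.unpack("!III", hdr[4:16])
    records = []
    for _ in range(int.from_bytes(hdr[1:4], "big")):
        rh, off = _take(body, off, 12, "record header")
        sw_id, off = _take(body, off, int.from_bytes(rh[10:12], "big"), "software identifier")
        lb, off = _take(body, off, 2, "locator length")
        locator, off = _take(body, off, int.from_bytes(lb, "big"), "software locator")
        rl, off = _take(body, off, 4, "record length")
        record, off = _take(body, off, int.from_bytes(rl, "big"), "record")
        records.append({"record_id": int.from_bytes(rh[:4], "big"), "source_id": rh[8],
                        "data_model": (int.from_bytes(rh[4:7], "big"), rh[7]),  # (PEN, type)
                        "software_id": sw_id.decode(), "locator": locator.decode(), "record": record})
    if off != len(body):
        raise ValueError("trailing bytes after SW Inventory")
    return {"flags": hdr[0], "request_id": request_id, "epoch": epoch,
            "last_eid": last_eid, "records": records}


DECODERS = {(0, 0x11): ("SW Request", parse_sw_request),        # IETF PEN 0, 'IETF/SW Request'
            (0, 0x14): ("SW Inventory", parse_sw_inventory)}    # IETF PEN 0, 'IETF/SW Inventory'


def decode(msg):
    """Return (message ID, [(attribute name, decoded value), ...]) for one message."""
    msg_id, attrs = parse_pa_tnc(msg)
    return msg_id, [(DECODERS[(v, t)][0], DECODERS[(v, t)][1](body))
                    if (v, t) in DECODERS else (f"unhandled {v}/{t}", body)
                    for v, t, body in attrs]


def is_well_formed(msg):
    """True if every length field agrees with the bytes actually present."""
    try:
        return bool(decode(msg))
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode(SW_REQUEST_MSG), decode(SW_INVENTORY_MSG), sep="\n")
```

Running the file prints both decoded messages; the message IDs (0x6d9f210a and 0x9a73d463), request ID 9, the single target identifier and the single inventory record with its locator and SWID tag line up with the log entries above. Every variable-length field goes through `_take`, so a message whose length fields disagree with the bytes actually received raises ValueError rather than reading past the buffer, which is the check an IMV-side parser needs before trusting a client-supplied inventory; `is_well_formed` wraps that for a quick sanity check of a captured message.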
The SWID tag is uploaded to the strongTNC policy manager via the RESTful API, and the complete software identifier inventory is then posted to the policy manager a second time.
Jun 22 12:34:58 koala charon-systemd[12088]: sending request to 'https://admin-user:xxxxxxxxxx!@tnc.strongswan.org/api/swid/add-tags/'...
Jun 22 12:34:58 koala charon-systemd[12088]: sending request to 'https://admin-user:xxxxxxxxxx!@tnc.strongswan.org/api/sessions/2/swid-measurement/'...
Terminating PT-TLS Client Connection¶
The SWIMA IMV delivers its recommendation and the PT-TLS client session is terminated.
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 2 handled SWIDT workitem 9: allow - received inventory of 2049 SWID tag IDs and 1 SWID tag
Jun 22 12:34:58 koala charon-systemd[12088]: creating PA-TNC message with ID 0xf63cbcf4
Jun 22 12:34:58 koala charon-systemd[12088]: creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
Jun 22 12:34:58 koala charon-systemd[12088]: created PA-TNC message: => 24 bytes @ 0x7ff83c000f50
    0: 01 00 00 00 F6 3C BC F4 00 00 00 00 00 00 00 09  .....<..........
   16: 00 00 00 10 00 00 00 00                          ........
Jun 22 12:34:58 koala charon-systemd[12088]: creating PB-PA message type 'IETF/Software' 0x000000/0x00000009
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 2 provides recommendation 'allow' and evaluation 'compliant'
Jun 22 12:34:58 koala charon-systemd[12088]: TNC server is handling outbound connection
Jun 22 12:34:58 koala charon-systemd[12088]: running policy script: 2>&1 ipsec imv_policy_manager stop 2
Jun 22 12:34:58 koala charon-systemd[12088]: policy: recommendation for access requestor 46.126.238.39 is allow
Jun 22 12:34:58 koala charon-systemd[12088]: policy: imv_policy_manager stop successful
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 1 "OS" changed state of Connection ID 1 to 'Allowed'
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 2 "SWIMA" changed state of Connection ID 1 to 'Allowed'
Jun 22 12:34:58 koala charon-systemd[12088]: PB-TNC state transition from 'Server Working' to 'Decided'
Jun 22 12:34:58 koala charon-systemd[12088]: creating PB-TNC RESULT batch
Jun 22 12:34:58 koala charon-systemd[12088]: adding IETF/PB-PA message
Jun 22 12:34:58 koala charon-systemd[12088]: adding IETF/PB-Assessment-Result message
Jun 22 12:34:58 koala charon-systemd[12088]: adding IETF/PB-Access-Recommendation message
Jun 22 12:34:58 koala charon-systemd[12088]: sending PB-TNC RESULT batch (88 bytes) for Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: sending PT-TLS message #5 of type 'PB-TNC Batch' (104 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: received PT-TLS message #5 of type 'PB-TNC Batch' (24 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: received TNCCS batch (8 bytes)
Jun 22 12:34:58 koala charon-systemd[12088]: TNC server is handling inbound connection
Jun 22 12:34:58 koala charon-systemd[12088]: processing PB-TNC CLOSE batch for Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: PB-TNC state transition from 'Decided' to 'End'
Jun 22 12:34:58 koala charon-systemd[12088]: final recommendation is 'allow' and evaluation is 'compliant'
Jun 22 12:34:58 koala charon-systemd[12088]: PT-TLS connection terminates
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 1 "OS" deleted the state of Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: IMV 2 "SWIMA" deleted the state of Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: removed TNCCS Connection ID 1
Jun 22 12:34:58 koala charon-systemd[12088]: sending TLS close notify
Stopping PT-TLS Daemon¶
The strongSwan PT-TLS server daemon can be stopped with the following systemd command.
systemctl stop strongswan-swanctl
Jun 22 14:11:43 koala charon-systemd[12088]: SIGTERM received, shutting down
Jun 22 14:11:43 koala systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jun 22 14:11:43 koala charon-systemd[12088]: IMV 2 "SWIMA" terminated
Jun 22 14:11:43 koala charon-systemd[12088]: IMV 1 "OS" terminated
Jun 22 14:11:43 koala charon-systemd[12088]: removed IETF attributes
Jun 22 14:11:43 koala charon-systemd[12088]: removed ITA-HSR attributes
Jun 22 14:11:43 koala charon-systemd[12088]: removed PWG attributes
Jun 22 14:11:43 koala charon-systemd[12088]: removed TCG attributes
Jun 22 14:11:43 koala charon-systemd[12088]: libimcv terminated
Jun 22 14:11:43 koala systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.