Version 3 - History - PT-TLS SWIMA Server - strongSwan

PT-TLS SWIMA Server » History » Version 3

Andreas Steffen, 07.07.2017 17:21

-Andreas Steffen
+h1. PT-TLS SWIMA Server
 Andreas Steffen
-Andreas Steffen
+h2. Installing the strongSwan TNC Software
 Andreas Steffen
-Andreas Steffen
+First we have to install some additional Ubuntu packages needed for the strongSwan TNC build
-Andreas Steffen
+<pre>
-Andreas Steffen
+ sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Download the lastest strongSwan tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Unpack the tarball
-Andreas Steffen
+<pre>
-Andreas Steffen
+tar xf strongswan-5.6.0dr1.tar.bz2
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+and change into the strongSwan build directory
-Andreas Steffen
+<pre>
-Andreas Steffen
+cd strongswan-5.6.0dr1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Configure strongSwan with the following options
-Andreas Steffen
+<pre>
-Andreas Steffen
+./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Build and install strongSwan with the commands
-Andreas Steffen
+<pre>
-Andreas Steffen
+make; sudo make install
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Setting up a Certificate Authority using the strongSwan "pki" Tool
 Andreas Steffen
-Andreas Steffen
+The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where
-Andreas Steffen
+all keys and certificates are going to be stored
-Andreas Steffen
+<pre>
-Andreas Steffen
+  sudo -s
-Andreas Steffen
+  mkdir /etc/pts
-Andreas Steffen
+  mkdir /etc/pts/pki
-Andreas Steffen
+  cd /etc/pts/pki
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
-Andreas Steffen
+pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The CA certificate can be listed with the following command
-Andreas Steffen
+<pre>
-Andreas Steffen
+pki --print --in caCert.pem
-Andreas Steffen
+  subject:  "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA"
-Andreas Steffen
+  validity:  not before Jul 07 08:19:08 2017, ok
-Andreas Steffen
+             not after  Jul 07 08:19:08 2027, ok (expires in 3651 days)
-Andreas Steffen
+  serial:    3a:98:52:2e:75:a5:a5:8b
-Andreas Steffen
+  flags:     CA CRLSign self-signed
-Andreas Steffen
+  subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63
-Andreas Steffen
+  subjkey:   81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

PT-TLS SWIMA Server » History » Version 3