
strongSwan as TNC Client

Required Ubuntu Packages

If you are installing a strongSwan TNC client on an Ubuntu Linux OS then the following packages must be installed:

sudo apt-get install build-essential libcurl4-openssl-dev

If a security chip, i.e. a Trusted Platform Module (TPM), is present on the client hardware and you want to do remote attestation, then three additional packages are required for TPM support:

sudo apt-get install trousers tpm-tools libtspi-dev

Build strongSwan VPN client with TNC support

Download the latest strongSwan tarball from http://download.strongswan.org/strongswan.tar.bz2, unpack the tarball and change into the top-level strongswan source directory:

wget http://download.strongswan.org/strongswan.tar.bz2
tar xjf strongswan.tar.bz2
cd strongswan-x.y.z

Next configure the following compilation options:

./configure --prefix=/usr --sysconfdir=/etc \
            --disable-gmp --disable-aes --disable-md5 \
            --disable-sha1 --disable-sha2 --disable-fips-prf \
            --enable-curl --enable-openssl --enable-eap-identity \
            --enable-eap-dynamic --enable-eap-md5 --enable-eap-mschapv2 --enable-tls \
            --enable-eap-ttls --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
            --enable-imc-os --enable-imc-attestation --enable-imc-scanner --enable-imc-swid

If a TPM is available and you intend to use it for attestation, add

            --with-tss=trousers

Build and install the strongSwan client with

make
sudo make install

Configuration of TNC Integrity Measurement Collectors

/etc/tnc_config - TNC configuration file for strongSwan client

IMC "OS"          /usr/lib/ipsec/imcvs/imc-os.so
IMC "Scanner"     /usr/lib/ipsec/imcvs/imc-scanner.so
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
IMC "SWID"        /usr/lib/ipsec/imcvs/imc-swid.so
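A mistyped library path or a duplicated IMC name in this file is easy to overlook, so it pays to check the file before starting charon. The following parser and validator for the tnc_config line format (`IMC "<name>" <path>`, with `#` comments) is an added example, not part of strongSwan; the sample content is constructed from the four lines above.

```python
import os
import re
from typing import Callable, List, Tuple

# One entry per line: kind, quoted IMC/IMV name, path to the shared object.
# '#' starts a comment; blank lines are ignored.
LINE_RE = re.compile(r'^\s*(IMC|IMV)\s+"([^"]+)"\s+(\S+)\s*$')

def parse_tnc_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, path) per entry; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries

def validate(entries: List[Tuple[str, str, str]],
             exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Report duplicate names, relative paths and libraries that are not on disk."""
    problems, seen = [], set()
    for kind, name, path in entries:
        if (kind, name) in seen:
            problems.append(f'duplicate {kind} name "{name}"')
        seen.add((kind, name))
        if not os.path.isabs(path):
            problems.append(f'{kind} "{name}": path is not absolute: {path}')
        elif not exists(path):
            problems.append(f'{kind} "{name}": library not found: {path}')
    return problems

# Constructed sample mirroring the four IMC lines shown above.
SAMPLE = """\
# IMCs loaded by the strongSwan TNC client
IMC "OS"          /usr/lib/ipsec/imcvs/imc-os.so
IMC "Scanner"     /usr/lib/ipsec/imcvs/imc-scanner.so
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
IMC "SWID"        /usr/lib/ipsec/imcvs/imc-swid.so
"""

if __name__ == "__main__":
    # Check the sample against the local filesystem (real /usr/lib/ipsec/imcvs).
    for problem in validate(parse_tnc_config(SAMPLE)):
        print("tnc_config:", problem)
```

To check the live file, replace `SAMPLE` with the contents of `/etc/tnc_config`; the `exists` parameter is only there so the check can be exercised without the libraries installed.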

Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-ttls {
      max_message_count = 0
    }
    eap-tnc {
      protocol = tnccs-2.0
      max_message_count = 30
    }
    tnc-imc {
      preferred_language = en, de
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp"

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add

Client logfile

Configuration as a TNCCS 2.0 Client with EAP-TLS certificate-based client authentication

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imc {
      preferred_language = ru, fr, en
    }
  }
}

libimcv {
  plugins {
    imc-test {
      command = allow
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftcert=carolCert.pem
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add

Client logfile

Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves

./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5 \
            --enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc \
            --enable-imc-test --enable-imc-scanner

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-tnc {
      protocol = tnccs-1.1
    }
  }
}

libimcv {
  plugins {
    imc-test {
      command = allow
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp"

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     rightauth=pubkey
     aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
     auto=add

Client logfile