strongSwan as TNC Client » History » Version 17

Andreas Steffen, 04.08.2011 07:13
Added tnc_config files and strongSwan IMCs


strongSwan as TNC Client

Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication

./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5 \
            --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
            --enable-imc-test --enable-imc-scanner

/etc/tnc_config - TNC configuration file for strongSwan client

IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imc {
      preferred_language = de, en
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp" 

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add

Client logfile

Configuration as a TNCCS 2.0 Client with EAP-TLS certificate-based client authentication

./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity \
            --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
            --enable-imc-test --enable-imc-scanner

/etc/tnc_config - TNC configuration file for strongSwan client

IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imc {
      preferred_language = ru, fr, en
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" 

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftcert=carolCert.pem
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add

Client logfile

Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves

./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5 \
            --enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc \
            --enable-imc-test --enable-imc-scanner

/etc/tnc_config - TNC configuration file for strongSwan client

IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so

/etc/strongswan.conf - strongSwan configuration file

charon {
  plugins {
    eap-tnc {
      protocol = tnccs-1.1
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

carol@strongswan.org : EAP "Ar3etTnp" 

/etc/ipsec.conf - strongSwan IPsec configuration file

conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     rightauth=pubkey
     aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" 
     auto=add

Client logfile
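
All three configurations above load the same two IMCs through /etc/tnc_config, and each listed shared object is loaded into the charon daemon by the tnc-imc plugin. The shell function below is an added example, not part of the original wiki page or the strongSwan sources: it checks that every IMC path in a tnc_config file exists and is not group- or world-writable. The function name and status words are assumptions made for illustration, and the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not strongSwan code): audit the IMC entries of a tnc_config file.
# Prints "STATUS name path" per entry; returns 0 only if every entry is OK.
check_tnc_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    # "|| [ -n ... ]" also processes a last line that lacks a trailing newline
    while read -r kind rest || [ -n "$kind" ]; do
        [ "$kind" = "IMC" ] || continue   # skip blanks, comments, other keywords
        # Entry format as shown on the page: IMC "Name" /path/to/module.so
        name=$(printf '%s\n' "$rest" | sed -n 's/^"\([^"]*\)".*/\1/p')
        path=$(printf '%s\n' "$rest" | sed -n 's/^"[^"]*"[[:space:]]*//p')
        if [ -z "$name" ] || [ -z "$path" ]; then
            status=MALFORMED
        elif [ ! -f "$path" ]; then
            status=MISSING                # e.g. installed under another prefix
        elif [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
            status=WRITABLE               # group- or world-writable module
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$name" "$path"
    done < "$cfg"
    return "$rc"
}

# Constructed sample input: the tnc_config listing from this page, in a temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
EOF
check_tnc_config "$demo" || echo "fix the entries above before starting charon"
rm -f "$demo"
```

On a client, run `check_tnc_config /etc/tnc_config` after installation; a MISSING result is what appears when the modules were installed under a different prefix than the one written in tnc_config.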