strongSwan as TNC Client » History » Version 19
Andreas Steffen, 29.03.2014 13:32
Started updatin
strongSwan as TNC Client
Required Ubuntu Packages
If you are installing a strongSwan TNC client on an Ubuntu Linux OS then the following packages must be installed:
sudo apt-get install build-essential libcurl4-openssl-dev
If a security chip, i.e. a Trusted Platform Module (TPM), is present on the client hardware and you want to do remote attestation, then three additional packages are required for TPM support:
sudo apt-get install trousers tpm-tools libtspi-dev
Build strongSwan VPN client with TNC support
Download the latest strongSwan tarball from http://download.strongswan.org/strongswan.tar.bz2, unpack the tarball and change into the top-level strongswan source directory:
wget http://download.strongswan.org/strongswan.tar.bz2
tar xjf strongswan.tar.bz2
cd strongswan-x.y.z
Next configure the following compilation options:
./configure --prefix=/usr --sysconfdir=/etc \
    --disable-gmp --disable-aes --disable-md5 \
    --disable-sha1 --disable-sha2 --disable-fips-prf \
    --enable-curl --enable-openssl --enable-eap-identity \
    --enable-eap-dynamic --enable-eap-md5 --enable-eap-mschapv2 --enable-tls \
    --enable-eap-ttls --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
    --enable-imc-os --enable-imc-attestation --enable-imc-scanner --enable-imc-swid
If a TPM is available and you intend to use it for attestation, add the following configure option:
    --with-tss=trousers
Build and install the strongSwan client with:
make
sudo make install
Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
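The same tnc_config format (one IMC "name" path entry per line) is used in every client configuration on this page. As an added helper that is not part of strongSwan, the following script parses such a file and reports entries whose plugin file is missing, duplicated or malformed, so a mistyped path is caught before charon fails to load the IMC; the sample text is constructed from the entries above.

```python
# Hypothetical helper (not part of strongSwan): parse a tnc_config file and
# verify that every listed IMC plugin really exists on disk, so a typo in a
# path is caught before charon fails to load the IMC at runtime.
import os
import shlex
from typing import Callable, List, Tuple


def parse_tnc_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, path) per entry line: IMC "<name>" <path-to.so>."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        fields = shlex.split(line)  # handles the quoted IMC/IMV name
        if len(fields) != 3 or fields[0] not in ("IMC", "IMV"):
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def find_problems(entries, exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Report duplicate names, non-.so paths and plugin files that are missing."""
    problems, seen = [], set()
    for kind, name, path in entries:
        if (kind, name) in seen:
            problems.append(f"{kind} {name!r} is listed twice")
        seen.add((kind, name))
        if not path.endswith(".so"):
            problems.append(f"{kind} {name!r}: {path} is not a shared object")
        if not exists(path):
            problems.append(f"{kind} {name!r}: plugin file {path} not found")
    return problems


# Constructed sample mirroring the client tnc_config shown on this page.
SAMPLE = '''# TNC configuration file for strongSwan client
IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
'''

if __name__ == "__main__":
    for problem in find_problems(parse_tnc_config(SAMPLE)):
        print(problem)
```

Run it against the real file with `find_problems(parse_tnc_config(open("/etc/tnc_config").read()))` after `make install`; an empty list means every configured IMC is in place.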
/etc/strongswan.conf - strongSwan configuration file
charon {
    plugins {
        eap-ttls {
            max_message_count = 0
        }
        eap-tnc {
            protocol = tnccs-2.0
            max_message_count = 30
        }
        tnc-imc {
            preferred_language = en, de
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"
/etc/ipsec.conf - strongSwan IPsec configuration file
conn home
    leftid=carol@strongswan.org
    leftauth=eap
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsendcert=never
    rightsubnet=10.1.0.0/16
    auto=add
Configuration as a TNCCS 2.0 Client with EAP-TLS certificate-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
/etc/strongswan.conf - strongSwan configuration file
charon {
    plugins {
        eap-tnc {
            protocol = tnccs-2.0
        }
        tnc-imc {
            preferred_language = ru, fr, en
        }
    }
}

libimcv {
    plugins {
        imc-test {
            command = allow
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
/etc/ipsec.conf - strongSwan IPsec configuration file
conn home
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    leftauth=eap
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsendcert=never
    rightsubnet=10.1.0.0/16
    auto=add
Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto \
    --enable-curl --enable-eap-tls --enable-eap-ttls --enable-eap-identity \
    --enable-eap-md5 --enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc \
    --enable-imc-test --enable-imc-scanner
/etc/tnc_config - TNC configuration file for strongSwan client
IMC "Test"    /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
/etc/strongswan.conf - strongSwan configuration file
charon {
    plugins {
        eap-tnc {
            protocol = tnccs-1.1
        }
    }
}

libimcv {
    plugins {
        imc-test {
            command = allow
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"
/etc/ipsec.conf - strongSwan IPsec configuration file
conn home
    leftid=carol@strongswan.org
    leftauth=eap
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    rightauth=pubkey
    aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
    auto=add