strongSwan as TNC Client » History » Version 19
Version 18 (Andreas Steffen, 04.08.2011 07:30) → Version 19/22 (Andreas Steffen, 29.03.2014 13:32)
h1. strongSwan as TNC Client
h3. Required Ubuntu Packages
If you are installing a strongSwan TNC client on an Ubuntu Linux OS then the following packages must be installed. The build below enables the openssl plugin, which additionally needs the OpenSSL headers from libssl-dev:
<pre>
sudo apt-get install build-essential libcurl4-openssl-dev libssl-dev
</pre>
If a security chip, i.e. a Trusted Platform Module (TPM) is present on the client hardware and you want to do remote attestation then three additional packages are required for TPM support:
<pre>
sudo apt-get install trousers tpm-tools libtspi-dev
</pre>
h3. Build strongSwan VPN client with TNC support
Download the latest strongSwan tarball from http://download.strongswan.org/strongswan.tar.bz2, verify the detached PGP signature published alongside it, unpack the tarball and change into the top-level strongswan source directory:
<pre>
wget http://download.strongswan.org/strongswan.tar.bz2
tar xjf strongswan.tar.bz2
cd strongswan-x.y.z
</pre>
Next configure the following compilation options:
<pre>
./configure --prefix=/usr --sysconfdir=/etc \
  --disable-gmp --disable-aes --disable-md5 \
  --disable-sha1 --disable-sha2 --disable-fips-prf \
  --enable-curl --enable-openssl --enable-eap-tls --enable-eap-ttls --enable-eap-identity \
  --enable-eap-dynamic --enable-eap-md5 --enable-eap-mschapv2 --enable-tls \
  --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
  --enable-imc-os --enable-imc-attestation \
  --enable-imc-test --enable-imc-scanner --enable-imc-swid
</pre>
The default gmp, aes, md5, sha1 and sha2 plugins are disabled because the openssl plugin supplies these primitives; fips-prf is only needed by EAP-SIM/AKA and is disabled as unused. --enable-tls builds the TLS library required by EAP-TLS and EAP-TTLS, and --enable-curl provides the HTTP fetcher used for CRL and OCSP retrieval.
If a TPM is available and you intend to use it for attestation, add
<pre>
--with-tss=trousers
</pre>
Build and install the strongSwan client with
<pre>
make
sudo make install
</pre>
h3. Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client. Each line names an IMC and the shared object the tnc-imc plugin loads; the paths must match the --prefix used when building (with --prefix=/usr the libraries are installed below /usr/lib/ipsec/imcvs rather than /usr/local/lib/ipsec/imcvs, so adjust the paths accordingly).
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
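Before starting charon it is worth checking that every path in /etc/tnc_config points at an installed IMC and lies under the directory chosen with --prefix, because a mismatch only surfaces when the tnc-imc plugin fails to load the library during the first EAP-TNC exchange. The following POSIX shell script is an added example, not code from the strongSwan wiki page or the strongSwan project; it assumes IMC paths contain no whitespace and the default PREFIX/lib/ipsec/imcvs install layout, and it builds its sample tnc_config in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki page or the strongSwan sources):
# pre-flight checks for /etc/tnc_config. charon's tnc-imc plugin only reports a
# missing IMC library when it tries to load it, so catching a typo or an IMC
# directory that does not match the ./configure --prefix before the first
# EAP-TNC exchange saves a debugging round trip through the daemon log.
# Assumptions not stated on the page: IMC paths contain no whitespace and the
# install layout is the default PREFIX/lib/ipsec/imcvs.
set -f   # no pathname expansion while word-splitting config lines

# Print one "name|path" line per IMC entry in FILE, skipping comments and
# blank lines. Entry format as on the page:  IMC "Name" /absolute/path/imc.so
tnc_config_entries() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in \#*|'') continue ;; esac
        set -- $line
        [ "$1" = "IMC" ] && [ $# -ge 3 ] || continue
        name=${line#*\"}; name=${name%%\"*}   # text between the double quotes
        for path in "$@"; do :; done          # last field is the library path
        printf '%s|%s\n' "$name" "$path"
    done < "$file"
}

# Number of IMCs charon would try to load from FILE.
tnc_config_count() {
    tnc_config_entries "$1" | wc -l | tr -d ' '
}

# Exit 0 if every IMC shared object named in FILE exists as a regular file,
# 1 otherwise. Prints "OK name path" or "MISSING name path" per entry.
check_tnc_config() {
    rc=0
    while IFS='|' read -r name path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then
            printf 'OK %s %s\n' "$name" "$path"
        else
            printf 'MISSING %s %s\n' "$name" "$path"
            rc=1
        fi
    done <<EOF
$(tnc_config_entries "$1")
EOF
    return $rc
}

# Exit 0 if every IMC path in FILE lies below PREFIX/lib/ipsec/imcvs, the
# directory "make install" populates for that --prefix; 1 otherwise.
tnc_config_matches_prefix() {
    dir="$2/lib/ipsec/imcvs"
    rc=0
    while IFS='|' read -r name path; do
        [ -n "$path" ] || continue
        case $path in
            "$dir"/*) ;;
            *) printf 'WRONG-PREFIX %s: %s is not below %s\n' "$name" "$path" "$dir"; rc=1 ;;
        esac
    done <<EOF
$(tnc_config_entries "$1")
EOF
    return $rc
}

# Constructed demo: one installed IMC, one missing, and the /usr/local path
# from the page checked against a --prefix=/usr layout rooted in a temp dir.
demo_tnc_config() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib/ipsec/imcvs"
    : > "$tmp/usr/lib/ipsec/imcvs/imc-test.so"   # stand-in for the real library
    cat > "$tmp/tnc_config" <<EOF
# IMCs loaded by charon's tnc-imc plugin
IMC "Test"    $tmp/usr/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" $tmp/usr/lib/ipsec/imcvs/imc-scanner.so
IMC "OS"      /usr/local/lib/ipsec/imcvs/imc-os.so
EOF
    echo "IMC entries: $(tnc_config_count "$tmp/tnc_config")"
    check_tnc_config "$tmp/tnc_config"; echo "presence check exit status: $?"
    tnc_config_matches_prefix "$tmp/tnc_config" "$tmp/usr"; echo "prefix check exit status: $?"
    rm -rf "$tmp"
}
demo_tnc_config
```

Run it against the real file with `check_tnc_config /etc/tnc_config && tnc_config_matches_prefix /etc/tnc_config /usr` after `make install`; a non-zero exit status means charon will fail to load at least one IMC.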
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
  plugins {
    eap-ttls {
      max_message_count = 0
    }
    eap-tnc {
      protocol = tnccs-2.0
      max_message_count = 30
    }
  }
}
libimcv {
  plugins {
    tnc-imc {
      preferred_language = en, de
    }
    imc-test {
      command = allow
    }
  }
}
</pre>
max_message_count bounds the number of EAP packets a method processes before the authentication is aborted (0 removes the limit): the outer EAP-TTLS tunnel is left unlimited, while the inner EAP-TNC exchange that carries the IMC measurements is capped at 30 messages. The imc-test setting makes the Test IMC request an allow recommendation, as in the other configurations on this page.
/etc/ipsec.secrets - strongSwan IPsec secrets file holding the EAP-MD5 password. EAP-MD5 authenticates only the client and its challenge/response is open to offline password guessing by anyone who observes it, so with the eap-ttls plugin enabled above it belongs inside the EAP-TTLS tunnel, where the server has already authenticated itself with its certificate.
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20/carol.daemon.log
h3. Configuration as a TNCCS 2.0 Client with EAP-TLS certificate-based client authentication
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
  --enable-eap-tls --enable-eap-ttls --enable-eap-identity \
  --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
  --enable-imc-test --enable-imc-scanner
</pre>
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
  plugins {
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imc {
      preferred_language = ru, fr, en
    }
  }
}
libimcv {
  plugins {
    imc-test {
      command = allow
    }
  }
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
     leftcert=carolCert.pem
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsendcert=never
     rightsubnet=10.1.0.0/16
     auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20-tls/carol.daemon.log
h3. Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves
<pre>
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
  --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5 \
  --enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc \
  --enable-imc-test --enable-imc-scanner
</pre>
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
  plugins {
    eap-tnc {
      protocol = tnccs-1.1
    }
  }
}
libimcv {
  plugins {
    imc-test {
      command = allow
    }
  }
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file. rightauth=pubkey makes the client verify the VPN gateway's certificate against rightid, and aaa_identity names the identity the client expects in the certificate presented by the AAA server inside the EAP-TTLS tunnel, so the gateway and the AAA server are authenticated independently and the tunnel cannot be terminated by a server other than the configured one.
<pre>
conn home
     leftid=carol@strongswan.org
     leftauth=eap
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     rightauth=pubkey
     aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
     auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/carol.daemon.log