strongSwan as TNC Client » History » Version 21
Version 20 (Andreas Steffen, 29.03.2014 13:33) → Version 21/22 (Andreas Steffen, 29.03.2014 13:38)
h1. strongSwan as TNC Client
h3. Required Ubuntu Packages
If you are installing a strongSwan TNC client on an Ubuntu Linux OS then the following packages must be installed:
<pre>
sudo apt-get install build-essential libcurl4-openssl-dev
</pre>
If a security chip, i.e. a Trusted Platform Module (TPM) is present on the client hardware and you want to do remote attestation then three additional packages are required for TPM support:
<pre>
sudo apt-get trousers tpm-tools libtspi-dev
</pre>
h3. Build strongSwan VPN client with TNC support
Download the latest strongSwan tarball from http://download.strongswan.org/strongswan.tar.bz2, unpack the tarball and change into the top-level strongswan source directory:
<pre>
wget http://download.strongswan.org/strongswan.tar.bz2
tar xjf strongswan.tar.bz2
cd strongswan-x.y.z
</pre>
Next configure the following compilation options:
<pre>
./configure --prefix=/usr --sysconfdir=/etc \
--disable-gmp --disable-aes --disable-md5 \
--disable-sha1 --disable-sha2 --disable-fips-prf \
--enable-curl --enable-openssl --enable-eap-identity \
--enable-eap-dynamic --enable-eap-md5 --enable-eap-mschapv2 --enable-tls \
--enable-eap-ttls --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
--enable-imc-os --enable-imc-attestation --enable-imc-scanner --enable-imc-swid
</pre>
If a TPM is available and you intend to use it for attestation, add
<pre>
--with-tss=trousers
</pre>
Build and install the strongSwan client with
<pre>
make
sudo make install
</pre>
h3. Configuration of TNC Integrity Measurement Collectors as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/lib/ipsec/imcvs/imc-scanner.so /usr/local/lib/ipsec/imcvs/imc-scanner.so
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
IMC "SWID" /usr/lib/ipsec./imcvs/imc-swid.so
</pre>
h3. Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-ttls {
max_message_count = 0
}
eap-tnc {
protocol = tnccs-2.0
max_message_count = 30
}
tnc-imc {
preferred_language = en, de
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20/carol.daemon.log
h3. Configuration as a TNCCS 2.0 Client with EAP-TLS certicate-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru, fr, en
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20-tls/carol.daemon.log
h3. Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
--enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc
--enable-imc-test --enable-imc-scanner
</pre>
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/carol.daemon.log
h3. Required Ubuntu Packages
If you are installing a strongSwan TNC client on an Ubuntu Linux OS then the following packages must be installed:
<pre>
sudo apt-get install build-essential libcurl4-openssl-dev
</pre>
If a security chip, i.e. a Trusted Platform Module (TPM) is present on the client hardware and you want to do remote attestation then three additional packages are required for TPM support:
<pre>
sudo apt-get trousers tpm-tools libtspi-dev
</pre>
h3. Build strongSwan VPN client with TNC support
Download the latest strongSwan tarball from http://download.strongswan.org/strongswan.tar.bz2, unpack the tarball and change into the top-level strongswan source directory:
<pre>
wget http://download.strongswan.org/strongswan.tar.bz2
tar xjf strongswan.tar.bz2
cd strongswan-x.y.z
</pre>
Next configure the following compilation options:
<pre>
./configure --prefix=/usr --sysconfdir=/etc \
--disable-gmp --disable-aes --disable-md5 \
--disable-sha1 --disable-sha2 --disable-fips-prf \
--enable-curl --enable-openssl --enable-eap-identity \
--enable-eap-dynamic --enable-eap-md5 --enable-eap-mschapv2 --enable-tls \
--enable-eap-ttls --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imc \
--enable-imc-os --enable-imc-attestation --enable-imc-scanner --enable-imc-swid
</pre>
If a TPM is available and you intend to use it for attestation, add
<pre>
--with-tss=trousers
</pre>
Build and install the strongSwan client with
<pre>
make
sudo make install
</pre>
h3. Configuration of TNC Integrity Measurement Collectors as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/lib/ipsec/imcvs/imc-scanner.so /usr/local/lib/ipsec/imcvs/imc-scanner.so
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
IMC "SWID" /usr/lib/ipsec./imcvs/imc-swid.so
</pre>
h3. Configuration as a TNCCS 2.0 Client with EAP-MD5 password-based client authentication
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-ttls {
max_message_count = 0
}
eap-tnc {
protocol = tnccs-2.0
max_message_count = 30
}
tnc-imc {
preferred_language = en, de
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20/carol.daemon.log
h3. Configuration as a TNCCS 2.0 Client with EAP-TLS certicate-based client authentication
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru, fr, en
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-20-tls/carol.daemon.log
h3. Configuration as a TNCCS 1.1 Client where both VPN Gateway and AAA Server authenticate themselves
<pre>
./configure --prefix=/usr --sysconfdir =/etc --disable-pluto --enable-curl
--enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
--enable-eap-tnc --enable-tnccs-11 --enable-tnc-imc
--enable-imc-test --enable-imc-scanner
</pre>
/etc/tnc_config - TNC configuration file for strongSwan client
<pre>
IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
</pre>
/etc/strongswan.conf - strongSwan configuration file
<pre>
charon {
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {
plugins {
imc-test {
command = allow
}
}
}
</pre>
/etc/ipsec.secrets - strongSwan IPsec secrets file
<pre>
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
/etc/ipsec.conf - strongSwan IPsec configuration file
<pre>
conn home
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add
</pre>
"Client logfile":http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/carol.daemon.log