strongSwan as TNC Server
Configuration as a TNCCS 2.0 Server with EAP-MD5 password-based client authentication (EAP-MD5 runs as the inner method of an EAP-TTLS tunnel)
# Build strongSwan as a TNCCS 2.0 server that authenticates clients with
# EAP-MD5 carried inside an EAP-TTLS tunnel (see the eap-ttls section of
# strongswan.conf). The pluto daemon is not built (--disable-pluto).
# With --prefix=/usr the IMV shared objects are expected under
# /usr/lib/ipsec/imcvs (adjust if --libdir differs on your distribution);
# /etc/tnc_config must point at the same location.
./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --disable-pluto \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-identity \
  --enable-eap-md5 \
  --enable-eap-tnc \
  --enable-tnccs-20 \
  --enable-tnc-imv \
  --enable-imv-test \
  --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
# /etc/tnc_config - IMVs loaded by the strongSwan TNC server.
# Format: IMV "<name>" <path to shared object>.
# The paths follow the configure prefix (--prefix=/usr -> /usr/lib/ipsec/imcvs).
# These objects are loaded into the daemon, so keep the directory and files
# root-owned and not world-writable.
IMV "Test"    /usr/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so
/etc/strongswan.conf - strongSwan configuration file
# /etc/strongswan.conf - charon and libimcv settings for the TNCCS 2.0 server
# with EAP-MD5 inside EAP-TTLS.
charon {
    plugins {
        eap-ttls {
            # Inner (phase 2) method: EAP-MD5 password check. EAP-MD5 gives
            # no protection on its own; it relies entirely on the TTLS tunnel,
            # so clients must verify the server certificate (moonCert.pem).
            phase2_method = md5
            # Run the TNC assessment inside the same tunnel after the inner
            # method (see strongswan.conf(5) for the exact semantics of
            # phase2_piggyback / phase2_tnc).
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            # Only IF-TNCCS 2.0 is spoken in this setup.
            protocol = tnccs-2.0
        }
        tnc-imv {
            # Policy for combining the IMV recommendations into the final
            # access decision; see strongswan.conf(5) for the policy values.
            recommendation_policy = default
        }
    }
}

libimcv {
    plugins {
        imv-test {
            rounds = 1
        }
        imv-scanner {
            # closed_port_policy = yes: the ports listed below are the ones the
            # client may have open (UDP 500/4500 for IKE/NAT-T, TCP 22);
            # confirm the exact semantics in strongswan.conf(5).
            closed_port_policy = yes
            udp_ports = 500 4500
            tcp_ports = 22
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/ipsec.secrets - server private key and EAP user credentials.
# EAP passwords are stored in clear text: keep this file root-owned with
# mode 0600, and replace the example values before deployment.
: RSA moonKey.pem

# <EAP identity> : EAP "<password>", one line per client
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"
/etc/ipsec.conf - strongSwan IPsec configuration file
# /etc/ipsec.conf - road-warrior connections selected by the TNC result.
# rightgroups matches the group membership derived from the TNC
# recommendation (allow / isolate); a client that ends up in neither group
# matches no connection and gets no access.

# Compliant clients: production subnet
conn rw-allow
    rightgroups=allow
    leftsubnet=10.1.0.0/28
    also=rw-eap
    auto=add

# Non-compliant clients: remediation subnet only
conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw-eap
    auto=add

# Shared template pulled in via also=; it carries no auto= of its own, so it
# is not loaded as a connection by itself.
conn rw-eap
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftauth=eap-ttls
    rightauth=eap-ttls
    # Only identities in this domain are accepted.
    rightid=*@strongswan.org
    # Clients are authenticated via EAP-TTLS, not by an IKE certificate
    # (see ipsec.conf(5) for how sendcert affects certificate requests).
    rightsendcert=never
    right=%any
Configuration as a TNCCS 2.0 Server with certificate-based client authentication (a client certificate is requested during the EAP-TTLS handshake)
# Build strongSwan as a TNCCS 2.0 server that authenticates clients with a
# certificate requested during the EAP-TTLS handshake (no inner EAP method,
# hence no --enable-eap-md5). --enable-curl adds the curl-based fetcher
# (presumably for CRL/OCSP retrieval when validating client certificates).
# With --prefix=/usr the IMV shared objects are expected under
# /usr/lib/ipsec/imcvs (adjust if --libdir differs on your distribution);
# /etc/tnc_config must point at the same location.
./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --disable-pluto \
  --enable-curl \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-identity \
  --enable-eap-tnc \
  --enable-tnccs-20 \
  --enable-tnc-imv \
  --enable-imv-test \
  --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
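# /etc/tnc_config - IMVs loaded by the strongSwan TNC server.
# Format: IMV "<name>" <path to shared object>.
# The build above uses --prefix=/usr, so the IMVs are installed under
# /usr/lib/ipsec/imcvs (not /usr/local/lib); adjust only if --libdir was
# overridden (e.g. lib64 on some distributions). A wrong path here means the
# IMV is silently missing from the assessment.
# These objects are loaded into the daemon, so keep the directory and files
# root-owned and not world-writable.
IMV "Test"    /usr/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so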
/etc/strongswan.conf - strongSwan configuration file
# /etc/strongswan.conf - charon and libimcv settings for the TNCCS 2.0 server
# with certificate-based client authentication.
charon {
    plugins {
        eap-ttls {
            # Request a client certificate during the TLS handshake. No
            # phase2_method is set, so the certificate is the only client
            # authentication; make sure the issuing CA is trusted by charon.
            request_peer_auth = yes
            # Run the TNC assessment inside the same tunnel (see
            # strongswan.conf(5) for phase2_piggyback / phase2_tnc).
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            # Only IF-TNCCS 2.0 is spoken in this setup.
            protocol = tnccs-2.0
        }
        tnc-imv {
            # Policy for combining the IMV recommendations into the final
            # access decision; see strongswan.conf(5) for the policy values.
            recommendation_policy = default
        }
    }
}

libimcv {
    plugins {
        imv-scanner {
            # closed_port_policy = no: only the listed ports (TCP 80/443) are
            # required to be closed; udp_ports is left empty so no UDP port is
            # checked. Confirm the exact semantics in strongswan.conf(5).
            closed_port_policy = no
            tcp_ports = 80 443
            udp_ports =
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/ipsec.secrets - only the server's private key. Clients authenticate
# with certificates inside EAP-TTLS, so no EAP passwords are stored here.
# Keep this file root-owned with mode 0600.
: RSA moonKey.pem
/etc/ipsec.conf - strongSwan IPsec configuration file
# /etc/ipsec.conf - road-warrior connections selected by the TNC result.
# rightgroups matches the group membership derived from the TNC
# recommendation (allow / isolate); a client that ends up in neither group
# matches no connection and gets no access.

# Compliant clients: production subnet
conn rw-allow
    rightgroups=allow
    leftsubnet=10.1.0.0/28
    also=rw-eap
    auto=add

# Non-compliant clients: remediation subnet only
conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw-eap
    auto=add

# Shared template pulled in via also=; it carries no auto= of its own, so it
# is not loaded as a connection by itself.
conn rw-eap
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftauth=eap-ttls
    rightauth=eap-ttls
    # Only identities in this domain are accepted.
    rightid=*@strongswan.org
    # Clients are authenticated via EAP-TTLS (client certificate inside the
    # TLS handshake), not by an IKE certificate (see ipsec.conf(5) for how
    # sendcert affects certificate requests).
    rightsendcert=never
    right=%any
Configuration as a TNCCS 1.1/2.0 Server with dynamic IF-TNCCS protocol discovery (the server accepts whichever of the two protocol versions the client starts with)
# Build strongSwan as a TNC server that speaks both IF-TNCCS 1.1 and 2.0 and
# picks the version at run time (--enable-tnccs-dynamic), with EAP-MD5 inside
# EAP-TTLS for client authentication. Enabling the older 1.1 protocol keeps it
# reachable to every client; build it in only if legacy clients are required.
# With --prefix=/usr the IMV shared objects are expected under
# /usr/lib/ipsec/imcvs (adjust if --libdir differs on your distribution);
# /etc/tnc_config must point at the same location.
./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --disable-pluto \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-identity \
  --enable-eap-md5 \
  --enable-eap-tnc \
  --enable-tnccs-11 \
  --enable-tnccs-20 \
  --enable-tnccs-dynamic \
  --enable-tnc-imv \
  --enable-imv-test \
  --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
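# /etc/tnc_config - IMVs loaded by the strongSwan TNC server.
# Format: IMV "<name>" <path to shared object>.
# The build above uses --prefix=/usr, so the IMVs are installed under
# /usr/lib/ipsec/imcvs (not /usr/local/lib); adjust only if --libdir was
# overridden (e.g. lib64 on some distributions). A wrong path here means the
# IMV is silently missing from the assessment.
# These objects are loaded into the daemon, so keep the directory and files
# root-owned and not world-writable.
IMV "Test"    /usr/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so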
/etc/strongswan.conf - strongSwan configuration file
# /etc/strongswan.conf - charon and libimcv settings for the TNCCS 1.1/2.0
# server with dynamic protocol selection and EAP-MD5 inside EAP-TTLS.
charon {
    plugins {
        eap-ttls {
            # Inner (phase 2) method: EAP-MD5 password check. EAP-MD5 gives
            # no protection on its own; it relies entirely on the TTLS tunnel,
            # so clients must verify the server certificate (moonCert.pem).
            phase2_method = md5
            # Run the TNC assessment inside the same tunnel after the inner
            # method (see strongswan.conf(5) for phase2_piggyback / phase2_tnc).
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            # tnccs-dynamic: accept whichever IF-TNCCS version (1.1 or 2.0)
            # the client starts with. This leaves the older 1.1 protocol
            # reachable to any client; use tnccs-2.0 when no legacy clients
            # are needed.
            protocol = tnccs-dynamic
        }
        tnc-imv {
            # Policy for combining the IMV recommendations into the final
            # access decision; see strongswan.conf(5) for the policy values.
            recommendation_policy = default
        }
    }
}

libimcv {
    plugins {
        imv-scanner {
            # closed_port_policy = yes: the ports listed below are the ones the
            # client may have open (TCP 22, UDP 500/4500 for IKE/NAT-T);
            # confirm the exact semantics in strongswan.conf(5).
            closed_port_policy = yes
            tcp_ports = 22
            udp_ports = 500 4500
        }
    }
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/ipsec.secrets - server private key and EAP user credentials.
# EAP passwords are stored in clear text: keep this file root-owned with
# mode 0600, and replace the example values before deployment.
: RSA moonKey.pem

# <EAP identity> : EAP "<password>", one line per client
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"
/etc/ipsec.conf - strongSwan IPsec configuration file
# /etc/ipsec.conf - road-warrior connections selected by the TNC result.
# rightgroups matches the group membership derived from the TNC
# recommendation (allow / isolate); a client that ends up in neither group
# matches no connection and gets no access.

# Compliant clients: production subnet
conn rw-allow
    rightgroups=allow
    leftsubnet=10.1.0.0/28
    also=rw-eap
    auto=add

# Non-compliant clients: remediation subnet only
conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw-eap
    auto=add

# Shared template pulled in via also=; it carries no auto= of its own, so it
# is not loaded as a connection by itself.
conn rw-eap
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftauth=eap-ttls
    rightauth=eap-ttls
    # Only identities in this domain are accepted.
    rightid=*@strongswan.org
    # Clients are authenticated via EAP-TTLS, not by an IKE certificate
    # (see ipsec.conf(5) for how sendcert affects certificate requests).
    rightsendcert=never
    right=%any