strongSwan as TNC Server¶
Configuration as a TNCCS 2.0 Server with EAP-MD5 password-based client authentication¶
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto
--enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
--enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv
--enable-imv-test --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
IMV "Test" /usr/lib/ipsec/imcvs/imv-test.so IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so
/etc/strongswan.conf - strongSwan configuration file
charon {
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
tnc-imv {
recommendation_policy = default
}
}
}
libimcv {
plugins {
imv-test {
rounds = 1
}
imv-scanner {
closed_port_policy = yes
udp_ports = 500 4500
tcp_ports = 22
}
}
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem carol@strongswan.org : EAP "Ar3etTnp" dave@strongswan.org : EAP "W7R0g3do"
/etc/ipsec.conf - strongSwan IPsec configuration file
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any
Configuration as a TNCCS 2.0 Server with EAP-TLS certificate-based client authentication¶
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl
--enable-eap-tls --enable-eap-ttls --enable-eap-identity
--enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv
--enable-imv-test --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
/etc/strongswan.conf - strongSwan configuration file
charon {
plugins {
eap-ttls {
request_peer_auth = yes
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
tnc-imv {
recommendation_policy = default
}
}
}
libimcv {
plugins {
imv-scanner {
closed_port_policy = no
tcp_ports = 80 443
udp_ports =
}
}
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
/etc/ipsec.conf - strongSwan IPsec configuration file
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any
Configuration as a TNCCS 1.1/2.0 Server with dynamic IF-TNCCS protocol discovery¶
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto
--enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
--enable-eap-tnc --enable-tnccs-11 --enable-tnccs-20 --enable-tnccs-dynamic
--enable-tnc-imv --enable-imv-test --enable-imv-scanner
/etc/tnc_config - TNC configuration file for strongSwan server
IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
/etc/strongswan.conf - strongSwan configuration file
charon {
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-dynamic
}
tnc-imv {
recommendation_policy = default
}
}
}
libimcv {
plugins {
imv-scanner {
closed_port_policy = yes
tcp_ports = 22
udp_ports = 500 4500
}
}
}
/etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem carol@strongswan.org : EAP "Ar3etTnp" dave@strongswan.org : EAP "W7R0g3do"
/etc/ipsec.conf - strongSwan IPsec configuration file
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any