
strongSwan as TNC Server

Configuration as a TNCCS 2.0 Server with EAP-MD5 password-based client authentication

# Build options for this scenario. TNC support comes from --enable-eap-tnc,
# --enable-tnccs-20 and --enable-tnc-imv plus the two IMV plugins; EAP-TTLS
# together with EAP-MD5 provides the tunnelled, password-based client
# authentication configured in strongswan.conf and ipsec.secrets below.
# NOTE(review): as printed, the continuation lines carry no trailing
# backslash, so the command has to be joined onto one line (or given `\`
# line ends) before it can be run.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
            --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv
            --enable-imv-test --enable-imv-scanner

/etc/tnc_config - TNC configuration file for strongSwan server

# IMVs loaded by the TNC server: a display name followed by the shared
# object to load. The paths are consistent with the --prefix=/usr build
# above (libraries under /usr/lib). Both IMVs get their parameters from the
# libimcv section of strongswan.conf below.
IMV "Test"    /usr/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so

/etc/strongswan.conf - strongSwan configuration file

# charon settings for the EAP-MD5-inside-EAP-TTLS scenario.
charon {
  plugins {
    eap-ttls {
      # Inner (phase 2) EAP method run inside the EAP-TTLS TLS tunnel. EAP-MD5
      # on its own offers no protection for the password exchange; it is
      # only acceptable here because it is carried inside the tunnel that
      # the server certificate (leftcert in ipsec.conf) authenticates. The
      # passwords themselves are the EAP entries in ipsec.secrets.
      phase2_method = md5
      # NOTE(review): presumably lets the phase-2 exchange start as soon as
      # the TTLS handshake completes — confirm against the strongswan.conf
      # man page before relying on this reading.
      phase2_piggyback = yes
      # Also run EAP-TNC (configured in eap-tnc below) as a phase-2 method,
      # so the TNC assessment happens inside the same tunnel.
      phase2_tnc = yes
    }
    eap-tnc {
      # Fixed IF-TNCCS version; the third scenario on this page uses
      # tnccs-dynamic to negotiate between 1.1 and 2.0 instead.
      protocol = tnccs-2.0
    }
    tnc-imv {
      # Policy for combining the individual IMV recommendations into the
      # final access decision. NOTE(review): "default" is the built-in
      # policy; see the tnc-imv documentation for the alternatives.
      recommendation_policy = default
    }
  }
}

# libimcv settings: parameters for the two IMVs listed in /etc/tnc_config.
libimcv {
  plugins {
    imv-test {
      # NOTE(review): presumably the number of measurement rounds the Test
      # IMV runs before issuing its recommendation — confirm.
      rounds = 1
    }
    imv-scanner {
      # NOTE(review): with closed_port_policy = yes the ports listed below
      # appear to be the only ones a client may have open (IKE/NAT-T on UDP
      # 500/4500 and SSH on TCP 22); the EAP-TLS scenario further down uses
      # = no with a list of ports that must be closed. Confirm against the
      # imv-scanner documentation.
      closed_port_policy = yes 
      udp_ports = 500 4500
      tcp_ports = 22
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

# Private key matching leftcert=moonCert.pem in ipsec.conf; it is what the
# EAP-TTLS server side authenticates the tunnel with.
: RSA moonKey.pem

# Per-client passwords for the phase2_method = md5 exchange inside the
# EAP-TTLS tunnel. The identities fall under rightid=*@strongswan.org in
# ipsec.conf. Keep this file readable by root only, as the passwords are
# stored in clear.
carol@strongswan.org : EAP "Ar3etTnp" 
dave@strongswan.org  : EAP "W7R0g3do" 

/etc/ipsec.conf - strongSwan IPsec configuration file

# Connection for clients placed in group "allow": full access to the first
# /28. All EAP/identity settings are pulled in from rw-eap via also=.
conn rw-allow
     rightgroups=allow
     leftsubnet=10.1.0.0/28
     also=rw-eap
     auto=add

# Connection for clients placed in group "isolate": they are steered to a
# separate /28 instead. NOTE(review): presumably the TNC recommendation
# assigns the group — the two conns differ only in rightgroups/leftsubnet.
conn rw-isolate
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     also=rw-eap
     auto=add

# Shared template included by both conns above; not a standalone conn.
conn rw-eap
     # Server certificate; its key is the ": RSA moonKey.pem" line in ipsec.secrets.
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     # Both sides authenticate with EAP-TTLS; the inner method (md5 here)
     # is configured in strongswan.conf.
     leftauth=eap-ttls
     rightauth=eap-ttls
     # Any EAP identity in this domain is accepted; which conn applies is
     # decided by group membership, not by the identity itself.
     rightid=*@strongswan.org
     # NOTE(review): presumably suppresses requesting an IKE-level client
     # certificate, since the client is authenticated inside EAP — confirm.
     rightsendcert=never
     right=%any

Server logfile

Configuration as a TNCCS 2.0 Server with EAP-TLS certificate-based client authentication

# Build options for the certificate-based scenario: EAP-MD5 is not built,
# the client is authenticated with EAP-TLS inside EAP-TTLS (see
# request_peer_auth in strongswan.conf below). --enable-curl adds an HTTP
# fetcher, which the visible configuration does not otherwise reference.
# NOTE(review): as printed, the continuation lines carry no trailing
# backslash, so the command has to be joined onto one line (or given `\`
# line ends) before it can be run.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity
            --enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv
            --enable-imv-test --enable-imv-scanner

/etc/tnc_config - TNC configuration file for strongSwan server

# IMVs loaded by the TNC server: a display name followed by the shared
# object to load.
# NOTE(review): the build above uses --prefix=/usr, under which the plugins
# would be installed below /usr/lib/ipsec/imcvs (the path used in the first
# scenario on this page); with this /usr/local path the IMVs will not load
# unless the libraries were installed there separately — confirm which
# prefix is intended.
IMV "Test"    /usr/local/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so

/etc/strongswan.conf - strongSwan configuration file

# charon settings for the certificate-based (EAP-TLS inside EAP-TTLS) scenario.
charon {
  plugins {
    eap-ttls {
      # Authenticate the client with its certificate during the TLS
      # handshake instead of an inner password method; accordingly there is
      # no phase2_method here and ipsec.secrets holds no EAP passwords.
      request_peer_auth = yes
      # NOTE(review): presumably lets the phase-2 exchange start as soon as
      # the TTLS handshake completes — confirm against the strongswan.conf
      # man page.
      phase2_piggyback = yes
      # Run EAP-TNC (eap-tnc below) as the phase-2 method inside the tunnel.
      phase2_tnc = yes
    }
    eap-tnc {
      # Fixed IF-TNCCS version for this scenario.
      protocol = tnccs-2.0
    }
    tnc-imv {
      # Policy for combining the IMV recommendations into the access
      # decision; "default" is the built-in policy.
      recommendation_policy = default
    }
  }
}

# libimcv settings: only the Scanner IMV is parameterised in this scenario
# (the Test IMV listed in /etc/tnc_config runs with its defaults).
libimcv {
  plugins {
    imv-scanner {
      # NOTE(review): with closed_port_policy = no the listed ports appear
      # to be the ones that must be closed (HTTP/HTTPS here), the inverse of
      # the = yes variant used in the other two scenarios. Confirm against
      # the imv-scanner documentation.
      closed_port_policy = no
      tcp_ports = 80 443
      # Empty list: no UDP port is checked under this policy.
      udp_ports =
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

# Private key matching leftcert=moonCert.pem in ipsec.conf. No EAP
# passwords are needed in this scenario: clients are authenticated by
# certificate (request_peer_auth = yes in strongswan.conf).
: RSA moonKey.pem

/etc/ipsec.conf - strongSwan IPsec configuration file

# Connection for clients placed in group "allow": full access to the first
# /28. All EAP/identity settings are pulled in from rw-eap via also=.
conn rw-allow
     rightgroups=allow
     leftsubnet=10.1.0.0/28
     also=rw-eap
     auto=add

# Connection for clients placed in group "isolate": they are steered to a
# separate /28 instead. NOTE(review): presumably the TNC recommendation
# assigns the group — the two conns differ only in rightgroups/leftsubnet.
conn rw-isolate
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     also=rw-eap
     auto=add

# Shared template included by both conns above; not a standalone conn.
conn rw-eap
     # Server certificate; its key is the ": RSA moonKey.pem" line in ipsec.secrets.
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     # Both sides authenticate with EAP-TTLS; in this scenario the client
     # presents its certificate inside the tunnel (request_peer_auth in
     # strongswan.conf), so no inner password method is configured.
     leftauth=eap-ttls
     rightauth=eap-ttls
     # Any EAP identity in this domain is accepted; which conn applies is
     # decided by group membership, not by the identity itself.
     rightid=*@strongswan.org
     # NOTE(review): presumably suppresses requesting an IKE-level client
     # certificate, since the client certificate is checked inside EAP-TTLS
     # rather than by IKE — confirm.
     rightsendcert=never
     right=%any

Server logfile

Configuration as a TNCCS 1.1/2.0 Server with dynamic IF-TNCCS protocol discovery

# Build options for the protocol-discovery scenario: both IF-TNCCS versions
# are built (--enable-tnccs-11, --enable-tnccs-20) and --enable-tnccs-dynamic
# lets the server pick per client; protocol = tnccs-dynamic in
# strongswan.conf selects that behaviour. Client authentication is again
# EAP-MD5 inside EAP-TTLS.
# NOTE(review): as printed, the continuation lines carry no trailing
# backslash, so the command has to be joined onto one line (or given `\`
# line ends) before it can be run.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto
            --enable-eap-tls --enable-eap-ttls --enable-eap-identity --enable-eap-md5
            --enable-eap-tnc --enable-tnccs-11 --enable-tnccs-20 --enable-tnccs-dynamic
            --enable-tnc-imv --enable-imv-test --enable-imv-scanner

/etc/tnc_config - TNC configuration file for strongSwan server

# IMVs loaded by the TNC server: a display name followed by the shared
# object to load.
# NOTE(review): the build above uses --prefix=/usr, under which the plugins
# would be installed below /usr/lib/ipsec/imcvs (the path used in the first
# scenario on this page); with this /usr/local path the IMVs will not load
# unless the libraries were installed there separately — confirm which
# prefix is intended.
IMV "Test"    /usr/local/lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so

/etc/strongswan.conf - strongSwan configuration file

# charon settings for the TNCCS 1.1/2.0 protocol-discovery scenario.
charon {
  plugins {
    eap-ttls {
      # Inner (phase 2) EAP method inside the EAP-TTLS tunnel. EAP-MD5 is
      # only acceptable because the tunnel, authenticated by the server
      # certificate (leftcert in ipsec.conf), protects the exchange; the
      # passwords are the EAP entries in ipsec.secrets.
      phase2_method = md5
      # NOTE(review): presumably lets the phase-2 exchange start as soon as
      # the TTLS handshake completes — confirm against the strongswan.conf
      # man page.
      phase2_piggyback = yes
      # Run EAP-TNC (eap-tnc below) as a phase-2 method inside the tunnel.
      phase2_tnc = yes
    }
    eap-tnc {
      # Let the server discover whether the client speaks IF-TNCCS 1.1 or
      # 2.0 (both built via --enable-tnccs-11/--enable-tnccs-20 plus
      # --enable-tnccs-dynamic above) instead of fixing one version.
      protocol = tnccs-dynamic
    }
    tnc-imv {
      # Policy for combining the IMV recommendations into the access
      # decision; "default" is the built-in policy.
      recommendation_policy = default
    }
  }
}

# libimcv settings: only the Scanner IMV is parameterised in this scenario
# (the Test IMV listed in /etc/tnc_config runs with its defaults).
libimcv {
  plugins {
    imv-scanner {
      # NOTE(review): with closed_port_policy = yes the ports listed below
      # appear to be the only ones a client may have open (SSH on TCP 22,
      # IKE/NAT-T on UDP 500/4500); same policy as the first scenario.
      # Confirm against the imv-scanner documentation.
      closed_port_policy = yes 
      tcp_ports = 22 
      udp_ports = 500 4500
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

# Private key matching leftcert=moonCert.pem in ipsec.conf; it is what the
# EAP-TTLS server side authenticates the tunnel with.
: RSA moonKey.pem

# Per-client passwords for the phase2_method = md5 exchange inside the
# EAP-TTLS tunnel. The identities fall under rightid=*@strongswan.org in
# ipsec.conf. Keep this file readable by root only, as the passwords are
# stored in clear.
carol@strongswan.org : EAP "Ar3etTnp" 
dave@strongswan.org  : EAP "W7R0g3do" 

/etc/ipsec.conf - strongSwan IPsec configuration file

# Connection for clients placed in group "allow": full access to the first
# /28. All EAP/identity settings are pulled in from rw-eap via also=.
conn rw-allow
     rightgroups=allow
     leftsubnet=10.1.0.0/28
     also=rw-eap
     auto=add

# Connection for clients placed in group "isolate": they are steered to a
# separate /28 instead. NOTE(review): presumably the TNC recommendation
# assigns the group — the two conns differ only in rightgroups/leftsubnet.
conn rw-isolate
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     also=rw-eap
     auto=add

# Shared template included by both conns above; not a standalone conn.
conn rw-eap
     # Server certificate; its key is the ": RSA moonKey.pem" line in ipsec.secrets.
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     # Both sides authenticate with EAP-TTLS; the inner method (md5 here)
     # is configured in strongswan.conf.
     leftauth=eap-ttls
     rightauth=eap-ttls
     # Any EAP identity in this domain is accepted; which conn applies is
     # decided by group membership, not by the identity itself.
     rightid=*@strongswan.org
     # NOTE(review): presumably suppresses requesting an IKE-level client
     # certificate, since the client is authenticated inside EAP — confirm.
     rightsendcert=never
     right=%any

Server logfile