<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_ym19_1_1484692835702_4090"><span>Andreas,</span></div><div id="yui_3_16_0_ym19_1_1484692835702_4090"><span><br></span></div><div id="yui_3_16_0_ym19_1_1484692835702_4090" dir="ltr"><span id="yui_3_16_0_ym19_1_1484692835702_4247">Which strongswan.conf config is required to see the results shown in the Android BYOD guide <a href="https://wiki.strongswan.org/projects/strongswan/wiki/BYOD">https://wiki.strongswan.org/projects/strongswan/wiki/BYOD</a>?</span></div><div id="yui_3_16_0_ym19_1_1484692835702_4246"><br></div><div id="yui_3_16_0_ym19_1_1484692835702_4090" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1484692835702_4090" dir="ltr">Thanks,</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Tuesday, January 17, 2017 5:51 AM, Mark M &lt;mark076h@yahoo.com&gt; wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv2505345270"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div id="yiv2505345270yui_3_16_0_ym19_1_1484650274924_3638"><span id="yiv2505345270yui_3_16_0_ym19_1_1484650274924_3740">Here is the log from the Android client:</span></div><div 
id="yiv2505345270yui_3_16_0_ym19_1_1484650274924_3638"><span><br clear="none"></span></div><pre id="yiv2505345270yui_3_16_0_ym19_1_1484650274924_3743" style="">Jan 17 05:18:01 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.61-8352520, aarch64)
Jan 17 05:18:01 00[LIB] libimcv initialized
Jan 17 05:18:01 00[IMC] IMC 1 "Android" initialized
Jan 17 05:18:01 00[TNC] IMC 1 "Android" loaded
Jan 17 05:18:01 00[LIB] loaded plugins: androidbridge android-byod charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
Jan 17 05:18:01 00[JOB] spawning 16 worker threads
Jan 17 05:18:01 07[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[38969] to 192.168.1.5[500] (744 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[500] to 192.168.1.11[38969] (38 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 05:18:01 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan 17 05:18:01 08[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[38969] to 192.168.1.5[500] (1064 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[500] to 192.168.1.11[38969] (584 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jan 17 05:18:01 11[IKE] faking NAT situation to enforce UDP encapsulation
Jan 17 05:18:01 11[IKE] sending cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 11[IKE] establishing CHILD_SA android
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (544 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (1236 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 17 05:18:01 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (148 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 17 05:18:01 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
Jan 17 05:18:01 12[IKE] received end entity cert "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] using certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] using trusted ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] reached self-signed root ca with a path length of 0
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 17 05:18:01 12[IKE] server requested EAP_TTLS authentication (id 0xBC)
Jan 17 05:18:01 12[TLS] EAP_TTLS version is v0
Jan 17 05:18:01 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Jan 17 05:18:01 12[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 15[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (1104 bytes)
Jan 17 05:18:01 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Jan 17 05:18:01 15[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (80 bytes)
Jan 17 05:18:01 14[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (464 bytes)
Jan 17 05:18:01 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Jan 17 05:18:01 14[TLS] received TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
Jan 17 05:18:01 14[CFG] using certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG] using trusted ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG] reached self-signed root ca with a path length of 0
Jan 17 05:18:01 14[TLS] received TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5
Jan 17 05:18:01 14[TLS] no TLS peer certificate found for 'carol@strongswan.org', skipping client authentication
Jan 17 05:18:01 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Jan 17 05:18:01 14[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 07[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (224 bytes)
Jan 17 05:18:01 07[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 07[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Jan 17 05:18:01 07[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Jan 17 05:18:01 07[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Jan 17 05:18:01 07[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (176 bytes)
Jan 17 05:18:01 16[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (176 bytes)
Jan 17 05:18:01 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 16[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Jan 17 05:18:01 16[IKE] server requested EAP_MD5 authentication (id 0xEE)
Jan 17 05:18:01 16[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Jan 17 05:18:01 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Jan 17 05:18:01 16[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (176 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (160 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 08[IKE] server requested EAP_PT_EAP authentication (id 0x34)
Jan 17 05:18:01 08[TLS] EAP_PT_EAP version is v1
Jan 17 05:18:01 08[TNC] assigned TNCCS Connection ID 1
Jan 17 05:18:01 08[TNC] creating PA-TNC message with ID 0xcf951a70
Jan 17 05:18:01 08[TNC] sending PB-TNC CDATA batch (163 bytes) for Connection ID 1
Jan 17 05:18:01 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 08[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (320 bytes)
Jan 17 05:18:01 10[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (304 bytes)
Jan 17 05:18:01 10[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 10[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 10[TNC] received TNCCS batch (140 bytes)
Jan 17 05:18:01 10[TNC] processing PB-TNC SDATA batch for Connection ID 1
Jan 17 05:18:01 10[TNC] processing PA-TNC message with ID 0x5915d13d
Jan 17 05:18:01 10[IMC] received unsupported TCG attribute 'Max Attribute Size Request'
Jan 17 05:18:01 10[TNC] creating PA-TNC message with ID 0xd6eef0a3
Jan 17 05:18:01 10[TNC] sending PB-TNC CDATA batch (92 bytes) for Connection ID 1
Jan 17 05:18:01 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 10[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
Jan 17 05:18:01 10[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (256 bytes)
Jan 17 05:18:01 09[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (208 bytes)
Jan 17 05:18:01 09[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 09[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 09[TNC] received TNCCS batch (56 bytes)
Jan 17 05:18:01 09[TNC] processing PB-TNC SDATA batch for Connection ID 1
Jan 17 05:18:01 09[TNC] processing PA-TNC message with ID 0x66018546
Jan 17 05:18:01 09[IMC] ***** assessment of IMC 1 "Android" from IMV 1 *****
Jan 17 05:18:01 09[IMC] assessment result is 'don't know'
Jan 17 05:18:01 09[IMC] ***** end of assessment *****
Jan 17 05:18:01 09[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
Jan 17 05:18:01 09[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 09[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
Jan 17 05:18:01 09[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (160 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (272 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 11[TNC] received TNCCS batch (109 bytes)
Jan 17 05:18:01 11[TNC] processing PB-TNC RESULT batch for Connection ID 1
Jan 17 05:18:01 11[TNC] PB-TNC assessment result is 'don't know'
Jan 17 05:18:01 11[TNC] PB-TNC access recommendation is 'Access Allowed'
Jan 17 05:18:01 11[TNC] reason string is 'IMC Test was not configured with "command = allow"' [en]
Jan 17 05:18:01 11[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
Jan 17 05:18:01 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (160 bytes)
Jan 17 05:18:01 13[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (80 bytes)
Jan 17 05:18:01 13[ENC] parsed IKE_AUTH response 10 [ EAP/SUCC ]
Jan 17 05:18:01 13[IKE] EAP method EAP_TTLS succeeded, MSK established
Jan 17 05:18:01 13[IKE] authentication of 'carol@strongswan.org' (myself) with EAP
Jan 17 05:18:01 13[ENC] generating IKE_AUTH request 11 [ AUTH ]
Jan 17 05:18:01 13[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (112 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (272 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' with EAP successful
Jan 17 05:18:01 12[TNC] removed TNCCS Connection ID 1
Jan 17 05:18:01 12[IKE] IKE_SA android[1] established between 192.168.1.11[carol@strongswan.org]...192.168.1.5[C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5]
Jan 17 05:18:01 12[IKE] scheduling rekeying in 35453s
Jan 17 05:18:01 12[IKE] maximum IKE_SA lifetime 36053s
Jan 17 05:18:01 12[IKE] installing new virtual IP 192.168.3.55
Jan 17 05:18:01 12[IKE] CHILD_SA android{1} established with SPIs a67a390d_i cce3b26b_o and TS 192.168.3.55/32 === 192.168.10.0/24
Jan 17 05:18:01 12[DMN] setting up TUN device for CHILD_SA android{1}
Jan 17 05:18:01 12[DMN] successfully created TUN device
Jan 17 05:18:02 12[IKE] received AUTH_LIFETIME of 10196s, scheduling reauthentication in 9596s
Jan 17 05:18:02 12[IKE] peer supports MOBIKE
Jan 17 05:18:02 14[IKE] sending address list update using MOBIKE
Jan 17 05:18:02 14[ENC] generating INFORMATIONAL request 12 [ N(NO_ADD_ADDR) ]
Jan 17 05:18:02 14[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (80 bytes)
Jan 17 05:18:02 16[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (80 bytes)
Jan 17 05:18:02 16[ENC] parsed INFORMATIONAL response 12 [ ]</pre> <div class="yiv2505345270qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv2505345270yqt1679022174" id="yiv2505345270yqt80542"><div class="yiv2505345270yahoo_quoted" style="display:block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"><font size="2" face="Arial"> On Monday, January 16, 2017 8:08 PM, Mark M &lt;mark076h@yahoo.com&gt; wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv2505345270y_msg_container"><div id="yiv2505345270"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div id="yiv2505345270"><div id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20550"><div id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20549" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><span>Andreas,</span></div><div id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><span><br clear="none"></span></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><span id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20634">I had to change the password again with the "</span>manage.py setpassword" and now I can edit everything.</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850">So I finally got my device to start showing in the policy manager, but it does not look like the scans are actually being performed on the device.</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850">Here is my config and log:</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20697"> cat /etc/tnc_config</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20698">IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20699">IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20700"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_20701"></div></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14297">ipsec.conf:</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14298"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14299"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14300">conn rw-allow</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14301"> rightgroups=allow</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14302"> rightsourceip=192.168.3.55</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14303"> leftsubnet=192.168.10.0/24</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14304"> also=rw222</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14305"> auto=add</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14306"><br clear="none" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14307"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14308">conn rw-isolate</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14309"> rightgroups=isolate</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14310"> leftsubnet=10.1.0.16/28</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14311"> also=rw222</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14312"> auto=add</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14313"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14314"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14315">conn rw222</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14316"> leftcert=tnc3.crt</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14317"> leftid=@192.168.1.5</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14318"> rightsourceip=192.168.3.55</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14319"> leftauth=pubkey</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14320"> rightauth=eap-ttls</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14321"> rightid=*@strongswan.org</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14322"> rightsendcert=never</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14323"> right=%any</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14324"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14325"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14326">strongswan.conf:</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14327"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14328"></div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14329">charon {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14330"> multiple_authentication = no</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14331"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14332"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14333"> filelog {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14334"> /var/log/strongswan.log {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14335"> append = no</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14336"> default = 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14337"> flush_line = yes</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14338"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14339">}</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14340"> plugins {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14341"> eap-ttls {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14342"> phase2_method = md5</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14343"> phase2_piggyback = yes</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14344"> phase2_tnc = yes</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14345"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14346"> eap-tnc {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14347"> protocol = tnccs-2.0</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14348"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14349"> tnc-imv {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14350"> recommendation_policy = default</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14351"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14352"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14353">}</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14354"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14355"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14356">libimcv {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14357"> database= sqlite:///etc/pts/config.db</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14358"> policy_script = ipsec imv_policy_manager</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14359"> plugins {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14360"> imv-test {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14361"> rounds = 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14362"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14363"> imv-scanner {</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14364"> closed_port_policy = yes</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14365"> udp_ports = 500 4500</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14366"> tcp_ports = 22</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14367"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14368"> }</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14369">}</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14370"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14371"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14372">00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14373">00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14374">00[CFG] loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14375">00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14376">00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14377">00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14378">00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14379">00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14380">00[CFG] loaded RSA private key from '/etc/ipsec.d/private/tnc3.key'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14381">00[CFG] loaded EAP secret for carol@strongswan.org</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14382">00[TNC] TNC recommendation policy is 'default'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14383">00[TNC] loading IMVs from '/etc/tnc_config'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14384">00[LIB] libimcv initialized</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14385">00[IMV] IMV 1 "Attestation" initialized</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14386">00[PTS] no PTS cacerts directory defined</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14387">00[TNC] IMV 1 "Attestation" loaded from 
'/usr/lib/ipsec/imcvs/imv-attestation.so'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14388">00[IMV] IMV 2 "Scanner" initialized</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14389">00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14390">00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14391">00[JOB] spawning 16 worker threads</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14392">04[CFG] received stroke: add connection 'rw-allow'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14393">04[CFG] adding virtual IP address pool 192.168.3.55</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14394">04[CFG] loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14395">04[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14396">04[CFG] added configuration 'rw-allow'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14397">14[CFG] received stroke: add connection 'rw-isolate'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14398">14[CFG] reusing virtual IP address pool 192.168.3.55</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14399">14[CFG] loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14400">14[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14401">14[CFG] added configuration 'rw-isolate'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14402">04[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (732 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14403">04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14404">04[IKE] 192.168.1.11 is initiating an IKE_SA</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14405">04[IKE] remote host is behind NAT</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14406">04[IKE] DH group ECP_256 inacceptable, requesting MODP_3072</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14407">04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14408">04[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (38 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14409">11[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (1052 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14410">11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14411">11[IKE] 192.168.1.11 is initiating an IKE_SA</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14412">11[IKE] remote host is behind NAT</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14413">11[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14414">11[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (584 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14415">09[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (528 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14416">09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14417">09[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14418">09[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[carol@strongswan.org]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14419">09[CFG] selected peer config 'rw-allow'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14420">09[IKE] initiating EAP_TTLS method (id 0xA0)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14421">09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14422">09[IKE] peer supports MOBIKE</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14423">09[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14424">09[IKE] sending end entity cert "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14425">09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14426">09[ENC] splitting IKE message with length of 1312 bytes into 2 fragments</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14427">09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14428">09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14429">09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1236 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14430">09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (148 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14431">08[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14432">08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14433">08[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14434">08[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14435">08[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14436">08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14437">08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1104 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14438">12[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14439">12[ENC] 
parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14440">12[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14441">12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (464 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14442">10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14443">10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14444">10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14445">10[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14446">10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (224 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14447">07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14448">07[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14449">07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14450">07[IKE] received EAP identity 'carol@strongswan.org'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14451">07[IKE] phase2 method EAP_MD5 selected</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14452">07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14453">07[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14454">07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (176 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14455">06[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14456">06[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14457">06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14458">06[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14459">06[IKE] phase2 method EAP_PT_EAP selected</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14460">06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14461">06[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14462">06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (160 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14463">10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (320 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14464">10[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14465">10[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14466">10[TNC] assigned TNCCS Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14467">10[TNC] received TNCCS batch (163 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14468">10[TNC] processing 
PB-TNC CDATA batch for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14469">10[TNC] processing PA-TNC message with ID 0x83c807ae</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14470">10[IMV] operating system name is 'Android' from vendor Google</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14471">10[IMV] operating system version is '6.0.1'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14472">10[IMV] device ID is 89f393cd9abad0d1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14473">10[IMV] policy: imv_policy_manager start successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14474">10[TNC] creating PA-TNC message with ID 0x847f8ac7</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14475">10[TNC] creating PA-TNC message with ID 0x39ef8f2b</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14476">10[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14477">10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14478">10[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14479">10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (304 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14480">14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (256 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14481">14[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14482">14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14483">14[TNC] received TNCCS 
batch (92 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14484">14[TNC] processing PB-TNC CDATA batch for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14485">14[TNC] processing PA-TNC message with ID 0x0db51e10</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14486">14[TNC] creating PA-TNC message with ID 0x90c233ba</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14487">14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14488">14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14489">14[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14490">14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (208 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14491">14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14492">14[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14493">14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14494">14[TNC] received TNCCS batch (8 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14495">14[TNC] processing PB-TNC CDATA batch for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14496">14[IMV] policy: recommendation for access requestor 192.168.1.11 is allow</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14497">14[IMV] policy: imv_policy_manager stop successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14498">14[TNC] sending 
PB-TNC RESULT batch (40 bytes) for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14499">14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14500">14[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14501">14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (192 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14502">04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14503">04[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14504">04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14505">04[TNC] received TNCCS batch (8 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14506">04[TNC] processing PB-TNC CLOSE batch for Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14507">04[TNC] final recommendation is 'allow' and evaluation is 'don't know'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14508">04[TNC] policy enforced on peer 'carol@strongswan.org' is 'allow'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14509">04[TNC] policy enforcement point added group membership 'allow'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14510">04[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_PT_EAP successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14511">04[TNC] removed TNCCS Connection ID 1</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14512">04[IKE] EAP method EAP_TTLS succeeded, MSK established</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14513">04[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14514">04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14515">04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (112 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14516">04[ENC] parsed IKE_AUTH request 11 [ AUTH ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14517">04[IKE] authentication of 'carol@strongswan.org' with EAP successful</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14518">04[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with EAP</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14519">04[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol@strongswan.org]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14520">04[IKE] scheduling reauthentication in 10214s</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14521">04[IKE] maximum IKE_SA lifetime 10754s</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14522">04[IKE] peer requested virtual IP %any</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14523">04[CFG] assigning new lease to 'carol@strongswan.org'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14524">04[IKE] assigning virtual IP 192.168.3.55 to peer 'carol@strongswan.org'</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14525">04[IKE] peer requested virtual IP %any6</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14526">04[IKE] no virtual IP found for %any6 requested by 'carol@strongswan.org'</div><div dir="ltr" 
id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14527">04[IKE] CHILD_SA rw-allow{1} established with SPIs cd745417_i 57dd2792_o and TS 192.168.10.0/24 === 192.168.3.55/32</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14528">04[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14529">04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (272 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14530">07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14531">07[ENC] parsed INFORMATIONAL request 12 [ N(NO_ADD_ADDR) ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14532">07[ENC] generating INFORMATIONAL response 12 [ ]</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14533">07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)</div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14534"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_14535"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div dir="ltr" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><br clear="none"></div><div id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_8850"><span><br clear="none"></span></div> <div class="yiv2505345270qtdSeparateBR" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_22345"><br clear="none" id="yiv2505345270yui_3_16_0_ym19_1_1484614297233_22370"><br clear="none"></div><div class="yiv2505345270yqt4612753479" id="yiv2505345270yqt97536"></div></div></div></div><div class="yiv2505345270yqt6103150521" id="yiv2505345270yqt44659"><div> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, 
sans-serif;font-size:12px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"><font size="2" face="Arial"> On Monday, January 16, 2017 7:46 PM, Andreas Steffen <andreas.steffen@strongswan.org> wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv2505345270y_msg_container">Hi Mark,<br clear="none"><br clear="none">did you exactly follow the instructions on how to initialize the<br clear="none">PTS database?<br clear="none"><br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database">https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database</a><br clear="none"><br clear="none">Is the path to config.db set correctly in /etc/strongTNC/settings.ini?<br clear="none"><br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database">https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database</a><br clear="none"><br clear="none"> From my experience it seems that setting DEBUG=1 might help.<br clear="none"><br clear="none">Regards<br clear="none"><br clear="none">Andreas<br clear="none"><br clear="none">On 16.01.2017 20:24, Mark M wrote:<br clear="none">> Andreas,<br clear="none">><br clear="none">> I finally got the policy manager installed. 
However, I am not seeing the<br clear="none">> device when I form the connection and the android device disconnects.<br clear="none">><br clear="none">> Any ideas on what could be wrong?<br clear="none">><br clear="none">> This is what the stats page in the policy manager looks like -<br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://i.imgur.com/9M0sMa8.jpg">https://i.imgur.com/9M0sMa8.jpg</a><br clear="none">><br clear="none">> Also the add groups button does not work and there are no entries under<br clear="none">> the policies and enforcements? Hard to say if everything is working<br clear="none">> correctly.<br clear="none">><br clear="none">><br clear="none">> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux<br clear="none">> 4.8.0-22-generic, x86_64)<br clear="none">> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br clear="none">> 00[CFG] loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'<br clear="none">> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br clear="none">> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br clear="none">> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br clear="none">> 00[CFG] loading crls from '/etc/ipsec.d/crls'<br clear="none">> 00[CFG] loading secrets from '/etc/ipsec.secrets'<br clear="none">> 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'<br clear="none">> 00[CFG] loaded EAP secret for <a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a><br clear="none">> 00[TNC] TNC recommendation policy is 'default'<br clear="none">> 00[TNC] loading IMVs from '/etc/tnc_config'<br clear="none">> 00[LIB] libimcv initialized<br clear="none">> 00[IMV] IMV 1 "Attestation" initialized<br clear="none">> 00[PTS] no PTS cacerts directory defined<br 
clear="none">> 00[TNC] IMV 1 "Attestation" loaded from<br clear="none">> '/usr/lib/ipsec/imcvs/imv-attestation.so'<br clear="none">> 00[IMV] IMV 2 "Scanner" initialized<br clear="none">> 00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'<br clear="none">> 00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation<br clear="none">> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem<br clear="none">> openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve<br clear="none">> socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2<br clear="none">> eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20<br clear="none">> 00[JOB] spawning 16 worker threads<br clear="none">> 16[CFG] received stroke: add connection 'rw-allow'<br clear="none">> 16[CFG] adding virtual IP address pool 192.168.3.55<br clear="none">> 16[CFG] loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5" from 'tncserver.crt'<br clear="none">> 16[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to<br clear="none">> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'<br clear="none">> 16[CFG] added configuration 'rw-allow'<br clear="none">> 06[CFG] received stroke: add connection 'rw-isolate'<br clear="none">> 06[CFG] adding virtual IP address pool 192.168.4.0/24<br clear="none">> 06[CFG] loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5" from 'tncserver.crt'<br clear="none">> 06[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to<br clear="none">> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'<br clear="none">> 06[CFG] added configuration 'rw-isolate'<br clear="none">> 07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]<br clear="none">> (732 bytes)<br clear="none">> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br clear="none">> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br 
clear="none">> 07[IKE] 192.168.1.11 is initiating an IKE_SA<br clear="none">> 07[IKE] remote host is behind NAT<br clear="none">> 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072<br clear="none">> 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]<br clear="none">> 07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38<br clear="none">> bytes)<br clear="none">> 05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]<br clear="none">> (1052 bytes)<br clear="none">> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br clear="none">> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br clear="none">> 05[IKE] 192.168.1.11 is initiating an IKE_SA<br clear="none">> 05[IKE] remote host is behind NAT<br clear="none">> 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)<br clear="none">> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br clear="none">> 05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631]<br clear="none">> (592 bytes)<br clear="none">> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (544 bytes)<br clear="none">> 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ<br clear="none">> CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)<br clear="none">> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br clear="none">> 16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5"<br clear="none">> 16[CFG] looking for peer configs matching<br clear="none">> 192.168.1.5[%any]...192.168.1.11[<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>]<br clear="none">> 16[CFG] selected peer config 'rw-allow'<br clear="none">> 16[IKE] initiating EAP_TTLS method (id 0x4F)<br clear="none">> 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br clear="none">> 
16[IKE] peer supports MOBIKE<br clear="none">> 16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]<br clear="none">> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (176 bytes)<br clear="none">> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (240 bytes)<br clear="none">> 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]<br clear="none">> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br clear="none">> 12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC,<br clear="none">> OU=TNC, CN=192.168.1.5'<br clear="none">> 12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5'<br clear="none">> 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]<br clear="none">> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (1104 bytes)<br clear="none">> 06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (80 bytes)<br clear="none">> 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]<br clear="none">> 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]<br clear="none">> 06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (432 bytes)<br clear="none">> 09[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (240 bytes)<br clear="none">> 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]<br clear="none">> 09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]<br clear="none">> 09[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]<br clear="none">> 09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (224 bytes)<br clear="none">> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (176 bytes)<br clear="none">> 12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]<br clear="none">> 12[IKE] 
received tunneled EAP-TTLS AVP [EAP/RES/ID]<br clear="none">> 12[IKE] received EAP identity '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>'<br clear="none">> 12[IKE] phase2 method EAP_MD5 selected<br clear="none">> 12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]<br clear="none">> 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]<br clear="none">> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (176 bytes)<br clear="none">> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (176 bytes)<br clear="none">> 16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]<br clear="none">> 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]<br clear="none">> 16[IKE] EAP_TTLS phase2 authentication of '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>' with<br clear="none">> EAP_MD5 successful<br clear="none">> 16[IKE] phase2 method EAP_PT_EAP selected<br clear="none">> 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]<br clear="none">> 16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]<br clear="none">> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (160 bytes)<br clear="none">> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (320 bytes)<br clear="none">> 11[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]<br clear="none">> 11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]<br clear="none">> 11[TNC] assigned TNCCS Connection ID 1<br clear="none">> 11[TNC] received TNCCS batch (163 bytes)<br clear="none">> 11[TNC] processing PB-TNC CDATA batch for Connection ID 1<br clear="none">> 11[TNC] processing PA-TNC message with ID 0xdf457588<br clear="none">> 11[IMV] operating system name is 'Android' from vendor Google<br 
clear="none">> 11[IMV] operating system version is '6.0.1'<br clear="none">> 11[IMV] device ID is 89f393cd96b7d8d1<br clear="none">> 11[IMV] policy: imv_policy_manager start successful<br clear="none">> 11[TNC] creating PA-TNC message with ID 0x58b417d9<br clear="none">> 11[TNC] creating PA-TNC message with ID 0xec8c6991<br clear="none">> 11[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1<br clear="none">> 11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]<br clear="none">> 11[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]<br clear="none">> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (304 bytes)<br clear="none">> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (256 bytes)<br clear="none">> 07[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]<br clear="none">> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]<br clear="none">> 07[TNC] received TNCCS batch (92 bytes)<br clear="none">> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1<br clear="none">> 07[TNC] processing PA-TNC message with ID 0x1bd50ae6<br clear="none">> 07[TNC] creating PA-TNC message with ID 0x8aa751ea<br clear="none">> 07[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1<br clear="none">> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]<br clear="none">> 07[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]<br clear="none">> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (208 bytes)<br clear="none">> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (160 bytes)<br clear="none">> 07[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]<br clear="none">> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]<br clear="none">> 07[TNC] received TNCCS batch (8 bytes)<br clear="none">> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1<br clear="none">> 07[IMV] policy: recommendation for access 
requestor 192.168.1.11 is allow<br clear="none">> 07[IMV] policy: imv_policy_manager stop successful<br clear="none">> 07[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1<br clear="none">> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]<br clear="none">> 07[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]<br clear="none">> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (192 bytes)<br clear="none">> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (160 bytes)<br clear="none">> 08[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]<br clear="none">> 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]<br clear="none">> 08[TNC] received TNCCS batch (8 bytes)<br clear="none">> 08[TNC] processing PB-TNC CLOSE batch for Connection ID 1<br clear="none">> 08[TNC] final recommendation is 'allow' and evaluation is 'don't know'<br clear="none">> 08[TNC] policy enforced on peer '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>' is 'allow'<br clear="none">> 08[TNC] policy enforcement point added group membership 'allow'<br clear="none">> 08[IKE] EAP_TTLS phase2 authentication of '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>' with<br clear="none">> EAP_PT_EAP successful<br clear="none">> 08[TNC] removed TNCCS Connection ID 1<br clear="none">> 08[IKE] EAP method EAP_TTLS succeeded, MSK established<br clear="none">> 08[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]<br clear="none">> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (80 bytes)<br clear="none">> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]<br clear="none">> (112 bytes)<br clear="none">> 08[ENC] parsed IKE_AUTH request 11 [ AUTH ]<br clear="none">> 08[IKE] 
authentication of '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>' with EAP successful<br clear="none">> 08[IKE] authentication of 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,<br clear="none">> CN=192.168.1.5' (myself) with EAP<br clear="none">> 08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD,<br clear="none">> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>]<br clear="none">> 08[IKE] scheduling reauthentication in 9896s<br clear="none">> 08[IKE] maximum IKE_SA lifetime 10436s<br clear="none">> 08[IKE] peer requested virtual IP %any<br clear="none">> 08[CFG] assigning new lease to '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>'<br clear="none">> 08[IKE] assigning virtual IP 192.168.3.55 to peer '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>'<br clear="none">> 08[IKE] peer requested virtual IP %any6<br clear="none">> 08[IKE] no virtual IP found for %any6 requested by '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>'<br clear="none">> 08[IKE] CHILD_SA rw-allow{1} established with SPIs cfa1ff42_i ccd4b585_o<br clear="none">> and TS 192.168.10.0/24 === 192.168.3.55/32<br clear="none">> 08[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr<br clear="none">> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]<br clear="none">> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (272 bytes)<br clear="none">> 11[NET] received packet: from 192.168.1.11[33660] to 
192.168.1.5[4500]<br clear="none">> (80 bytes)<br clear="none">> 11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]<br clear="none">> 11[IKE] received DELETE for IKE_SA rw-allow[2]<br clear="none">> 11[IKE] deleting IKE_SA rw-allow[2] between 192.168.1.5[C=US, ST=MD,<br clear="none">> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>]<br clear="none">> 11[IKE] IKE_SA deleted<br clear="none">> 11[ENC] generating INFORMATIONAL response 12 [ ]<br clear="none">> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]<br clear="none">> (80 bytes)<br clear="none">> 11[CFG] lease 192.168.3.55 by '<a rel="nofollow" shape="rect" ymailto="mailto:carol@strongswan.org" target="_blank" href="mailto:carol@strongswan.org">carol@strongswan.org</a>' went offline<br clear="none">><br clear="none">><br clear="none">> Thanks,<br clear="none">><br clear="none">> Mark<br clear="none">><br clear="none">><br clear="none">><br clear="none">> On Saturday, January 14, 2017 7:49 PM, Andreas Steffen<br clear="none">> <<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>> wrote:<br clear="none">><br clear="none">><br clear="none">> Hi Mark,<br clear="none">><br clear="none">> the strongTNC guide tells you how to create the config.db database:<br clear="none">><br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database">https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database</a><br clear="none">><br clear="none">> Andreas<br clear="none">><br clear="none">> On 15.01.2017 04:15, Mark M wrote:<br clear="none">> > Andreas,<br clear="none">> ><br clear="none">> > The guides that I 
follow do not create the /etc/pts/config.db database?<br clear="none">> ><br clear="none">> > Thanks,<br clear="none">> ><br clear="none">> > Mark<br clear="none">> ><br clear="none">> ><br clear="none">> > On Thursday, January 12, 2017 2:26 PM, Mark M <<a rel="nofollow" shape="rect" ymailto="mailto:mark076h@yahoo.com" target="_blank" href="mailto:mark076h@yahoo.com">mark076h@yahoo.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:mark076h@yahoo.com" target="_blank" href="mailto:mark076h@yahoo.com">mark076h@yahoo.com</a>>> wrote:<br clear="none">> ><br clear="none">> ><br clear="none">> > Andreas,<br clear="none">> ><br clear="none">> > Thank you for the info,<br clear="none">> ><br clear="none">> > Now when I follow the guide to install the policy manager I only get the<br clear="none">> > default apache page.<br clear="none">> ><br clear="none">> > I am following this guide -<br clear="none">> > <a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC">https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC</a><br clear="none">> ><br clear="none">> > Thanks,<br clear="none">> ><br clear="none">> > Mark<br clear="none">> ><br clear="none">> ><br clear="none">> > On Thursday, January 12, 2017 6:09 AM, Andreas Steffen<br clear="none">> > <<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>>> wrote:<br clear="none">> ><br clear="none">> ><br clear="none">> > Hi Mark,<br clear="none">> ><br clear="none">> > you can find a [little-outdated] TNC server configuration HOWTO<br clear="none">> > under the following link:<br clear="none">> ><br clear="none">> > 
<a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/TNCS">https://wiki.strongswan.org/projects/strongswan/wiki/TNCS</a><br clear="none">> ><br clear="none">> > In the meantime the TNC measurement policies are not hard-coded<br clear="none">> > any more in /etc/strongswan.conf but can be configured via the<br clear="none">> > strongTNC policy manager available from the strongSwan GitHub<br clear="none">> > repository<br clear="none">> ><br clear="none">> > <a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc">https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc</a><br clear="none">> ><br clear="none">> > The IMVs on the strongTNC server must now connect to the strongTNC<br clear="none">> > /etc/pts/config.db database. A sample configuration can be found here<br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server">https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server</a><br clear="none">> ><br clear="none">> > Hope this helps!<br clear="none">> ><br clear="none">> > Andreas<br clear="none">> ><br clear="none">> > On 11.01.2017 10:43, Mark M wrote:<br clear="none">> > > Hi,<br clear="none">> > ><br clear="none">> > > I would like to set up a basic demo of the Android client using TNC<br clear="none">> > > connecting to a strongSwan server as shown in this guide -<br clear="none">> > > <a rel="nofollow" shape="rect" target="_blank" href="https://wiki.strongswan.org/projects/strongswan/wiki/BYOD">https://wiki.strongswan.org/projects/strongswan/wiki/BYOD</a><br clear="none">> > ><br clear="none">> > > Is there a guide I can follow for a basic strongSwan server setup to<br clear="none">> > > test out TNC with the Android client? 
And is there anything special that<br clear="none">> > > needs to be configured on the Android client or does the Android client<br clear="none">> > > support TNC by default?<br clear="none">> > ><br clear="none">> > > Thanks,<br clear="none">> > ><br clear="none">> > > Mark<br clear="none">> ><br clear="none">> ><br clear="none">> > ======================================================================<br clear="none">> > Andreas Steffen <a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>><br clear="none">> > <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>>><br clear="none">> > strongSwan - the Open Source VPN Solution! 
www.strongswan.org<br clear="none">> > Institute for Internet Technologies and Applications<br clear="none">> > University of Applied Sciences Rapperswil<br clear="none">> > CH-8640 Rapperswil (Switzerland)<br clear="none">> > ===========================================================[ITA-HSR]==<div class="yiv2505345270yqt0210041035" id="yiv2505345270yqtfd76298"><br clear="none">><br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">><br clear="none">> --<br clear="none">> ======================================================================<br clear="none">> Andreas Steffen <a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>><br clear="none">> strongSwan - the Open Source VPN Solution! www.strongswan.org<br clear="none">> Institute for Internet Technologies and Applications<br clear="none">> University of Applied Sciences Rapperswil<br clear="none">> CH-8640 Rapperswil (Switzerland)<br clear="none">> ===========================================================[ITA-HSR]==<br clear="none">><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">======================================================================<br clear="none">Andreas Steffen <a rel="nofollow" shape="rect" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br clear="none">strongSwan - the Open Source VPN Solution! 
www.strongswan.org<br clear="none">Institute for Internet Technologies and Applications<br clear="none">University of Applied Sciences Rapperswil<br clear="none">CH-8640 Rapperswil (Switzerland)<br clear="none">===========================================================[ITA-HSR]==<br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div> </div></div></div></div></div><br clear="none"><br clear="none"></div> </div> </div> </div></div></div></div></div><br><br></div> </div> </div> </div></div></body></html>