[strongSwan] Android TNC server basic setup

Mark M mark076h at yahoo.com
Mon Jan 16 13:24:25 CET 2017


Andreas,
I finally got the policy manager installed. However, I am not seeing the device when I form the connection and the android device disconnects. 
Any ideas on what could be wrong?
This is what the stats page in the policy manager looks like - https://i.imgur.com/9M0sMa8.jpg
Also the add groups button does not work and there are no entries under the policies and enforcements? Hard to say if everything is working correctly.

00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
00[CFG]   loaded EAP secret for carol at strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
16[CFG] received stroke: add connection 'rw-allow'
16[CFG] adding virtual IP address pool 192.168.3.55
16[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from 'tncserver.crt'
16[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
16[CFG] added configuration 'rw-allow'
06[CFG] received stroke: add connection 'rw-isolate'
06[CFG] adding virtual IP address pool 192.168.4.0/24
06[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from 'tncserver.crt'
06[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
06[CFG] added configuration 'rw-isolate'
07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500] (732 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 192.168.1.11 is initiating an IKE_SA
07[IKE] remote host is behind NAT
07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38 bytes)
05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500] (1052 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
05[IKE] 192.168.1.11 is initiating an IKE_SA
05[IKE] remote host is behind NAT
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (592 bytes)
16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (544 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
16[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
16[CFG] selected peer config 'rw-allow'
16[IKE] initiating EAP_TTLS method (id 0x4F)
16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
16[IKE] peer supports MOBIKE
16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (176 bytes)
12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (240 bytes)
12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (1104 bytes)
06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (80 bytes)
06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (432 bytes)
09[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (240 bytes)
09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
09[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (224 bytes)
12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (176 bytes)
12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
12[IKE] received EAP identity 'carol at strongswan.org'
12[IKE] phase2 method EAP_MD5 selected
12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (176 bytes)
16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (176 bytes)
16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
16[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_MD5 successful
16[IKE] phase2 method EAP_PT_EAP selected
16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (160 bytes)
11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (320 bytes)
11[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
11[TNC] assigned TNCCS Connection ID 1
11[TNC] received TNCCS batch (163 bytes)
11[TNC] processing PB-TNC CDATA batch for Connection ID 1
11[TNC] processing PA-TNC message with ID 0xdf457588
11[IMV] operating system name is 'Android' from vendor Google
11[IMV] operating system version is '6.0.1'
11[IMV] device ID is 89f393cd96b7d8d1
11[IMV] policy: imv_policy_manager start successful
11[TNC] creating PA-TNC message with ID 0x58b417d9
11[TNC] creating PA-TNC message with ID 0xec8c6991
11[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
11[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (304 bytes)
07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (256 bytes)
07[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
07[TNC] received TNCCS batch (92 bytes)
07[TNC] processing PB-TNC CDATA batch for Connection ID 1
07[TNC] processing PA-TNC message with ID 0x1bd50ae6
07[TNC] creating PA-TNC message with ID 0x8aa751ea
07[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
07[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (208 bytes)
07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (160 bytes)
07[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
07[TNC] received TNCCS batch (8 bytes)
07[TNC] processing PB-TNC CDATA batch for Connection ID 1
07[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
07[IMV] policy: imv_policy_manager stop successful
07[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
07[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (192 bytes)
08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (160 bytes)
08[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
08[TNC] received TNCCS batch (8 bytes)
08[TNC] processing PB-TNC CLOSE batch for Connection ID 1
08[TNC] final recommendation is 'allow' and evaluation is 'don't know'
08[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
08[TNC] policy enforcement point added group membership 'allow'
08[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_PT_EAP successful
08[TNC] removed TNCCS Connection ID 1
08[IKE] EAP method EAP_TTLS succeeded, MSK established
08[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (80 bytes)
08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (112 bytes)
08[ENC] parsed IKE_AUTH request 11 [ AUTH ]
08[IKE] authentication of 'carol at strongswan.org' with EAP successful
08[IKE] authentication of 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5' (myself) with EAP
08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
08[IKE] scheduling reauthentication in 9896s
08[IKE] maximum IKE_SA lifetime 10436s
08[IKE] peer requested virtual IP %any
08[CFG] assigning new lease to 'carol at strongswan.org'
08[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
08[IKE] peer requested virtual IP %any6
08[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
08[IKE] CHILD_SA rw-allow{1} established with SPIs cfa1ff42_i ccd4b585_o and TS 192.168.10.0/24 === 192.168.3.55/32
08[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (272 bytes)
11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (80 bytes)
11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
11[IKE] received DELETE for IKE_SA rw-allow[2]
11[IKE] deleting IKE_SA rw-allow[2] between 192.168.1.5[C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
11[IKE] IKE_SA deleted
11[ENC] generating INFORMATIONAL response 12 [ ]
11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (80 bytes)
11[CFG] lease 192.168.3.55 by 'carol at strongswan.org' went offline

Thanks,
Mark
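Added example (not part of Mark's mail or of the strongSwan project): a small Python triage script for the kind of charon output posted above. It splits entries that the list archive has run together back into single lines and summarises what each side did, which makes the sequence in this log explicit: the TNC recommendation was 'allow' and the IKE_SA was established on the server, and the peer then answered with N(AUTH_FAILED) and deleted the SA. The sample entries are copied from the log above; the function names are this example's own.

```python
import re

# Constructed sample: four charon entries copied from the log in the mail,
# concatenated the way the mailing-list archive rendered them.
SAMPLE = (
    "08[TNC] final recommendation is 'allow' and evaluation is 'don't know'"
    "08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD, "
    "L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]"
    "11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]"
    "11[IKE] received DELETE for IKE_SA rw-allow[2]"
)

# Every charon entry starts with a two-digit thread id and a three-letter
# subsystem tag, e.g. "08[TNC] ". Splitting on that boundary recovers the
# original lines even when the line breaks were lost.
ENTRY = re.compile(r"(\d{2})\[([A-Z]{3})\] ")


def split_entries(text):
    """Return (thread, subsystem, message) tuples from run-together output."""
    parts = ENTRY.split(text)  # ['', thread, sub, msg, thread, sub, msg, ...]
    return [(parts[i], parts[i + 1], parts[i + 2].strip())
            for i in range(1, len(parts) - 2, 3)]


def triage(entries):
    """Collect the TNC verdict, IKE_SA state and who tore the connection down."""
    summary = {"recommendation": None, "ike_sa_established": False,
               "peer_sent_auth_failed": False, "peer_sent_delete": False}
    for _thread, sub, msg in entries:
        m = re.search(r"final recommendation is '(\w+)'", msg)
        if sub == "TNC" and m:
            summary["recommendation"] = m.group(1)
        elif sub == "IKE" and " established between " in msg:
            summary["ike_sa_established"] = True
        elif sub == "ENC" and msg.startswith("parsed") and "N(AUTH_FAILED)" in msg:
            summary["peer_sent_auth_failed"] = True
        elif sub == "IKE" and msg.startswith("received DELETE for IKE_SA"):
            summary["peer_sent_delete"] = True
    return summary


def verdict(summary):
    """One-line reading of the summary for whoever is debugging the setup."""
    if (summary["recommendation"] == "allow" and summary["ike_sa_established"]
            and summary["peer_sent_auth_failed"]):
        return "server side completed (TNC allow, IKE_SA established); peer answered AUTH_FAILED and deleted the SA"
    if summary["recommendation"] not in (None, "allow"):
        return "TNC recommendation was %s" % summary["recommendation"]
    return "no decisive event found"


if __name__ == "__main__":
    for entry in split_entries(SAMPLE):
        print("%s[%s] %s" % entry)
    print(verdict(triage(split_entries(SAMPLE))))
```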


    On Saturday, January 14, 2017 7:49 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
 

 Hi Mark,

the strongTNC guide tells you how to create the config.db database:

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

Andreas

On 15.01.2017 04:15, Mark M wrote:
> Andreas,
>
> The guides that I follow do not create the /etc/pts/config.db database?
>
> Thanks,
>
> Mark
>
>
> On Thursday, January 12, 2017 2:26 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Andreas,
>
> Thank you for the info,
>
> Now when I follow the guide to install the policy manager I only get the
> default apache page.
>
> I am following this guide -
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC
>
> Thanks,
>
> Mark
>
>
> On Thursday, January 12, 2017 6:09 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> you can find a [little-outdated] TNC server configuration HOWTO
> under the following link:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
>
> In the meantime the TNC measurement policies are not hard-coded
> any more in /etc/strongswan.conf but can be configured via the
> strongTNC policy manager available from the strongSwan gitHub
> repository
>
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc
>
> The IMVs on the strongTNC server must now connect to the strongTNC
> /etc/pts/config.db database. A sample configuration can be found here
>
>
> https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server
>
> Hope this helps!
>
> Andreas
>
> On 11.01.2017 10:43, Mark M wrote:
>  > Hi,
>  >
>  > I would like to setup a basic demo of the android client using TNC
>  > connecting to a strongSwan server as shown in this guide -
>  > https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
>  >
>  > Is there a guide I can follow for a basic strongSwan server setup to
>  > test out TNC with the android client? And is there anything special that
>  > needs to be configured on the android client or does the android client
>  > support TNC by default?
>  >
>  > Thanks,
>  >
>  > Mark
>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

-- 
======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

