[strongSwan] Android TNC server basic setup

Andreas Steffen andreas.steffen at strongswan.org
Tue Jan 17 01:45:48 CET 2017


Hi Mark,

did you exactly follow the instructions on how to initialize the
PTS database?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

Is the path to config.db set correctly in /etc/strongTNC/settings.ini?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

From my experience it seems that setting DEBUG=1 might help.

Regards

Andreas

On 16.01.2017 20:24, Mark M wrote:
> Andreas,
>
> I finally got the policy manager installed. However, I am not seeing the
> device when I form the connection and the android device disconnects.
>
> Any ideas on what could be wrong?
>
> This is what the stats page in the policy manager looks like -
> https://i.imgur.com/9M0sMa8.jpg
>
> Also the add groups button does not work and there are no entries under
> the policies and enforcements. Hard to say if everything is working
> correctly.
>
>
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux
> 4.8.0-22-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
> 00[CFG]   loaded EAP secret for carol at strongswan.org
> 00[TNC] TNC recommendation policy is 'default'
> 00[TNC] loading IMVs from '/etc/tnc_config'
> 00[LIB] libimcv initialized
> 00[IMV] IMV 1 "Attestation" initialized
> 00[PTS] no PTS cacerts directory defined
> 00[TNC] IMV 1 "Attestation" loaded from
> '/usr/lib/ipsec/imcvs/imv-attestation.so'
> 00[IMV] IMV 2 "Scanner" initialized
> 00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
> 00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve
> socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
> 00[JOB] spawning 16 worker threads
> 16[CFG] received stroke: add connection 'rw-allow'
> 16[CFG] adding virtual IP address pool 192.168.3.55
> 16[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 16[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 16[CFG] added configuration 'rw-allow'
> 06[CFG] received stroke: add connection 'rw-isolate'
> 06[CFG] adding virtual IP address pool 192.168.4.0/24
> 06[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 06[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 06[CFG] added configuration 'rw-isolate'
> 07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (732 bytes)
> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 07[IKE] 192.168.1.11 is initiating an IKE_SA
> 07[IKE] remote host is behind NAT
> 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
> 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> 07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38
> bytes)
> 05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (1052 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 05[IKE] 192.168.1.11 is initiating an IKE_SA
> 05[IKE] remote host is behind NAT
> 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631]
> (592 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (544 bytes)
> 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
> CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5"
> 16[CFG] looking for peer configs matching
> 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
> 16[CFG] selected peer config 'rw-allow'
> 16[IKE] initiating EAP_TTLS method (id 0x4F)
> 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 16[IKE] peer supports MOBIKE
> 16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC,
> OU=TNC, CN=192.168.1.5'
> 12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5'
> 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (1104 bytes)
> 06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
> 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
> 06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (432 bytes)
> 09[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
> 09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
> 09[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
> 09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (224 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
> 12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
> 12[IKE] received EAP identity 'carol at strongswan.org'
> 12[IKE] phase2 method EAP_MD5 selected
> 12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
> 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
> 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
> 16[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_MD5 successful
> 16[IKE] phase2 method EAP_PT_EAP selected
> 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (160 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (320 bytes)
> 11[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
> 11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 11[TNC] assigned TNCCS Connection ID 1
> 11[TNC] received TNCCS batch (163 bytes)
> 11[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 11[TNC] processing PA-TNC message with ID 0xdf457588
> 11[IMV] operating system name is 'Android' from vendor Google
> 11[IMV] operating system version is '6.0.1'
> 11[IMV] device ID is 89f393cd96b7d8d1
> 11[IMV] policy: imv_policy_manager start successful
> 11[TNC] creating PA-TNC message with ID 0x58b417d9
> 11[TNC] creating PA-TNC message with ID 0xec8c6991
> 11[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
> 11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 11[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (304 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (256 bytes)
> 07[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (92 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[TNC] processing PA-TNC message with ID 0x1bd50ae6
> 07[TNC] creating PA-TNC message with ID 0x8aa751ea
> 07[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (208 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 07[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (8 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
> 07[IMV] policy: imv_policy_manager stop successful
> 07[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (192 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 08[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
> 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 08[TNC] received TNCCS batch (8 bytes)
> 08[TNC] processing PB-TNC CLOSE batch for Connection ID 1
> 08[TNC] final recommendation is 'allow' and evaluation is 'don't know'
> 08[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
> 08[TNC] policy enforcement point added group membership 'allow'
> 08[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_PT_EAP successful
> 08[TNC] removed TNCCS Connection ID 1
> 08[IKE] EAP method EAP_TTLS succeeded, MSK established
> 08[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (112 bytes)
> 08[ENC] parsed IKE_AUTH request 11 [ AUTH ]
> 08[IKE] authentication of 'carol at strongswan.org' with EAP successful
> 08[IKE] authentication of 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5' (myself) with EAP
> 08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 08[IKE] scheduling reauthentication in 9896s
> 08[IKE] maximum IKE_SA lifetime 10436s
> 08[IKE] peer requested virtual IP %any
> 08[CFG] assigning new lease to 'carol at strongswan.org'
> 08[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
> 08[IKE] peer requested virtual IP %any6
> 08[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
> 08[IKE] CHILD_SA rw-allow{1} established with SPIs cfa1ff42_i ccd4b585_o
> and TS 192.168.10.0/24 === 192.168.3.55/32
> 08[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr
> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (272 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
> 11[IKE] received DELETE for IKE_SA rw-allow[2]
> 11[IKE] deleting IKE_SA rw-allow[2] between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 11[IKE] IKE_SA deleted
> 11[ENC] generating INFORMATIONAL response 12 [ ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 11[CFG] lease 192.168.3.55 by 'carol at strongswan.org' went offline
>
>
> Thanks,
>
> Mark
>
>
>
> On Saturday, January 14, 2017 7:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> the strongTNC guide tells you how to create the config.db database:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database
>
> Andreas
>
> On 15.01.2017 04:15, Mark M wrote:
>  > Andreas,
>  >
>  > The guides that I follow do not create the /etc/pts/config.db database?
>  >
>  > Thanks,
>  >
>  > Mark
>  >
>  >
>  > On Thursday, January 12, 2017 2:26 PM, Mark M <mark076h at yahoo.com> wrote:
>  >
>  >
>  > Andreas,
>  >
>  > Thank you for the info,
>  >
>  > Now when I follow the guide to install the policy manager I only get the
>  > default apache page.
>  >
>  > I am following this guide -
>  > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC
>  >
>  > Thanks,
>  >
>  > Mark
>  >
>  >
>  > On Thursday, January 12, 2017 6:09 AM, Andreas Steffen
>  > <andreas.steffen at strongswan.org> wrote:
>  >
>  >
>  > Hi Mark,
>  >
>  > you can find a [little-outdated] TNC server configuration HOWTO
>  > under the following link:
>  >
>  > https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
>  >
>  > In the meantime the TNC measurement policies are not hard-coded
>  > any more in /etc/strongswan.conf but can be configured via the
>  > strongTNC policy manager available from the strongSwan gitHub
>  > repository
>  >
>  > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc
>  >
>  > The IMVs on the strongTNC server must now connect to the strongTNC
>  > /etc/pts/config.db database. A sample configuration can be found here
>  >
>  > https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server
>  >
>  > Hope this helps!
>  >
>  > Andreas
>  >
>  > On 11.01.2017 10:43, Mark M wrote:
>  >  > Hi,
>  >  >
>  >  > I would like to setup a basic demo of the android client using TNC
>  >  > connecting to a strongSwan server as shown in this guide -
>  >  > https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
>  >  >
>  >  > Is there a guide I can follow for a basic strongSwan server setup to
>  >  > test out TNC with the android client? And is there anything special that
>  >  > needs to be configured on the android client or does the android client
>  >  > support TNC by default?
>  >  >
>  >  > Thanks,
>  >  >
>  >  > Mark
>  >
>  >

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
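One way to triage a charon log like the one quoted in this thread, as an added example that is not part of the mail or of strongSwan: it parses lines in charon's `NN[SUBSYS] message` format, records the EAP phase-2 methods and the TNC recommendation, and notes whether the IKE_SA was established and then deleted after a peer-sent AUTH_FAILED notify. The log excerpt is constructed from the format shown above (shortened lines), and the verdict strings are the example's own.

```python
import re

# Constructed excerpt in the charon log format quoted in the thread (selected, shortened lines).
SAMPLE_LOG = """\
12[IKE] phase2 method EAP_MD5 selected
16[IKE] phase2 method EAP_PT_EAP selected
08[TNC] final recommendation is 'allow' and evaluation is 'don't know'
08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[CN=192.168.1.5]...192.168.1.11[carol@strongswan.org]
11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
11[IKE] received DELETE for IKE_SA rw-allow[2]
"""

LINE_RE = re.compile(r"^(\d+)\[([A-Z]+)\] (.*)$")  # worker thread, subsystem, message

def triage_charon_log(text):
    """Collect per-attempt state from charon log lines; wrapped continuation lines are skipped."""
    s = {"eap_methods": [], "tnc_recommendation": None, "ike_sa_up": False,
         "peer_auth_failed": False, "ike_sa_deleted": False}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        grp, msg = m.group(2), m.group(3)
        if grp == "IKE":
            pm = re.search(r"phase2 method (\S+) selected", msg)
            if pm:
                s["eap_methods"].append(pm.group(1))
            elif msg.startswith("IKE_SA") and "established between" in msg:
                s["ike_sa_up"] = True
            elif msg.startswith("received DELETE for IKE_SA"):
                s["ike_sa_deleted"] = True
        elif grp == "TNC":
            rm = re.search(r"final recommendation is '([^']+)'", msg)
            if rm:
                s["tnc_recommendation"] = rm.group(1)
        elif grp == "ENC" and "INFORMATIONAL request" in msg and "N(AUTH_FAILED)" in msg:
            s["peer_auth_failed"] = True  # the notify was parsed from a request, so the peer sent it
    s["verdict"] = classify(s)
    return s

def classify(s):
    """Map the collected state to the side of the exchange that needs attention."""
    if s["tnc_recommendation"] is None:
        return "no TNC recommendation: IMVs or policy manager produced no result"
    if s["tnc_recommendation"] != "allow":
        return "TNC recommendation '%s': review the measurement policy" % s["tnc_recommendation"]
    if s["ike_sa_up"] and s["peer_auth_failed"] and s["ike_sa_deleted"]:
        return "server side completed (allow, IKE_SA established); peer sent AUTH_FAILED and deleted the SA"
    return "allow and IKE_SA established; no teardown seen"
```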
