[strongSwan] Android TNC server basic setup

Mark M mark076h at yahoo.com
Tue Jan 17 02:08:16 CET 2017


Andreas,
I had to change the password again with the "manage.py setpassword" and now I can edit everything.
So I finally got my device to start showing in the policy manager, but it does not look like the scans are actually being performed on the device.
Here is my config and log:

cat /etc/tnc_config
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so

ipsec.conf:

conn rw-allow
    rightgroups=allow
    rightsourceip=192.168.3.55
    leftsubnet=192.168.10.0/24
    also=rw222
    auto=add

conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw222
    auto=add

conn rw222
    leftcert=tnc3.crt
    leftid=@192.168.1.5
    rightsourceip=192.168.3.55
    leftauth=pubkey
    rightauth=eap-ttls
    rightid=*@strongswan.org
    rightsendcert=never
    right=%any
strongswan.conf:

charon {
    multiple_authentication = no
    filelog {
        /var/log/strongswan.log {
            append = no
            default = 1
            flush_line = yes
        }
    }
    plugins {
        eap-ttls {
            phase2_method = md5
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            protocol = tnccs-2.0
        }
        tnc-imv {
            recommendation_policy = default
        }
    }
}

libimcv {
    database = sqlite:///etc/pts/config.db
    policy_script = ipsec imv_policy_manager
    plugins {
        imv-test {
            rounds = 1
        }
        imv-scanner {
            closed_port_policy = yes
            udp_ports = 500 4500
            tcp_ports = 22
        }
    }
}

Log:
00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc3.key'
00[CFG]   loaded EAP secret for carol at strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
04[CFG] received stroke: add connection 'rw-allow'
04[CFG] adding virtual IP address pool 192.168.3.55
04[CFG]   loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
04[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
04[CFG] added configuration 'rw-allow'
14[CFG] received stroke: add connection 'rw-isolate'
14[CFG] reusing virtual IP address pool 192.168.3.55
14[CFG]   loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
14[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
14[CFG] added configuration 'rw-isolate'
04[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (732 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
04[IKE] 192.168.1.11 is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
04[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (38 bytes)
11[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (1052 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] 192.168.1.11 is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (584 bytes)
09[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (528 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
09[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
09[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
09[CFG] selected peer config 'rw-allow'
09[IKE] initiating EAP_TTLS method (id 0xA0)
09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
09[IKE] peer supports MOBIKE
09[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
09[IKE] sending end entity cert "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
09[ENC] splitting IKE message with length of 1312 bytes into 2 fragments
09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1236 bytes)
09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (148 bytes)
08[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)
08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
08[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
08[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
08[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1104 bytes)
12[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)
12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
12[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (464 bytes)
10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)
10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
10[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (224 bytes)
07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)
07[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
07[IKE] received EAP identity 'carol at strongswan.org'
07[IKE] phase2 method EAP_MD5 selected
07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
07[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (176 bytes)
06[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)
06[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
06[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_MD5 successful
06[IKE] phase2 method EAP_PT_EAP selected
06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
06[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (160 bytes)
10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (320 bytes)
10[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
10[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
10[TNC] assigned TNCCS Connection ID 1
10[TNC] received TNCCS batch (163 bytes)
10[TNC] processing PB-TNC CDATA batch for Connection ID 1
10[TNC] processing PA-TNC message with ID 0x83c807ae
10[IMV] operating system name is 'Android' from vendor Google
10[IMV] operating system version is '6.0.1'
10[IMV] device ID is 89f393cd9abad0d1
10[IMV] policy: imv_policy_manager start successful
10[TNC] creating PA-TNC message with ID 0x847f8ac7
10[TNC] creating PA-TNC message with ID 0x39ef8f2b
10[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
10[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (304 bytes)
14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (256 bytes)
14[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (92 bytes)
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[TNC] processing PA-TNC message with ID 0x0db51e10
14[TNC] creating PA-TNC message with ID 0x90c233ba
14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
14[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (208 bytes)
14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)
14[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (8 bytes)
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
14[IMV] policy: imv_policy_manager stop successful
14[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
14[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (192 bytes)
04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)
04[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
04[TNC] received TNCCS batch (8 bytes)
04[TNC] processing PB-TNC CLOSE batch for Connection ID 1
04[TNC] final recommendation is 'allow' and evaluation is 'don't know'
04[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_PT_EAP successful
04[TNC] removed TNCCS Connection ID 1
04[IKE] EAP method EAP_TTLS succeeded, MSK established
04[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)
04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (112 bytes)
04[ENC] parsed IKE_AUTH request 11 [ AUTH ]
04[IKE] authentication of 'carol at strongswan.org' with EAP successful
04[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with EAP
04[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
04[IKE] scheduling reauthentication in 10214s
04[IKE] maximum IKE_SA lifetime 10754s
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'carol at strongswan.org'
04[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
04[IKE] CHILD_SA rw-allow{1} established with SPIs cd745417_i 57dd2792_o and TS 192.168.10.0/24 === 192.168.3.55/32
04[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (272 bytes)
07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)
07[ENC] parsed INFORMATIONAL request 12 [ N(NO_ADD_ADDR) ]
07[ENC] generating INFORMATIONAL response 12 [ ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)
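Added example (editor's note, not part of Mark's message and not strongSwan code): a small Python script that pulls the TNC-relevant facts out of a charon log like the ones in this thread and lists what an operator should look at before trusting the 'allow'. The point it makes is the one the log above raises: 'don't know' is the evaluation result reported when the IMVs returned no compliance verdict, so an 'allow' paired with that evaluation came from the recommendation policy rather than from a measurement. The regular expressions follow the wording charon 5.5.1 prints above; the sample lines are excerpted from the two logs in this thread (the Jan 17 run, which kept the tunnel, and the Jan 16 run, in which the client sent AUTH_FAILED and deleted the IKE_SA), and the field names are the editor's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One charon log line: two-digit thread id, three-letter subsystem tag, message.
LINE_RE = re.compile(r"^(\d{2})\[([A-Z]{3})\]\s+(.*)$")

# Facts captured as strings (first regex group) or as flags (line seen at all).
# Wording follows what charon 5.5.x prints in the logs in this thread.
STRING_FIELDS = {
    "os_name": re.compile(r"operating system name is '([^']+)'"),
    "os_version": re.compile(r"operating system version is '([^']+)'"),
    "device_id": re.compile(r"device ID is ([0-9a-f]+)"),
    "enforced_group": re.compile(r"policy enforcement point added group membership '([^']+)'"),
}
FLAG_FIELDS = {
    "pts_ca_missing": re.compile(r"no PTS cacerts directory defined"),
    "child_sa_established": re.compile(r"CHILD_SA \S+ established with SPIs"),
    "auth_failed_from_peer": re.compile(r"parsed INFORMATIONAL request \d+ \[ N\(AUTH_FAILED\) \]"),
    "deleted_by_peer": re.compile(r"received DELETE for IKE_SA"),
}
RE_IMV_LOADED = re.compile(r'IMV \d+ "([^"]+)" loaded from ')
# The evaluation value can itself contain an apostrophe ("don't know"), so take
# everything up to the closing quote at the end of the line.
RE_FINAL = re.compile(r"final recommendation is '([^']+)' and evaluation is '(.+)'$")


@dataclass
class TncSummary:
    imvs: List[str] = field(default_factory=list)
    os_name: Optional[str] = None
    os_version: Optional[str] = None
    device_id: Optional[str] = None
    enforced_group: Optional[str] = None
    recommendation: Optional[str] = None
    evaluation: Optional[str] = None
    pts_ca_missing: bool = False
    child_sa_established: bool = False
    auth_failed_from_peer: bool = False
    deleted_by_peer: bool = False


def summarize(log_text: str) -> TncSummary:
    """Walk the log once and collect the TNC-relevant facts."""
    s = TncSummary()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line (e.g. config text pasted into the same file)
        msg = m.group(3)
        for attr, rx in STRING_FIELDS.items():
            if (x := rx.search(msg)):
                setattr(s, attr, x.group(1))
        for attr, rx in FLAG_FIELDS.items():
            if rx.search(msg):
                setattr(s, attr, True)
        if (x := RE_IMV_LOADED.search(msg)):
            s.imvs.append(x.group(1))
        if (x := RE_FINAL.search(msg)):
            s.recommendation, s.evaluation = x.group(1), x.group(2)
    return s


def findings(s: TncSummary) -> List[str]:
    """The points an operator should look at before trusting an 'allow'."""
    out = []
    if not s.imvs:
        out.append("no IMVs were loaded, so nothing could be measured")
    if s.pts_ca_missing:
        out.append("Attestation IMV loaded without a PTS cacerts directory")
    if s.recommendation and s.evaluation == "don't know":
        out.append(f"recommendation '{s.recommendation}' issued with no IMV evaluation result")
    if s.auth_failed_from_peer:
        out.append("peer sent AUTH_FAILED after EAP had succeeded")
    if s.child_sa_established and s.deleted_by_peer:
        out.append("peer deleted the IKE_SA right after the CHILD_SA came up")
    return out


# Constructed sample: lines excerpted from the two charon logs in this thread.
COMMON = """\
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
10[IMV] operating system name is 'Android' from vendor Google
10[IMV] operating system version is '6.0.1'
10[IMV] device ID is 89f393cd9abad0d1
04[TNC] final recommendation is 'allow' and evaluation is 'don't know'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] CHILD_SA rw-allow{1} established with SPIs cd745417_i 57dd2792_o and TS 192.168.10.0/24 === 192.168.3.55/32
"""
LOG_KEPT = COMMON  # Jan 17 run: the client kept the tunnel
LOG_DROPPED = COMMON + """\
11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
11[IKE] received DELETE for IKE_SA rw-allow[2]
"""  # Jan 16 run: the client tore the IKE_SA down straight away

if __name__ == "__main__":
    for name, log in (("kept", LOG_KEPT), ("dropped", LOG_DROPPED)):
        s = summarize(log)
        print(f"{name}: {s.os_name} {s.os_version} device={s.device_id} "
              f"recommendation={s.recommendation!r} evaluation={s.evaluation!r}")
        for f in findings(s):
            print("  -", f)
```

Point it at the filelog target from the strongswan.conf above with `summarize(open("/var/log/strongswan.log").read())`; lines that are not charon output are skipped, so a file with pasted config does no harm. If the Scanner IMV had actually evaluated the device, the final line would carry 'compliant' or 'non-compliant' instead of 'don't know', and the recommendation could be read as a measurement result.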



 

    On Monday, January 16, 2017 7:46 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
 

 Hi Mark,

did you exactly follow the instructions on how to initialize the
PTS database?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

Is the path to config.db set correctly in /etc/strongTNC/settings.ini?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

From my experience it seems that setting DEBUG=1 might help.

Regards

Andreas

On 16.01.2017 20:24, Mark M wrote:
> Andreas,
>
> I finally got the policy manager installed. However, I am not seeing the
> device when I form the connection and the android device disconnects.
>
> Any ideas on what could be wrong?
>
> This is what the stats page in the policy manager looks like -
> https://i.imgur.com/9M0sMa8.jpg
>
> Also the add groups button does not work and there are no entries under
> the policies and enforcements? Hard to say if everything is working
> correctly.
>
>
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux
> 4.8.0-22-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]  loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]  loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
> 00[CFG]  loaded EAP secret for carol at strongswan.org
> 00[TNC] TNC recommendation policy is 'default'
> 00[TNC] loading IMVs from '/etc/tnc_config'
> 00[LIB] libimcv initialized
> 00[IMV] IMV 1 "Attestation" initialized
> 00[PTS] no PTS cacerts directory defined
> 00[TNC] IMV 1 "Attestation" loaded from
> '/usr/lib/ipsec/imcvs/imv-attestation.so'
> 00[IMV] IMV 2 "Scanner" initialized
> 00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
> 00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve
> socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
> 00[JOB] spawning 16 worker threads
> 16[CFG] received stroke: add connection 'rw-allow'
> 16[CFG] adding virtual IP address pool 192.168.3.55
> 16[CFG]  loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 16[CFG]  id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 16[CFG] added configuration 'rw-allow'
> 06[CFG] received stroke: add connection 'rw-isolate'
> 06[CFG] adding virtual IP address pool 192.168.4.0/24
> 06[CFG]  loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 06[CFG]  id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 06[CFG] added configuration 'rw-isolate'
> 07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (732 bytes)
> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 07[IKE] 192.168.1.11 is initiating an IKE_SA
> 07[IKE] remote host is behind NAT
> 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
> 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> 07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38
> bytes)
> 05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (1052 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 05[IKE] 192.168.1.11 is initiating an IKE_SA
> 05[IKE] remote host is behind NAT
> 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631]
> (592 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (544 bytes)
> 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
> CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5"
> 16[CFG] looking for peer configs matching
> 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
> 16[CFG] selected peer config 'rw-allow'
> 16[IKE] initiating EAP_TTLS method (id 0x4F)
> 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 16[IKE] peer supports MOBIKE
> 16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC,
> OU=TNC, CN=192.168.1.5'
> 12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5'
> 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (1104 bytes)
> 06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
> 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
> 06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (432 bytes)
> 09[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
> 09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
> 09[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
> 09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (224 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
> 12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
> 12[IKE] received EAP identity 'carol at strongswan.org'
> 12[IKE] phase2 method EAP_MD5 selected
> 12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
> 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
> 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
> 16[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_MD5 successful
> 16[IKE] phase2 method EAP_PT_EAP selected
> 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (160 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (320 bytes)
> 11[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
> 11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 11[TNC] assigned TNCCS Connection ID 1
> 11[TNC] received TNCCS batch (163 bytes)
> 11[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 11[TNC] processing PA-TNC message with ID 0xdf457588
> 11[IMV] operating system name is 'Android' from vendor Google
> 11[IMV] operating system version is '6.0.1'
> 11[IMV] device ID is 89f393cd96b7d8d1
> 11[IMV] policy: imv_policy_manager start successful
> 11[TNC] creating PA-TNC message with ID 0x58b417d9
> 11[TNC] creating PA-TNC message with ID 0xec8c6991
> 11[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
> 11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 11[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (304 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (256 bytes)
> 07[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (92 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[TNC] processing PA-TNC message with ID 0x1bd50ae6
> 07[TNC] creating PA-TNC message with ID 0x8aa751ea
> 07[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (208 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 07[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (8 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
> 07[IMV] policy: imv_policy_manager stop successful
> 07[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (192 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 08[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
> 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 08[TNC] received TNCCS batch (8 bytes)
> 08[TNC] processing PB-TNC CLOSE batch for Connection ID 1
> 08[TNC] final recommendation is 'allow' and evaluation is 'don't know'
> 08[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
> 08[TNC] policy enforcement point added group membership 'allow'
> 08[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_PT_EAP successful
> 08[TNC] removed TNCCS Connection ID 1
> 08[IKE] EAP method EAP_TTLS succeeded, MSK established
> 08[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (112 bytes)
> 08[ENC] parsed IKE_AUTH request 11 [ AUTH ]
> 08[IKE] authentication of 'carol at strongswan.org' with EAP successful
> 08[IKE] authentication of 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5' (myself) with EAP
> 08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 08[IKE] scheduling reauthentication in 9896s
> 08[IKE] maximum IKE_SA lifetime 10436s
> 08[IKE] peer requested virtual IP %any
> 08[CFG] assigning new lease to 'carol at strongswan.org'
> 08[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
> 08[IKE] peer requested virtual IP %any6
> 08[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
> 08[IKE] CHILD_SA rw-allow{1} established with SPIs cfa1ff42_i ccd4b585_o
> and TS 192.168.10.0/24 === 192.168.3.55/32
> 08[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr
> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (272 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
> 11[IKE] received DELETE for IKE_SA rw-allow[2]
> 11[IKE] deleting IKE_SA rw-allow[2] between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 11[IKE] IKE_SA deleted
> 11[ENC] generating INFORMATIONAL response 12 [ ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 11[CFG] lease 192.168.3.55 by 'carol at strongswan.org' went offline
>
>
> Thanks,
>
> Mark
>
>
>
> On Saturday, January 14, 2017 7:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> the strongTNC guide tells you how to create the config.db database:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database
>
> Andreas
>
> On 15.01.2017 04:15, Mark M wrote:
>  > Andreas,
>  >
>  > The guides that I follow do not create the /etc/pts/config.db database?
>  >
>  > Thanks,
>  >
>  > Mark
>  >
>  >
>  > On Thursday, January 12, 2017 2:26 PM, Mark M <mark076h at yahoo.com
> <mailto:mark076h at yahoo.com>> wrote:
>  >
>  >
>  > Andreas,
>  >
>  > Thank you for the info,
>  >
>  > Now when I follow the guide to install the policy manager I only get the
>  > default apache page.
>  >
>  > I am following this guide -
>  > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC
>  >
>  > Thanks,
>  >
>  > Mark
>  >
>  >
>  > On Thursday, January 12, 2017 6:09 AM, Andreas Steffen
>  > <andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>> wrote:
>  >
>  >
>  > Hi Mark,
>  >
>  > you can find a [little-outdated] TNC server configuration HOWTO
>  > under the following link:
>  >
>  > https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
>  >
>  > In the meantime the TNC measurement policies are not hard-coded
>  > any more in /etc/strongswan.conf but can be configured via the
>  > strongTNC policy manager available from the strongSwan gitHub
>  > repository
>  >
>  > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc
>  >
>  > The IMVs on the strongTNC server must now connect to the strongTNC
>  > /etc/pts/config.db database. A sample configuration can be found here
>  >
>  >
>  >
> https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server
>  >
>  > Hope this helps!
>  >
>  > Andreas
>  >
>  > On 11.01.2017 10:43, Mark M wrote:
>  >  > Hi,
>  >  >
>  >  > I would like to setup a basic demo of the android client using TNC
>  >  > connecting to a strongSwan server as shown in this guide -
>  >  > https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
>  >  >
>  >  > Is there a guide I can follow for a basic strongSwan server setup to
>  >  > test out TNC with the android client? And is there anything special
>  >  > that needs to be configured on the android client or does the android
>  >  > client support TNC by default?
>  >  >
>  >  > Thanks,
>  >  >
>  >  > Mark
>  >
>  >
>  > ======================================================================
>  > Andreas Steffen                        andreas.steffen at strongswan.org
>  > strongSwan - the Open Source VPN Solution!          www.strongswan.org
>  > Institute for Internet Technologies and Applications
>  > University of Applied Sciences Rapperswil
>  > CH-8640 Rapperswil (Switzerland)
>  > ===========================================================[ITA-HSR]==
>
