[strongSwan] Android TNC server basic setup
Mark M
mark076h at yahoo.com
Thu Jan 19 00:45:29 CET 2017
I tried the Ubuntu client setup as shown here - https://wiki.strongswan.org/projects/strongswan/wiki/TNCC
Similar results to the Android client; it does not look like it actually does any scanning:
00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded EAP secret for carol at strongswan.org
00[TNC] loading IMCs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMC] IMC 1 "OS" initialized
00[IMC] processing "/etc/lsb-release" file
00[IMC] operating system name is 'Ubuntu'
00[IMC] operating system version is '16.10 x86_64'
00[TNC] IMC 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'
00[IMC] IMC 2 "Scanner" initialized
00[TNC] IMC 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imc-scanner.so'
00[IMC] IMC 3 "Attestation" initialized
00[TNC] IMC 3 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
00[IMC] IMC 4 "SWID" initialized
00[TNC] IMC 4 "SWID" loaded from '/usr/lib/ipsec/imcvs/imc-swid.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imc tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
04[CFG] received stroke: add connection 'home'
04[CFG] added configuration 'home'
11[CFG] received stroke: initiate 'home'
14[IKE] initiating IKE_SA home[1] to 192.168.1.5
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
14[NET] sending packet: from 192.168.1.6[500] to 192.168.1.5[500] (1156 bytes)
07[NET] received packet: from 192.168.1.5[500] to 192.168.1.6[500] (592 bytes)
07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
07[IKE] establishing CHILD_SA home
07[ENC] generating IKE_AUTH request 1 [ IDi SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
07[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (368 bytes)
13[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (96 bytes)
13[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
13[IKE] server requested EAP_TTLS authentication (id 0xD6)
13[TLS] EAP_TTLS version is v0
13[IKE] allow mutual EAP-only authentication
13[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
13[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (256 bytes)
10[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (1104 bytes)
10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
10[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
10[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (80 bytes)
14[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (464 bytes)
14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
14[TLS] received TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
14[CFG] using certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
14[CFG] using trusted ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
14[CFG] checking certificate status of "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
14[CFG] certificate status is not available
14[CFG] reached self-signed root ca with a path length of 0
14[TLS] received TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5
14[TLS] no TLS peer certificate found for 'carol at strongswan.org', skipping client authentication
14[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
14[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (240 bytes)
14[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (224 bytes)
14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
14[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (176 bytes)
06[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (176 bytes)
06[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
06[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
06[IKE] server requested EAP_MD5 authentication (id 0x1E)
06[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
06[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
06[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (176 bytes)
04[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (160 bytes)
04[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
04[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
04[IKE] server requested EAP_PT_EAP authentication (id 0x01)
04[TLS] EAP_PT_EAP version is v1
04[TNC] assigned TNCCS Connection ID 1
04[IMC] creating random EID epoch 0x2d7ccc9a
04[IMC] operating system numeric version is 16.10
04[IMC] last boot: Jan 18 22:59:34 UTC 2017, 2534 s ago
04[IMC] IPv4 forwarding is disabled
04[IMC] factory default password is disabled
04[IMC] device ID is 43022fbef0e04f8f91ecd99a163d4c1c
04[TNC] creating PA-TNC message with ID 0x65586bde
04[TNC] creating PA-TNC message with ID 0x5a029eac
04[TNC] creating PA-TNC message with ID 0x9b174985
04[TNC] sending PB-TNC CDATA batch (393 bytes) for Connection ID 1
04[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
04[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
04[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (544 bytes)
15[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (160 bytes)
15[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
15[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
15[TNC] received TNCCS batch (8 bytes)
15[TNC] processing PB-TNC SDATA batch for Connection ID 1
15[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
15[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
15[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
15[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (160 bytes)
04[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (192 bytes)
04[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
04[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
04[TNC] received TNCCS batch (40 bytes)
04[TNC] processing PB-TNC RESULT batch for Connection ID 1
04[TNC] PB-TNC assessment result is 'don't know'
04[TNC] PB-TNC access recommendation is 'Access Denied'
04[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
04[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
04[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
04[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (160 bytes)
05[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (144 bytes)
05[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
05[TLS] received TLS close notify
05[TLS] sending TLS close notify
05[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
05[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (144 bytes)
07[NET] received packet: from 192.168.1.5[4500] to 192.168.1.6[4500] (80 bytes)
07[ENC] parsed IKE_AUTH response 10 [ EAP/FAIL ]
07[IKE] received EAP_FAILURE, EAP authentication failed
07[ENC] generating INFORMATIONAL request 11 [ N(AUTH_FAILED) ]
07[NET] sending packet: from 192.168.1.6[4500] to 192.168.1.5[4500] (80 bytes)
07[TNC] removed TNCCS Connection ID 1
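Charon logs pasted into a mail archive often lose their line breaks, which makes the TNC outcome lines (assessment result, access recommendation, reason string, EAP success or failure) hard to pick out. The following Python is an added example, not code from this thread or from strongSwan: it re-splits log text at the two-digit thread id and bracketed subsystem tag that every charon record starts with, and then summarises which IMC/IMV modules were loaded and what the TNC exchange concluded, so a client-side log and a server-side log can be compared. The subsystem tag list and the two sample logs are assumptions, constructed to mirror the format of the logs in this thread.

```python
import re
from typing import Any, Dict, List

# Assumption: a charon record starts with a two-digit thread id and one of
# these bracketed subsystem tags (the set seen in logs like the ones above).
TAGS = "DMN|CFG|LIB|IMC|IMV|TNC|PTS|JOB|IKE|ENC|NET|TLS|KNL|CHD|MGR"
# Optional syslog-style timestamp, as the Android app prints it.
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
# One record: optional timestamp, thread id, tag, then the message up to the
# start of the next record (lookahead) or end of line. Splitting on this
# prefix instead of on "\n" recovers records from a flattened archive.
RECORD = re.compile(
    rf"(?:(?P<ts>{TS}) )?(?P<thread>\d{{2}})\[(?P<tag>{TAGS})\] "
    rf"(?P<msg>.*?)(?=(?:{TS} )?\d{{2}}\[(?:{TAGS})\] |$)"
)

# Module load lines: IMC 1 "OS" loaded from '...' / IMV 2 "Scanner" loaded ...
LOADED = re.compile(r'^IM([CV]) \d+ "([^"]+)" loaded')
EAP_OK = re.compile(r"EAP method \S+ succeeded")
# TNC outcome lines seen on the client (PB-TNC ...) and the server (final ...).
TNC_FIELDS = {
    "assessment": re.compile(r"PB-TNC assessment result is '(.+)'$"),
    "recommendation": re.compile(r"PB-TNC access recommendation is '(.+)'$"),
    "reason": re.compile(r"reason string is '(.+)' \["),
    "final_recommendation": re.compile(r"final recommendation is '(.+)' and evaluation is '"),
    "enforced_policy": re.compile(r"policy enforced on peer '.+' is '(.+)'$"),
}


def split_records(blob: str) -> List[Dict[str, str]]:
    """Return one dict per charon record, whether or not newlines survived."""
    records: List[Dict[str, str]] = []
    for line in blob.splitlines():
        for m in RECORD.finditer(line):
            records.append({
                "ts": m.group("ts") or "",
                "thread": m.group("thread"),
                "tag": m.group("tag"),
                "msg": m.group("msg").strip(),
            })
    return records


def tnc_outcome(records: List[Dict[str, str]]) -> Dict[str, Any]:
    """Summarise loaded IMC/IMV modules and the TNC verdict from either side's log."""
    summary: Dict[str, Any] = {"imcs": [], "imvs": [], "eap": None}
    for key in TNC_FIELDS:
        summary[key] = None
    for rec in records:
        msg = rec["msg"]
        loaded = LOADED.match(msg)
        if loaded:
            summary["imcs" if loaded.group(1) == "C" else "imvs"].append(loaded.group(2))
            continue
        for key, pattern in TNC_FIELDS.items():
            hit = pattern.search(msg)
            if hit:
                summary[key] = hit.group(1)
        if "EAP authentication failed" in msg:
            summary["eap"] = "failure"
        elif EAP_OK.search(msg):
            summary["eap"] = "success"
    return summary


# Constructed sample: a client log with the record boundaries lost.
SAMPLE_FLATTENED = (
    "00[TNC] loading IMCs from '/etc/tnc_config'"
    "00[IMC] IMC 1 \"OS\" initialized"
    "00[TNC] IMC 1 \"OS\" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'"
    "00[IMC] IMC 2 \"Scanner\" initialized"
    "00[TNC] IMC 2 \"Scanner\" loaded from '/usr/lib/ipsec/imcvs/imc-scanner.so'"
    "04[TNC] assigned TNCCS Connection ID 1"
    "04[TNC] sending PB-TNC CDATA batch (393 bytes) for Connection ID 1"
    "04[TNC] received TNCCS batch (40 bytes)"
    "04[TNC] processing PB-TNC RESULT batch for Connection ID 1"
    "04[TNC] PB-TNC assessment result is 'don't know'"
    "04[TNC] PB-TNC access recommendation is 'Access Denied'"
    "07[IKE] received EAP_FAILURE, EAP authentication failed"
    "07[TNC] removed TNCCS Connection ID 1"
)

# Constructed sample: a timestamped client log with intact line breaks.
SAMPLE_TIMESTAMPED = """\
Jan 17 05:18:01 00[TNC] IMC 1 "Android" loaded
Jan 17 05:18:01 11[TNC] PB-TNC assessment result is 'don't know'
Jan 17 05:18:01 11[TNC] PB-TNC access recommendation is 'Access Allowed'
Jan 17 05:18:01 11[TNC] reason string is 'IMC Test was not configured with "command = allow"' [en]
Jan 17 05:18:01 13[IKE] EAP method EAP_TTLS succeeded, MSK established
"""

if __name__ == "__main__":
    for name, blob in (("flattened", SAMPLE_FLATTENED), ("timestamped", SAMPLE_TIMESTAMPED)):
        print(name, tnc_outcome(split_records(blob)))
```

To use it on a real file, pass the contents of /var/log/strongswan.log (or the text copied from an archive) to split_records and hand the result to tnc_outcome; a client log fills "imcs" and the PB-TNC fields, a server log fills "imvs" and the final/enforced fields, and a verdict of 'don't know' on both sides with no IMC/IMV pair doing a measurement is visible at a glance.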
On Tuesday, January 17, 2017 5:42 PM, Mark M <mark076h at yahoo.com> wrote:
Andreas,
Which strongswan.conf config is required to see the results shown in the Android BYOD guide https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
Thanks,
On Tuesday, January 17, 2017 5:51 AM, Mark M <mark076h at yahoo.com> wrote:
Here is the log from the Android client;
Jan 17 05:18:01 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.61-8352520, aarch64)
Jan 17 05:18:01 00[LIB] libimcv initialized
Jan 17 05:18:01 00[IMC] IMC 1 "Android" initialized
Jan 17 05:18:01 00[TNC] IMC 1 "Android" loaded
Jan 17 05:18:01 00[LIB] loaded plugins: androidbridge android-byod charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
Jan 17 05:18:01 00[JOB] spawning 16 worker threads
Jan 17 05:18:01 07[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[38969] to 192.168.1.5[500] (744 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[500] to 192.168.1.11[38969] (38 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 05:18:01 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan 17 05:18:01 08[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[38969] to 192.168.1.5[500] (1064 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[500] to 192.168.1.11[38969] (584 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jan 17 05:18:01 11[IKE] faking NAT situation to enforce UDP encapsulation
Jan 17 05:18:01 11[IKE] sending cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 11[IKE] establishing CHILD_SA android
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (544 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (1236 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 17 05:18:01 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (148 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 17 05:18:01 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
Jan 17 05:18:01 12[IKE] received end entity cert "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] using certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] using trusted ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG] reached self-signed root ca with a path length of 0
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 17 05:18:01 12[IKE] server requested EAP_TTLS authentication (id 0xBC)
Jan 17 05:18:01 12[TLS] EAP_TTLS version is v0
Jan 17 05:18:01 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Jan 17 05:18:01 12[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 15[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (1104 bytes)
Jan 17 05:18:01 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Jan 17 05:18:01 15[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (80 bytes)
Jan 17 05:18:01 14[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (464 bytes)
Jan 17 05:18:01 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Jan 17 05:18:01 14[TLS] received TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
Jan 17 05:18:01 14[CFG] using certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG] using trusted ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG] reached self-signed root ca with a path length of 0
Jan 17 05:18:01 14[TLS] received TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5
Jan 17 05:18:01 14[TLS] no TLS peer certificate found for 'carol at strongswan.org', skipping client authentication
Jan 17 05:18:01 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Jan 17 05:18:01 14[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 07[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (224 bytes)
Jan 17 05:18:01 07[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 07[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Jan 17 05:18:01 07[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Jan 17 05:18:01 07[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Jan 17 05:18:01 07[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (176 bytes)
Jan 17 05:18:01 16[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (176 bytes)
Jan 17 05:18:01 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 16[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Jan 17 05:18:01 16[IKE] server requested EAP_MD5 authentication (id 0xEE)
Jan 17 05:18:01 16[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Jan 17 05:18:01 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Jan 17 05:18:01 16[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (176 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (160 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 08[IKE] server requested EAP_PT_EAP authentication (id 0x34)
Jan 17 05:18:01 08[TLS] EAP_PT_EAP version is v1
Jan 17 05:18:01 08[TNC] assigned TNCCS Connection ID 1
Jan 17 05:18:01 08[TNC] creating PA-TNC message with ID 0xcf951a70
Jan 17 05:18:01 08[TNC] sending PB-TNC CDATA batch (163 bytes) for Connection ID 1
Jan 17 05:18:01 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 08[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (320 bytes)
Jan 17 05:18:01 10[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (304 bytes)
Jan 17 05:18:01 10[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 10[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 10[TNC] received TNCCS batch (140 bytes)
Jan 17 05:18:01 10[TNC] processing PB-TNC SDATA batch for Connection ID 1
Jan 17 05:18:01 10[TNC] processing PA-TNC message with ID 0x5915d13d
Jan 17 05:18:01 10[IMC] received unsupported TCG attribute 'Max Attribute Size Request'
Jan 17 05:18:01 10[TNC] creating PA-TNC message with ID 0xd6eef0a3
Jan 17 05:18:01 10[TNC] sending PB-TNC CDATA batch (92 bytes) for Connection ID 1
Jan 17 05:18:01 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 10[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
Jan 17 05:18:01 10[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (256 bytes)
Jan 17 05:18:01 09[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (208 bytes)
Jan 17 05:18:01 09[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 09[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 09[TNC] received TNCCS batch (56 bytes)
Jan 17 05:18:01 09[TNC] processing PB-TNC SDATA batch for Connection ID 1
Jan 17 05:18:01 09[TNC] processing PA-TNC message with ID 0x66018546
Jan 17 05:18:01 09[IMC] ***** assessment of IMC 1 "Android" from IMV 1 *****
Jan 17 05:18:01 09[IMC] assessment result is 'don't know'
Jan 17 05:18:01 09[IMC] ***** end of assessment *****
Jan 17 05:18:01 09[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
Jan 17 05:18:01 09[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 09[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
Jan 17 05:18:01 09[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (160 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (272 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
Jan 17 05:18:01 11[TNC] received TNCCS batch (109 bytes)
Jan 17 05:18:01 11[TNC] processing PB-TNC RESULT batch for Connection ID 1
Jan 17 05:18:01 11[TNC] PB-TNC assessment result is 'don't know'
Jan 17 05:18:01 11[TNC] PB-TNC access recommendation is 'Access Allowed'
Jan 17 05:18:01 11[TNC] reason string is 'IMC Test was not configured with "command = allow"' [en]
Jan 17 05:18:01 11[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
Jan 17 05:18:01 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (160 bytes)
Jan 17 05:18:01 13[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (80 bytes)
Jan 17 05:18:01 13[ENC] parsed IKE_AUTH response 10 [ EAP/SUCC ]
Jan 17 05:18:01 13[IKE] EAP method EAP_TTLS succeeded, MSK established
Jan 17 05:18:01 13[IKE] authentication of 'carol at strongswan.org' (myself) with EAP
Jan 17 05:18:01 13[ENC] generating IKE_AUTH request 11 [ AUTH ]
Jan 17 05:18:01 13[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (112 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (272 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' with EAP successful
Jan 17 05:18:01 12[TNC] removed TNCCS Connection ID 1
Jan 17 05:18:01 12[IKE] IKE_SA android[1] established between 192.168.1.11[carol at strongswan.org]...192.168.1.5[C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5]
Jan 17 05:18:01 12[IKE] scheduling rekeying in 35453s
Jan 17 05:18:01 12[IKE] maximum IKE_SA lifetime 36053s
Jan 17 05:18:01 12[IKE] installing new virtual IP 192.168.3.55
Jan 17 05:18:01 12[IKE] CHILD_SA android{1} established with SPIs a67a390d_i cce3b26b_o and TS 192.168.3.55/32 === 192.168.10.0/24
Jan 17 05:18:01 12[DMN] setting up TUN device for CHILD_SA android{1}
Jan 17 05:18:01 12[DMN] successfully created TUN device
Jan 17 05:18:02 12[IKE] received AUTH_LIFETIME of 10196s, scheduling reauthentication in 9596s
Jan 17 05:18:02 12[IKE] peer supports MOBIKE
Jan 17 05:18:02 14[IKE] sending address list update using MOBIKE
Jan 17 05:18:02 14[ENC] generating INFORMATIONAL request 12 [ N(NO_ADD_ADDR) ]
Jan 17 05:18:02 14[NET] sending packet: from 192.168.1.11[35898] to 192.168.1.5[4500] (80 bytes)
Jan 17 05:18:02 16[NET] received packet: from 192.168.1.5[4500] to 192.168.1.11[35898] (80 bytes)
Jan 17 05:18:02 16[ENC] parsed INFORMATIONAL response 12 [ ]
On Monday, January 16, 2017 8:08 PM, Mark M <mark076h at yahoo.com> wrote:
Andreas,
I had to change the password again with the "manage.py setpassword" and now I can edit everything.
So I finally got my device to start showing in the policy manager but it does not look like the scans are actually being performed on the device.
Here is my config and log;
cat /etc/tnc_config
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so
ipsec.conf;
conn rw-allow
    rightgroups=allow
    rightsourceip=192.168.3.55
    leftsubnet=192.168.10.0/24
    also=rw222
    auto=add

conn rw-isolate
    rightgroups=isolate
    leftsubnet=10.1.0.16/28
    also=rw222
    auto=add

conn rw222
    leftcert=tnc3.crt
    leftid=@192.168.1.5
    rightsourceip=192.168.3.55
    leftauth=pubkey
    rightauth=eap-ttls
    rightid=*@strongswan.org
    rightsendcert=never
    right=%any
strongswan.conf;
charon {
    multiple_authentication = no
    filelog {
        /var/log/strongswan.log {
            append = no
            default = 1
            flush_line = yes
        }
    }
    plugins {
        eap-ttls {
            phase2_method = md5
            phase2_piggyback = yes
            phase2_tnc = yes
        }
        eap-tnc {
            protocol = tnccs-2.0
        }
        tnc-imv {
            recommendation_policy = default
        }
    }
}

libimcv {
    database = sqlite:///etc/pts/config.db
    policy_script = ipsec imv_policy_manager
    plugins {
        imv-test {
            rounds = 1
        }
        imv-scanner {
            closed_port_policy = yes
            udp_ports = 500 4500
            tcp_ports = 22
        }
    }
}
00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/tnc3.key'
00[CFG] loaded EAP secret for carol at strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
04[CFG] received stroke: add connection 'rw-allow'
04[CFG] adding virtual IP address pool 192.168.3.55
04[CFG] loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
04[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
04[CFG] added configuration 'rw-allow'
14[CFG] received stroke: add connection 'rw-isolate'
14[CFG] reusing virtual IP address pool 192.168.3.55
14[CFG] loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
14[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
14[CFG] added configuration 'rw-isolate'
04[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (732 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
04[IKE] 192.168.1.11 is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
04[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (38 bytes)
11[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (1052 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] 192.168.1.11 is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (584 bytes)
09[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (528 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
09[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
09[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
09[CFG] selected peer config 'rw-allow'
09[IKE] initiating EAP_TTLS method (id 0xA0)
09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
09[IKE] peer supports MOBIKE
09[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
09[IKE] sending end entity cert "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5"
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
09[ENC] splitting IKE message with length of 1312 bytes into 2 fragments
09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1236 bytes)
09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (148 bytes)
08[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)
08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
08[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
08[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
08[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (1104 bytes)
12[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)
12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
12[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (464 bytes)
10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (240 bytes)
10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
10[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (224 bytes)
07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)
07[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
07[IKE] received EAP identity 'carol at strongswan.org'
07[IKE] phase2 method EAP_MD5 selected
07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
07[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (176 bytes)
06[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (176 bytes)
06[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
06[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_MD5 successful
06[IKE] phase2 method EAP_PT_EAP selected
06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
06[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (160 bytes)
10[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (320 bytes)
10[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
10[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
10[TNC] assigned TNCCS Connection ID 1
10[TNC] received TNCCS batch (163 bytes)
10[TNC] processing PB-TNC CDATA batch for Connection ID 1
10[TNC] processing PA-TNC message with ID 0x83c807ae
10[IMV] operating system name is 'Android' from vendor Google
10[IMV] operating system version is '6.0.1'
10[IMV] device ID is 89f393cd9abad0d1
10[IMV] policy: imv_policy_manager start successful
10[TNC] creating PA-TNC message with ID 0x847f8ac7
10[TNC] creating PA-TNC message with ID 0x39ef8f2b
10[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
10[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
10[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (304 bytes)
14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (256 bytes)
14[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (92 bytes)
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[TNC] processing PA-TNC message with ID 0x0db51e10
14[TNC] creating PA-TNC message with ID 0x90c233ba
14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
14[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (208 bytes)
14[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)
14[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (8 bytes)
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
14[IMV] policy: imv_policy_manager stop successful
14[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
14[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (192 bytes)
04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (160 bytes)
04[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
04[TNC] received TNCCS batch (8 bytes)
04[TNC] processing PB-TNC CLOSE batch for Connection ID 1
04[TNC] final recommendation is 'allow' and evaluation is 'don't know'
04[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with EAP_PT_EAP successful
04[TNC] removed TNCCS Connection ID 1
04[IKE] EAP method EAP_TTLS succeeded, MSK established
04[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)
04[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (112 bytes)
04[ENC] parsed IKE_AUTH request 11 [ AUTH ]
04[IKE] authentication of 'carol at strongswan.org' with EAP successful
04[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5' (myself) with EAP
04[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
04[IKE] scheduling reauthentication in 10214s
04[IKE] maximum IKE_SA lifetime 10754s
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'carol at strongswan.org'
04[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
04[IKE] CHILD_SA rw-allow{1} established with SPIs cd745417_i 57dd2792_o and TS 192.168.10.0/24 === 192.168.3.55/32
04[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
04[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (272 bytes)
07[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (80 bytes)
07[ENC] parsed INFORMATIONAL request 12 [ N(NO_ADD_ADDR) ]
07[ENC] generating INFORMATIONAL response 12 [ ]
07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[35458] (80 bytes)
On Monday, January 16, 2017 7:46 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
Hi Mark,
did you exactly follow the instructions on how to initialize the
PTS database?
https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database
Is the path to config.db set correctly in /etc/strongTNC/settings.ini?
https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database
From my experience it seems that setting DEBUG=1 might help.
Regards
Andreas
On 16.01.2017 20:24, Mark M wrote:
> Andreas,
>
> I finally got the policy manager installed. However, I am not seeing the
> device when I form the connection and the android device disconnects.
>
> Any ideas on what could be wrong?
>
> This is what the stats page in the policy manager looks like -
> https://i.imgur.com/9M0sMa8.jpg
>
> Also the add groups button does not work and there are no entries under
> the policies and enforcements? Hard to say if everything is working
> correctly.
>
>
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux
> 4.8.0-22-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
> 00[CFG] loaded EAP secret for carol at strongswan.org
> 00[TNC] TNC recommendation policy is 'default'
> 00[TNC] loading IMVs from '/etc/tnc_config'
> 00[LIB] libimcv initialized
> 00[IMV] IMV 1 "Attestation" initialized
> 00[PTS] no PTS cacerts directory defined
> 00[TNC] IMV 1 "Attestation" loaded from
> '/usr/lib/ipsec/imcvs/imv-attestation.so'
> 00[IMV] IMV 2 "Scanner" initialized
> 00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
> 00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve
> socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
> 00[JOB] spawning 16 worker threads
> 16[CFG] received stroke: add connection 'rw-allow'
> 16[CFG] adding virtual IP address pool 192.168.3.55
> 16[CFG] loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 16[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 16[CFG] added configuration 'rw-allow'
> 06[CFG] received stroke: add connection 'rw-isolate'
> 06[CFG] adding virtual IP address pool 192.168.4.0/24
> 06[CFG] loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5" from 'tncserver.crt'
> 06[CFG] id '192.168.1.5' not confirmed by certificate, defaulting to
> 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
> 06[CFG] added configuration 'rw-isolate'
> 07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (732 bytes)
> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 07[IKE] 192.168.1.11 is initiating an IKE_SA
> 07[IKE] remote host is behind NAT
> 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
> 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> 07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38
> bytes)
> 05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
> (1052 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 05[IKE] 192.168.1.11 is initiating an IKE_SA
> 05[IKE] remote host is behind NAT
> 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631]
> (592 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (544 bytes)
> 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
> CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5"
> 16[CFG] looking for peer configs matching
> 192.168.1.5[%any]...192.168.1.11[carol at strongswan.org]
> 16[CFG] selected peer config 'rw-allow'
> 16[IKE] initiating EAP_TTLS method (id 0x4F)
> 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 16[IKE] peer supports MOBIKE
> 16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC,
> OU=TNC, CN=192.168.1.5'
> 12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5'
> 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (1104 bytes)
> 06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
> 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
> 06[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (432 bytes)
> 09[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (240 bytes)
> 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
> 09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
> 09[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
> 09[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (224 bytes)
> 12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
> 12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
> 12[IKE] received EAP identity 'carol at strongswan.org'
> 12[IKE] phase2 method EAP_MD5 selected
> 12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
> 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
> 12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (176 bytes)
> 16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (176 bytes)
> 16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
> 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
> 16[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_MD5 successful
> 16[IKE] phase2 method EAP_PT_EAP selected
> 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
> 16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (160 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (320 bytes)
> 11[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
> 11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 11[TNC] assigned TNCCS Connection ID 1
> 11[TNC] received TNCCS batch (163 bytes)
> 11[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 11[TNC] processing PA-TNC message with ID 0xdf457588
> 11[IMV] operating system name is 'Android' from vendor Google
> 11[IMV] operating system version is '6.0.1'
> 11[IMV] device ID is 89f393cd96b7d8d1
> 11[IMV] policy: imv_policy_manager start successful
> 11[TNC] creating PA-TNC message with ID 0x58b417d9
> 11[TNC] creating PA-TNC message with ID 0xec8c6991
> 11[TNC] sending PB-TNC SDATA batch (144 bytes) for Connection ID 1
> 11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 11[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (304 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (256 bytes)
> 07[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (92 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[TNC] processing PA-TNC message with ID 0x1bd50ae6
> 07[TNC] creating PA-TNC message with ID 0x8aa751ea
> 07[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (208 bytes)
> 07[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 07[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
> 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 07[TNC] received TNCCS batch (8 bytes)
> 07[TNC] processing PB-TNC CDATA batch for Connection ID 1
> 07[IMV] policy: recommendation for access requestor 192.168.1.11 is allow
> 07[IMV] policy: imv_policy_manager stop successful
> 07[TNC] sending PB-TNC RESULT batch (40 bytes) for Connection ID 1
> 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
> 07[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
> 07[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (192 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (160 bytes)
> 08[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
> 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
> 08[TNC] received TNCCS batch (8 bytes)
> 08[TNC] processing PB-TNC CLOSE batch for Connection ID 1
> 08[TNC] final recommendation is 'allow' and evaluation is 'don't know'
> 08[TNC] policy enforced on peer 'carol at strongswan.org' is 'allow'
> 08[TNC] policy enforcement point added group membership 'allow'
> 08[IKE] EAP_TTLS phase2 authentication of 'carol at strongswan.org' with
> EAP_PT_EAP successful
> 08[TNC] removed TNCCS Connection ID 1
> 08[IKE] EAP method EAP_TTLS succeeded, MSK established
> 08[ENC] generating IKE_AUTH response 10 [ EAP/SUCC ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 08[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (112 bytes)
> 08[ENC] parsed IKE_AUTH request 11 [ AUTH ]
> 08[IKE] authentication of 'carol at strongswan.org' with EAP successful
> 08[IKE] authentication of 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
> CN=192.168.1.5' (myself) with EAP
> 08[IKE] IKE_SA rw-allow[2] established between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 08[IKE] scheduling reauthentication in 9896s
> 08[IKE] maximum IKE_SA lifetime 10436s
> 08[IKE] peer requested virtual IP %any
> 08[CFG] assigning new lease to 'carol at strongswan.org'
> 08[IKE] assigning virtual IP 192.168.3.55 to peer 'carol at strongswan.org'
> 08[IKE] peer requested virtual IP %any6
> 08[IKE] no virtual IP found for %any6 requested by 'carol at strongswan.org'
> 08[IKE] CHILD_SA rw-allow{1} established with SPIs cfa1ff42_i ccd4b585_o
> and TS 192.168.10.0/24 === 192.168.3.55/32
> 08[ENC] generating IKE_AUTH response 11 [ AUTH CPRP(ADDR) SA TSi TSr
> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (272 bytes)
> 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
> (80 bytes)
> 11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]
> 11[IKE] received DELETE for IKE_SA rw-allow[2]
> 11[IKE] deleting IKE_SA rw-allow[2] between 192.168.1.5[C=US, ST=MD,
> L=TNC, O=TNC, OU=TNC, CN=192.168.1.5]...192.168.1.11[carol at strongswan.org]
> 11[IKE] IKE_SA deleted
> 11[ENC] generating INFORMATIONAL response 12 [ ]
> 11[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
> (80 bytes)
> 11[CFG] lease 192.168.3.55 by 'carol at strongswan.org' went offline
>
>
> Thanks,
>
> Mark
>
>
>
> On Saturday, January 14, 2017 7:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> the strongTNC guide tells you how to create the config.db database:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database
>
> Andreas
>
> On 15.01.2017 04:15, Mark M wrote:
> > Andreas,
> >
> > The guides that I follow do not create the /etc/pts/config.db database?
> >
> > Thanks,
> >
> > Mark
> >
> >
> > On Thursday, January 12, 2017 2:26 PM, Mark M <mark076h at yahoo.com> wrote:
> >
> >
> > Andreas,
> >
> > Thank you for the info,
> >
> > Now when I follow the guide to install the policy manager I only get the
> > default apache page.
> >
> > I am following this guide -
> > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC
> >
> > Thanks,
> >
> > Mark
> >
> >
> > On Thursday, January 12, 2017 6:09 AM, Andreas Steffen
> > <andreas.steffen at strongswan.org> wrote:
> >
> >
> > Hi Mark,
> >
> > you can find a [little-outdated] TNC server configuration HOWTO
> > under the following link:
> >
> > https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
> >
> > In the meantime the TNC measurement policies are not hard-coded
> > any more in /etc/strongswan.conf but can be configured via the
> > strongTNC policy manager available from the strongSwan gitHub
> > repository
> >
> > https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc
> >
> > The IMVs on the strongTNC server must now connect to the strongTNC
> > /etc/pts/config.db database. A sample configuration can be found here
> >
> > https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server
> >
> > Hope this helps!
> >
> > Andreas
> >
> > On 11.01.2017 10:43, Mark M wrote:
> > > Hi,
> > >
> > > I would like to set up a basic demo of the android client using TNC
> > > connecting to a strongSwan server as shown in this guide -
> > > https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
> > >
> > > Is there a guide I can follow for a basic strongSwan server setup to
> > > test out TNC with the android client? And is there anything special that
> > > needs to be configured on the android client or does the android client
> > > support TNC by default?
> > >
> > > Thanks,
> > >
> > > Mark
> >
> >
> > ======================================================================
> > Andreas Steffen andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==