[strongSwan] Remote Attestation through Cisco ASA

Mario Maldonado mario.aj.maldonado at gmail.com
Wed Nov 15 23:22:22 CET 2017

Hi all,

I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
StrongSwan gateway ==== ASA ==== Device

With no ASA I have successfully configured StrongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure a
StrongSwan connection to the ASA, giving me access to the
subnet. I am then unable to bring up the attestation connection. I was
hoping it would setup a tunnel within the ASA tunnel but from what I
understand IKE traffic is exempt from the negotiated tunnel (preventing
nested tunnels) and then blocked by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use StrongSwan for TNC integrity measurement without the tls tunnel?
This way the TPM and IMA measurements can be sent through the ASA tunnel
with no issues. From looking around the docs it looks like the only way of
performing remote attestation is with the EAP-TTLS plugin? This would also
be ideal as the traffic only has to be decrypted once by the device.

Many thanks,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171115/98857a3b/attachment.html>

More information about the Users mailing list