[strongSwan] Remote Attestation through Cisco ASA

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 16 08:25:14 CET 2017


Hi Mario,

if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
do remote attestation via the PT-TLS protocol. On the client side you
can use the strongSwan pt-tls-client and on the server side add the
tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
charon daemon.

Regards

Andreas

On 15.11.2017 23:22, Mario Maldonado wrote:
> Hi all,
>
> I wish to use StrongSwan for remote attestation through a Cisco ASA, e.g.:
> StrongSwan gateway ====192.168.0.0/24==== ASA ====192.168.1.0/24==== Device
>
> With no ASA I have successfully configured StrongSwan with remote
> attestation using the EAP-TTLS plugin. I have also managed to configure
> a StrongSwan connection to the ASA, giving me access to the
> 192.168.0.0/24 subnet. I am then unable to bring
> up the attestation connection. I was hoping it would set up a tunnel
> within the ASA tunnel but from what I understand IKE traffic is exempt
> from the negotiated tunnel (preventing nested tunnels) and then blocked
> by the ASA.
>
> Is there a way around this / a nice way of achieving such a connection?
>
> Can I use StrongSwan for TNC integrity measurement without the tls
> tunnel? This way the TPM and IMA measurements can be sent through the
> ASA tunnel with no issues. From looking around the docs it looks like
> the only way of performing remote attestation is with the EAP-TTLS
> plugin? This would also be ideal as the traffic only has to be decrypted
> once by the device.
>
> Many thanks,
>
> Mario

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
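As an added illustration of the server side Andreas describes (this fragment is the editor's, not code from the reply or from the strongSwan project), here is a strongswan.conf section that loads the tnc-pdp plugin's PT-TLS listener on TCP port 271. The option names (charon.plugins.tnc-pdp.server, pt_tls.enable, pt_tls.port, radius.enable) are given as the editor recalls them from the tnc-pdp documentation and should be checked against the strongswan.conf manual of the installed version; the hostname is a placeholder.

```conf
# Added example (not from the original mail): strongswan.conf fragment that
# turns the charon daemon into a PT-TLS policy decision point (PDP).
# Assumptions: strongSwan was built with the tnc-pdp plugin and at least one
# IMV (e.g. the attestation IMV); option names as recalled from the
# strongswan.conf documentation; "pdp.example.org" is a placeholder.
charon {
    plugins {
        tnc-pdp {
            # Identity of the PDP as carried in its server certificate;
            # pt-tls-client verifies the TLS handshake against this name.
            server = pdp.example.org

            # PT-TLS listener. Because this is ordinary TCP inside the ASA
            # tunnel rather than IKE, the "no nested tunnels" exemption the
            # ASA applies to IKE traffic does not affect it.
            pt_tls {
                enable = yes
                port = 271        # IANA-assigned PT-TLS port, as in the reply
            }

            # The RADIUS front-end is only needed when a NAS or switch
            # forwards EAP; with a direct pt-tls-client session it can stay off.
            radius {
                enable = no
            }
        }
    }
}
```

On the client, pt-tls-client is pointed at the PDP's tunnel-side address and port 271 (the tool's --connect and --port options, as the editor recalls them; confirm with pt-tls-client --help), authenticating with the client certificate or identity/secret the PDP expects. Two things to verify on the ASA side: the access rules for the VPN must permit TCP/271 from the device subnet to the PDP, and the ASA sees only an opaque TLS flow, so any inspection policy that blocks unknown TLS on non-443 ports needs an exception for that port.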
