[strongSwan] Remote Attestation through Cisco ASA

Mario Maldonado mario.aj.maldonado at gmail.com
Fri Nov 17 00:18:21 CET 2017

Andreas, many thanks for your email.

I have now managed to get that working, performing attestation through the
ASA using the PT-TLS protocol!

Does it have to be kicked off using the command line utility pt-tls-client?

I couldn't find any documentation for the tnc-pdp plugin. Can I use it to
setup a gateway, deciding to allow the device onto a network if it passes
(like that of your IMA wiki example) with an ipsec.conf file, or is it just
geared around receiving the pt-tls-client request and performing the
integrity measurement verification? I can see the measurement pass or fail
but I'm struggling to see how I can set something up to periodically ask
for that measurement and if not successful, not allow the device onto my



On Thu, Nov 16, 2017 at 7:25 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Mario,
> if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
> do remote attestation via the PT-TLS protocol. On the client side you
> can use the strongSwan pt-tls-client and on the server side add the
> tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
> charon daemon.
> Regards
> Andreas
> On 15.11.2017 23:22, Mario Maldonado wrote:
>> Hi all,
>> I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
>> StrongSwan gateway ==== <>
>> ASA ==== <> Device
>> With no ASA I have successfully configured StrongSwan with remote
>> attestation using the EAP-TTLS plugin. I have also managed to configure
>> a StrongSwan connection to the ASA, giving me access to the
>> <> subnet. I am then unable to bring
>> up the attestation connection. I was hoping it would setup a tunnel
>> within the ASA tunnel but from what I understand IKE traffic is exempt
>> from the negotiated tunnel (preventing nested tunnels) and then blocked
>> by the ASA.
>> Is there a way around this / a nice way of achieving such a connection?
>> Can I use StrongSwan for TNC integrity measurement without the tls
>> tunnel? This way the TPM and IMA measurements can be sent through the
>> ASA tunnel with no issues. From looking around the docs it looks like
>> the only way of performing remote attestation is with the EAP-TTLS
>> plugin? This would also be ideal as the traffic only has to be decrypted
>> once by the device.
>> Many thanks,
>> Mario
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171116/8c3fa308/attachment.html>

More information about the Users mailing list