[strongSwan] PT-TLS Protocol: Help with using pt-tls-client and tnc-pdp plugin

Mario Maldonado mario.aj.maldonado at gmail.com
Tue Jan 2 19:46:21 CET 2018


Any help with using the pt-tls-client and tnc-pdp plugin in a usable
situation would be greatly appreciated.

I am using StrongSwan through a Cisco ASA like the following and I wish to
use it to perform remote attestation:
Inside network --- StrongSwan gateway ==== ASA ==== Device

I have configured the StrongSwan connection between the device and the ASA,
such that connecting out to the device from the inside network will
automatically bring up the StrongSwan tunnel between the device and ASA and
the connection established.

IKE traffic is exempt from the negotiated tunnel (preventing nested
tunnels) and then blocked by the ASA. This prevents me from then setting up
another connection from the gateway to the device using EAP-TTLS with
remote attestation and an allow / isolate behaviour (like that of this
example https://wiki.strongswan.org/projects/strongswan/wiki/IMA).

The only way I have been able to get attesation measurements from the
device to the gateway is by using the PT-TLS protocol with the pt-tls-client
on the device and the tnc-pdp plugin listening on the PT-TLS TCP port 271
of the StrongSwan gateway. This goes through the negtioated tunnel between
the device and the ASA with no issues.

At present I am running the pt-tls-client command on the device but I have
two problems:

   - The device (pt-tls-client command) needs to have knowledge of the IP
   address of the StrongSwan gateway.
   - The result will then appear in the attesation database on the StrongSwan
   gateway but a decision will not be made to allow or isolate the device.

I can not see how this can be used when connecting out to a device from the
inside network, then perform attesatation to allow or block the connection
based upon the measurements. Is this kind of thing possible? How can I get
attestation to occur using the PT-TLS Protocol when connecting to the
device from the inside network where the device doesn't have knowledge of
the StrongSwan gateway's IP address?

I hope this is clear, I am happy to provide more information.

Kind regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180102/1941c2ac/attachment-0001.html>

More information about the Users mailing list