added the ikev2/rw-eap-tnc-20 scenario based on the RFC 5792 PA-TNC protocol
This commit is contained in:
parent
510f37abd4
commit
83348c80e4
|
@ -217,6 +217,16 @@ then
|
||||||
echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
|
echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$USE_IMC_TEST" = "yes" ]
|
||||||
|
then
|
||||||
|
echo -n " --enable-imc-test" >> $INSTALLSHELL
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$USE_IMV_TEST" = "yes" ]
|
||||||
|
then
|
||||||
|
echo -n " --enable-imv-test" >> $INSTALLSHELL
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$USE_SQL" = "yes" ]
|
if [ "$USE_SQL" = "yes" ]
|
||||||
then
|
then
|
||||||
echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
|
echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
|
||||||
|
|
|
@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing
|
||||||
|
|
||||||
# Bzipped kernel sources
|
# Bzipped kernel sources
|
||||||
# (file extension .tar.bz2 required)
|
# (file extension .tar.bz2 required)
|
||||||
KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2
|
KERNEL=$UMLTESTDIR/linux-2.6.38.5.tar.bz2
|
||||||
|
|
||||||
# Extract kernel version
|
# Extract kernel version
|
||||||
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
|
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
|
||||||
|
@ -51,6 +51,8 @@ USE_TNC_IMV="yes"
|
||||||
USE_TNCCS_11="yes"
|
USE_TNCCS_11="yes"
|
||||||
USE_TNCCS_20="yes"
|
USE_TNCCS_20="yes"
|
||||||
USE_TNCCS_DYNAMIC="yes"
|
USE_TNCCS_DYNAMIC="yes"
|
||||||
|
USE_IMC_TEST="yes"
|
||||||
|
USE_IMV_TEST="yes"
|
||||||
USE_SQL="yes"
|
USE_SQL="yes"
|
||||||
USE_MEDIATION="yes"
|
USE_MEDIATION="yes"
|
||||||
USE_OPENSSL="yes"
|
USE_OPENSSL="yes"
|
||||||
|
|
|
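Review bot: The new `USE_IMC_TEST="yes"` and `USE_IMV_TEST="yes"` switches are added with no comment saying what they build, and they default to on like the production plugin switches around them. The first hunk maps them to `--enable-imc-test` / `--enable-imv-test`, and the scenario's strongswan.conf hunks drive the resulting IMC/IMV with a fixed `command = allow` / `command = isolate` rather than a measurement, so their test-only nature is worth stating next to the definitions, e.g. `# test-only IMC/IMV plugins: their recommendation is configured in the scenario's strongswan.conf, not measured`. The earlier kernel hunk in what appears to be the same file already uses `#` full-line comments (`# Bzipped kernel sources`), so a comment here follows the existing convention.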
@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
|
||||||
the clients doing EAP-MD5 password-based authentication.
|
the clients doing EAP-MD5 password-based authentication.
|
||||||
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||||
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
|
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
|
||||||
compliant with <b>RFC 5793 PB-TNC</b>.
|
compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate using the <b>RFC 5792 PA-TNC</b>
|
||||||
|
protocol.
|
||||||
<p>
|
<p>
|
||||||
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
|
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
|
||||||
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
|
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
|
||||||
|
|
|
@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
|
||||||
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||||
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||||
moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
|
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||||
moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
|
|
||||||
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
|
moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||||
moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
|
|
||||||
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||||
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||||
|
|
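Review bot: The replacement pattern `added group membership 'allow'` is no longer bound to a peer identity, whereas the removed auth.log line matched `policy enforced on peer 'carol@strongswan.org' is 'allow'`; with carol and dave assessed in the same run, a membership line logged for the other peer would satisfy the check. If the daemon.log message carries the peer identity, the regex should include it, for example `moon::cat /var/log/daemon.log::<peer-identity-wording>.*added group membership 'allow'::YES` (placeholder for the exact log text), and the same for the `'isolate'` line. If it does not, the `ipsec statusall` lines at the end of the hunk are the only checks that tie carol to rw-allow and dave to rw-isolate, so they must not be dropped in a later cleanup.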
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
config setup
|
config setup
|
||||||
plutostart=no
|
plutostart=no
|
||||||
charondebug="tls 2, tnc 3"
|
charondebug="tnc 3, imc 2"
|
||||||
|
|
||||||
conn %default
|
conn %default
|
||||||
ikelifetime=60m
|
ikelifetime=60m
|
||||||
|
|
|
@ -9,3 +9,7 @@ charon {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
imc-test {
|
||||||
|
command = allow
|
||||||
|
}
|
||||||
|
|
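Review bot: The new `imc-test` block sets `command = allow` with no comment on what the key controls or which values it accepts; the only documentation on the page is that carol, configured `allow`, passes and dave, configured `isolate` in the matching hunk of its strongswan.conf, is quarantined, so the value appears to dictate the test IMC's verdict rather than any measurement. A comment above the block such as `# test IMC only: the recommendation is taken from this value (allow on carol, isolate on dave), not from a real measurement` would keep a reader from carrying the block into a non-test configuration. The same applies to dave's `imc-test` block and to moon's `imv-test { rounds = 1 }` block, where `rounds` is equally undocumented.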
|
@ -1,4 +1,3 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "Dummy" /usr/local/lib/libdummyimc.so
|
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
||||||
#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
config setup
|
config setup
|
||||||
plutostart=no
|
plutostart=no
|
||||||
charondebug="tls 2, tnc 3"
|
charondebug="tnc 3, imc 2"
|
||||||
|
|
||||||
conn %default
|
conn %default
|
||||||
ikelifetime=60m
|
ikelifetime=60m
|
||||||
|
|
|
@ -9,3 +9,7 @@ charon {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
imc-test {
|
||||||
|
command = isolate
|
||||||
|
}
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "Dummy" /usr/local/lib/libdummyimc.so
|
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
||||||
#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
config setup
|
config setup
|
||||||
strictcrlpolicy=no
|
strictcrlpolicy=no
|
||||||
plutostart=no
|
plutostart=no
|
||||||
charondebug="tls 2, tnc 3"
|
charondebug="tnc 3, imv 2"
|
||||||
|
|
||||||
conn %default
|
conn %default
|
||||||
ikelifetime=60m
|
ikelifetime=60m
|
||||||
|
|
|
@ -14,3 +14,7 @@ charon {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
imv-test {
|
||||||
|
rounds = 1
|
||||||
|
}
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
#IMV configuration file for strongSwan server
|
#IMV configuration file for strongSwan server
|
||||||
|
|
||||||
IMV "Dummy" /usr/local/lib/libdummyimv.so
|
IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so
|
||||||
#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
|
|
||||||
|
|