Andreas Steffen
5 years ago
parent
a31f9b7691
commit
ce4b8f65d6
@ -1,9 +0,0 @@ |
||||
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision |
||||
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the |
||||
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication |
||||
during the <b>TLS setup phase</b>. |
||||
<p/> |
||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs |
||||
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages |
||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver |
||||
a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>. |
||||
@ -1,25 +0,0 @@ |
||||
dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES |
||||
dave:: cat /var/log/auth.log::collected ... SW records::YES |
||||
carol::cat /var/log/auth.log::received SASL Success result::YES |
||||
carol::cat /var/log/auth.log::collected ... SW ID records::YES |
||||
carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES |
||||
carol::cat /var/log/auth.log::collected 1 SW record::YES |
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES |
||||
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES |
||||
alice::cat /var/log/daemon.log::certificate status is good::YES |
||||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES |
||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES |
||||
alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES |
||||
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES |
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES |
||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES |
||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES |
||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES |
||||
alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES |
||||
alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::1 SWID tag target::YES |
||||
alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES |
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES |
||||
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES |
||||
@ -1,31 +0,0 @@ |
||||
WSGIPythonPath /var/www/tnc |
||||
|
||||
<VirtualHost *:80> |
||||
ServerName tnc.strongswan.org |
||||
ServerAlias tnc |
||||
ServerAdmin webmaster@localhost |
||||
|
||||
DocumentRoot /var/www/tnc |
||||
|
||||
<Directory /var/www/tnc/config> |
||||
<Files wsgi.py> |
||||
<IfModule mod_authz_core.c> |
||||
Require all granted |
||||
</IfModule> |
||||
<IfModule !mod_authz_core.c> |
||||
Order deny,allow |
||||
Allow from all |
||||
</IfModule> |
||||
</Files> |
||||
</Directory> |
||||
|
||||
WSGIScriptAlias / /var/www/tnc/config/wsgi.py |
||||
WSGIApplicationGroup %{GLOBAL} |
||||
WSGIPassAuthorization On |
||||
|
||||
Alias /static/ /var/www/tnc/static/ |
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log |
||||
LogLevel warn |
||||
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined |
||||
</VirtualHost> |
||||
@ -1 +0,0 @@ |
||||
Include sites-available/000-default.conf |
||||
@ -1,28 +0,0 @@ |
||||
*filter |
||||
|
||||
# default policy is DROP |
||||
-P INPUT DROP |
||||
-P OUTPUT DROP |
||||
-P FORWARD DROP |
||||
|
||||
# open loopback interface |
||||
-A INPUT -i lo -j ACCEPT |
||||
-A OUTPUT -o lo -j ACCEPT |
||||
|
||||
# allow PT-TLS |
||||
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT |
||||
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT |
||||
|
||||
# allow inbound ssh |
||||
-A INPUT -p tcp --dport 22 -j ACCEPT |
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT |
||||
|
||||
# allow outbound ssh |
||||
-A OUTPUT -p tcp --dport 22 -j ACCEPT |
||||
-A INPUT -p tcp --sport 22 -j ACCEPT |
||||
|
||||
# allow crl fetch from winnetou |
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT |
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT |
||||
|
||||
COMMIT |
||||
@ -1,61 +0,0 @@ |
||||
/* Devices */ |
||||
|
||||
INSERT INTO devices ( /* 1 */ |
||||
value, product, created |
||||
) |
||||
SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 |
||||
FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; |
||||
|
||||
/* Groups Members */ |
||||
|
||||
INSERT INTO groups_members ( |
||||
group_id, device_id |
||||
) VALUES ( |
||||
10, 1 |
||||
); |
||||
|
||||
/* Identities */ |
||||
|
||||
INSERT INTO identities ( |
||||
type, value |
||||
) VALUES ( /* dave@strongswan.org */ |
||||
4, X'64617665407374726f6e677377616e2e6f7267' |
||||
); |
||||
|
||||
/* Sessions */ |
||||
|
||||
INSERT INTO sessions ( |
||||
time, connection, identity, device, product, rec |
||||
) |
||||
SELECT NOW, 1, 1, 1, id, 0 |
||||
FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; |
||||
|
||||
/* Results */ |
||||
|
||||
INSERT INTO results ( |
||||
session, policy, rec, result |
||||
) VALUES ( |
||||
1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' |
||||
); |
||||
|
||||
/* Enforcements */ |
||||
|
||||
INSERT INTO enforcements ( |
||||
policy, group_id, max_age, rec_fail, rec_noresult |
||||
) VALUES ( |
||||
3, 10, 0, 2, 2 |
||||
); |
||||
|
||||
INSERT INTO enforcements ( |
||||
policy, group_id, max_age |
||||
) VALUES ( |
||||
17, 2, 86400 |
||||
); |
||||
|
||||
INSERT INTO enforcements ( |
||||
policy, group_id, max_age |
||||
) VALUES ( |
||||
18, 10, 86400 |
||||
); |
||||
|
||||
DELETE FROM enforcements WHERE id = 1; |
||||
@ -1,19 +0,0 @@ |
||||
[debug] |
||||
DEBUG=0 |
||||
TEMPLATE_DEBUG=0 |
||||
DEBUG_TOOLBAR=0 |
||||
|
||||
[db] |
||||
DJANGO_DB_URL=sqlite:////var/www/tnc/django.db |
||||
STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db |
||||
|
||||
[localization] |
||||
LANGUAGE_CODE=en-us |
||||
TIME_ZONE=Europe/Zurich |
||||
|
||||
[admins] |
||||
Your Name: alice@strongswan.org |
||||
|
||||
[security] |
||||
SECRET_KEY=strongSwan |
||||
ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc |
||||
@ -1,46 +0,0 @@ |
||||
# /etc/strongswan.conf - strongSwan configuration file |
||||
|
||||
charon-systemd { |
||||
load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite |
||||
|
||||
syslog { |
||||
daemon { |
||||
tls = 2 |
||||
tnc = 2 |
||||
imv = 3 |
||||
} |
||||
} |
||||
plugins { |
||||
tnc-pdp { |
||||
server = aaa.strongswan.org |
||||
radius { |
||||
secret = gv6URkSs |
||||
} |
||||
} |
||||
tnc-imv { |
||||
dlclose = no |
||||
} |
||||
} |
||||
} |
||||
|
||||
libtls { |
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
||||
} |
||||
|
||||
libimcv { |
||||
database = sqlite:///etc/db.d/config.db |
||||
policy_script = /usr/local/libexec/ipsec/imv_policy_manager |
||||
|
||||
plugins { |
||||
imv-swima { |
||||
rest_api { |
||||
uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ |
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
imv_policy_manager { |
||||
command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' |
||||
command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' |
||||
} |
||||
@ -1,27 +0,0 @@ |
||||
-----BEGIN RSA PRIVATE KEY----- |
||||
MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl |
||||
h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l |
||||
0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a |
||||
VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S |
||||
W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD |
||||
e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k |
||||
nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj |
||||
AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ |
||||
/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs |
||||
P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF |
||||
sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek |
||||
uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj |
||||
PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 |
||||
hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg |
||||
Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ |
||||
Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL |
||||
SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU |
||||
zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH |
||||
xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I |
||||
XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF |
||||
hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 |
||||
AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO |
||||
Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH |
||||
yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 |
||||
9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= |
||||
-----END RSA PRIVATE KEY----- |
||||
@ -1,7 +0,0 @@ |
||||
secrets { |
||||
|
||||
eap-carol { |
||||
id = carol |
||||
secret = "Ar3etTnp" |
||||
} |
||||
} |
||||
@ -1,25 +0,0 @@ |
||||
-----BEGIN CERTIFICATE----- |
||||
MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ |
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS |
||||
b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE |
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z |
||||
dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX |
||||
z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii |
||||
95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS |
||||
rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 |
||||
fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR |
||||
dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig |
||||
kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD |
||||
AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd |
||||
p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT |
||||
EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB |
||||
ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB |
||||
BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y |
||||
Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs |
||||
nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ |
||||
TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 |
||||
FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ |
||||
GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH |
||||
sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 |
||||
xyr/Qw== |
||||
-----END CERTIFICATE----- |
||||
@ -1,4 +0,0 @@ |
||||
#IMV configuration file for strongSwan client |
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so |
||||
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so |
||||
@ -1,4 +0,0 @@ |
||||
/* strongSwan SQLite database */ |
||||
|
||||
/* configuration is read from the command line */ |
||||
/* credentials are read from the command line */ |
||||
@ -1,20 +0,0 @@ |
||||
*filter |
||||
|
||||
# default policy is DROP |
||||
-P INPUT DROP |
||||
-P OUTPUT DROP |
||||
-P FORWARD DROP |
||||
|
||||
# allow PT-TLS |
||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT |
||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT |
||||
|
||||
# allow ssh |
||||
-A INPUT -p tcp --dport 22 -j ACCEPT |
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT |
||||
|
||||
# allow crl fetch from winnetou |
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT |
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT |
||||
|
||||
COMMIT |
||||
@ -1,6 +0,0 @@ |
||||
--connect aaa.strongswan.org |
||||
--client carol |
||||
--secret "Ar3etTnp" |
||||
--cert /etc/swanctl/x509ca/strongswanCert.pem |
||||
--quiet |
||||
--debug 2 |
||||
@ -1,18 +0,0 @@ |
||||
# /etc/strongswan.conf - strongSwan configuration file |
||||
|
||||
libtls { |
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
||||
} |
||||
|
||||
libimcv { |
||||
swid_gen { |
||||
tag_creator { |
||||
name = Debian Project |
||||
regid = debian.org |
||||
} |
||||
} |
||||
} |
||||
|
||||
pt-tls-client { |
||||
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20 |
||||
} |
||||
@ -1 +0,0 @@ |
||||
# the PT-TLS client reads its configuration and secrets via the command line |
||||
@ -1,4 +0,0 @@ |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
@ -1,4 +0,0 @@ |
||||
/* strongSwan SQLite database */ |
||||
|
||||
/* configuration is read from the command line */ |
||||
/* credentials are read from the command line */ |
||||
@ -1,20 +0,0 @@ |
||||
*filter |
||||
|
||||
# default policy is DROP |
||||
-P INPUT DROP |
||||
-P OUTPUT DROP |
||||
-P FORWARD DROP |
||||
|
||||
# allow PT-TLS |
||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT |
||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT |
||||
|
||||
# allow ssh |
||||
-A INPUT -p tcp --dport 22 -j ACCEPT |
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT |
||||
|
||||
# allow crl fetch from winnetou |
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT |
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT |
||||
|
||||
COMMIT |
||||
@ -1,7 +0,0 @@ |
||||
--connect aaa.strongswan.org |
||||
--client dave@strongswan.org |
||||
--key /etc/swanctl/rsa/daveKey.pem |
||||
--cert /etc/swanctl/x509/daveCert.pem |
||||
--cert /etc/swanctl/x509ca/strongswanCert.pem |
||||
--quiet |
||||
--debug 2 |
||||
@ -1,27 +0,0 @@ |
||||
# /etc/strongswan.conf - strongSwan configuration file |
||||
|
||||
libimcv { |
||||
swid_gen { |
||||
tag_creator { |
||||
name = Debian Project |
||||
regid = debian.org |
||||
} |
||||
} |
||||
plugins { |
||||
imc-os { |
||||
push_info = no |
||||
} |
||||
imc-swima { |
||||
swid_directory = /usr/share |
||||
swid_pretty = yes |
||||
} |
||||
} |
||||
} |
||||
|
||||
libtls { |
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
||||
} |
||||
|
||||
pt-tls-client { |
||||
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20 |
||||
} |
||||
@ -1 +0,0 @@ |
||||
# the PT-TLS client reads its configuration and secrets via the command line |
||||
@ -1,4 +0,0 @@ |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
@ -1,3 +0,0 @@ |
||||
# /etc/strongswan.conf - strongSwan configuration file |
||||
|
||||
# this file is not used in this scenario |
||||
@ -1 +0,0 @@ |
||||
# this file is not used in this scenario |
||||
@ -1,10 +0,0 @@ |
||||
carol::ip route del 10.1.0.0/16 via 192.168.0.1 |
||||
dave::ip route del 10.1.0.0/16 via 192.168.0.1 |
||||
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 |
||||
alice::systemctl stop strongswan-swanctl |
||||
alice::systemctl stop apache2 |
||||
alice::rm /etc/swanctl/rsa/aaaKey.pem |
||||
alice::rm /etc/swanctl/x509/aaaCert.pem |
||||
alice::iptables-restore < /etc/iptables.flush |
||||
carol::iptables-restore < /etc/iptables.flush |
||||
dave::iptables-restore < /etc/iptables.flush |
||||
@ -1,25 +0,0 @@ |
||||
alice::iptables-restore < /etc/iptables.rules |
||||
carol::iptables-restore < /etc/iptables.rules |
||||
dave::iptables-restore < /etc/iptables.rules |
||||
alice::cat /etc/tnc_config |
||||
carol::cat /etc/tnc_config |
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward |
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id |
||||
dave::cat /etc/tnc_config |
||||
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql |
||||
alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql |
||||
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db |
||||
alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db |
||||
alice::/usr/local/bin/init_tnc |
||||
alice::rm /etc/swanctl/x509/aliceCert.pem |
||||
alice::rm /etc/swanctl/rsa/aliceKey.pem |
||||
alice::systemctl start apache2 |
||||
alice::systemctl start strongswan-swanctl |
||||
alice::swanctl --load-creds |
||||
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 |
||||
dave::ip route add 10.1.0.0/16 via 192.168.0.1 |
||||
dave::cat /etc/pts/options |
||||
dave::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options |
||||
carol::ip route add 10.1.0.0/16 via 192.168.0.1 |
||||
carol::cat /etc/pts/options |
||||
carol::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options |
||||
@ -1,29 +0,0 @@ |
||||
#!/bin/bash |
||||
# |
||||
# This configuration file provides information on the |
||||
# guest instances used for this test |
||||
|
||||
# All guest instances that are required for this test |
||||
# |
||||
VIRTHOSTS="alice moon carol winnetou dave" |
||||
|
||||
# Corresponding block diagram |
||||
# |
||||
DIAGRAM="a-m-c-w-d.png" |
||||
|
||||
# Guest instances on which tcpdump is to be started |
||||
# |
||||
TCPDUMPHOSTS="moon" |
||||
|
||||
# Guest instances on which IPsec is started |
||||
# Used for IPsec logging purposes |
||||
# |
||||
IPSECHOSTS="carol moon dave alice" |
||||
|
||||
# Guest instances on which databases are used |
||||
# |
||||
DBHOSTS="alice" |
||||
|
||||
# charon controlled by swanctl |
||||
# |
||||
SWANCTL=1 |
||||
@ -1,4 +1,4 @@ |
||||
#IMV configuration file for strongSwan client |
||||
#IMV configuration file for strongSwan client |
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so |
||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so |
||||
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so |
||||
|
||||
@ -1,4 +1,4 @@ |
||||
#IMC configuration file for strongSwan client |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
|
||||
@ -1,4 +1,4 @@ |
||||
#IMC configuration file for strongSwan client |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
|
||||
@ -1,9 +1,9 @@ |
||||
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision |
||||
point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the |
||||
<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the |
||||
<b>TLS setup phase</b>. |
||||
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the |
||||
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication |
||||
during the <b>TLS setup phase</b>. |
||||
<p/> |
||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs |
||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs |
||||
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages |
||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver |
||||
a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>. |
||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver |
||||
a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>. |
||||
|
||||
@ -1,23 +1,25 @@ |
||||
dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES |
||||
dave:: cat /var/log/auth.log::collected ... SWID tags::YES |
||||
dave:: cat /var/log/auth.log::collected ... SW records::YES |
||||
carol::cat /var/log/auth.log::received SASL Success result::YES |
||||
carol::cat /var/log/auth.log::collected ... SWID tag IDs::YES |
||||
carol::cat /var/log/auth.log::collected 1 SWID tag::YES |
||||
carol::cat /var/log/auth.log::collected ... SW ID records::YES |
||||
carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES |
||||
carol::cat /var/log/auth.log::collected 1 SW record::YES |
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES |
||||
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES |
||||
alice::cat /var/log/daemon.log::certificate status is good::YES |
||||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES |
||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES |
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES |
||||
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES |
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES |
||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES |
||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES |
||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES |
||||
alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items for request 9 at eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES |
||||
alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::1 SWID tag target::YES |
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES |
||||
alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES |
||||
alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES |
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES |
||||
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES |
||||
|
||||
@ -1,4 +1,4 @@ |
||||
#IMV configuration file for strongSwan client |
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so |
||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so |
||||
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so |
||||
|
||||
@ -1,4 +1,4 @@ |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
|
||||
@ -1,4 +1,4 @@ |
||||
#IMC configuration file for strongSwan client |
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so |
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so |
||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |
||||
|
||||
Loading…
Reference in new issue