testing: Removed TCG SWID IMC/IMV scenarios
This commit is contained in:
parent
a31f9b7691
commit
ce4b8f65d6
|
@ -1,9 +0,0 @@
|
||||||
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
|
|
||||||
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
|
|
||||||
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
|
|
||||||
during the <b>TLS setup phase</b>.
|
|
||||||
<p/>
|
|
||||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
|
|
||||||
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
|
|
||||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver
|
|
||||||
a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>.
|
|
|
@ -1,25 +0,0 @@
|
||||||
dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
|
|
||||||
dave:: cat /var/log/auth.log::collected ... SW records::YES
|
|
||||||
carol::cat /var/log/auth.log::received SASL Success result::YES
|
|
||||||
carol::cat /var/log/auth.log::collected ... SW ID records::YES
|
|
||||||
carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
|
|
||||||
carol::cat /var/log/auth.log::collected 1 SW record::YES
|
|
||||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
|
|
||||||
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
|
|
||||||
alice::cat /var/log/daemon.log::certificate status is good::YES
|
|
||||||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
|
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
|
|
||||||
alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
|
|
||||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
|
|
||||||
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
|
|
||||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
|
|
||||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
|
|
||||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
|
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
|
||||||
alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES
|
|
||||||
alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES
|
|
||||||
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
|
||||||
alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES
|
|
||||||
alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES
|
|
||||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
|
|
||||||
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
|
|
|
@ -1,31 +0,0 @@
|
||||||
WSGIPythonPath /var/www/tnc
|
|
||||||
|
|
||||||
<VirtualHost *:80>
|
|
||||||
ServerName tnc.strongswan.org
|
|
||||||
ServerAlias tnc
|
|
||||||
ServerAdmin webmaster@localhost
|
|
||||||
|
|
||||||
DocumentRoot /var/www/tnc
|
|
||||||
|
|
||||||
<Directory /var/www/tnc/config>
|
|
||||||
<Files wsgi.py>
|
|
||||||
<IfModule mod_authz_core.c>
|
|
||||||
Require all granted
|
|
||||||
</IfModule>
|
|
||||||
<IfModule !mod_authz_core.c>
|
|
||||||
Order deny,allow
|
|
||||||
Allow from all
|
|
||||||
</IfModule>
|
|
||||||
</Files>
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
|
|
||||||
WSGIApplicationGroup %{GLOBAL}
|
|
||||||
WSGIPassAuthorization On
|
|
||||||
|
|
||||||
Alias /static/ /var/www/tnc/static/
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
|
|
||||||
LogLevel warn
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
|
|
||||||
</VirtualHost>
|
|
|
@ -1 +0,0 @@
|
||||||
Include sites-available/000-default.conf
|
|
|
@ -1,28 +0,0 @@
|
||||||
*filter
|
|
||||||
|
|
||||||
# default policy is DROP
|
|
||||||
-P INPUT DROP
|
|
||||||
-P OUTPUT DROP
|
|
||||||
-P FORWARD DROP
|
|
||||||
|
|
||||||
# open loopback interface
|
|
||||||
-A INPUT -i lo -j ACCEPT
|
|
||||||
-A OUTPUT -o lo -j ACCEPT
|
|
||||||
|
|
||||||
# allow PT-TLS
|
|
||||||
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
|
|
||||||
|
|
||||||
# allow inbound ssh
|
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# allow outbound ssh
|
|
||||||
-A OUTPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
-A INPUT -p tcp --sport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# allow crl fetch from winnetou
|
|
||||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
|
||||||
|
|
||||||
COMMIT
|
|
|
@ -1,61 +0,0 @@
|
||||||
/* Devices */
|
|
||||||
|
|
||||||
INSERT INTO devices ( /* 1 */
|
|
||||||
value, product, created
|
|
||||||
)
|
|
||||||
SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
|
|
||||||
FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
|
|
||||||
|
|
||||||
/* Groups Members */
|
|
||||||
|
|
||||||
INSERT INTO groups_members (
|
|
||||||
group_id, device_id
|
|
||||||
) VALUES (
|
|
||||||
10, 1
|
|
||||||
);
|
|
||||||
|
|
||||||
/* Identities */
|
|
||||||
|
|
||||||
INSERT INTO identities (
|
|
||||||
type, value
|
|
||||||
) VALUES ( /* dave@strongswan.org */
|
|
||||||
4, X'64617665407374726f6e677377616e2e6f7267'
|
|
||||||
);
|
|
||||||
|
|
||||||
/* Sessions */
|
|
||||||
|
|
||||||
INSERT INTO sessions (
|
|
||||||
time, connection, identity, device, product, rec
|
|
||||||
)
|
|
||||||
SELECT NOW, 1, 1, 1, id, 0
|
|
||||||
FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
|
|
||||||
|
|
||||||
/* Results */
|
|
||||||
|
|
||||||
INSERT INTO results (
|
|
||||||
session, policy, rec, result
|
|
||||||
) VALUES (
|
|
||||||
1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
|
|
||||||
);
|
|
||||||
|
|
||||||
/* Enforcements */
|
|
||||||
|
|
||||||
INSERT INTO enforcements (
|
|
||||||
policy, group_id, max_age, rec_fail, rec_noresult
|
|
||||||
) VALUES (
|
|
||||||
3, 10, 0, 2, 2
|
|
||||||
);
|
|
||||||
|
|
||||||
INSERT INTO enforcements (
|
|
||||||
policy, group_id, max_age
|
|
||||||
) VALUES (
|
|
||||||
17, 2, 86400
|
|
||||||
);
|
|
||||||
|
|
||||||
INSERT INTO enforcements (
|
|
||||||
policy, group_id, max_age
|
|
||||||
) VALUES (
|
|
||||||
18, 10, 86400
|
|
||||||
);
|
|
||||||
|
|
||||||
DELETE FROM enforcements WHERE id = 1;
|
|
|
@ -1,19 +0,0 @@
|
||||||
[debug]
|
|
||||||
DEBUG=0
|
|
||||||
TEMPLATE_DEBUG=0
|
|
||||||
DEBUG_TOOLBAR=0
|
|
||||||
|
|
||||||
[db]
|
|
||||||
DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
|
|
||||||
STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db
|
|
||||||
|
|
||||||
[localization]
|
|
||||||
LANGUAGE_CODE=en-us
|
|
||||||
TIME_ZONE=Europe/Zurich
|
|
||||||
|
|
||||||
[admins]
|
|
||||||
Your Name: alice@strongswan.org
|
|
||||||
|
|
||||||
[security]
|
|
||||||
SECRET_KEY=strongSwan
|
|
||||||
ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc
|
|
|
@ -1,46 +0,0 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
|
||||||
|
|
||||||
charon-systemd {
|
|
||||||
load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
|
|
||||||
|
|
||||||
syslog {
|
|
||||||
daemon {
|
|
||||||
tls = 2
|
|
||||||
tnc = 2
|
|
||||||
imv = 3
|
|
||||||
}
|
|
||||||
}
|
|
||||||
plugins {
|
|
||||||
tnc-pdp {
|
|
||||||
server = aaa.strongswan.org
|
|
||||||
radius {
|
|
||||||
secret = gv6URkSs
|
|
||||||
}
|
|
||||||
}
|
|
||||||
tnc-imv {
|
|
||||||
dlclose = no
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
libtls {
|
|
||||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
||||||
}
|
|
||||||
|
|
||||||
libimcv {
|
|
||||||
database = sqlite:///etc/db.d/config.db
|
|
||||||
policy_script = /usr/local/libexec/ipsec/imv_policy_manager
|
|
||||||
|
|
||||||
plugins {
|
|
||||||
imv-swima {
|
|
||||||
rest_api {
|
|
||||||
uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
imv_policy_manager {
|
|
||||||
command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""'
|
|
||||||
command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""'
|
|
||||||
}
|
|
|
@ -1,27 +0,0 @@
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl
|
|
||||||
h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l
|
|
||||||
0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a
|
|
||||||
VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S
|
|
||||||
W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD
|
|
||||||
e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k
|
|
||||||
nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj
|
|
||||||
AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/
|
|
||||||
/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs
|
|
||||||
P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF
|
|
||||||
sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek
|
|
||||||
uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj
|
|
||||||
PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5
|
|
||||||
hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg
|
|
||||||
Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+
|
|
||||||
Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL
|
|
||||||
SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU
|
|
||||||
zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH
|
|
||||||
xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I
|
|
||||||
XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF
|
|
||||||
hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9
|
|
||||||
AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO
|
|
||||||
Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH
|
|
||||||
yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5
|
|
||||||
9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc=
|
|
||||||
-----END RSA PRIVATE KEY-----
|
|
|
@ -1,7 +0,0 @@
|
||||||
secrets {
|
|
||||||
|
|
||||||
eap-carol {
|
|
||||||
id = carol
|
|
||||||
secret = "Ar3etTnp"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,25 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
|
||||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
|
||||||
b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE
|
|
||||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
|
|
||||||
dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX
|
|
||||||
z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii
|
|
||||||
95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS
|
|
||||||
rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6
|
|
||||||
fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR
|
|
||||||
dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig
|
|
||||||
kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
|
|
||||||
AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd
|
|
||||||
p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
|
|
||||||
EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
|
|
||||||
ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
|
|
||||||
BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
|
|
||||||
Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs
|
|
||||||
nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/
|
|
||||||
TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2
|
|
||||||
FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ
|
|
||||||
GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH
|
|
||||||
sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73
|
|
||||||
xyr/Qw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,4 +0,0 @@
|
||||||
#IMV configuration file for strongSwan client
|
|
||||||
|
|
||||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
|
||||||
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so
|
|
|
@ -1,4 +0,0 @@
|
||||||
/* strongSwan SQLite database */
|
|
||||||
|
|
||||||
/* configuration is read from the command line */
|
|
||||||
/* credentials are read from the command line */
|
|
|
@ -1,20 +0,0 @@
|
||||||
*filter
|
|
||||||
|
|
||||||
# default policy is DROP
|
|
||||||
-P INPUT DROP
|
|
||||||
-P OUTPUT DROP
|
|
||||||
-P FORWARD DROP
|
|
||||||
|
|
||||||
# allow PT-TLS
|
|
||||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
|
|
||||||
|
|
||||||
# allow ssh
|
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# allow crl fetch from winnetou
|
|
||||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
|
||||||
|
|
||||||
COMMIT
|
|
|
@ -1,6 +0,0 @@
|
||||||
--connect aaa.strongswan.org
|
|
||||||
--client carol
|
|
||||||
--secret "Ar3etTnp"
|
|
||||||
--cert /etc/swanctl/x509ca/strongswanCert.pem
|
|
||||||
--quiet
|
|
||||||
--debug 2
|
|
|
@ -1,18 +0,0 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
|
||||||
|
|
||||||
libtls {
|
|
||||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
||||||
}
|
|
||||||
|
|
||||||
libimcv {
|
|
||||||
swid_gen {
|
|
||||||
tag_creator {
|
|
||||||
name = Debian Project
|
|
||||||
regid = debian.org
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pt-tls-client {
|
|
||||||
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
# the PT-TLS client reads its configuration and secrets via the command line
|
|
|
@ -1,4 +0,0 @@
|
||||||
#IMC configuration file for strongSwan client
|
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
|
||||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
|
|
@ -1,4 +0,0 @@
|
||||||
/* strongSwan SQLite database */
|
|
||||||
|
|
||||||
/* configuration is read from the command line */
|
|
||||||
/* credentials are read from the command line */
|
|
|
@ -1,20 +0,0 @@
|
||||||
*filter
|
|
||||||
|
|
||||||
# default policy is DROP
|
|
||||||
-P INPUT DROP
|
|
||||||
-P OUTPUT DROP
|
|
||||||
-P FORWARD DROP
|
|
||||||
|
|
||||||
# allow PT-TLS
|
|
||||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
|
|
||||||
|
|
||||||
# allow ssh
|
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# allow crl fetch from winnetou
|
|
||||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
|
||||||
|
|
||||||
COMMIT
|
|
|
@ -1,7 +0,0 @@
|
||||||
--connect aaa.strongswan.org
|
|
||||||
--client dave@strongswan.org
|
|
||||||
--key /etc/swanctl/rsa/daveKey.pem
|
|
||||||
--cert /etc/swanctl/x509/daveCert.pem
|
|
||||||
--cert /etc/swanctl/x509ca/strongswanCert.pem
|
|
||||||
--quiet
|
|
||||||
--debug 2
|
|
|
@ -1,27 +0,0 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
|
||||||
|
|
||||||
libimcv {
|
|
||||||
swid_gen {
|
|
||||||
tag_creator {
|
|
||||||
name = Debian Project
|
|
||||||
regid = debian.org
|
|
||||||
}
|
|
||||||
}
|
|
||||||
plugins {
|
|
||||||
imc-os {
|
|
||||||
push_info = no
|
|
||||||
}
|
|
||||||
imc-swima {
|
|
||||||
swid_directory = /usr/share
|
|
||||||
swid_pretty = yes
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
libtls {
|
|
||||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
||||||
}
|
|
||||||
|
|
||||||
pt-tls-client {
|
|
||||||
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
# the PT-TLS client reads its configuration and secrets via the command line
|
|
|
@ -1,4 +0,0 @@
|
||||||
#IMC configuration file for strongSwan client
|
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
|
||||||
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
|
||||||
|
|
||||||
# this file is not used in this scenario
|
|
|
@ -1 +0,0 @@
|
||||||
# this file is not used in this scenario
|
|
|
@ -1,10 +0,0 @@
|
||||||
carol::ip route del 10.1.0.0/16 via 192.168.0.1
|
|
||||||
dave::ip route del 10.1.0.0/16 via 192.168.0.1
|
|
||||||
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
|
|
||||||
alice::systemctl stop strongswan-swanctl
|
|
||||||
alice::systemctl stop apache2
|
|
||||||
alice::rm /etc/swanctl/rsa/aaaKey.pem
|
|
||||||
alice::rm /etc/swanctl/x509/aaaCert.pem
|
|
||||||
alice::iptables-restore < /etc/iptables.flush
|
|
||||||
carol::iptables-restore < /etc/iptables.flush
|
|
||||||
dave::iptables-restore < /etc/iptables.flush
|
|
|
@ -1,25 +0,0 @@
|
||||||
alice::iptables-restore < /etc/iptables.rules
|
|
||||||
carol::iptables-restore < /etc/iptables.rules
|
|
||||||
dave::iptables-restore < /etc/iptables.rules
|
|
||||||
alice::cat /etc/tnc_config
|
|
||||||
carol::cat /etc/tnc_config
|
|
||||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
|
||||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
|
||||||
dave::cat /etc/tnc_config
|
|
||||||
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
|
|
||||||
alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
|
|
||||||
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
|
|
||||||
alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
|
|
||||||
alice::/usr/local/bin/init_tnc
|
|
||||||
alice::rm /etc/swanctl/x509/aliceCert.pem
|
|
||||||
alice::rm /etc/swanctl/rsa/aliceKey.pem
|
|
||||||
alice::systemctl start apache2
|
|
||||||
alice::systemctl start strongswan-swanctl
|
|
||||||
alice::swanctl --load-creds
|
|
||||||
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
|
|
||||||
dave::ip route add 10.1.0.0/16 via 192.168.0.1
|
|
||||||
dave::cat /etc/pts/options
|
|
||||||
dave::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
|
|
||||||
carol::ip route add 10.1.0.0/16 via 192.168.0.1
|
|
||||||
carol::cat /etc/pts/options
|
|
||||||
carol::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
|
|
|
@ -1,29 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# This configuration file provides information on the
|
|
||||||
# guest instances used for this test
|
|
||||||
|
|
||||||
# All guest instances that are required for this test
|
|
||||||
#
|
|
||||||
VIRTHOSTS="alice moon carol winnetou dave"
|
|
||||||
|
|
||||||
# Corresponding block diagram
|
|
||||||
#
|
|
||||||
DIAGRAM="a-m-c-w-d.png"
|
|
||||||
|
|
||||||
# Guest instances on which tcpdump is to be started
|
|
||||||
#
|
|
||||||
TCPDUMPHOSTS="moon"
|
|
||||||
|
|
||||||
# Guest instances on which IPsec is started
|
|
||||||
# Used for IPsec logging purposes
|
|
||||||
#
|
|
||||||
IPSECHOSTS="carol moon dave alice"
|
|
||||||
|
|
||||||
# Guest instances on which databases are used
|
|
||||||
#
|
|
||||||
DBHOSTS="alice"
|
|
||||||
|
|
||||||
# charon controlled by swanctl
|
|
||||||
#
|
|
||||||
SWANCTL=1
|
|
|
@ -6,7 +6,9 @@ authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects t
|
||||||
client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
|
client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
|
||||||
the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
|
the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
|
||||||
client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
|
client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
|
||||||
is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
|
is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>. The <b>SWIMA</b> IMC on <b>carol</b>
|
||||||
|
is requested to deliver a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full
|
||||||
|
<b>Software Inventory</b>.
|
||||||
<p>
|
<p>
|
||||||
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
|
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
|
||||||
are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
|
are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||||
|
|
|
@ -1,18 +1,22 @@
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
||||||
dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
|
dave:: cat /var/log/daemon.log::collected ... SW records::YES
|
||||||
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
|
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
|
||||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
||||||
carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
|
carol::cat /var/log/daemon.log::collected ... SW ID records::YES
|
||||||
carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
|
carol::cat /var/log/daemon.log::strongswan.org__strongSwan.*swidtag::YES
|
||||||
|
carol::cat /var/log/daemon.log::collected 1 SW record::YES
|
||||||
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
|
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
|
alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
|
||||||
alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and ... SWID tags::YES
|
alice::cat /var/log/daemon.log::received software inventory with.*items for request 3 at last eid 1 of epoch::YES
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
||||||
alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of ... SWID tag IDs and 1 SWID tag::YES
|
alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES
|
||||||
|
alice::cat /var/log/daemon.log::received software ID inventory with.*items for request 9 at last eid 1 of epoch::YES
|
||||||
|
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
||||||
|
alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES
|
||||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||||
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
|
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
|
||||||
|
|
|
@ -34,8 +34,11 @@ libimcv {
|
||||||
policy_script = /usr/local/libexec/ipsec/imv_policy_manager
|
policy_script = /usr/local/libexec/ipsec/imv_policy_manager
|
||||||
|
|
||||||
plugins {
|
plugins {
|
||||||
imv-swid {
|
imv-swima {
|
||||||
rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
rest_api
|
||||||
|
{
|
||||||
|
uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMV configuration file for strongSwan client
|
#IMV configuration file for strongSwan client
|
||||||
|
|
||||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
|
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
||||||
|
|
|
@ -32,7 +32,7 @@ libimcv {
|
||||||
imc-os {
|
imc-os {
|
||||||
push_info = no
|
push_info = no
|
||||||
}
|
}
|
||||||
imc-swid {
|
imc-swima {
|
||||||
swid_directory = /usr/share
|
swid_directory = /usr/share
|
||||||
swid_pretty = no
|
swid_pretty = no
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
|
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
|
||||||
point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
|
point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
|
||||||
<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
|
<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
|
||||||
<b>TLS setup phase</b>.
|
during the <b>TLS setup phase</b>.
|
||||||
<p/>
|
<p/>
|
||||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
|
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
|
||||||
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
|
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
|
||||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
|
embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver
|
||||||
a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
|
a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>.
|
||||||
|
|
|
@ -1,23 +1,25 @@
|
||||||
dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
|
dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
|
||||||
dave:: cat /var/log/auth.log::collected ... SWID tags::YES
|
dave:: cat /var/log/auth.log::collected ... SW records::YES
|
||||||
carol::cat /var/log/auth.log::received SASL Success result::YES
|
carol::cat /var/log/auth.log::received SASL Success result::YES
|
||||||
carol::cat /var/log/auth.log::collected ... SWID tag IDs::YES
|
carol::cat /var/log/auth.log::collected ... SW ID records::YES
|
||||||
carol::cat /var/log/auth.log::collected 1 SWID tag::YES
|
carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
|
||||||
|
carol::cat /var/log/auth.log::collected 1 SW record::YES
|
||||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
|
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
|
||||||
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
|
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
|
||||||
alice::cat /var/log/daemon.log::certificate status is good::YES
|
alice::cat /var/log/daemon.log::certificate status is good::YES
|
||||||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
|
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
|
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
|
||||||
alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES
|
alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
|
||||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
|
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
|
||||||
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
|
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
|
||||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
|
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
|
||||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
|
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
|
||||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
|
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
|
||||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
||||||
alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items for request 9 at eid 1 of epoch::YES
|
alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES
|
||||||
|
alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES
|
||||||
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
||||||
alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
|
alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES
|
||||||
alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES
|
alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES
|
||||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
|
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
|
||||||
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
|
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
|
||||||
|
|
|
@ -17,6 +17,9 @@ charon-systemd {
|
||||||
secret = gv6URkSs
|
secret = gv6URkSs
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
tnc-imv {
|
||||||
|
dlclose = no
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,8 +32,10 @@ libimcv {
|
||||||
policy_script = /usr/local/libexec/ipsec/imv_policy_manager
|
policy_script = /usr/local/libexec/ipsec/imv_policy_manager
|
||||||
|
|
||||||
plugins {
|
plugins {
|
||||||
imv-swid {
|
imv-swima {
|
||||||
rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
rest_api {
|
||||||
|
uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMV configuration file for strongSwan client
|
#IMV configuration file for strongSwan client
|
||||||
|
|
||||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
|
IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so
|
||||||
|
|
|
@ -4,6 +4,15 @@ libtls {
|
||||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libimcv {
|
||||||
|
swid_gen {
|
||||||
|
tag_creator {
|
||||||
|
name = Debian Project
|
||||||
|
regid = debian.org
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pt-tls-client {
|
pt-tls-client {
|
||||||
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
|
load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
||||||
|
|
|
@ -1,11 +1,17 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
|
swid_gen {
|
||||||
|
tag_creator {
|
||||||
|
name = Debian Project
|
||||||
|
regid = debian.org
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
imc-os {
|
imc-os {
|
||||||
push_info = no
|
push_info = no
|
||||||
}
|
}
|
||||||
imc-swid {
|
imc-swima {
|
||||||
swid_directory = /usr/share
|
swid_directory = /usr/share
|
||||||
swid_pretty = yes
|
swid_pretty = yes
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#IMC configuration file for strongSwan client
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
|
||||||
|
|
Loading…
Reference in New Issue