testing: Delete accidentally committed test cases
This commit is contained in:
Tobias Brunner
parent
abe116cdf8
commit
d6f0372daf
|
|
@ -1,12 +0,0 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
|
||||
point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2
|
||||
<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
|
||||
<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
|
||||
authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak
|
||||
client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
|
||||
the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
|
||||
client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
|
||||
is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
|
||||
<p>
|
||||
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
|
||||
are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
|
||||
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
||||
dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES
|
||||
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
|
||||
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
|
||||
carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES
|
||||
carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
|
||||
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
|
||||
alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES
|
||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
||||
alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
|
||||
moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
WSGIPythonPath /var/www/tnc
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName tnc.strongswan.org
|
||||
ServerAlias tnc
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
DocumentRoot /var/www/tnc
|
||||
|
||||
<Directory /var/www/tnc/config>
|
||||
<Files wsgi.py>
|
||||
Order deny,allow
|
||||
Allow from all
|
||||
</Files>
|
||||
</Directory>
|
||||
|
||||
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
|
||||
LogLevel warn
|
||||
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
|
||||
</VirtualHost>
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 2, imv 3"
|
||||
|
||||
conn aaa
|
||||
leftcert=aaaCert.pem
|
||||
leftid=aaa.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
|
||||
dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
|
||||
RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
|
||||
Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
|
||||
Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
|
||||
AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
|
||||
wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
|
||||
EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
|
||||
AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
|
||||
p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
|
||||
EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
|
||||
ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
|
||||
BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
|
||||
Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
|
||||
yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
|
||||
iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
|
||||
bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
|
||||
HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
|
||||
EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
|
||||
v42sww==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
|
||||
bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
|
||||
9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
|
||||
/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
|
||||
NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
|
||||
BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
|
||||
Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
|
||||
NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
|
||||
IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
|
||||
Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
|
||||
aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
|
||||
YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
|
||||
b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
|
||||
/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
|
||||
P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
|
||||
V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
|
||||
cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
|
||||
PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
|
||||
a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
|
||||
NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
|
||||
xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
|
||||
J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
|
||||
YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
|
||||
SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
|
||||
EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA aaaKey.pem
|
||||
|
||||
carol : EAP "Ar3etTnp"
|
||||
dave : EAP "W7R0g3do"
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
/* Devices */
|
||||
|
||||
INSERT INTO devices ( /* 1 */
|
||||
value, product, created
|
||||
) VALUES (
|
||||
'aabbccddeeff11223344556677889900', 42, 1372330615
|
||||
);
|
||||
|
||||
/* Groups Members */
|
||||
|
||||
INSERT INTO groups_members (
|
||||
group_id, device_id
|
||||
) VALUES (
|
||||
10, 1
|
||||
);
|
||||
|
||||
/* Identities */
|
||||
|
||||
INSERT INTO identities (
|
||||
type, value
|
||||
) VALUES ( /* dave@strongswan.org */
|
||||
5, X'64617665'
|
||||
);
|
||||
|
||||
/* Sessions */
|
||||
|
||||
INSERT INTO sessions (
|
||||
time, connection, identity, device, product, rec
|
||||
) VALUES (
|
||||
NOW, 1, 1, 1, 42, 0
|
||||
);
|
||||
|
||||
/* Results */
|
||||
|
||||
INSERT INTO results (
|
||||
session, policy, rec, result
|
||||
) VALUES (
|
||||
1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
|
||||
);
|
||||
|
||||
/* Enforcements */
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age, rec_fail, rec_noresult
|
||||
) VALUES (
|
||||
3, 10, 0, 2, 2
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
17, 2, 86400
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
18, 10, 86400
|
||||
);
|
||||
|
||||
DELETE FROM enforcements WHERE id = 1;
|
||||
Binary file not shown.
|
|
@ -1,19 +0,0 @@
|
|||
[debug]
|
||||
DEBUG=1
|
||||
TEMPLATE_DEBUG=1
|
||||
DEBUG_TOOLBAR=0
|
||||
|
||||
[db]
|
||||
DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
|
||||
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
|
||||
|
||||
[localization]
|
||||
LANGUAGE_CODE=en-us
|
||||
TIME_ZONE=Europe/Zurich
|
||||
|
||||
[admins]
|
||||
Your Name: alice@strongswan.org
|
||||
|
||||
[security]
|
||||
SECRET_KEY=strongSwan
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
|
||||
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
phase2_piggyback = yes
|
||||
phase2_tnc = yes
|
||||
max_message_count = 0
|
||||
}
|
||||
eap-tnc {
|
||||
max_message_count = 0
|
||||
}
|
||||
tnc-pdp {
|
||||
server = aaa.strongswan.org
|
||||
radius {
|
||||
secret = gv6URkSs
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
debug_level = 3
|
||||
database = sqlite:///etc/pts/config.db
|
||||
policy_script = ipsec imv_policy_manager
|
||||
|
||||
plugins {
|
||||
imv-swid {
|
||||
rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMV configuration file for strongSwan client
|
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 2, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
eap_identity=carol
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol : EAP "Ar3etTnp"
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
|
||||
|
||||
plugins {
|
||||
eap-ttls {
|
||||
max_message_count = 0
|
||||
}
|
||||
eap-tnc {
|
||||
max_message_count = 0
|
||||
}
|
||||
tnccs-20 {
|
||||
max_batch_size = 32754
|
||||
max_message_size = 32722
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 2, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
eap_identity=dave
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave : EAP "W7R0g3do"
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
|
||||
|
||||
plugins {
|
||||
eap-ttls {
|
||||
max_message_count = 0
|
||||
}
|
||||
eap-tnc {
|
||||
max_message_count = 0
|
||||
}
|
||||
tnccs-20 {
|
||||
max_batch_size = 32754
|
||||
max_message_size = 32722
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = no
|
||||
}
|
||||
imc-swid {
|
||||
swid_directory = /usr/share
|
||||
swid_pretty = no
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
eap_identity=%any
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow RADIUS protocol with alice
|
||||
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
#server = PH_IP6_ALICE
|
||||
server = PH_IP_ALICE
|
||||
filter_id = yes
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
alice::ipsec stop
|
||||
alice::service apache2 stop
|
||||
alice::rm /etc/pts/config.db
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
alice::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
||||
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
|
||||
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
|
||||
alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
|
||||
alice::service apache2 start
|
||||
alice::ipsec start
|
||||
moon::ipsec start
|
||||
dave::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 1
|
||||
dave::ipsec up home
|
||||
carol::ipsec up home
|
||||
carol::sleep 1
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave alice"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision
|
||||
point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
|
||||
<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
|
||||
<b>TLS setup phase</b>.
|
||||
<p/>
|
||||
During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
|
||||
loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
|
||||
embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
|
||||
a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
dave:: cat/var/log/auth.log::received SASL Success result::YES
|
||||
dave:: cat /var/log/auth.log::collected 372 SWID tags::YES
|
||||
carol::cat/var/log/auth.log::received SASL Success result::YES
|
||||
carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES
|
||||
carol::cat /var/log/auth.log::collected 1 SWID tag::YES
|
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
|
||||
alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
|
||||
alice::cat /var/log/daemon.log::certificate status is good::YES
|
||||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
|
||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
|
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES
|
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
|
||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
|
||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
|
||||
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
|
||||
alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES
|
||||
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
|
||||
alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
WSGIPythonPath /var/www/tnc
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName tnc.strongswan.org
|
||||
ServerAlias tnc
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
DocumentRoot /var/www/tnc
|
||||
|
||||
<Directory /var/www/tnc/config>
|
||||
<Files wsgi.py>
|
||||
Order deny,allow
|
||||
Allow from all
|
||||
</Files>
|
||||
</Directory>
|
||||
|
||||
WSGIScriptAlias / /var/www/tnc/config/wsgi.py
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
|
||||
LogLevel warn
|
||||
CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
|
||||
</VirtualHost>
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tls 2, tnc 2, imv 3"
|
||||
|
||||
conn aaa
|
||||
leftcert=aaaCert.pem
|
||||
leftid=aaa.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
|
||||
dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
|
||||
RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
|
||||
Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
|
||||
Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
|
||||
AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
|
||||
wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
|
||||
EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
|
||||
AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
|
||||
p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
|
||||
EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
|
||||
ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
|
||||
BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
|
||||
Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
|
||||
yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
|
||||
iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
|
||||
bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
|
||||
HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
|
||||
EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
|
||||
v42sww==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
|
||||
bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
|
||||
9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
|
||||
/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
|
||||
NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
|
||||
BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
|
||||
Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
|
||||
NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
|
||||
IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
|
||||
Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
|
||||
aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
|
||||
YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
|
||||
b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
|
||||
/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
|
||||
P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
|
||||
V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
|
||||
cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
|
||||
PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
|
||||
a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
|
||||
NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
|
||||
xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
|
||||
J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
|
||||
YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
|
||||
SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
|
||||
EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA aaaKey.pem
|
||||
|
||||
carol : EAP "Ar3etTnp"
|
||||
dave : EAP "W7R0g3do"
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# open loopback interface
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# allow PT-TLS
|
||||
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
/* Devices */
|
||||
|
||||
INSERT INTO devices ( /* 1 */
|
||||
value, product, created
|
||||
) VALUES (
|
||||
'aabbccddeeff11223344556677889900', 42, 1372330615
|
||||
);
|
||||
|
||||
/* Groups Members */
|
||||
|
||||
INSERT INTO groups_members (
|
||||
group_id, device_id
|
||||
) VALUES (
|
||||
10, 1
|
||||
);
|
||||
|
||||
/* Identities */
|
||||
|
||||
INSERT INTO identities (
|
||||
type, value
|
||||
) VALUES ( /* dave@strongswan.org */
|
||||
4, X'64617665407374726f6e677377616e2e6f7267'
|
||||
);
|
||||
|
||||
/* Sessions */
|
||||
|
||||
INSERT INTO sessions (
|
||||
time, connection, identity, device, product, rec
|
||||
) VALUES (
|
||||
NOW, 1, 1, 1, 42, 0
|
||||
);
|
||||
|
||||
/* Results */
|
||||
|
||||
INSERT INTO results (
|
||||
session, policy, rec, result
|
||||
) VALUES (
|
||||
1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
|
||||
);
|
||||
|
||||
/* Enforcements */
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age, rec_fail, rec_noresult
|
||||
) VALUES (
|
||||
3, 10, 0, 2, 2
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
17, 2, 86400
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
18, 10, 86400
|
||||
);
|
||||
|
||||
DELETE FROM enforcements WHERE id = 1;
|
||||
Binary file not shown.
|
|
@ -1,19 +0,0 @@
|
|||
[debug]
|
||||
DEBUG=1
|
||||
TEMPLATE_DEBUG=1
|
||||
DEBUG_TOOLBAR=0
|
||||
|
||||
[db]
|
||||
DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
|
||||
STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
|
||||
|
||||
[localization]
|
||||
LANGUAGE_CODE=en-us
|
||||
TIME_ZONE=Europe/Zurich
|
||||
|
||||
[admins]
|
||||
Your Name: alice@strongswan.org
|
||||
|
||||
[security]
|
||||
SECRET_KEY=strongSwan
|
||||
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
|
||||
|
||||
plugins {
|
||||
tnc-pdp {
|
||||
server = aaa.strongswan.org
|
||||
radius {
|
||||
secret = gv6URkSs
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
}
|
||||
|
||||
libimcv {
|
||||
database = sqlite:///etc/pts/config.db
|
||||
policy_script = ipsec imv_policy_manager
|
||||
|
||||
plugins {
|
||||
imv-swid {
|
||||
rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMV configuration file for strongSwan client
|
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||
IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
# the PT-TLS client reads its configuration via the command line
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
# the PT-TLS client loads its secrets via the command line
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
/* strongSwan SQLite database */
|
||||
|
||||
/* configuration is read from the command line */
|
||||
/* credentials are read from the command line */
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow PT-TLS
|
||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
--connect aaa.strongswan.org
|
||||
--client carol
|
||||
--secret "Ar3etTnp"
|
||||
--cert /etc/ipsec.d/cacerts/strongswanCert.pem
|
||||
--quiet
|
||||
--debug 2
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libtls {
|
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
}
|
||||
|
||||
pt-tls-client {
|
||||
load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
# the PT-TLS client reads its configuration via the command line
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
# the PT-TLS client loads its secrets via the command line
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
/* strongSwan SQLite database */
|
||||
|
||||
/* configuration is read from the command line */
|
||||
/* credentials are read from the command line */
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow PT-TLS
|
||||
-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
--connect aaa.strongswan.org
|
||||
--client dave@strongswan.org
|
||||
--key /etc/ipsec.d/private/daveKey.pem
|
||||
--cert /etc/ipsec.d/certs/daveCert.pem
|
||||
--cert /etc/ipsec.d/cacerts/strongswanCert.pem
|
||||
--quiet
|
||||
--debug 2
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = no
|
||||
}
|
||||
imc-swid {
|
||||
swid_directory = /usr/share
|
||||
swid_pretty = yes
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
}
|
||||
|
||||
pt-tls-client {
|
||||
load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
|
||||
}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
carol::ip route del 10.1.0.0/16 via 192.168.0.1
|
||||
dave::ip route del 10.1.0.0/16 via 192.168.0.1
|
||||
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
|
||||
alice::ipsec stop
|
||||
alice::service apache2 stop
|
||||
alice::rm /etc/pts/config.db
|
||||
alice::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
alice::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
alice::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
||||
dave::cat /etc/tnc_config
|
||||
alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
|
||||
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
|
||||
alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
|
||||
alice::service apache2 start
|
||||
alice::ipsec start
|
||||
alice::sleep 1
|
||||
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
|
||||
dave::ip route add 10.1.0.0/16 via 192.168.0.1
|
||||
dave::cat /etc/pts/options
|
||||
dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
|
||||
carol::ip route add 10.1.0.0/16 via 192.168.0.1
|
||||
carol::cat /etc/pts/options
|
||||
carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
|
||||
carol::sleep 1
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="carol dave alice"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
||||
Loading…
Reference in New Issue