+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-<p/>
-In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS
-tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The IMCs and IMVs exchange
-messages over the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-The first time the TNC clients <b>carol</b> and <b>dave</b> send their measurements,
-TNC server <b>moon</b> requests a handshake retry. In the retry <b>carol</b> succeeds
-and <b>dave</b> fails. Thus based on this second round of measurements the clients are connected
-by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
-</p>
+++ /dev/null
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
-
-libimcv {
- plugins {
- imc-test {
- command = retry
- retry_command = allow
- }
- }
-}
+++ /dev/null
-connections {
-
- home {
- local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = carol@strongswan.org
- }
- remote {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
-}
+++ /dev/null
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
- plugins {
- tnc-imc {
- preferred_language = ru , de, en
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
-
-libimcv {
- plugins {
- imc-test {
- command = retry
- retry_command = isolate
- }
- imc-scanner {
- push_info = no
- }
- }
-}
+++ /dev/null
-connections {
-
- home {
- local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = dave@strongswan.org
- }
- remote {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
+++ /dev/null
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imv = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
-
-libimcv {
- plugins {
- imv-test {
- rounds = 0
- }
- imv-scanner {
- closed_port_policy = yes
- tcp_ports = 22
- udp_ports = 500 4500
- }
- }
-}
+++ /dev/null
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
+++ /dev/null
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
+++ /dev/null
-carol::systemctl stop strongswan-swanctl
-dave::systemctl stop strongswan-swanctl
-moon::systemctl stop strongswan-swanctl
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
-# charon controlled by swanctl
-#
-SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
