sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

added ikev2/rw-eap-tnc-dynamic scenario

Browse Source
This commit is contained in:
Andreas Steffen 2011-01-31 07:30:41 +01:00
parent 3ba4d12139
commit 3ba7616d8f
19 changed files with 232 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt Normal file
View File

@ -0,0 +1,12 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
health of TNC client <b>carol</b> via the <b>TNCCS 1.1 </b> client-server interface and of
TNC client <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface. TNC server
<b>moon</b> dynamically detects which version of the IF-TNCCS protocol is used.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
respectively.
</p>

27
testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat Normal file
View File

@ -0,0 +1,27 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO

23
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf Executable file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
charondebug="tls 2, tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

11
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf Normal file
View File

@ -0,0 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}

1
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file Normal file
View File

@ -0,0 +1 @@
allow

4
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
IMC "HostScanner" /usr/local/lib/libhostscannerimc.so

23
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf Executable file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
charondebug="tls 2, tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

11
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf Normal file
View File

@ -0,0 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
}

1
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file Normal file
View File

@ -0,0 +1 @@
isolate

4
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
IMC "HostScanner" /usr/local/lib/libhostscannerimc.so

36
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf Executable file
View File

@ -0,0 +1,36 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
charondebug="tls 2, tnc 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
leftfirewall=yes
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any

6
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,6 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"

16
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf Normal file
View File

@ -0,0 +1,16 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown
multiple_authentication=no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-dynamic
}
}
}

4
testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMV configuration file for strongSwan server
IMV "Dummy" /usr/local/lib/libdummyimv.so
IMV "HostScanner" /usr/local/lib/libhostscannerimv.so

6
testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat Normal file
View File

@ -0,0 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null

15
testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat Normal file
View File

@ -0,0 +1,15 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
moon::ipsec start
carol::ipsec start
dave::ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
dave::sleep 1

26
testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
# UML instances on which FreeRadius is started
#
RADIUSHOSTS=