renamed ikev2/rw-eap-tnc-20 scenario to rw-eap-tnc-20-fhh

testing/tests/ikev2/rw-eap-tnc-20-fhh/description.txt

@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>. Th Dummy IMC and IMV from the TNC@FHH project is
+used which communicate with a proprietary protocol. 
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>

testing/tests/ikev2/rw-eap-tnc-20-fhh/evaltest.dat

@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+imc-test {
+  command = allow
+}

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/tnc/dummyimc.file

@@ -0,0 +1 @@
+allow

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/tnc/log4cxx.properties

@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/carol/etc/tnc_config

@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"	/usr/local/lib/libdummyimc.so

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/ipsec.conf

@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+imc-test {
+  command = isolate
+}

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/tnc/dummyimc.file

@@ -0,0 +1 @@
+isolate

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/tnc/log4cxx.properties

@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/dave/etc/tnc_config

@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"     /usr/local/lib/libdummyimc.so

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tnc 3, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/ipsec.secrets

@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+imv-test {
+  rounds = 1
+}

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/tnc/dummyimv.policy

@@ -0,0 +1 @@
+1

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy

@@ -0,0 +1,40 @@
+#FTP - File Transfer Protocol
+TCP 20 = whatever
+TCP 21 = close
+
+#SSH - Secure Shell
+TCP 22 = whatever
+
+#Telnet
+TCP 23 = close
+
+#E-Mail
+#
+#SMTP - Simple Mail Transfer Protocol
+TCP  25 = close
+TCP 587 = close
+#POP3 - Post Office Protocol version 3
+TCP 110 = close
+TCP 995 = close
+
+#DNS - Domain Name System
+UDP 53 = close
+TCP 53 = close
+
+#BOOTP/DHCP - Bootstrap Protocol /
+#Dynamic Host Configuration Protocol 
+UDP 67 = close
+#UDP 68 = open
+UDP 68 = whatever
+
+#www - World Wide Web
+#HTTP - Hypertext Transfer Protocol
+TCP  80 = close
+#HTTPS - Hypertext Transfer Protocol Secure
+TCP 443 = close
+
+#examples
+TCP 8080 = close
+TCP 5223 = whatever
+UDP 4444 = close
+UDP  631 = whatever

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/tnc/log4cxx.properties

@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n

testing/tests/ikev2/rw-eap-tnc-20-fhh/hosts/moon/etc/tnc_config

@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy"	/usr/local/lib/libdummyimv.so

testing/tests/ikev2/rw-eap-tnc-20-fhh/posttest.dat

@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null

testing/tests/ikev2/rw-eap-tnc-20-fhh/pretest.dat

@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1

testing/tests/ikev2/rw-eap-tnc-20-fhh/test.conf

@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+