Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-16 Thread Mario Maldonado 
Andreas, many thanks for your email.

I have now managed to get that working, performing attestation through the
ASA using the PT-TLS protocol!

Does it have to be kicked off using the command line utility pt-tls-client?

I couldn't find any documentation for the tnc-pdp plugin. Can I use it to
setup a gateway, deciding to allow the device onto a network if it passes
(like that of your IMA wiki example) with an ipsec.conf file, or is it just
geared around receiving the pt-tls-client request and performing the
integrity measurement verification? I can see the measurement pass or fail
but I'm struggling to see how I can set something up to periodically ask
for that measurement and if not successful, not allow the device onto my
network.

Regards,

Chris

On Thu, Nov 16, 2017 at 7:25 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Mario,
>
> if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
> do remote attestation via the PT-TLS protocol. On the client side you
> can use the strongSwan pt-tls-client and on the server side add the
> tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
> charon daemon.
>
> Regards
>
> Andreas
>
> On 15.11.2017 23:22, Mario Maldonado wrote:
>
>> Hi all,
>>
>> I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
>> StrongSwan gateway 192.168.0.0/24 
>> ASA 192.168.1.0/24  Device
>>
>> With no ASA I have successfully configured StrongSwan with remote
>> attestation using the EAP-TTLS plugin. I have also managed to configure
>> a StrongSwan connection to the ASA, giving me access to the
>> 192.168.0.0/24  subnet. I am then unable to bring
>> up the attestation connection. I was hoping it would setup a tunnel
>> within the ASA tunnel but from what I understand IKE traffic is exempt
>> from the negotiated tunnel (preventing nested tunnels) and then blocked
>> by the ASA.
>>
>> Is there a way around this / a nice way of achieving such a connection?
>>
>> Can I use StrongSwan for TNC integrity measurement without the tls
>> tunnel? This way the TPM and IMA measurements can be sent through the
>> ASA tunnel with no issues. From looking around the docs it looks like
>> the only way of performing remote attestation is with the EAP-TTLS
>> plugin? This would also be ideal as the traffic only has to be decrypted
>> once by the device.
>>
>> Many thanks,
>>
>> Mario
>>
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>
>

Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Andreas Steffen 

Hi Mario,

if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
do remote attestation via the PT-TLS protocol. On the client side you
can use the strongSwan pt-tls-client and on the server side add the
tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
charon daemon.

Regards

Andreas

On 15.11.2017 23:22, Mario Maldonado wrote:

Hi all,

I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
StrongSwan gateway 192.168.0.0/24 
ASA 192.168.1.0/24  Device

With no ASA I have successfully configured StrongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure
a StrongSwan connection to the ASA, giving me access to the
192.168.0.0/24  subnet. I am then unable to bring
up the attestation connection. I was hoping it would setup a tunnel
within the ASA tunnel but from what I understand IKE traffic is exempt
from the negotiated tunnel (preventing nested tunnels) and then blocked
by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use StrongSwan for TNC integrity measurement without the tls
tunnel? This way the TPM and IMA measurements can be sent through the
ASA tunnel with no issues. From looking around the docs it looks like
the only way of performing remote attestation is with the EAP-TTLS
plugin? This would also be ideal as the traffic only has to be decrypted
once by the device.

Many thanks,

Mario


--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==



smime.p7s
Description: S/MIME Cryptographic Signature

[strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Mario Maldonado 
Hi all,

I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
StrongSwan gateway 192.168.0.0/24 ASA 192.168.1.0/24 Device

With no ASA I have successfully configured StrongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure a
StrongSwan connection to the ASA, giving me access to the 192.168.0.0/24
subnet. I am then unable to bring up the attestation connection. I was
hoping it would setup a tunnel within the ASA tunnel but from what I
understand IKE traffic is exempt from the negotiated tunnel (preventing
nested tunnels) and then blocked by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use StrongSwan for TNC integrity measurement without the tls tunnel?
This way the TPM and IMA measurements can be sent through the ASA tunnel
with no issues. From looking around the docs it looks like the only way of
performing remote attestation is with the EAP-TTLS plugin? This would also
be ideal as the traffic only has to be decrypted once by the device.

Many thanks,

Mario