[strongSwan] Multiple IKEv2 proposals

2019-07-01 Thread Graham Bartlett (grbartle)
Hi

Is it possible to send multiple IKEv2 proposals?

The use case being, one with combined mode ciphers and the other without.

Many thanks 




Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Tobias Brunner
Hi Harald,

>> Is a search domain actually required in your setup?  Because, as I said,
>> there is no standardized IKEv2 attribute for it at all.
>>
> 
> Yes, definitively. My colleagues are used to openvpn and its NetworkManager
> plugin, supporting several "dhcp-options", including domain search list.

That doesn't answer the question whether it is actually required.  Just
because it's an option in some other tool, doesn't mean it is actually
used (are people really that lazy and don't type full domain names?
what about TLS?).

> IPsec configuration on a road warrior laptop appears to be more difficult.

Nobody forces you to use IPsec :-)

>  From an admin point of view, it would be much easier and less error-prone
> to define the search list at a central location on the gateway than in the
> Network Manager gui on every road warrior laptop.

Well, there is no separate attribute to exchange it, so...  I guess a
client that supports INTERNAL_DNS_DOMAIN attributes could install the
same as search domains (maybe optionally) but not sure if that's what
people expect or if that would have some side-effects (not sure if NM
does that already as it only has one option that takes multiple domain
names, maybe it uses them for both, or it only supports search domains).

Scripting/importing NM configs might also be an option to make local
configuration easier for users.

> What I meant is, would you agree that strongswan could define its own private
> extension for IKEv2, similar to Cisco's IKEv1 extension? Obviously strongswan
> can forward some DNS server IP addresses to the peer, using the remote
> resolvconf tool to setup /etc/resolv.conf. I thought it might be just a small
> step to push a domain search string to the peer as well.

I guess, but it's not a nice solution at all (identifiers from the
private use range are very problematic and require exchange vendor ID
payloads).  You could go the IETF route and write an Internet Draft that
defines such a configuration attribute if you really see a need for it.

> As indicated before, I wouldn't care about the documents and RFCs *not*
> specifying attributes. Strongswan is highly compliant by supporting the
> standard features and attributes, but supporting some extra attributes
> wouldn't hurt, IMHO.

I don't agree with that at all.  But you are free to write your own
plugin that does whatever you want and deploy that to your clients.

Regards,
Tobias


Re: [strongSwan] Can strongswan tnc be used with TPM 2.0 ?

2019-07-01 Thread Andreas Steffen
Hi Benoit,

you can compile strongSwan with both options --enable-tss-trousers
and --enable-tss-tss2 and the libtpmtss library will automatically
detect whether a TPM 1.2 or TPM 2.0 device is present, preferring
TPM 2.0 over TPM 1.2.

For TPM 1.2 support the libtspi trousers library is required
and for TPM 2.0 the libtss2 library. Have a look at the following
HOWTO on how to install the TPM2-TSS libraries and how to generate
TPM 2.0 attestation keys and certificates:

https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin

Best regards

Andreas

On 15.06.19 15:18, Benoit wrote:
> Hi all,
> 
> I am interested to use the strongswan tnc, specifically the PTS
> (IMV/IMC) mode.
> I went to the following pages:
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/IMA
> https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect
> https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMV
> https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMC
> 
> Pages are talking about TPM 1.2, but TPM 2.0 is never described.
> 
> I am mainly looking for a way to verify if a client is trusted or not.
> And what is described at
> https://wiki.strongswan.org/projects/strongswan/wiki/IMA can match my
> requirements.
> But I would like to have something compliant with TPM 1.2 and TPM 2.0.
> 
> Is strongswan TNC/PTS feature compliant with TPM 1.2 and TPM 2.0 ?
> 
> Thanks

-- 
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)


Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Tobias Brunner
Hi Harald,

> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?

There is no such attribute for IKEv2.

> My attr.conf on the IPsec gateway says
> 
> attr {
>  dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
>  nbns = 10.0.98.253
>  28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>  28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>  load = yes
> 
> }

The (proprietary Cisco Unity) IKEv1 attributes you assigned have
different purposes.  The first sets the default search domain, the other
is for split-DNS.  For the latter there now actually is an RFC for IKEv2
(RFC 8598) but strongSwan currently doesn't support it.  Well, you can
assign the INTERNAL_DNS_DOMAIN attribute to clients using the same
numeric assignment (25 is the identifier), but no client plugin
currently requests or handles such attributes.  In particular, the NM
plugin currently has no support for such internal domains (no idea if
NM_VPN_PLUGIN_IP4/6_CONFIG_DOMAINS could be used for that, or if that
e.g. just sets multiple search domains).

> AFAICT NetworkManager would like to call resolvconf itself, but apparently
> it is missing the DNS domain.

Is a search domain actually required in your setup?  Because, as I said,
there is no standardized IKEv2 attribute for it at all.

> Of course the documentation states: "Cisco Unity extensions for IKEv1"
> but I don't see any reason why this shouldn't work for IKEv2 as well
> (except for not being listed in some document).

Why would configuration attributes for a proprietary IKEv1 extension,
with numbers from the private use range, work with IKEv2?  Granted,
since it's not possible to set an IKE version for custom attributes in
the attr plugin's configuration, it will just assign them as configured
to any client that requests a virtual IP.  But a client that handles
them would technically be non-compliant.  Anyway, strongSwan actually
doesn't handle these Unity attributes as client at all, not even for IKEv1.

Regards,
Tobias
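To make the attribute-number distinction in Tobias's reply concrete, here is an added Python example (not strongSwan code) that encodes a CFG_REPLY carrying the INTERNAL_IP4_DNS/NBNS values from Harald's attr.conf plus an RFC 8598 INTERNAL_DNS_DOMAIN (type 25), parses it back, and classifies each type against the IKEv2 private-use range where the Cisco Unity numbers 28674/28675 fall. The payload layout follows RFC 7296 section 3.15.1; the sample values are constructed from the thread.

```python
import ipaddress
import struct

# Configuration attribute types from RFC 7296 section 3.15.1 and RFC 8598.
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_NBNS = 4
INTERNAL_DNS_DOMAIN = 25             # RFC 8598, the attribute Tobias mentions
PRIVATE_USE = range(16384, 32768)    # where the Unity numbers 28674/28675 live
CFG_REPLY = 2
NAMES = {3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS", 25: "INTERNAL_DNS_DOMAIN"}


def classify(attr_type):
    """Say whether an attribute number is standardized, private use, or unassigned."""
    if attr_type in NAMES:
        return "standard:" + NAMES[attr_type]
    if attr_type in PRIVATE_USE:
        return "private-use"
    return "unassigned"


def encode_attr(attr_type, value):
    """One attribute: R bit (0) + 15-bit type, 16-bit length, raw value."""
    if attr_type not in range(0, 0x8000):
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def build_cp_reply(dns, nbns, domain):
    """CFG_REPLY payload body: CFG type byte, 3 reserved bytes, then attributes."""
    body = struct.pack("!B3x", CFG_REPLY)
    for ip in dns:
        body += encode_attr(INTERNAL_IP4_DNS, ipaddress.IPv4Address(ip).packed)
    for ip in nbns:
        body += encode_attr(INTERNAL_IP4_NBNS, ipaddress.IPv4Address(ip).packed)
    if domain:
        body += encode_attr(INTERNAL_DNS_DOMAIN, domain.encode("ascii"))
    return body


def decode_cp(body):
    """Parse the attribute list back; reject truncated or over-long entries."""
    cfg_type = body[0]
    off, attrs = 4, []
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack_from("!HH", body, off)
        t &= 0x7FFF                   # strip the reserved R bit
        off += 4
        if off + ln > len(body):
            raise ValueError("attribute length exceeds payload")
        attrs.append((t, bytes(body[off:off + ln])))
        off += ln
    return cfg_type, attrs


def describe(body):
    """Human-readable view of a CP payload, to check what a gateway pushes."""
    _, attrs = decode_cp(body)
    out = []
    for t, v in attrs:
        if t in (INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS) and len(v) == 4:
            out.append((classify(t), str(ipaddress.IPv4Address(v))))
        else:
            out.append((classify(t), v.decode("ascii", "replace")))
    return out


if __name__ == "__main__":
    # Constructed from the values in Harald's attr.conf
    cp = build_cp_reply(["10.0.122.9", "10.0.96.123", "10.0.96.124"],
                        ["10.0.98.253"], "example.com")
    for entry in describe(cp):
        print(entry)
    print(28674, classify(28674), "|", 28675, classify(28675))
```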


[strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Harald Dunkel

Hi folks,

using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?

My attr.conf on the IPsec gateway says

attr {
dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
nbns = 10.0.98.253
28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
load = yes

}

AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me

Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5404] audit: op="connection-activate" uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 result="success"
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5435] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Saw the service appear; activating connection
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5633] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul  1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager connection ipsecgate IKEv2
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.6125] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: starting (3)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7119] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Tunnel Device: (null)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: IPv4 configuration:
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Prefix: 32
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Point-to-Point Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Maximum Segment Size (MSS): 0
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Forbid Default Route: yes
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.122.9
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.123
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.124
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 127.0.0.1
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   DNS Domain: '(none)'
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: No IPv6 configuration
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP Config Get) complete
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: started (4)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7225] dns-mgr: Writing DNS information to /sbin/resolvconf

Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this 

[strongSwan] Shrew Soft iked config

2019-07-01 Thread Michael Ahrens
Hi @all,

I would like to move from my very old Shrew Soft iked to Strongswan. Can
somebody give me some help to convert the config?

Here is my Shrew Soft iked config:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
b:auth-mutual-psk:PSK
n:phase2-pfsgroup:2
s:client-saved-username:MYUSER
n:client-dns-suffix-auto:0
n:phase1-keylen:0
n:phase2-keylen:0
s:network-host:VPN-SERVER
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:DNS-SERVER1,DNS-SERVER2
s:client-dns-suffix:DOMAIN.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-client-data:MYUSER@DOMAIN
s:ident-server-type:address
s:ident-server-data:VPN-SERVER
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:require
s:policy-list-include:192.168.0.0 / 255.255.0.0

[strongSwan] left subnet stanza

2019-07-01 Thread Doug Tucker
All,


Looking for some help on the leftsubnet = stanza.  Is there a way to put
multiple subnets on the same line?  I need to give access to 3 subnets on my
side from 1 subnet on theirs.  I have tried:


leftsubnet = 10.10.10.0/24 10.10.11.0/24 (and tried putting a comma in between 
them but it doesn't like that)


using leftsubnet = 0.0.0.0/0 works, but that apparently opens it to any subnet 
on my side they have a mapping to on theirs...so I lose control.


Is there any way to have multiple subnets on my side on one line?


Doug Tucker
Sr. Director of Networking & Linux Operations

[strongSwan] Can strongswan tnc be used with TPM 2.0 ?

2019-07-01 Thread Benoit
Hi all,

I am interested to use the strongswan tnc, specifically the PTS
(IMV/IMC) mode.
I went to the following pages:

https://wiki.strongswan.org/projects/strongswan/wiki/IMA
https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect
https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMV
https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMC

Pages are talking about TPM 1.2, but TPM 2.0 is never described.

I am mainly looking for a way to verify if a client is trusted or not.
And what is described at
https://wiki.strongswan.org/projects/strongswan/wiki/IMA can match my
requirements.
But I would like to have something compliant with TPM 1.2 and TPM 2.0.

Is strongswan TNC/PTS feature compliant with TPM 1.2 and TPM 2.0 ?

Thanks
