[strongSwan] PT-TLS Protocol: Help with using pt-tls-client and tnc-pdp plugin

2018-01-02 Thread Mario Maldonado
Hi,

Any help with using the pt-tls-client and tnc-pdp plugin in a usable
situation would be greatly appreciated.

I am using StrongSwan through a Cisco ASA like the following and I wish to
use it to perform remote attestation:
Inside network --- StrongSwan gateway 192.168.0.0/24 --- ASA --- 192.168.1.0/24 --- Device

I have configured the StrongSwan connection between the device and the ASA,
such that connecting out to the device from the inside network will
automatically bring up the StrongSwan tunnel between the device and ASA and
the connection established.

IKE traffic is exempt from the negotiated tunnel (preventing nested
tunnels) and then blocked by the ASA. This prevents me from then setting up
another connection from the gateway to the device using EAP-TTLS with
remote attestation and an allow / isolate behaviour (like that of this
example https://wiki.strongswan.org/projects/strongswan/wiki/IMA).

The only way I have been able to get attestation measurements from the
device to the gateway is by using the PT-TLS protocol with the pt-tls-client
on the device and the tnc-pdp plugin listening on the PT-TLS TCP port 271
of the StrongSwan gateway. This goes through the negotiated tunnel between
the device and the ASA with no issues.

At present I am running the pt-tls-client command on the device but I have
two problems:

   - The device (pt-tls-client command) needs to have knowledge of the IP
   address of the StrongSwan gateway.
   - The result will then appear in the attestation database on the StrongSwan
   gateway but a decision will not be made to allow or isolate the device.

I cannot see how this can be used when connecting out to a device from the
inside network and then performing attestation to allow or block the connection
based upon the measurements. Is this kind of thing possible? How can I get
attestation to occur using the PT-TLS protocol when connecting to the
device from the inside network, where the device doesn't have knowledge of
the StrongSwan gateway's IP address?

I hope this is clear, I am happy to provide more information.

Kind regards,

Mario
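For readers who want to see how the two pieces named in this thread fit together, here is an added example (not from the thread, not strongSwan's own shipped configuration) of a strongswan.conf fragment that enables the tnc-pdp plugin's PT-TLS listener on TCP port 271, plus the matching pt-tls-client invocation on the device. The gateway address 192.168.0.1, the PDP identity pdp.example.org, the client identity device.example.org, and all file paths are assumptions chosen for illustration; the option names follow the strongswan.conf keys documented for the tnc-pdp and tnc-imv plugins, and the client flags follow the pt-tls-client man page (verify against `pt-tls-client --help` on your build).

```conf
# /etc/strongswan.conf on the StrongSwan gateway (PDP side).
# Added example: names, addresses and paths are assumptions, not values from the thread.
charon {
    plugins {
        tnc-pdp {
            # Accept PT-TLS connections from pt-tls-client on the IANA-assigned port.
            pt_tls {
                enable = yes
                port = 271
            }
            # The RADIUS front end is only needed when a NAS (802.1X switch, WLAN AP)
            # forwards EAP; for a pure PT-TLS setup like this one it stays off.
            radius {
                enable = no
            }
            # Identity of the PDP as it appears in its AAA/TLS server certificate
            # (assumed name). The matching certificate and private key are loaded
            # from the normal strongSwan credential store.
            server = pdp.example.org
        }
        tnc-imv {
            # How the individual IMV recommendations are combined into one
            # decision for the connection: "default", "any" or "all".
            recommendation_policy = default
        }
    }
}

libtnccs {
    # File listing the IMVs charon loads on the server side (path is an assumption).
    tnc_config = /etc/tnc_config
}

# /etc/tnc_config (one IMV per line; library path is an assumption for this install):
#   IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so

# On the device, started from a shell after the ASA tunnel is up. The device must
# know the gateway address, which is the first limitation raised in the post above.
# --cert is given twice: once for the CA/AAA certificate used to verify the PDP,
# once for the device's own client certificate. All paths and names are assumptions.
#   pt-tls-client --connect 192.168.0.1 --port 271 \
#                 --client device.example.org \
#                 --cert /etc/pts/aaaCert.pem \
#                 --cert /etc/pts/clientCert.pem \
#                 --key  /etc/pts/clientKey.pem \
#                 --debug 2
```

With this in place the PT-TLS session rides inside the device-to-ASA tunnel exactly as described in the post, since it is ordinary TCP rather than IKE. Whether the PDP's pass/fail recommendation is then enforced anywhere is a separate question: tnc-pdp records and reports the recommendation, but something on the network (a RADIUS-speaking NAS, or a gateway policy driven by the result) still has to act on it, which is the gap the second bullet above is asking about.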


Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-16 Thread Mario Maldonado
Andreas, many thanks for your email.

I have now managed to get that working, performing attestation through the
ASA using the PT-TLS protocol!

Does it have to be kicked off using the command line utility pt-tls-client?

I couldn't find any documentation for the tnc-pdp plugin. Can I use it to
setup a gateway, deciding to allow the device onto a network if it passes
(like that of your IMA wiki example) with an ipsec.conf file, or is it just
geared around receiving the pt-tls-client request and performing the
integrity measurement verification? I can see the measurement pass or fail
but I'm struggling to see how I can set something up to periodically ask
for that measurement and if not successful, not allow the device onto my
network.

Regards,

Chris

On Thu, Nov 16, 2017 at 7:25 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Mario,
>
> if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
> do remote attestation via the PT-TLS protocol. On the client side you
> can use the strongSwan pt-tls-client and on the server side add the
> tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
> charon daemon.
>
> Regards
>
> Andreas
>
> On 15.11.2017 23:22, Mario Maldonado wrote:
>
>> Hi all,
>>
>> I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
>> StrongSwan gateway 192.168.0.0/24 ASA 192.168.1.0/24 Device
>>
>> With no ASA I have successfully configured StrongSwan with remote
>> attestation using the EAP-TTLS plugin. I have also managed to configure
>> a StrongSwan connection to the ASA, giving me access to the
>> 192.168.0.0/24 subnet. I am then unable to bring
>> up the attestation connection. I was hoping it would setup a tunnel
>> within the ASA tunnel but from what I understand IKE traffic is exempt
>> from the negotiated tunnel (preventing nested tunnels) and then blocked
>> by the ASA.
>>
>> Is there a way around this / a nice way of achieving such a connection?
>>
>> Can I use StrongSwan for TNC integrity measurement without the TLS
>> tunnel? This way the TPM and IMA measurements can be sent through the
>> ASA tunnel with no issues. From looking around the docs it looks like
>> the only way of performing remote attestation is with the EAP-TTLS
>> plugin? This would also be ideal as the traffic only has to be decrypted
>> once by the device.
>>
>> Many thanks,
>>
>> Mario
>>
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>
>


[strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Mario Maldonado
Hi all,

I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:
StrongSwan gateway 192.168.0.0/24 ASA 192.168.1.0/24 Device

With no ASA I have successfully configured StrongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure a
StrongSwan connection to the ASA, giving me access to the 192.168.0.0/24
subnet. I am then unable to bring up the attestation connection. I was
hoping it would setup a tunnel within the ASA tunnel but from what I
understand IKE traffic is exempt from the negotiated tunnel (preventing
nested tunnels) and then blocked by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use StrongSwan for TNC integrity measurement without the TLS tunnel?
This way the TPM and IMA measurements can be sent through the ASA tunnel
with no issues. From looking around the docs it looks like the only way of
performing remote attestation is with the EAP-TTLS plugin? This would also
be ideal as the traffic only has to be decrypted once by the device.

Many thanks,

Mario