Andreas, many thanks for your email. I have now managed to get that working, performing attestation through the ASA using the PT-TLS protocol!
Does it have to be kicked off using the command line utility pt-tls-client? I couldn't find any documentation for the tnc-pdp plugin. Can I use it to set up a gateway, deciding to allow the device onto a network if it passes (like that of your IMA wiki example) with an ipsec.conf file, or is it just geared around receiving the pt-tls-client request and performing the integrity measurement verification? I can see the measurement pass or fail but I'm struggling to see how I can set something up to periodically ask for that measurement and, if not successful, not allow the device onto my network.

Regards,
Chris

On Thu, Nov 16, 2017 at 7:25 AM, Andreas Steffen <[email protected]> wrote:
> Hi Mario,
>
> if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
> do remote attestation via the PT-TLS protocol. On the client side you
> can use the strongSwan pt-tls-client and on the server side add the
> tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
> charon daemon.
>
> Regards
>
> Andreas
>
> On 15.11.2017 23:22, Mario Maldonado wrote:
>
>> Hi all,
>>
>> I wish to use strongSwan for remote attestation through a Cisco ASA, e.g.:
>> strongSwan gateway ====192.168.0.0/24==== ASA ====192.168.1.0/24==== Device
>>
>> With no ASA I have successfully configured strongSwan with remote
>> attestation using the EAP-TTLS plugin. I have also managed to configure
>> a strongSwan connection to the ASA, giving me access to the
>> 192.168.0.0/24 subnet. I am then unable to bring
>> up the attestation connection. I was hoping it would set up a tunnel
>> within the ASA tunnel but from what I understand IKE traffic is exempt
>> from the negotiated tunnel (preventing nested tunnels) and then blocked
>> by the ASA.
>>
>> Is there a way around this / a nice way of achieving such a connection?
>>
>> Can I use strongSwan for TNC integrity measurement without the TLS
>> tunnel? This way the TPM and IMA measurements can be sent through the
>> ASA tunnel with no issues. From looking around the docs it looks like
>> the only way of performing remote attestation is with the EAP-TTLS
>> plugin? This would also be ideal as the traffic only has to be decrypted
>> once by the device.
>>
>> Many thanks,
>>
>> Mario
>>
>
> --
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
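Andreas's reply describes the PT-TLS arrangement in one sentence: pt-tls-client on the device, the tnc-pdp plugin listening on TCP 271 in charon. The strongswan.conf fragment below is an added illustration of the server side of that arrangement; it is not part of the thread and not taken from strongSwan's own documentation. It assumes the tnc-pdp plugin's `server`, `pt_tls` and `radius` settings as named in strongswan.conf(5); the hostname `pdp.example.org` is a placeholder.

```conf
# Added example, not from the thread: charon-side strongswan.conf for a
# policy decision point that accepts PT-TLS connections only.
charon {
  plugins {
    tnc-pdp {
      # Name the PDP presents to connecting clients (placeholder value;
      # it must match the identity in the server certificate charon loads).
      server = pdp.example.org

      # PT-TLS listener on the port Andreas mentions (IANA-assigned 271).
      pt_tls {
        enable = yes
        port = 271
      }

      # The plugin also offers a RADIUS front end for switches and
      # access points; it is not needed for the pt-tls-client case and
      # is switched off here so only the PT-TLS port is exposed.
      radius {
        enable = no
      }
    }
  }
}
```

With this in place, the device's pt-tls-client is pointed at `pdp.example.org` and port 271 and carries the TPM and IMA measurements inside one TLS session over TCP, which the ASA tunnel forwards like any other TCP flow; that is why the PT-TLS route sidesteps the nested-IKE problem Mario ran into with the EAP-TTLS approach. Whether the measurement verdict is then used to admit or drop the device from the network is a separate enforcement step that this fragment does not configure.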
