diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2015-07-26 11:57:39 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2015-08-18 21:25:39 +0200 |
commit | ac28daac38e6353ce7268e3f159275c62530c151 (patch) | |
tree | 8f7c884cc2892a99131a348579213a691e45206a /testing/tests/tnc | |
parent | 18472ac21ca569608b45235a46bedff8ba51fbb3 (diff) | |
download | strongswan-ac28daac38e6353ce7268e3f159275c62530c151.tar.bz2 strongswan-ac28daac38e6353ce7268e3f159275c62530c151.tar.xz |
testing: Added tnc/tnccs-20-hcd-eap scenario
Diffstat (limited to 'testing/tests/tnc')
24 files changed, 674 insertions, 0 deletions
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/description.txt b/testing/tests/tnc/tnccs-20-hcd-eap/description.txt new file mode 100644 index 000000000..625f68b1e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/description.txt @@ -0,0 +1,11 @@ +The hardcopy devices <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement +point <b>moon</b>. At the outset the gateway authenticates itself to the devices by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an +<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b> +authenticated by an X.509 AAA certificate. In a next step the EAP-TNC protocol is used within +the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> +client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs +is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>. +<p> +The HCD IMC on the hardcopy devices <b>carol</b> and <b>dave</b> sends printer attributes to the HCD IMV +located on the RADIUS server <b>alice</b>. Because some mandatory HCD attributes are missing, the hardcopy devices <b>carol</b> and <b>dave</b> are blocked from accessing the network behind gateway <b>moon</b>. diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat new file mode 100644 index 000000000..ad23ee1e8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat @@ -0,0 +1,16 @@ +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES +carol:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES +carol:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES +alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*is.*no access::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..626000612 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,26 @@ +WSGIPythonPath /var/www/tnc + +<VirtualHost *:80> + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + <Directory /var/www/tnc/config> + <Files wsgi.py> + Order deny,allow + Allow from all + </Files> + </Directory> + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + Alias /static/ /var/www/tnc/static/ + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined +</VirtualHost> diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..f2e611952 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..606e184bd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..d6a547bd1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) +SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 +FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 5, X'64617665' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) +SELECT NOW, 1, 1, 1, id, 0 +FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5e7b7b556 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=0 +TEMPLATE_DEBUG=0 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////var/www/tnc/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan +ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..d22a7e978 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -0,0 +1,35 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc = yes + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libimcv { + debug_level = 3 + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..5d74cc573 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan client + +IMV "HCD" /usr/local/lib/ipsec/imcvs/imv-hcd.so diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..2cca42cd7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..d93235b6b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,138 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 16370 + max_message_size = 16338 + } + } +} + +libimcv { + os_info { + name = strongPrint OS + version = 1.0 + default_password_enabled = yes + } + + plugins { + imc-hcd { + push_info = no + subtypes { + system { + attributes_natural_language = en + machine_type_model = strongPrint Laser X.509a + vendor_name = ITA-HSR + vendor_smi_code = 36906 + pstn_fax_enabled = yes + time_source = 0.ch.pool.ntp.org + user_application_enabled = yes + user_application_persistence_enabled = no + + firmware { + fw-1 { + name = Firmware ABC + patches = "security patch 2014-05-08\nupgrade 2014-08-16\nsecurity patch 2015-3-22" + string_version = 1.0.7 + version = 00000001000000000000000700000000 + } + fw-2 { + name = Firmware UVW + string_version = 13.8.5 + version = 0000000D000000080000000500000000 + } + } + + resident_application { + resident-app-1 { + name = Resident App XYZ + patches = "xmas patch 2014-12-24\nservice patch 2015-05-22" + string_version = 2.5 + version = 00000002000000050000000000000000 + } + } + + user_application { + user-app-1 { + name = My Java Photo App + patches = + string_version = 5.2.3.8.1 + version = 00000005000000020000000300080001 + } + user-app-2 { + name = Print Your Dinosaur! + patches = + string_version = 1.0 + version = 00000001000000000000000000000000 + } + user-app-3 { + name = Label Everything App + patches = + string_version = 7.5.8.2.3 + version = 00000007000000050000000800020003 + } + } + + certification_state = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f + configuration_state = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeffe0e1e2e3e4e5e6e7e8e9eaebecedeeefd0d1d2d3d4d5d6d7d8d9dadbdcdddedf + } + + console { + attributes_natural_language = ru + } + + marker { + attributes_natural_language = fr + } + + finisher { + attributes_natural_language = de + } + + interface { + attributes_natural_language = en + + resident_application { + resident-app-if { + name = Resident App Interface+ + patches = "service patch 2015-02-09" + string_version = 2.5 + version = 00000002000000050000000000000000 + } + } + } + + scanner { + attributes_natural_language = en + + firmware { + fw-scanner { + name = Scanner Firmware + patches = "security patch 2013-08-11\nsecurity patch 2015-5-30" + string_version = 2.5.3 + version = 00000002000000050000000300000000 + } + } + + user_application { + user-app-scanner { + name = EasyScan + patches = + string_version = 2.2.3.5.7 + version = 00000002000000020000000300050007 + } + } + } + } + } + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..199d62c45 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "HCD" /usr/local/lib/ipsec/imcvs/imc-hcd.so diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..2707b2be9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftauth=eap + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2e99df063 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,108 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 16370 + max_message_size = 16338 + } + } +} + +libimcv { + os_info { + name = strongPrint OS + version = 1.1 + default_password_enabled = no + } + + plugins { + imc-hcd { + push_info = no + subtypes { + system { + attributes_natural_language = en + machine_type_model = strongPrint Laser X.509a + vendor_name = ITA-HSR + vendor_smi_code = 36906 + pstn_fax_enabled = yes + time_source = 0.ch.pool.ntp.org + user_application_enabled = no + user_application_persistence_enabled = no + + firmware { + fw-1 { + name = Firmware ABC + patches = "security patch 2014-05-08\nupgrade 2014-08-16\nsecurity patch 2015-3-22" + string_version = 1.0.7 + version = 00000001000000000000000700000000 + } + fw-2 { + name = Firmware UVW + string_version = 13.8.5 + version = 0000000D000000080000000500000000 + } + } + + resident_application { + resident-app-1 { + name = Resident App XYZ + patches = "xmas patch 2014-12-24\nservice patch 2015-05-22" + string_version = 2.5 + version = 00000002000000050000000000000000 + } + } + + certification_state = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f + configuration_state = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeffe0e1e2e3e4e5e6e7e8e9eaebecedeeefd0d1d2d3d4d5d6d7d8d9dadbdcdddedf + } + + console { + attributes_natural_language = ru + } + + marker { + attributes_natural_language = fr + } + + finisher { + attributes_natural_language = de + } + + interface { + attributes_natural_language = en + + resident_application { + resident-app-if { + name = Resident App Interface+ + patches = "service patch 2015-02-09" + string_version = 2.5 + version = 00000002000000050000000000000000 + } + } + } + + scanner { + attributes_natural_language = en + + firmware { + fw-scanner { + name = Scanner Firmware + patches = "security patch 2013-08-11\nsecurity patch 2015-5-30" + string_version = 2.5.3 + version = 00000002000000050000000300000000 + } + } + } + } + } + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..199d62c45 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "HCD" /usr/local/lib/ipsec/imcvs/imc-hcd.so diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..02ada5665 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightsendcert=never + right=%any + eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..3d878567f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/iptables.rules @@ -0,0 +1,36 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow crl fetch from winnetou for AAA server alice +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -d PH_IP_ALICE -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -s PH_IP_ALICE -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fc647a079 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + #server = PH_IP6_ALICE + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat new file mode 100644 index 000000000..369cfe86f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::ipsec stop +winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat new file mode 100644 index 000000000..913dd2190 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +alice::ipsec start +moon::ipsec start +carol::ipsec start +dave::ipsec start +dave::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/test.conf b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf new file mode 100644 index 000000000..c4ca1a19f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + |