### swanctl Install Policy Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Installs a trap or shunt policy using the swanctl tool.
```bash
swanctl --install
```
--------------------------------
### cert-enroll Installation Script Activation
Source: https://docs.strongswan.org/docs/latest/tools/cert-enroll.html
Example of activating installation scripts by creating symbolic links in the /etc/cert-enroll.d directory for specific services like Cockpit, Directory Server, and SSSD.
```bash
# cd /etc/cert-enroll.d
# ln -s cert-install-available/cert-install-cockpit cert-install.d
# ln -s cert-install-available/cert-install-dirsrv cert-install.d
# ln -s cert-install-available/cert-install-sssd cert-install.d
```
--------------------------------
### Show swanctl --install Help
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlInstall.html
Displays usage information for the swanctl --install command.
```bash
swanctl --install --help
```
--------------------------------
### Start the Testing Environment
Source: https://docs.strongswan.org/docs/latest/devs/testingEnvironment.html
Execute this script to start the KVM instances for the strongSwan testing environment.
```bash
testing/start-testing
```
--------------------------------
### Build and Install strongSwan
Source: https://docs.strongswan.org/docs/latest/install/install.html
Compile the strongSwan sources and install the binaries using make and sudo.
```bash
make
sudo make install
```
--------------------------------
### swanctl List Policies Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Lists currently installed policies using the swanctl tool.
```bash
swanctl --list-pols
```
--------------------------------
### vici.conf Plugin Configuration Example
Source: https://docs.strongswan.org/docs/latest/config/strongswanDir.html
Example configuration snippet for the vici plugin, demonstrating how to set the load status and socket path.
```strongswan
vici {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# Socket the vici plugin serves clients.
# socket = unix://${piddir}/charon.vici
}
```
--------------------------------
### Kernel Command Line Example
Source: https://docs.strongswan.org/docs/latest/tnc/pcrBootEvents.html
Example of a kernel command line string used during the boot process, including root device and IMA parameters.
```text
/boot/vmlinuz-5.13.0-44-generic
```
```text
kernel_cmdline: /boot/vmlinuz-5.13.0-44-generic root=UUID=956f1d5b-ce31-4ece-8c1f-90d0b11a02ee ro ima_tcb ima_hash=sha256 quiet splash vt.handoff=7
```
--------------------------------
### Example: Create and Configure VTI Devices
Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html
This example demonstrates the creation of two VTI devices (vti0 and ipsec0), disabling policy lookups, bringing them up, and adding static routes for specific subnets.
```bash
ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 42
ip tunnel add ipsec0 local 192.168.0.1 remote 192.168.0.3 mode vti key 0x01000201
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/16 dev vti0
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.2.0.0/16 dev ipsec0
ip route add 10.3.0.0/16 dev ipsec0
```
--------------------------------
### Install strongSwan Package on FreeBSD
Source: https://docs.strongswan.org/docs/latest/os/freebsd.html
Use this command to install the strongSwan package using the pkg utility.
```bash
pkg install strongswan
```
--------------------------------
### Start cert-enroll Systemd Service for Initial Generation
Source: https://docs.strongswan.org/docs/latest/tools/cert-enroll.html
Use this command to manually start the cert-enroll service for the initial generation of the X.509 host certificate.
```bash
# systemctl start cert-enroll.service
```
--------------------------------
### SW-Collector Configuration Example
Source: https://docs.strongswan.org/docs/latest/tnc/sw-collector.html
Example configuration for the SW-Collector, specifying database, history log, first file, and REST API settings.
```strongswan.conf
sw-collector {
database = sqlite:///etc/pts/collector.db
history = /var/log/apt/history.log
first_file = /var/log/bootstrap.log
first_time = 2016-04-22T20:55:14Z
rest_api {
uri = https://admin-user:strongSwan@tnc.example.com/api/
timeout = 120
}
}
```
--------------------------------
### Start strongSwan Systemd Service
Source: https://docs.strongswan.org/docs/latest/daemons/charon-systemd.html
Manually start the strongSwan service using systemctl.
```bash
sudo systemctl start strongswan
```
--------------------------------
### swanctl Help Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Shows usage, version, and plugin information for the swanctl tool.
```bash
swanctl --help
```
--------------------------------
### swanctl Initiate Connection Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Initiates a connection using the swanctl tool.
```bash
swanctl --initiate
```
--------------------------------
### Example: Create and Configure XFRM Interface 'ipsec0'
Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html
This example demonstrates creating an XFRM interface named 'ipsec0' with ID 42 using both `iproute2` and `xfrmi`, activating it, and adding routes for specific subnets.
```bash
ip link add ipsec0 type xfrm if_id 42
# or if not supported by iproute2 yet:
/usr/local/libexec/ipsec/xfrmi --name ipsec0 --id 42
ip link set ipsec0 up
ip route add 10.1.0.0/16 dev ipsec0
ip route add 10.2.0.0/16 dev ipsec0
```
--------------------------------
### Install Dependencies for strongSwan NM Backend
Source: https://docs.strongswan.org/docs/latest/features/networkManager.html
Installs the required libraries for building the strongSwan NetworkManager backend. Use this command on Debian/Ubuntu-based systems.
```bash
apt-get install libssl-dev libnm-dev
```
--------------------------------
### Install charon-svc as a Windows Service
Source: https://docs.strongswan.org/docs/latest/daemons/charon-svc.html
Use the 'sc' utility to create and install the strongSwan IKE service on Windows. This command specifies the service name and the path to the executable.
```bash
sc create "strongSwan IKE service" binPath= C:\path\to\charon-svc.exe
```
--------------------------------
### Virtual IP Address Leases Output Example
Source: https://docs.strongswan.org/docs/latest/interop/windowsUserServerStatus.html
Example output showing assigned IPv4 and IPv6 virtual IP addresses, their status (online/offline), and the associated identity.
```text
ipv4 10.10.1.64 1 / 1 / 62
10.10.1.65 offline 'C=CH, O=strongSec GmbH, CN=mijas.strongsec.com'
10.10.1.66 online 'andreas.steffen@strongsec.net'
ipv6 2a02:168:4407:1:: 1 / 1 / 62
2a02:168:4407:1::1 offline 'C=CH, O=strongSec GmbH, CN=mijas.strongsec.com'
2a02:168:4407:1::2 online 'andreas.steffen@strongsec.net'
```
--------------------------------
### swanctl Version Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Shows version information for the swanctl tool.
```bash
swanctl --version
```
--------------------------------
### Actual Configuration Syntax Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html
Shows how the documented placeholder options translate into an actual configuration file syntax.
```plaintext
connections {
connection_a {
remote {
auth=...
}
children {
child_1 {
local_ts=...
}
}
}
}
```
--------------------------------
### EAP-TTLS Tunnel Setup Request
Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html
The server requests EAP-TTLS authentication, triggering the client to start a TLS handshake. This is part of the EAP-TTLS tunnel setup.
```log
09[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (80 bytes)
09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
09[IKE] server requested EAP_TTLS authentication (id 0x45)
09[TLS] EAP_TTLS version is v0
09[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
09[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (272 bytes)
```
--------------------------------
### Example Routing Entry
Source: https://docs.strongswan.org/docs/latest/howtos/introduction.html
This is an example of a routing entry that might be installed by the charon daemon. It specifies the destination subnet, the gateway, and the source IP address to be used for traffic to that subnet.
```text
10.1.0.0/24 via 10.2.0.1 src 10.2.0.2
```
--------------------------------
### Load or Reload All Credentials
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlLoadCreds.html
This example demonstrates loading all credentials, such as an RSA private key and X.509 certificates. It shows the typical output messages indicating successful loading of certificates and keys from specified file paths.
```bash
$ swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/carolCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded RSA key from '/etc/swanctl/rsa/carolKey.pem'
```
--------------------------------
### sw-collector Log Output Example
Source: https://docs.strongswan.org/docs/latest/tnc/swimaClient.html
This snippet shows a typical log output from the sw-collector tool when processing apt history. It includes details about the operating system, log file parsing, and records of package installations, upgrades, and removals.
```log
# sw-collector
First-Date: 2021-02-17T01:05:01Z, eid = 1, epoch = 916780987
Last-Event: 2021-02-17T01:05:01Z, eid = 1, epoch = 916780987
processing "/etc/os-release" file
operating system type is 'Ubuntu'
operating system name is 'Ubuntu'
operating system version is '20.04 x86_64'
opened '/var/log/apt/history.log'
Warning: 2021-02-17T01:05:11Z of first entry on level 0 is newer
gzip: /var/log/apt/history.log.1.gz: No such file or directory
Start-Date: 2021-02-17T01:05:11Z, eid = 2
Start-Date: 2021-02-17T01:05:20Z, eid = 3
...
Start-Date: 2021-02-17T01:18:43Z, eid = 93
Start-Date: 2021-02-17T01:18:54Z, eid = 94
Upgrade:
apt (2.0.2, 2.0.4)
+strongswan.org__Ubuntu_20.04-x86_64-apt-2.0.4
-strongswan.org__Ubuntu_20.04-x86_64-apt-2.0.2
bash (5.0-6ubuntu1, 5.0-6ubuntu1.1)
+strongswan.org__Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1.1
-strongswan.org__Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1
base-files (11ubuntu5, 11ubuntu5.3)
+strongswan.org__Ubuntu_20.04-x86_64-base-files-11ubuntu5.3
-strongswan.org__Ubuntu_20.04-x86_64-base-files-11ubuntu5
...
Start-Date: 2022-05-11T07:31:09Z, eid = 95
Install:
libmpc3 (1.1.0-1)
+strongswan.org__Ubuntu_20.04-x86_64-libmpc3-1.1.0-1
...
tzdata (2022a-0ubuntu0.20.04)
+strongswan.org__Ubuntu_20.04-x86_64-tzdata-2022a-0ubuntu0.20.04
Upgrade:
gcc-10-base (10.2.0-5ubuntu1~20.04, 10.3.0-1ubuntu1~20.04)
+strongswan.org__Ubuntu_20.04-x86_64-gcc-10-base-10.3.0-1ubuntu1~20.04
-strongswan.org__Ubuntu_20.04-x86_64-gcc-10-base-10.2.0-5ubuntu1~20.04
libstdc++6 (10.2.0-5ubuntu1~20.04, 10.3.0-1ubuntu1~20.04)
+strongswan.org__Ubuntu_20.04-x86_64-libstdc~~6-10.3.0-1ubuntu1~20.04
-strongswan.org__Ubuntu_20.04-x86_64-libstdc~~6-10.2.0-5ubuntu1~20.04
Start-Date: 2022-05-11T09:33:27Z, eid = 96
Remove:
libsqlite3-dev (3.31.1-4ubuntu0.3)
-strongswan.org__Ubuntu_20.04-x86_64-libsqlite3-dev-3.31.1-4ubuntu0.3
...
dpkg-dev (1.19.7ubuntu3)
-strongswan.org__Ubuntu_20.04-x86_64-dpkg-dev-1.19.7ubuntu3
Start-Date: 2022-05-11T09:33:30Z, eid = 97
Remove:
libmpc3 (1.1.0-1)
-strongswan.org__Ubuntu_20.04-x86_64-libmpc3-1.1.0-1
...
tzdata (2022a-0ubuntu0.20.04)
-strongswan.org__Ubuntu_20.04-x86_64-tzdata-2022a-0ubuntu0.20.04
Merging:
merged 173 installed packages, 173 registered in database
```
--------------------------------
### GRUB Command Examples
Source: https://docs.strongswan.org/docs/latest/tnc/pcrBootEvents.html
Various GRUB commands used for setting parameters, saving environment variables, and loading modules.
```grub
set timeout_style=menu
```
```grub
[ 10 = 0 ]
```
```grub
menuentry UEFI Firmware Settings --id uefi-firmware {
fwsetup
}
```
```grub
[ -f (hd0,gpt5)/boot/grub/custom.cfg ]
```
```grub
[ -z (hd0,gpt5)/boot/grub -a -f (hd0,gpt5)/boot/grub/custom.cfg ]
```
```grub
setparams Ubuntu
```
```grub
recordfail
```
```grub
set recordfail=1
```
```grub
[ -n true ]
```
```grub
[ -z ]
```
```grub
save_env recordfail
```
```grub
load_video
```
```grub
[ xy = xy ]
```
```grub
insmod all_video
```
```grub
gfxmode keep
```
```grub
set gfxpayload=keep
```
```grub
[ keep = keep ]
```
```grub
set vt_handoff=vt.handoff=7
```
```grub
insmod gzio
```
```grub
[ xefi = xxen ]
```
```grub
insmod part_gpt
```
```grub
insmod ext2
```
```grub
[ xy = xy ]
```
```grub
search --no-floppy --fs-uuid --set=root 956f1d5b-ce31-4ece-8c1f-90d0b11a02ee
```
```grub
linux /boot/vmlinuz-5.13.0-44-generic root=UUID=956f1d5b-ce31-4ece-8c1f-90d0b11a02ee ro ima_tcb ima_hash=sha256 quiet splash vt.handoff=7
```
--------------------------------
### Example Software Identification (SWID) Tag
Source: https://docs.strongswan.org/docs/latest/tnc/swima.html
This XML snippet demonstrates the structure of a SWID tag, including software identity, entities, metadata, and payload with file details and SHA-256 hashes. It is useful for describing installed software packages and their integrity.
```xml
...
...
```
--------------------------------
### Configure On-Demand External Addresses for Load Testing
Source: https://docs.strongswan.org/docs/latest/plugins/load-tester.html
Define address pools for installing unique external tunnel addresses on interfaces. This simulates real-world scenarios where each IKE SA gets a distinct IP. Ensure unused network services are shut down to prevent system slowdowns during tests.
```strongswan
charon {
# ...
plugins {
load-tester {
# ...
addrs {
# install ~32K addresses on eth0
eth0 = 10.2.0.0/17
# and then ~32K addresses on eth1
eth1 = 10.2.128.0/17
}
# install all addresses with a /16 prefix
addrs_prefix = 16
}
}
}
```
--------------------------------
### Configure Options for Windows Monolithic Build
Source: https://docs.strongswan.org/docs/latest/os/windows.html
This example shows a comprehensive set of configure options for building a monolithic strongSwan version on Windows. It includes flags for debugging, optimization, warnings, disabling defaults, enabling specific plugins, and setting paths for OpenSSL and configuration files. Use this when building from source on Windows or cross-compiling.
```bash
CFLAGS="-g -O2 -Wall -Wno-pointer-sign -Wno-format-security \
-Wno-format -mno-ms-bitfields \
-I/c/path/to/openssl/include" \
LDFLAGS="-L/c/path/to/openssl/lib" \
./configure --disable-defaults --enable-monolithic --enable-static \
--enable-svc --enable-ikev2 --enable-ikev1 \
--enable-nonce --enable-pem --enable-pkcs1 \
--enable-x509 --enable-openssl --enable-socket-win \
--enable-kernel-wfp --enable-kernel-iph --enable-pubkey \
--enable-swanctl --with-swanctldir=swanctl \
--with-strongswan-conf=strongswan.conf
```
--------------------------------
### Install OpenSC
Source: https://docs.strongswan.org/docs/latest/howtos/smartcards.html
Install the OpenSC package, which provides PKCS#11 interface support for smart cards.
```bash
sudo apt-get install opensc
```
--------------------------------
### Install pcsc-tools and libccid
Source: https://docs.strongswan.org/docs/latest/howtos/smartcards.html
Install the necessary tools for smart card reader support on Debian-based systems.
```bash
sudo apt-get install pcsc-tools libccid
```
--------------------------------
### Basic Configuration Example
Source: https://docs.strongswan.org/docs/latest/config/strongswanConf.html
Illustrates a simple strongSwan configuration with nested sections and key-value pairs.
```plaintext
a = b
section-one {
somevalue = asdf
subsection {
othervalue = xxx
}
# yei, a comment
yetanother = zz
}
section-two {
x = 12
}
```
--------------------------------
### IMC Configuration Example
Source: https://docs.strongswan.org/docs/latest/tnc/pt-tls-client.html
Example configuration file for Integrity Measurement Collectors (IMCs) loaded by pt-tls-client.
```ini
#IMC-Configuration
IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
IMC "ATTESTATION" /usr/lib/ipsec/imcvs/imc-attestation.so
```
--------------------------------
### Install Python/Django Dependencies
Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html
Installs essential Python 3 packages and development libraries required for strongTNC on Ubuntu.
```bash
sudo apt install python3 python3-pip python3-dev libxml2-dev libxslt1-dev
```
--------------------------------
### Show Supported Software Products
Source: https://docs.strongswan.org/docs/latest/tnc/attest.html
Lists supported software products, selectable by file path or its primary key.
```bash
ipsec attest --products [--file |--fid ]
```
--------------------------------
### sec-updater Configuration Example
Source: https://docs.strongswan.org/docs/latest/tnc/sec-updater.html
Shows how to configure the sec-updater tool and its SWID generator settings in strongswan.conf.
```ini
sec-updater {
database = sqlite:///etc/pts/config.db
tnc_manage_command = /var/www/tnc/manage.py
tmp {
deb_file = /tmp/sec-updater.deb
tag_file = /tmp/sec-updater.tag
}
}
libimcv {
swid_gen {
command = /usr/local/bin/swid_generator
tag_creator {
name = strongSwan Project
regid = strongswan.org
}
}
}
```
--------------------------------
### Install Apache Web Server with WSGI
Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html
Installs the Apache web server and the necessary WSGI module for strongTNC on Ubuntu.
```bash
sudo apt install apache2 libapache2-mod-wsgi
```
--------------------------------
### Display Help
Source: https://docs.strongswan.org/docs/latest/pki/pkiOcsp.html
Prints usage information and a short summary of the available options for the pki --ocsp command.
```bash
pki --ocsp --help
```
--------------------------------
### Install strongTNC Python Dependencies
Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html
Installs the Python packages required by strongTNC, including updating Django if necessary, from the requirements.txt file.
```bash
sudo pip3 install -r requirements.txt
```
--------------------------------
### Configure Options for IMV Build
Source: https://docs.strongswan.org/docs/latest/tnc/attestationServer.html
Enable the OS IMV and Attestation IMV during the build process by using the --enable-imv-os and --enable-imv-attestation configure options.
```bash
--enable-imv-os --enable-imv-attestation
```
--------------------------------
### CSV Format Example
Source: https://docs.strongswan.org/docs/latest/plugins/certexpire.html
Example of the CSV format for trustchain expiration dates, including subject and intermediate CA expiration dates.
```text
subject,subjectExpiration,ImCa1Expiration,ImCa2Expiration,RootCaExpiration
```
--------------------------------
### Charon Daemon Startup and IMV Loading
Source: https://docs.strongswan.org/docs/latest/tnc/attestationServer.html
This log output shows the charon daemon starting up, loading IMVs from '/etc/tnc_config', and initializing both the 'OS' and 'Attestation' IMVs. It details the message types each IMV supports and their respective loaded paths.
```log
00[DMN] Starting IKE charon daemon (strongSwan 5.9.7, Linux 5.13.0-44-generic, x86_64)
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added PWG attributes
00[TNC] added TCG attributes
00[PTS] added TCG functional component namespace
00[PTS] added ITA-HSR functional component namespace
00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
00[PTS] added ITA-HSR functional component 'Trusted Boot'
00[PTS] added ITA-HSR functional component 'Linux IMA'
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "Attestation" initialized
00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
00[PTS] mandatory PTS measurement algorithm HASH_SHA1[openssl] available
00[PTS] mandatory PTS measurement algorithm HASH_SHA2_256[openssl] available
00[PTS] optional PTS measurement algorithm HASH_SHA2_384[openssl] available
00[PTS] optional PTS measurement algorithm HASH_SHA2_512[openssl] available
00[PTS] optional PTS DH group MODP_2048[openssl] available
00[PTS] optional PTS DH group MODP_1536[openssl] available
00[PTS] optional PTS DH group MODP_1024[openssl] available
00[PTS] mandatory PTS DH group ECP_256[openssl] available
00[PTS] optional PTS DH group ECP_384[openssl] available
00[TNC] IMV 2 supports 2 message types: 'TCG/PTS' 0x005597/0x00000001 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 2 "ATTESTATION" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
```
--------------------------------
### Show Files by Product or Primary Key
Source: https://docs.strongswan.org/docs/latest/tnc/attest.html
Lists files associated with a software product name or its primary key. Use --product for name or --pid for ID.
```bash
ipsec attest --files [--product |--pid ]
```
--------------------------------
### EAP-TTLS Tunnel Setup - Initial Request
Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html
This snippet shows the initial EAP-TTLS request and response during the TLS handshake for tunnel setup.
```strongswan
14[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (80 bytes)
14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
14[IKE] server requested EAP_TTLS authentication (id 0x86)
14[TLS] EAP_TTLS version is v0
14[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
14[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (272 bytes)
```
--------------------------------
### Synopsis of swanctl --load-conns
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlLoadConns.html
Shows the basic syntax for loading connection configurations and how to access help.
```bash
swanctl --load-conns [--file]
swanctl --load-conns --help
```
--------------------------------
### Install CHILD SA Policy
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlInstall.html
Installs a trap, drop, or bypass policy for a specified CHILD SA. An optional IKE SA can be indicated.
```bash
swanctl --install --child [--ike ]
```
--------------------------------
### Install strongSwan via Homebrew
Source: https://docs.strongswan.org/docs/latest/os/macos.html
Use this command to install the latest release of strongSwan using Homebrew. This method is suitable for road-warrior access.
```bash
$ brew install strongswan
```
--------------------------------
### PB-TNC Connection Setup - Initial Data Batch
Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html
Logs detailing the TNC server receiving the initial PB-TNC Client Data batch, assigning a Connection ID, and creating states for OS and Scanner IMVs.
```log
08[NET] received packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (448 bytes)
08[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
08[TNC] assigned TNCCS Connection ID 2
08[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
08[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes
08[IMV] user AR identity 'hacker' of type username authenticated by password
08[IMV] machine AR identity '192.168.0.3' of type IPv4 address authenticated by unknown method
08[IMV] IMV 2 "Scanner" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
08[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes
08[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake'
08[IMV] IMV 2 "Scanner" changed state of Connection ID 2 to 'Handshake'
```
--------------------------------
### Initialize TNC Database with strongSwan Template
Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html
Commands to create the TNC database directory and populate it using the strongSwan template SQL files. Requires 'sqlite3' to be available.
```bash
$ sudo -s
# mkdir /etc/pts
# cd /usr/share/strongswan/templates/database/imv
# cat tables.sql data.sql | sqlite3 /etc/pts/config.db
```
--------------------------------
### Disable Route Installation in strongSwan
Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html
Configure strongSwan to disable automatic route installation. This is necessary when using VTI devices for route-based VPNs.
```ini
charon.install_routes = 0
```
--------------------------------
### SWID Generator Configuration Example
Source: https://docs.strongswan.org/docs/latest/tnc/sw-collector.html
Example configuration for the SWID Generator within the libimcv section, defining the command and tag creator details.
```strongswan.conf
libimcv {
swid_gen {
command = /usr/local/bin/swid_generator
tag_creator {
name = strongSwan Project
regid = strongswan.org
}
}
}
```
--------------------------------
### EAP-TTLS Tunnel Setup - Server Certificate
Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html
This snippet details the reception of the TLS server certificate and CA information during the EAP-TTLS tunnel setup.
```strongswan
06[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (896 bytes)
06[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
06[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
06[TLS] received TLS server certificate 'C=CH, O=Cyber, CN=server.strongswan.org'
06[CFG] using certificate "C=CH, O=Cyber, CN=server.strongswan.org"
06[CFG] using trusted ca certificate "C=CH, O=Cyber, CN=Cyber Root CA"
06[CFG] reached self-signed root ca with a path length of 0
06[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
06[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (240 bytes)
```
--------------------------------
### swanctl List Algorithms Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Lists loaded algorithms and their implementation details using the swanctl tool.
```bash
swanctl --list-algs
```
--------------------------------
### Build Android Source Tree
Source: https://docs.strongswan.org/docs/latest/os/android.html
Commands to set up the build environment and initiate the Android source tree build. Use '-j' to speed up compilation on multi-core machines.
```bash
cd /path/to/android/source
. build/envsetup.sh
lunch
make -j
```
--------------------------------
### strongSwan Daemon Start Warning
Source: https://docs.strongswan.org/docs/latest/plugins/save-keys.html
This log message indicates that the strongSwan daemon has started and is saving IKE and ESP keys to the specified directory for Wireshark.
```log
moon charon-systemd: 00[DMN] !!
moon charon-systemd: 00[DMN] !! WARNING: SAVING IKE AND ESP KEYS TO '/root/.config/wireshark'
moon charon-systemd: 00[DMN] !!
moon charon-systemd: 00[LIB] loaded plugins: charon-systemd random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici save-keys
```
--------------------------------
### PKI Tool Commands and Options
Source: https://docs.strongswan.org/docs/latest/pki/pki.html
Lists the available commands and global options for the pki tool. Use --help for command-specific options.
```bash
pki command [options]
commands:
--gen (-g) generate a new private key
--self (-s) create a self signed certificate
--issue (-i) issue a certificate using a CA certificate and key
--signcrl (-c) issue a CRL using a CA certificate and key
--acert (-z) issue an attribute certificate
--req (-r) create a PKCS#10 certificate request
--pkcs7 (-7) PKCS#7 wrap/unwrap functions
--pkcs12 (-u) PKCS#12 functions
--keyid (-k) calculate key identifiers of a key/certificate
--print (-a) print a credential in a human readable form
--dn (-d) extract the subject DN of an X.509 certificate
--pub (-p) extract the public key from a private key/certificate
--verify (-V) verify a certificate using the CA certificate
--scep (-S) Enroll an X.509 certificate with a SCEP server
--scepca (-C) Get CA [and RA] certificate[s] from a SCEP server
--est (-E) Enroll an X.509 certificate with an EST server
--estca (-e) Get CA certificate[s] from an EST server
--ocsp (-o) OCSP request parser and OCSP responder
--help (-h) show usage, version and plugin information
global options:
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
```
--------------------------------
### Issue an X.509 certificate using an options file
Source: https://docs.strongswan.org/docs/latest/pki/pkiIssue.html
Issue an X.509 certificate based on a PKCS#10 certificate request using an options file. This example specifies the options file, serial number, input type, and input file, outputting the generated certificate in DER format.
```bash
pki --issue --options pki.opt --serial 01 --type pkcs10 --in myReq.der > myCert.der
```
--------------------------------
### Process Installed Packages
Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html
Logs the processing of installed Ubuntu packages and indicates if they are found or not. This is part of the IMV's assessment of the client's software.
```log
10[IMV] processing installed 'Ubuntu 20.04 x86_64' packages
10[IMV] package 'adduser' (3.118ubuntu2) not found
10[IMV] package 'apt' (2.0.4) not found
10[IMV] package 'base-files' (11ubuntu5.3) not found
10[IMV] package 'base-passwd' (3.5.47) not found
...
10[IMV] package 'tar' (1.30+dfsg-7ubuntu0.20.04.1) not found
10[IMV] package 'ubuntu-keyring' (2020.02.11.2) not found
10[IMV] package 'util-linux' (2.34-0.1ubuntu9.1) not found
10[IMV] package 'zlib1g' (1:1.2.11.dfsg-2ubuntu1.2) not found
10[IMV] IMV 1 handled PCKGS workitem 1: allow - processed 112 packages: 0 vulnerable, 0 blacklisted, 0 ok, 112 unknown
```
--------------------------------
### Creating PA-TNC Message with Installed Packages
Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html
Logs detailing the creation of a PA-TNC message containing installed package information and a segmentation contract response.
```log
05[IMC] package 'adduser' (3.118ubuntu2)
05[IMC] package 'apt' (2.0.4)
05[IMC] package 'base-files' (11ubuntu5.3)
05[IMC] package 'base-passwd' (3.5.47)
...
05[IMC] package 'tar' (1.30+dfsg-7ubuntu0.20.04.1)
05[IMC] package 'ubuntu-keyring' (2020.02.11.2)
05[IMC] package 'util-linux' (2.34-0.1ubuntu9.1)
05[IMC] package 'zlib1g' (1:1.2.11.dfsg-2ubuntu1.2)
05[TNC] creating PA-TNC message with ID 0x6e31e351
05[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
05[TNC] creating PA-TNC attribute type 'IETF/Installed Packages' 0x000000/0x00000007
05[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
```
--------------------------------
### Install Dependencies for NetworkManager strongSwan Plugin
Source: https://docs.strongswan.org/docs/latest/features/networkManager.html
Installs the required libraries for building the NetworkManager strongSwan GUI plugin. Use this command on Debian/Ubuntu-based systems.
```bash
apt-get install libnma-dev libgtk-3-dev libsecret-1-dev intltool
```
--------------------------------
### swanctl List Pools Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html
Lists loaded pool configurations using the swanctl tool.
```bash
swanctl --list-pools
```
--------------------------------
### Example swanctl.conf Connection Definition
Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html
An example output from 'swanctl --list-conns' showing a TNC connection with local and remote EAP_TTLS authentication configured.
```text
swanctl --list-conns
tnc: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: 192.168.0.2
local EAP_TTLS authentication:
eap_id: hacker
remote EAP_TTLS authentication:
id: server.strongswan.org
tnc: TUNNEL, rekeying every 3600s
local: dynamic
remote: 10.1.0.0/16 192.168.0.2/32
```
--------------------------------
### Placeholder Notation Example
Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html
Illustrates the dot-notation and generic placeholders used in documentation for configuration options.
```plaintext
connections..remote.auth=...
connections..children..local_ts=...
```