### swanctl Install Policy Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Installs a trap or shunt policy using the swanctl tool. ```bash swanctl --install ``` -------------------------------- ### cert-enroll Installation Script Activation Source: https://docs.strongswan.org/docs/latest/tools/cert-enroll.html Example of activating installation scripts by creating symbolic links in the /etc/cert-enroll.d directory for specific services like Cockpit, Directory Server, and SSSD. ```bash # cd /etc/cert-enroll.d # ln -s cert-install-available/cert-install-cockpit cert-install.d # ln -s cert-install-available/cert-install-dirsrv cert-install.d # ln -s cert-install-available/cert-install-sssd cert-install.d ``` -------------------------------- ### Show swanctl --install Help Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlInstall.html Displays usage information for the swanctl --install command. ```bash swanctl --install --help ``` -------------------------------- ### Start the Testing Environment Source: https://docs.strongswan.org/docs/latest/devs/testingEnvironment.html Execute this script to start the KVM instances for the strongSwan testing environment. ```bash testing/start-testing ``` -------------------------------- ### Build and Install strongSwan Source: https://docs.strongswan.org/docs/latest/install/install.html Compile the strongSwan sources and install the binaries using make and sudo. ```bash make sudo make install ``` -------------------------------- ### swanctl List Policies Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Lists currently installed policies using the swanctl tool. ```bash swanctl --list-pols ``` -------------------------------- ### vici.conf Plugin Configuration Example Source: https://docs.strongswan.org/docs/latest/config/strongswanDir.html Example configuration snippet for the vici plugin, demonstrating how to set the load status and socket path. ```strongswan vici { # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes # Socket the vici plugin serves clients. # socket = unix://${piddir}/charon.vici } ``` -------------------------------- ### Kernel Command Line Example Source: https://docs.strongswan.org/docs/latest/tnc/pcrBootEvents.html Example of a kernel command line string used during the boot process, including root device and IMA parameters. ```text /boot/vmlinuz-5.13.0-44-generic ``` ```text kernel_cmdline: /boot/vmlinuz-5.13.0-44-generic root=UUID=956f1d5b-ce31-4ece-8c1f-90d0b11a02ee ro ima_tcb ima_hash=sha256 quiet splash vt.handoff=7 ``` -------------------------------- ### Example: Create and Configure VTI Devices Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html This example demonstrates the creation of two VTI devices (vti0 and ipsec0), disabling policy lookups, bringing them up, and adding static routes for specific subnets. ```bash ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 42 ip tunnel add ipsec0 local 192.168.0.1 remote 192.168.0.3 mode vti key 0x01000201 sysctl -w net.ipv4.conf.vti0.disable_policy=1 ip link set vti0 up ip route add 10.1.0.0/16 dev vti0 sysctl -w net.ipv4.conf.ipsec0.disable_policy=1 ip link set ipsec0 up ip route add 10.2.0.0/16 dev ipsec0 ip route add 10.3.0.0/16 dev ipsec0 ``` -------------------------------- ### Install strongSwan Package on FreeBSD Source: https://docs.strongswan.org/docs/latest/os/freebsd.html Use this command to install the strongSwan package using the pkg utility. ```bash pkg install strongswan ``` -------------------------------- ### Start cert-enroll Systemd Service for Initial Generation Source: https://docs.strongswan.org/docs/latest/tools/cert-enroll.html Use this command to manually start the cert-enroll service for the initial generation of the X.509 host certificate. ```bash # systemctl start cert-enroll.service ``` -------------------------------- ### SW-Collector Configuration Example Source: https://docs.strongswan.org/docs/latest/tnc/sw-collector.html Example configuration for the SW-Collector, specifying database, history log, first file, and REST API settings. ```strongswan.conf sw-collector { database = sqlite:///etc/pts/collector.db history = /var/log/apt/history.log first_file = /var/log/bootstrap.log first_time = 2016-04-22T20:55:14Z rest_api { uri = https://admin-user:strongSwan@tnc.example.com/api/ timeout = 120 } } ``` -------------------------------- ### Start strongSwan Systemd Service Source: https://docs.strongswan.org/docs/latest/daemons/charon-systemd.html Manually start the strongSwan service using systemctl. ```bash sudo systemctl start strongswan ``` -------------------------------- ### swanctl Help Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Shows usage, version, and plugin information for the swanctl tool. ```bash swanctl --help ``` -------------------------------- ### swanctl Initiate Connection Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Initiates a connection using the swanctl tool. ```bash swanctl --initiate ``` -------------------------------- ### Example: Create and Configure XFRM Interface 'ipsec0' Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html This example demonstrates creating an XFRM interface named 'ipsec0' with ID 42 using both `iproute2` and `xfrmi`, activating it, and adding routes for specific subnets. ```bash ip link add ipsec0 type xfrm if_id 42 # or if not supported by iproute2 yet: /usr/local/libexec/ipsec/xfrmi --name ipsec0 --id 42 ip link set ipsec0 up ip route add 10.1.0.0/16 dev ipsec0 ip route add 10.2.0.0/16 dev ipsec0 ``` -------------------------------- ### Install Dependencies for strongSwan NM Backend Source: https://docs.strongswan.org/docs/latest/features/networkManager.html Installs the required libraries for building the strongSwan NetworkManager backend. Use this command on Debian/Ubuntu-based systems. ```bash apt-get install libssl-dev libnm-dev ``` -------------------------------- ### Install charon-svc as a Windows Service Source: https://docs.strongswan.org/docs/latest/daemons/charon-svc.html Use the 'sc' utility to create and install the strongSwan IKE service on Windows. This command specifies the service name and the path to the executable. ```bash sc create "strongSwan IKE service" binPath= C:\path\to\charon-svc.exe ``` -------------------------------- ### Virtual IP Address Leases Output Example Source: https://docs.strongswan.org/docs/latest/interop/windowsUserServerStatus.html Example output showing assigned IPv4 and IPv6 virtual IP addresses, their status (online/offline), and the associated identity. ```text ipv4 10.10.1.64 1 / 1 / 62 10.10.1.65 offline 'C=CH, O=strongSec GmbH, CN=mijas.strongsec.com' 10.10.1.66 online 'andreas.steffen@strongsec.net' ipv6 2a02:168:4407:1:: 1 / 1 / 62 2a02:168:4407:1::1 offline 'C=CH, O=strongSec GmbH, CN=mijas.strongsec.com' 2a02:168:4407:1::2 online 'andreas.steffen@strongsec.net' ``` -------------------------------- ### swanctl Version Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Shows version information for the swanctl tool. ```bash swanctl --version ``` -------------------------------- ### Actual Configuration Syntax Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html Shows how the documented placeholder options translate into an actual configuration file syntax. ```plaintext connections { connection_a { remote { auth=... } children { child_1 { local_ts=... } } } } ``` -------------------------------- ### EAP-TTLS Tunnel Setup Request Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html The server requests EAP-TTLS authentication, triggering the client to start a TLS handshake. This is part of the EAP-TTLS tunnel setup. ```log 09[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (80 bytes) 09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] 09[IKE] server requested EAP_TTLS authentication (id 0x45) 09[TLS] EAP_TTLS version is v0 09[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] 09[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (272 bytes) ``` -------------------------------- ### Example Routing Entry Source: https://docs.strongswan.org/docs/latest/howtos/introduction.html This is an example of a routing entry that might be installed by the charon daemon. It specifies the destination subnet, the gateway, and the source IP address to be used for traffic to that subnet. ```text 10.1.0.0/24 via 10.2.0.1 src 10.2.0.2 ``` -------------------------------- ### Load or Reload All Credentials Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlLoadCreds.html This example demonstrates loading all credentials, such as an RSA private key and X.509 certificates. It shows the typical output messages indicating successful loading of certificates and keys from specified file paths. ```bash $ swanctl --load-creds loaded certificate from '/etc/swanctl/x509/carolCert.pem' loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem' loaded RSA key from '/etc/swanctl/rsa/carolKey.pem' ``` -------------------------------- ### sw-collector Log Output Example Source: https://docs.strongswan.org/docs/latest/tnc/swimaClient.html This snippet shows a typical log output from the sw-collector tool when processing apt history. It includes details about the operating system, log file parsing, and records of package installations, upgrades, and removals. ```log # sw-collector First-Date: 2021-02-17T01:05:01Z, eid = 1, epoch = 916780987 Last-Event: 2021-02-17T01:05:01Z, eid = 1, epoch = 916780987 processing "/etc/os-release" file operating system type is 'Ubuntu' operating system name is 'Ubuntu' operating system version is '20.04 x86_64' opened '/var/log/apt/history.log' Warning: 2021-02-17T01:05:11Z of first entry on level 0 is newer gzip: /var/log/apt/history.log.1.gz: No such file or directory Start-Date: 2021-02-17T01:05:11Z, eid = 2 Start-Date: 2021-02-17T01:05:20Z, eid = 3 ... Start-Date: 2021-02-17T01:18:43Z, eid = 93 Start-Date: 2021-02-17T01:18:54Z, eid = 94 Upgrade: apt (2.0.2, 2.0.4) +strongswan.org__Ubuntu_20.04-x86_64-apt-2.0.4 -strongswan.org__Ubuntu_20.04-x86_64-apt-2.0.2 bash (5.0-6ubuntu1, 5.0-6ubuntu1.1) +strongswan.org__Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1.1 -strongswan.org__Ubuntu_20.04-x86_64-bash-5.0-6ubuntu1 base-files (11ubuntu5, 11ubuntu5.3) +strongswan.org__Ubuntu_20.04-x86_64-base-files-11ubuntu5.3 -strongswan.org__Ubuntu_20.04-x86_64-base-files-11ubuntu5 ... Start-Date: 2022-05-11T07:31:09Z, eid = 95 Install: libmpc3 (1.1.0-1) +strongswan.org__Ubuntu_20.04-x86_64-libmpc3-1.1.0-1 ... tzdata (2022a-0ubuntu0.20.04) +strongswan.org__Ubuntu_20.04-x86_64-tzdata-2022a-0ubuntu0.20.04 Upgrade: gcc-10-base (10.2.0-5ubuntu1~20.04, 10.3.0-1ubuntu1~20.04) +strongswan.org__Ubuntu_20.04-x86_64-gcc-10-base-10.3.0-1ubuntu1~20.04 -strongswan.org__Ubuntu_20.04-x86_64-gcc-10-base-10.2.0-5ubuntu1~20.04 libstdc++6 (10.2.0-5ubuntu1~20.04, 10.3.0-1ubuntu1~20.04) +strongswan.org__Ubuntu_20.04-x86_64-libstdc~~6-10.3.0-1ubuntu1~20.04 -strongswan.org__Ubuntu_20.04-x86_64-libstdc~~6-10.2.0-5ubuntu1~20.04 Start-Date: 2022-05-11T09:33:27Z, eid = 96 Remove: libsqlite3-dev (3.31.1-4ubuntu0.3) -strongswan.org__Ubuntu_20.04-x86_64-libsqlite3-dev-3.31.1-4ubuntu0.3 ... dpkg-dev (1.19.7ubuntu3) -strongswan.org__Ubuntu_20.04-x86_64-dpkg-dev-1.19.7ubuntu3 Start-Date: 2022-05-11T09:33:30Z, eid = 97 Remove: libmpc3 (1.1.0-1) -strongswan.org__Ubuntu_20.04-x86_64-libmpc3-1.1.0-1 ... tzdata (2022a-0ubuntu0.20.04) -strongswan.org__Ubuntu_20.04-x86_64-tzdata-2022a-0ubuntu0.20.04 Merging: merged 173 installed packages, 173 registered in database ``` -------------------------------- ### GRUB Command Examples Source: https://docs.strongswan.org/docs/latest/tnc/pcrBootEvents.html Various GRUB commands used for setting parameters, saving environment variables, and loading modules. ```grub set timeout_style=menu ``` ```grub [ 10 = 0 ] ``` ```grub menuentry UEFI Firmware Settings --id uefi-firmware { fwsetup } ``` ```grub [ -f (hd0,gpt5)/boot/grub/custom.cfg ] ``` ```grub [ -z (hd0,gpt5)/boot/grub -a -f (hd0,gpt5)/boot/grub/custom.cfg ] ``` ```grub setparams Ubuntu ``` ```grub recordfail ``` ```grub set recordfail=1 ``` ```grub [ -n true ] ``` ```grub [ -z ] ``` ```grub save_env recordfail ``` ```grub load_video ``` ```grub [ xy = xy ] ``` ```grub insmod all_video ``` ```grub gfxmode keep ``` ```grub set gfxpayload=keep ``` ```grub [ keep = keep ] ``` ```grub set vt_handoff=vt.handoff=7 ``` ```grub insmod gzio ``` ```grub [ xefi = xxen ] ``` ```grub insmod part_gpt ``` ```grub insmod ext2 ``` ```grub [ xy = xy ] ``` ```grub search --no-floppy --fs-uuid --set=root 956f1d5b-ce31-4ece-8c1f-90d0b11a02ee ``` ```grub linux /boot/vmlinuz-5.13.0-44-generic root=UUID=956f1d5b-ce31-4ece-8c1f-90d0b11a02ee ro ima_tcb ima_hash=sha256 quiet splash vt.handoff=7 ``` -------------------------------- ### Example Software Identification (SWID) Tag Source: https://docs.strongswan.org/docs/latest/tnc/swima.html This XML snippet demonstrates the structure of a SWID tag, including software identity, entities, metadata, and payload with file details and SHA-256 hashes. It is useful for describing installed software packages and their integrity. ```xml ... ... ``` -------------------------------- ### Configure On-Demand External Addresses for Load Testing Source: https://docs.strongswan.org/docs/latest/plugins/load-tester.html Define address pools for installing unique external tunnel addresses on interfaces. This simulates real-world scenarios where each IKE SA gets a distinct IP. Ensure unused network services are shut down to prevent system slowdowns during tests. ```strongswan charon { # ... plugins { load-tester { # ... addrs { # install ~32K addresses on eth0 eth0 = 10.2.0.0/17 # and then ~32K addresses on eth1 eth1 = 10.2.128.0/17 } # install all addresses with a /16 prefix addrs_prefix = 16 } } } ``` -------------------------------- ### Configure Options for Windows Monolithic Build Source: https://docs.strongswan.org/docs/latest/os/windows.html This example shows a comprehensive set of configure options for building a monolithic strongSwan version on Windows. It includes flags for debugging, optimization, warnings, disabling defaults, enabling specific plugins, and setting paths for OpenSSL and configuration files. Use this when building from source on Windows or cross-compiling. ```bash CFLAGS="-g -O2 -Wall -Wno-pointer-sign -Wno-format-security \ -Wno-format -mno-ms-bitfields \ -I/c/path/to/openssl/include" \ LDFLAGS="-L/c/path/to/openssl/lib" \ ./configure --disable-defaults --enable-monolithic --enable-static \ --enable-svc --enable-ikev2 --enable-ikev1 \ --enable-nonce --enable-pem --enable-pkcs1 \ --enable-x509 --enable-openssl --enable-socket-win \ --enable-kernel-wfp --enable-kernel-iph --enable-pubkey \ --enable-swanctl --with-swanctldir=swanctl \ --with-strongswan-conf=strongswan.conf ``` -------------------------------- ### Install OpenSC Source: https://docs.strongswan.org/docs/latest/howtos/smartcards.html Install the OpenSC package, which provides PKCS#11 interface support for smart cards. ```bash sudo apt-get install opensc ``` -------------------------------- ### Install pcsc-tools and libccid Source: https://docs.strongswan.org/docs/latest/howtos/smartcards.html Install the necessary tools for smart card reader support on Debian-based systems. ```bash sudo apt-get install pcsc-tools libccid ``` -------------------------------- ### Basic Configuration Example Source: https://docs.strongswan.org/docs/latest/config/strongswanConf.html Illustrates a simple strongSwan configuration with nested sections and key-value pairs. ```plaintext a = b section-one { somevalue = asdf subsection { othervalue = xxx } # yei, a comment yetanother = zz } section-two { x = 12 } ``` -------------------------------- ### IMC Configuration Example Source: https://docs.strongswan.org/docs/latest/tnc/pt-tls-client.html Example configuration file for Integrity Measurement Collectors (IMCs) loaded by pt-tls-client. ```ini #IMC-Configuration IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so IMC "ATTESTATION" /usr/lib/ipsec/imcvs/imc-attestation.so ``` -------------------------------- ### Install Python/Django Dependencies Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html Installs essential Python 3 packages and development libraries required for strongTNC on Ubuntu. ```bash sudo apt install python3 python3-pip python3-dev libxml2-dev libxslt1-dev ``` -------------------------------- ### Show Supported Software Products Source: https://docs.strongswan.org/docs/latest/tnc/attest.html Lists supported software products, selectable by file path or its primary key. ```bash ipsec attest --products [--file |--fid ] ``` -------------------------------- ### sec-updater Configuration Example Source: https://docs.strongswan.org/docs/latest/tnc/sec-updater.html Shows how to configure the sec-updater tool and its SWID generator settings in strongswan.conf. ```ini sec-updater { database = sqlite:///etc/pts/config.db tnc_manage_command = /var/www/tnc/manage.py tmp { deb_file = /tmp/sec-updater.deb tag_file = /tmp/sec-updater.tag } } libimcv { swid_gen { command = /usr/local/bin/swid_generator tag_creator { name = strongSwan Project regid = strongswan.org } } } ``` -------------------------------- ### Install Apache Web Server with WSGI Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html Installs the Apache web server and the necessary WSGI module for strongTNC on Ubuntu. ```bash sudo apt install apache2 libapache2-mod-wsgi ``` -------------------------------- ### Display Help Source: https://docs.strongswan.org/docs/latest/pki/pkiOcsp.html Prints usage information and a short summary of the available options for the pki --ocsp command. ```bash pki --ocsp --help ``` -------------------------------- ### Install strongTNC Python Dependencies Source: https://docs.strongswan.org/docs/latest/tnc/strongTnc.html Installs the Python packages required by strongTNC, including updating Django if necessary, from the requirements.txt file. ```bash sudo pip3 install -r requirements.txt ``` -------------------------------- ### Configure Options for IMV Build Source: https://docs.strongswan.org/docs/latest/tnc/attestationServer.html Enable the OS IMV and Attestation IMV during the build process by using the --enable-imv-os and --enable-imv-attestation configure options. ```bash --enable-imv-os --enable-imv-attestation ``` -------------------------------- ### CSV Format Example Source: https://docs.strongswan.org/docs/latest/plugins/certexpire.html Example of the CSV format for trustchain expiration dates, including subject and intermediate CA expiration dates. ```text subject,subjectExpiration,ImCa1Expiration,ImCa2Expiration,RootCaExpiration ``` -------------------------------- ### Charon Daemon Startup and IMV Loading Source: https://docs.strongswan.org/docs/latest/tnc/attestationServer.html This log output shows the charon daemon starting up, loading IMVs from '/etc/tnc_config', and initializing both the 'OS' and 'Attestation' IMVs. It details the message types each IMV supports and their respective loaded paths. ```log 00[DMN] Starting IKE charon daemon (strongSwan 5.9.7, Linux 5.13.0-44-generic, x86_64) 00[TNC] TNC recommendation policy is 'default' 00[TNC] loading IMVs from '/etc/tnc_config' 00[TNC] added IETF attributes 00[TNC] added ITA-HSR attributes 00[TNC] added PWG attributes 00[TNC] added TCG attributes 00[PTS] added TCG functional component namespace 00[PTS] added ITA-HSR functional component namespace 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader' 00[PTS] added ITA-HSR functional component 'Trusted Boot' 00[PTS] added ITA-HSR functional component 'Linux IMA' 00[LIB] libimcv initialized 00[IMV] IMV 1 "OS" initialized 00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001 00[TNC] IMV 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imv-os.so' 00[IMV] IMV 2 "Attestation" initialized 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts' 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[openssl] available 00[PTS] mandatory PTS measurement algorithm HASH_SHA2_256[openssl] available 00[PTS] optional PTS measurement algorithm HASH_SHA2_384[openssl] available 00[PTS] optional PTS measurement algorithm HASH_SHA2_512[openssl] available 00[PTS] optional PTS DH group MODP_2048[openssl] available 00[PTS] optional PTS DH group MODP_1536[openssl] available 00[PTS] optional PTS DH group MODP_1024[openssl] available 00[PTS] mandatory PTS DH group ECP_256[openssl] available 00[PTS] optional PTS DH group ECP_384[openssl] available 00[TNC] IMV 2 supports 2 message types: 'TCG/PTS' 0x005597/0x00000001 'IETF/Operating System' 0x000000/0x00000001 00[TNC] IMV 2 "ATTESTATION" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so' ``` -------------------------------- ### Show Files by Product or Primary Key Source: https://docs.strongswan.org/docs/latest/tnc/attest.html Lists files associated with a software product name or its primary key. Use --product for name or --pid for ID. ```bash ipsec attest --files [--product |--pid ] ``` -------------------------------- ### EAP-TTLS Tunnel Setup - Initial Request Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html This snippet shows the initial EAP-TTLS request and response during the TLS handshake for tunnel setup. ```strongswan 14[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (80 bytes) 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] 14[IKE] server requested EAP_TTLS authentication (id 0x86) 14[TLS] EAP_TTLS version is v0 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ] 14[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (272 bytes) ``` -------------------------------- ### Synopsis of swanctl --load-conns Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlLoadConns.html Shows the basic syntax for loading connection configurations and how to access help. ```bash swanctl --load-conns [--file] swanctl --load-conns --help ``` -------------------------------- ### Install CHILD SA Policy Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlInstall.html Installs a trap, drop, or bypass policy for a specified CHILD SA. An optional IKE SA can be indicated. ```bash swanctl --install --child [--ike ] ``` -------------------------------- ### Install strongSwan via Homebrew Source: https://docs.strongswan.org/docs/latest/os/macos.html Use this command to install the latest release of strongSwan using Homebrew. This method is suitable for road-warrior access. ```bash $ brew install strongswan ``` -------------------------------- ### PB-TNC Connection Setup - Initial Data Batch Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html Logs detailing the TNC server receiving the initial PB-TNC Client Data batch, assigning a Connection ID, and creating states for OS and Scanner IMVs. ```log 08[NET] received packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (448 bytes) 08[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ] 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT] 08[TNC] assigned TNCCS Connection ID 2 08[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh 08[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes 08[IMV] user AR identity 'hacker' of type username authenticated by password 08[IMV] machine AR identity '192.168.0.3' of type IPv4 address authenticated by unknown method 08[IMV] IMV 2 "Scanner" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh 08[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes 08[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake' 08[IMV] IMV 2 "Scanner" changed state of Connection ID 2 to 'Handshake' ``` -------------------------------- ### Initialize TNC Database with strongSwan Template Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html Commands to create the TNC database directory and populate it using the strongSwan template SQL files. Requires 'sqlite3' to be available. ```bash $ sudo -s # mkdir /etc/pts # cd /usr/share/strongswan/templates/database/imv # cat tables.sql data.sql | sqlite3 /etc/pts/config.db ``` -------------------------------- ### Disable Route Installation in strongSwan Source: https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html Configure strongSwan to disable automatic route installation. This is necessary when using VTI devices for route-based VPNs. ```ini charon.install_routes = 0 ``` -------------------------------- ### SWID Generator Configuration Example Source: https://docs.strongswan.org/docs/latest/tnc/sw-collector.html Example configuration for the SWID Generator within the libimcv section, defining the command and tag creator details. ```strongswan.conf libimcv { swid_gen { command = /usr/local/bin/swid_generator tag_creator { name = strongSwan Project regid = strongswan.org } } } ``` -------------------------------- ### EAP-TTLS Tunnel Setup - Server Certificate Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html This snippet details the reception of the TLS server certificate and CA information during the EAP-TTLS tunnel setup. ```strongswan 06[NET] received packet: from 192.168.0.2[4500] to 192.168.0.3[4500] (896 bytes) 06[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] 06[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 06[TLS] received TLS server certificate 'C=CH, O=Cyber, CN=server.strongswan.org' 06[CFG] using certificate "C=CH, O=Cyber, CN=server.strongswan.org" 06[CFG] using trusted ca certificate "C=CH, O=Cyber, CN=Cyber Root CA" 06[CFG] reached self-signed root ca with a path length of 0 06[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] 06[NET] sending packet: from 192.168.0.3[4500] to 192.168.0.2[4500] (240 bytes) ``` -------------------------------- ### swanctl List Algorithms Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Lists loaded algorithms and their implementation details using the swanctl tool. ```bash swanctl --list-algs ``` -------------------------------- ### Build Android Source Tree Source: https://docs.strongswan.org/docs/latest/os/android.html Commands to set up the build environment and initiate the Android source tree build. Use '-j' to speed up compilation on multi-core machines. ```bash cd /path/to/android/source . build/envsetup.sh lunch make -j ``` -------------------------------- ### strongSwan Daemon Start Warning Source: https://docs.strongswan.org/docs/latest/plugins/save-keys.html This log message indicates that the strongSwan daemon has started and is saving IKE and ESP keys to the specified directory for Wireshark. ```log moon charon-systemd: 00[DMN] !! moon charon-systemd: 00[DMN] !! WARNING: SAVING IKE AND ESP KEYS TO '/root/.config/wireshark' moon charon-systemd: 00[DMN] !! moon charon-systemd: 00[LIB] loaded plugins: charon-systemd random nonce openssl pem pkcs1 revocation curl kernel-netlink socket-default updown vici save-keys ``` -------------------------------- ### PKI Tool Commands and Options Source: https://docs.strongswan.org/docs/latest/pki/pki.html Lists the available commands and global options for the pki tool. Use --help for command-specific options. ```bash pki command [options] commands: --gen (-g) generate a new private key --self (-s) create a self signed certificate --issue (-i) issue a certificate using a CA certificate and key --signcrl (-c) issue a CRL using a CA certificate and key --acert (-z) issue an attribute certificate --req (-r) create a PKCS#10 certificate request --pkcs7 (-7) PKCS#7 wrap/unwrap functions --pkcs12 (-u) PKCS#12 functions --keyid (-k) calculate key identifiers of a key/certificate --print (-a) print a credential in a human readable form --dn (-d) extract the subject DN of an X.509 certificate --pub (-p) extract the public key from a private key/certificate --verify (-V) verify a certificate using the CA certificate --scep (-S) Enroll an X.509 certificate with a SCEP server --scepca (-C) Get CA [and RA] certificate[s] from a SCEP server --est (-E) Enroll an X.509 certificate with an EST server --estca (-e) Get CA certificate[s] from an EST server --ocsp (-o) OCSP request parser and OCSP responder --help (-h) show usage, version and plugin information global options: --debug (-v) set debug level, default: 1 --options (-+) read command line options from file ``` -------------------------------- ### Issue an X.509 certificate using an options file Source: https://docs.strongswan.org/docs/latest/pki/pkiIssue.html Issue an X.509 certificate based on a PKCS#10 certificate request using an options file. This example specifies the options file, serial number, input type, and input file, outputting the generated certificate in DER format. ```bash pki --issue --options pki.opt --serial 01 --type pkcs10 --in myReq.der > myCert.der ``` -------------------------------- ### Process Installed Packages Source: https://docs.strongswan.org/docs/latest/tnc/tncServer.html Logs the processing of installed Ubuntu packages and indicates if they are found or not. This is part of the IMV's assessment of the client's software. ```log 10[IMV] processing installed 'Ubuntu 20.04 x86_64' packages 10[IMV] package 'adduser' (3.118ubuntu2) not found 10[IMV] package 'apt' (2.0.4) not found 10[IMV] package 'base-files' (11ubuntu5.3) not found 10[IMV] package 'base-passwd' (3.5.47) not found ... 10[IMV] package 'tar' (1.30+dfsg-7ubuntu0.20.04.1) not found 10[IMV] package 'ubuntu-keyring' (2020.02.11.2) not found 10[IMV] package 'util-linux' (2.34-0.1ubuntu9.1) not found 10[IMV] package 'zlib1g' (1:1.2.11.dfsg-2ubuntu1.2) not found 10[IMV] IMV 1 handled PCKGS workitem 1: allow - processed 112 packages: 0 vulnerable, 0 blacklisted, 0 ok, 112 unknown ``` -------------------------------- ### Creating PA-TNC Message with Installed Packages Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html Logs detailing the creation of a PA-TNC message containing installed package information and a segmentation contract response. ```log 05[IMC] package 'adduser' (3.118ubuntu2) 05[IMC] package 'apt' (2.0.4) 05[IMC] package 'base-files' (11ubuntu5.3) 05[IMC] package 'base-passwd' (3.5.47) ... 05[IMC] package 'tar' (1.30+dfsg-7ubuntu0.20.04.1) 05[IMC] package 'ubuntu-keyring' (2020.02.11.2) 05[IMC] package 'util-linux' (2.34-0.1ubuntu9.1) 05[IMC] package 'zlib1g' (1:1.2.11.dfsg-2ubuntu1.2) 05[TNC] creating PA-TNC message with ID 0x6e31e351 05[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022 05[TNC] creating PA-TNC attribute type 'IETF/Installed Packages' 0x000000/0x00000007 05[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001 ``` -------------------------------- ### Install Dependencies for NetworkManager strongSwan Plugin Source: https://docs.strongswan.org/docs/latest/features/networkManager.html Installs the required libraries for building the NetworkManager strongSwan GUI plugin. Use this command on Debian/Ubuntu-based systems. ```bash apt-get install libnma-dev libgtk-3-dev libsecret-1-dev intltool ``` -------------------------------- ### swanctl List Pools Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctl.html Lists loaded pool configurations using the swanctl tool. ```bash swanctl --list-pools ``` -------------------------------- ### Example swanctl.conf Connection Definition Source: https://docs.strongswan.org/docs/latest/tnc/tncClient.html An example output from 'swanctl --list-conns' showing a TNC connection with local and remote EAP_TTLS authentication configured. ```text swanctl --list-conns tnc: IKEv2, no reauthentication, rekeying every 14400s local: %any remote: 192.168.0.2 local EAP_TTLS authentication: eap_id: hacker remote EAP_TTLS authentication: id: server.strongswan.org tnc: TUNNEL, rekeying every 3600s local: dynamic remote: 10.1.0.0/16 192.168.0.2/32 ``` -------------------------------- ### Placeholder Notation Example Source: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html Illustrates the dot-notation and generic placeholders used in documentation for configuration options. ```plaintext connections..remote.auth=... connections..children..local_ts=... ```