Added tnc docker directory

Author: strongX509

README.md

@@ -2,8 +2,9 @@
 A collection of docker image build files:
 
 * [strongswan](strongswan): A strongSwan 5.x IKEv2 Daemon with a VICI interface
-* [pq-strongswan](pq-strongswan) A strongSwan 6.0dr Post-Quantum IKEv2 Daemon
+* [pq-strongswan](pq-strongswan): A strongSwan 6.0dr Post-Quantum IKEv2 Daemon
 * [tpm](tpm): Use the IBM TPM 2.0 simulator with the `tpm2-tools`
+* [tnc](tnc): A strongSwan TNC client and a TNC server
 
 Author:  [Andreas Steffen][AS] [CC BY 4.0][CC]
 

tnc/Dockerfile.client

@@ -0,0 +1,43 @@
+FROM ubuntu:20.04
+MAINTAINER Andreas Steffen <[email protected]>
+ENV VERSION="5.9.5"
+ENV TZ="Europe/Zurich"
+ENV TMPL="/usr/share/strongswan/templates/database/sw-collector"
+
+RUN \
+  # set timezone
+  ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
+  # install packages
+  DEV_PACKAGES="wget make gcc libssl-dev libsqlite3-dev pkg-config libjson-c-dev" && \
+  apt-get -y update && \
+  apt-get -y install iproute2 iputils-ping nano sqlite3 libjson-c4 net-tools $DEV_PACKAGES && \
+  \
+  # download and build strongSwan IKEv2 daemon
+  mkdir /strongswan-build && \
+  cd /strongswan-build && \
+  wget https://download.strongswan.org/strongswan-$VERSION.tar.bz2 && \
+  tar xfj strongswan-$VERSION.tar.bz2 && \
+  cd strongswan-$VERSION && \
+  ./configure --prefix=/usr --sysconfdir=/etc --disable-defaults        \
+    --enable-charon --enable-ikev2 --enable-nonce --enable-random       \
+    --enable-openssl --enable-pkcs1 --enable-pkcs8 --enable-pkcs12      \
+    --enable-pem --enable-x509 --enable-pubkey --enable-constraints     \
+    --enable-pki --enable-socket-default --enable-kernel-netlink        \
+    --enable-eap-identity --enable-eap-md5 --enable-eap-ttls            \
+    --enable-eap-tnc --enable-updown --enable-vici --enable-drbg        \
+    --enable-swanctl --enable-resolve --enable-silent-rules             \
+    --enable-tnccs-20 --enable-tnc-imc --enable-sqlite                  \
+    --enable-imc-os --enable-imc-swima --enable-imc-scanner          && \
+   make all && make install && \
+   cd / && rm -R strongswan-build && \
+   ln -s /usr/libexec/ipsec/charon charon && mkdir /etc/pts && \
+   cat $TMPL/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db && \ 
+   \
+   # clean up
+   apt-get -y remove $DEV_PACKAGES && \
+   apt-get -y autoremove && \
+   apt-get clean && \
+   rm -rf /var/lib/apt/lists/*
+
+# Expose IKE and NAT-T ports
+EXPOSE 500 4500

tnc/Dockerfile.server

@@ -0,0 +1,44 @@
+FROM ubuntu:20.04
+MAINTAINER Andreas Steffen <[email protected]>
+ENV VERSION="5.9.5"
+ENV TZ="Europe/Zurich"
+ENV TMPL="/usr/share/strongswan/templates/database/imv"
+
+RUN \
+  # set timezone
+  ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
+  # install packages
+  DEV_PACKAGES="wget make gcc libssl-dev libsqlite3-dev pkg-config libjson-c-dev" && \
+  apt-get -y update && \
+  apt-get -y install iproute2 iputils-ping nano sqlite3 libjson-c4 $DEV_PACKAGES && \
+  \
+  # download and build strongSwan IKEv2 daemon
+  mkdir /strongswan-build && \
+  cd /strongswan-build && \
+  wget https://download.strongswan.org/strongswan-$VERSION.tar.bz2 && \
+  tar xfj strongswan-$VERSION.tar.bz2 && \
+  cd strongswan-$VERSION && \
+  ./configure --prefix=/usr --sysconfdir=/etc --disable-defaults        \
+    --enable-charon --enable-ikev2 --enable-nonce --enable-random       \
+    --enable-openssl --enable-pkcs1 --enable-pkcs8 --enable-pkcs12      \
+    --enable-pem --enable-x509 --enable-pubkey --enable-constraints     \
+    --enable-pki --enable-socket-default --enable-kernel-netlink        \
+    --enable-eap-identity --enable-eap-md5 --enable-eap-ttls            \
+    --enable-eap-tnc --enable-updown --enable-vici --enable-drbg        \
+    --enable-swanctl --enable-resolve --enable-silent-rules             \
+    --enable-tnccs-20 --enable-tnc-imv --enable-sqlite --enable-imv-os  \
+    --enable-imv-swima --enable-imv-scanner --enable-imv-attestation && \
+   make all && make install && \
+   cd / && rm -R strongswan-build && \
+   ln -s /usr/libexec/ipsec/charon charon && mkdir /etc/pts && \
+   TMPL="/usr/share/strongswan/templates/database/imv" && \
+   cat $TMPL/tables.sql $TMPL/data.sql | sqlite3 /etc/pts/config.db && \ 
+   \
+   # clean up
+   apt-get -y remove $DEV_PACKAGES && \
+   apt-get -y autoremove && \
+   apt-get clean && \
+   rm -rf /var/lib/apt/lists/*
+
+# Expose IKE and NAT-T ports
+EXPOSE 500 4500

tnc/README.md

@@ -0,0 +1,159 @@
+# tnc
+
+Build and run both a TNC Client and a TNC Server collocated with a [strongSwan][STRONGSWAN]
+IKEv2 Daemon managed via the Versatile IKE Control Interface (VICI).
+
+[STRONGSWAN]: https://www.strongswan.org
+
+## Pull Docker Images
+
+```
+$ docker pull strongx509/tnc-client
+$ docker pull strongX509/tnc-server
+```
+
+## Build Docker Image
+
+Alternatively the docker image can be built from scratch in the `tnc` directory with
+```console
+$ docker build -f Dockerfile.client -t strongx509/tnc-client .
+$ docker build -f Dockerfile.server -t strongx509/tnc-server .
+
+```
+The build rules are defined in [Dockerfile.client](Dockerfile.client) and
+[Dockerfile.server](Dockerfile.server), respectively.
+
+## Create Docker Containers and Local Networks
+
+
+```
+               +----------------+                        +----------------+
+  10.3.0.1 --- | VPN/TNC Client | === 192.168.0.0/24 === | VPN/TNC Server | --- 10.1.0.0/16
+ Virtual IP    +----------------+ .3     Internet     .2 +----------------+ .2    Intranet
+```
+The two docker containers `tnc-server` and  `tnc-client` as well as the local networks
+`strongswan_internet` and `strongswan_intranet` are created with the command
+```console
+$ docker-compose up
+Creating tnc-server ... done
+Creating tnc-client ... done
+Attaching to tnc-server, tnc-client
+
+```
+with the setup defined in [docker-compose.yml](docker-compose.yml).
+
+In an additional console window we open a `bash` shell to start and manage the strongSwan `charon` daemon in the `tnc-server` container
+```console
+server$ docker exec -ti tnc-server /bin/bash
+server# ./charon &
+# ./charon &
+00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.13.0-35-generic, x86_64)
+00[TNC] TNC recommendation policy is 'default'
+00[TNC] loading IMVs from '/etc/tnc_config'
+00[TNC] added IETF attributes
+00[TNC] added ITA-HSR attributes
+00[TNC] added PWG attributes
+00[TNC] added TCG attributes
+00[LIB] libimcv initialized
+00[IMV] IMV 1 "OS" initialized
+00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
+00[TNC] IMV 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imv-os.so'
+00[IMV] IMV 2 "Scanner" initialized
+00[TNC] IMV 2 supports 1 message type: 'IETF/Firewall' 0x000000/0x00000005
+00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
+```
+The `OS` and `Scanner` Integrity Measurement Verifiers (`IMVs`) are loaded since
+they have been enabled in `/etc/tnc_config`.
+```console
+00[LIB] loaded plugins: charon random nonce x509 constraints pubkey pkcs1 pkcs8 pkcs12 pem openssl drbg sqlite kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-ttls eap-tnc tnc-imv tnc-tnccs tnccs-20
+00[JOB] spawning 16 worker threads
+
+00[DMN] executing start script 'creds' (swanctl --load-creds)
+01[CFG] loaded certificate 'C=CH, O=Cyber, CN=server.strongswan.org'
+08[CFG] loaded certificate 'C=CH, O=Cyber, CN=Cyber Root CA'
+12[CFG] loaded ECDSA private key
+16[CFG] loaded EAP shared key with id 'eap-jane' for: 'jane'
+09[CFG] loaded EAP shared key with id 'eap-hacker' for: 'hacker'
+00[DMN] creds: loaded certificate from '/etc/swanctl/x509/serverCert.pem'
+00[DMN] creds: loaded certificate from '/etc/swanctl/x509ca/caCert.pem'
+00[DMN] creds: loaded ECDSA key from '/etc/swanctl/ecdsa/serverKey.pem'
+00[DMN] creds: loaded eap secret 'eap-jane'
+00[DMN] creds: loaded eap secret 'eap-hacker'
+
+00[DMN] executing start script 'conns' (swanctl --load-conns)
+07[CFG] added vici connection: tnc
+00[DMN] conns: loaded connection 'tnc'
+00[DMN] conns: successfully loaded 1 connections, 0 unloaded
+
+00[DMN] executing start script 'pools' (swanctl --load-pools)
+08[CFG] added vici pool rw_pool: 10.3.0.0, 254 entries
+00[DMN] pools: loaded pool 'rw_pool'
+00[DMN] pools: successfully loaded 1 pools, 0 unloaded
+```
+And in a third console window we open a `bash`shell to start and manage the strongSwan `charon` daemon in the `tnc-client` container
+```console
+client$ docker exec -ti tnc-client /bin/bash
+client# ./charon &
+00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.13.0-35-generic, x86_64)
+00[TNC] loading IMCs from '/etc/tnc_config'
+00[TNC] added IETF attributes
+00[TNC] added ITA-HSR attributes
+00[TNC] added PWG attributes
+00[TNC] added TCG attributes
+00[LIB] libimcv initialized
+00[IMC] IMC 1 "OS" initialized
+00[IMC] processing "/etc/os-release" file
+00[IMC] operating system type is 'Ubuntu'
+00[IMC] operating system name is 'Ubuntu'
+00[IMC] operating system version is '20.04 x86_64'
+00[TNC] IMC 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
+00[TNC] IMC 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'
+00[IMC] IMC 2 "Scanner" initialized
+00[TNC] IMC 2 supports 1 message type: 'IETF/Firewall' 0x000000/0x00000005
+00[TNC] IMC 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imc-scanner.so'
+```
+The `OS` and `Scanner` Integrity Measurement Collectors (`IMCs`) are loaded since
+they have been enabled in `/etc/tnc_config`.
+```console
+00[LIB] loaded plugins: charon random nonce x509 constraints pubkey pkcs1 pkcs8 pkcs12 pem openssl drbg sqlite kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
+00[JOB] spawning 16 worker threads
+
+00[DMN] executing start script 'creds' (swanctl --load-creds)
+01[CFG] loaded certificate 'C=CH, O=Cyber, CN=client.strongswan.org'
+09[CFG] loaded certificate 'C=CH, O=Cyber, CN=Cyber Root CA'
+11[CFG] loaded ECDSA private key
+01[CFG] loaded EAP shared key with id 'eap-hacker' for: 'hacker'
+00[DMN] creds: loaded certificate from '/etc/swanctl/x509/clientCert.pem'
+00[DMN] creds: loaded certificate from '/etc/swanctl/x509ca/caCert.pem'
+00[DMN] creds: loaded ECDSA key from '/etc/swanctl/ecdsa/clientKey.pem'
+00[DMN] creds: loaded eap secret 'eap-hacker'
+
+00[DMN] executing start script 'conns' (swanctl --load-conns)
+05[CFG] added vici connection: tnc
+00[DMN] conns: loaded connection 'tnc'
+00[DMN] conns: successfully loaded 1 connections, 0 unloaded
+no pools found, 0 unloaded
+```
+The setup defines the EAP-TTLS-based configuration `tnc` .
+```console
+client# swanctl --list-conns
+```
+```console
+tnc: IKEv2, no reauthentication, rekeying every 14400s
+  local:  %any
+  remote: 192.168.0.2
+  local EAP_TTLS authentication:
+    eap_id: client.strongswan.org
+  remote EAP_TTLS authentication:
+    id: server.strongswan.org
+  tnc: TUNNEL, rekeying every 3600s
+    local:  dynamic
+    remote: 10.1.0.0/16 192.168.0.2/32
+
+```
+
+Author:  [Andreas Steffen][AS] [CC BY 4.0][CC]
+
+[AS]: mailto:[email protected]
+[CC]: http://creativecommons.org/licenses/by/4.0/
+

tnc/caKey.pem

@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAjNX0721bMFzAxAkJBDgi0rZS42Z2f+ioWQL2gdVke1+/vuI6pvOs0
+ozsASY+GmOigBwYFK4EEACKhZANiAARpFOA0dr+prcP+aO8ev8Kvh/bQoeIbOVqs
+BeecOQNSdPv9gShYECiFiokU4565RzV2wiFdAU39VUs/4bJ/SlK7bvY3HuMDcjAR
+FXXZbtxXbdg1QlWk1alja3rVRaId6Hg=
+-----END EC PRIVATE KEY-----

tnc/client/ecdsa/clientKey.pem

@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBMPJ2vR/MPIxvNxCtI4jwU+vEykd8OVbqF88h7kmwZg62Jszj0j06b
+7k3Tim2KKTigBwYFK4EEACKhZANiAATtv3hJtqlsOU1CciT03FFi0S+BMWhDCove
+OLlLBY2xE/Cic+s//fLn7g3UzEG2DPdB++7emFOMlnKBRnhg3sbxejiRFdnjwILZ
+xWo/htyKoB1zbU2ALmjdZV+rQLGZPec=
+-----END EC PRIVATE KEY-----

tnc/client/swanctl.conf

@@ -0,0 +1,36 @@
+connections {
+
+   tnc {
+      remote_addrs = 192.168.0.2
+      vips = 0.0.0.0
+
+      local {
+         auth = eap-ttls
+         # used with certificate-based EAP-TLS client authenticaton
+         eap_id = client.strongswan.org
+         # used with password-based EAP-MD5 client authentication
+         # eap_id = hacker
+      }
+      remote {
+         auth = eap-ttls
+         id = server.strongswan.org
+      }
+      children {
+         tnc {
+            remote_ts = 10.1.0.0/16,192.168.0.2
+            esp_proposals = aes256gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-x25519
+      send_certreq = no
+   }
+}
+
+ secrets {
+
+   eap-hacker {
+      id = hacker
+      secret = K8FW9/N0VIAJ
+   }
+}

tnc/client/x509/clientCert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/zCCAYWgAwIBAgIICmApmnHxbpUwCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIw
+MDMwOTEzNTkwNloXDTI0MDMwOTEzNTkwNlowPTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMR4wHAYDVQQDExVjbGllbnQuc3Ryb25nc3dhbi5vcmcwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATtv3hJtqlsOU1CciT03FFi0S+BMWhDCoveOLlLBY2x
+E/Cic+s//fLn7g3UzEG2DPdB++7emFOMlnKBRnhg3sbxejiRFdnjwILZxWo/htyK
+oB1zbU2ALmjdZV+rQLGZPeejWjBYMB8GA1UdIwQYMBaAFLjSYIqHz0jucV3YUSAj
+WsGq5feyMCAGA1UdEQQZMBeCFWNsaWVudC5zdHJvbmdzd2FuLm9yZzATBgNVHSUE
+DDAKBggrBgEFBQcDAjAKBggqhkjOPQQDAwNoADBlAjACrgXJrY3RoERgbfD++vvY
+8If1P9acT4JDbcTsLNDCgrqooCpU6nawP7Vp5eEbkyoCMQCr+VshJEge7smR6jkZ
+VAqo4N5Zm/GWqCgfJVsmtlie1o4m+cwhpiM2axUIA0osTP8=
+-----END CERTIFICATE-----

tnc/client/x509ca/caCert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB3zCCAWWgAwIBAgIIWWpjqeLZ9K8wCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIw
+MDMwOTEyMDIwOVoXDTMwMDMwOTEyMDIwOVowNTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEaRTgNHa/qa3D/mjvHr/Cr4f20KHiGzlarAXnnDkDUnT7/YEoWBAo
+hYqJFOOeuUc1dsIhXQFN/VVLP+Gyf0pSu272Nx7jA3IwERV12W7cV23YNUJVpNWp
+Y2t61UWiHeh4o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd
+BgNVHQ4EFgQUuNJgiofPSO5xXdhRICNawarl97IwCgYIKoZIzj0EAwMDaAAwZQIw
+PR1T8MHS+aV9qSueIE9QfPRgEVyvuaz2g4q7DN51SUfypjYoAX+B6BqiR7vfgY2Y
+AjEA65R8XZy0N6LEYgAEPPbQSyCdJudoa4MwidaomSwwgiVDePN356onk/lhURmE
+QBaZ
+-----END CERTIFICATE-----

tnc/docker-compose.yml

@@ -0,0 +1,51 @@
+version: "3"
+
+services:
+  vpn-server:
+    image: strongx509/tnc-server:5.9.5
+    container_name: tnc-server
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_MODULE
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./server:/etc/swanctl
+      - ./strongswan.conf.server:/etc/strongswan.conf
+      - ./tnc_config.server:/etc/tnc_config
+    networks:
+      internet:
+         ipv4_address: 192.168.0.2
+      intranet:
+         ipv4_address: 10.1.0.2
+  vpn-client:
+    image: strongx509/tnc-client:5.9.5
+    container_name: tnc-client
+    depends_on:
+      - vpn-server
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_MODULE
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./client:/etc/swanctl
+      - ./strongswan.conf.client:/etc/strongswan.conf
+      - ./tnc_config.client:/etc/tnc_config
+    networks:
+      internet:
+         ipv4_address: 192.168.0.3
+
+networks:
+  internet:
+    ipam:
+      driver: default 
+      config:
+        - subnet: 192.168.0.0/24
+  intranet:
+     ipam:
+        driver: default
+        config:
+          - subnet: 10.1.0.0/16