tnc-ifmap Plugin

Purpose

The tnc-ifmap plugin for libcharon enables a strongSwan VPN gateway to act as a Metadata Access Point (MAP) Client sending its Network Security Metadata via the SOAP 1.2 based TNC IF-MAP 2.2 interface to a MAP Server.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-tnc-ifmap

Configuration

The tnc-ifmap plugin is configured using the options defined in the charon.plugins.tnc-ifmap section of strongswan.conf.

Key Default Description [Default]

Key	Default	Description [Default]
client_cert		Path to X.509 certificate file of IF-MAP client
client_key		Path to private key file of IF-MAP client
device_name		Unique name of strongSwan server as a PEP and/or PDP device
renew_session_interval	`150`	Interval in seconds between periodic IF-MAP RenewSession requests
server_cert		Path to X.509 certificate file of IF-MAP server
server_uri	[→]	URI of the form `[https://]servername[:port][/path]`. `[https://localhost:8444/imap]`
username_password		Credentials of IF-MAP client of the form `username:password`. If set, make sure to adjust the permissions of the config file accordingly

client_cert

Path to X.509 certificate file of IF-MAP client

client_key

Path to private key file of IF-MAP client

device_name

Unique name of strongSwan server as a PEP and/or PDP device

renew_session_interval

150

Interval in seconds between periodic IF-MAP RenewSession requests

server_cert

Path to X.509 certificate file of IF-MAP server

server_uri

[→]

URI of the form [https://]servername[:port][/path]. [https://localhost:8444/imap]

username_password

Credentials of IF-MAP client of the form username:password. If set, make sure to adjust the permissions of the config file accordingly

TLS Options

The tnc-ifmap plugin uses the strongSwan libtls library that can be configured and fine-tuned with the following TLS options.

Examples

MAP Client with Public Key Authentication

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server_uri = \https://localhost:8444/
      server_cert = /etc/swanctl/x509/server.pem
      client_cert = /etc/swanctl/x509/client.pem
      client_key  = /etc/swanctl/rsa/client_key_file.pem
    }
  }
}

MAP Client with HTTP Basic Authentication

charon {
  plugins {
    tnc-ifmap {
      device_name = strongswan-gw
      server_uri = \https://localhost:8443/
      server_cert = /etc/swanctl/x509/server.pem
      username_password = strongswan:strongswan
    }
  }
}

Metadata

Currently a strongSwan VPN gateway acting as a Police Enforcement Point (PEP) and additionally as a Policy Decision Point (PDP) provides the following metadata to a MAP server:

Metadata	Description
device-ip	All IPv4 and IPv6 network interfaces the IPsec PEP listens on
access-request-ip	The IPv4 or IPv6 address of the remote access peer
authenticated-as	Identity of the remote access peer
authenticated-by	Device name of the PDP authenticating the remote access peer
capability	Group memberships of the remote access peer (assigned by RADIUS or TNCS)
enforcement-report	Report failed authentication of a remote access peer

Metadata

Description

device-ip

All IPv4 and IPv6 network interfaces the IPsec PEP listens on

access-request-ip

The IPv4 or IPv6 address of the remote access peer

authenticated-as

Identity of the remote access peer

authenticated-by

Device name of the PDP authenticating the remote access peer

capability

Group memberships of the remote access peer (assigned by RADIUS or TNCS)

enforcement-report

Report failed authentication of a remote access peer

Visualization

The strongSwan MAP client sends its metadata via the TNC IF-MAP 2.2 interface to an irond MAP server. The irongui MAP client is attached to the irond MAP server and visualizes the collected metadata.