Hi Mario,

if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
do remote attestation via the PT-TLS protocol. On the client side you
can use the strongSwan pt-tls-client and on the server side add the
tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
charon daemon.

Regards

Andreas

On 15.11.2017 23:22, Mario Maldonado wrote:
Hi all,

I wish to use StrongSwan for remote attestation through a Cisco ASA, e.g.:
StrongSwan gateway ====192.168.0.0/24==== ASA ====192.168.1.0/24==== Device

With no ASA I have successfully configured StrongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure
a StrongSwan connection to the ASA, giving me access to the
192.168.0.0/24 subnet. I am then unable to bring
up the attestation connection. I was hoping it would set up a tunnel
within the ASA tunnel but from what I understand IKE traffic is exempt
from the negotiated tunnel (preventing nested tunnels) and then blocked
by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use StrongSwan for TNC integrity measurement without the TLS
tunnel? This way the TPM and IMA measurements can be sent through the
ASA tunnel with no issues. From looking around the docs it looks like
the only way of performing remote attestation is with the EAP-TTLS
plugin? This would also be ideal as the traffic only has to be decrypted
once by the device.

Many thanks,

Mario

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
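As an added illustration of the PT-TLS setup Andreas describes (this is not configuration from his reply or from the strongSwan project), here is what the two ends could look like. The option names are taken from my reading of the strongswan.conf(5) man page for the tnc-pdp plugin and of pt-tls-client(8); check them against the version you have installed. Host names, identities, paths and the secret are placeholders. The one firewall point that follows from the thread: since PT-TLS is plain TCP on port 271 inside the ASA tunnel, the ASA's tunnel ACL has to permit that port from the device subnet to the strongSwan gateway, whereas the nested IKE/ESP that failed before is not needed at all.

```conf
# Server side: /etc/strongswan.conf on the strongSwan gateway.
# Added example, not from the original thread; keys assumed from strongswan.conf(5).
charon {
    plugins {
        tnc-pdp {
            # Name the PDP presents to clients; its certificate and key
            # are loaded the usual way (ipsec.secrets or swanctl).
            server = pdp.example.org            # placeholder host name

            # Only the PT-TLS transport is needed here; no RADIUS clients
            # are involved, so leave that listener off.
            radius {
                enable = no
            }

            # Listen for PT-TLS on the IANA-assigned port mentioned in the reply.
            pt_tls {
                enable = yes
                port = 271
            }
        }
    }
}

# Client side: the IMCs the device loads are declared in /etc/tnc_config
# (format assumed from the strongSwan TNC documentation; path is a placeholder):
#
#   IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
#
# and the measurement run is started with the strongSwan pt-tls-client over
# the existing ASA tunnel, authenticating with a placeholder identity and
# secret (or --cert/--key for certificate-based client authentication):
#
#   pt-tls-client --connect pdp.example.org --port 271 \
#                 --client device1 --secret 'REPLACE_ME' --debug 2
```

The same TPM/IMA measurements that the EAP-TTLS path carried inside IKE are now carried by the IMC over PT-TLS; the only change on the network side is allowing TCP/271 through the ASA policy for the tunnel.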
