PRE-TEST

moon# iptables-restore < /etc/iptables.rules

carol# iptables-restore < /etc/iptables.rules

dave# iptables-restore < /etc/iptables.rules

winnetou# ip route add 10.1.0.0/16 via 192.168.0.1

alice# cat /etc/tnc_config
#IMV configuration file for strongSwan client 

IMV "HCD"	/usr/local/lib/ipsec/imcvs/imv-hcd.so

carol# cat /etc/tnc_config
#IMC configuration file for strongSwan client 

IMC "OS"	/usr/local/lib/ipsec/imcvs/imc-os.so
IMC "HCD"	/usr/local/lib/ipsec/imcvs/imc-hcd.so

dave# cat /etc/tnc_config
#IMC configuration file for strongSwan client 

IMC "OS"	/usr/local/lib/ipsec/imcvs/imc-os.so
IMC "HCD"	/usr/local/lib/ipsec/imcvs/imc-hcd.so

carol# echo 0 > /proc/sys/net/ipv4/ip_forward

dave# echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id

alice# rm /etc/swanctl/rsa/aliceKey.pem

alice# rm /etc/swanctl/x509/aliceCert.pem

alice# systemctl start strongswan

moon# systemctl start strongswan

carol# systemctl start strongswan

dave# systemctl start strongswan

moon# expect-connection rw-allow

moon# expect-connection rw-isolate

carol# expect-connection home

carol# swanctl --initiate --child home 2> /dev/null
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (592 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (592 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] establishing CHILD_SA home{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (288 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1236 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (516 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1680 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG] certificate status is good
[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_TTLS authentication (id 0xED)
[TLS] EAP_TTLS version is v0
[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (256 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1104 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1104 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (592 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[TLS] received TLS server certificate 'C=CH, O=strongSwan Project, CN=aaa.strongswan.org'
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG]   using cached crl
[CFG] certificate status is good
[TLS] received TLS cert request for 'C=CH, O=strongSwan Project, CN=strongSwan Root CA
[TLS] sending TLS client certificate 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org'
[TLS] created signature with RSA_PSS_RSAE_SHA256
[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (128 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (256 bytes)
[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
[IKE] server requested EAP_IDENTITY authentication (id 0x00)
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (192 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (176 bytes)
[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[IKE] server requested EAP_PT_EAP authentication (id 0xAB)
[TLS] EAP_PT_EAP version is v1
[TNC] assigned TNCCS Connection ID 1
[IMC] operating system numeric version is 1.0
[IMC] last boot: Mar 10 18:48:02 UTC 2025, 4320 s ago
[IMC] IPv4 forwarding is disabled
[IMC] factory default password is enabled
[IMC] device ID is 83d6a18fd8224225a4fdccfa268cc1bd
[TNC] creating PA-TNC message with ID 0x81c8755a
[TNC] creating PA-TNC message with ID 0xc8e13310
[TNC] creating PA-TNC message with ID 0xd4367f11
[TNC] creating PA-TNC message with ID 0xf690ddfa
[TNC] creating PA-TNC message with ID 0x3cfe7b0d
[TNC] creating PA-TNC message with ID 0xa81fa73d
[TNC] creating PA-TNC message with ID 0xc5618f1a
[TNC] sending PB-TNC CDATA batch (716 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (880 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (768 bytes)
[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (602 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] PDP server 'aaa.strongswan.org' is listening on port 271
[TNC] processing PA-TNC message with ID 0x14b364d6
[TNC] creating PA-TNC message with ID 0x5bbf7bf8
[TNC] creating PA-TNC message with ID 0xea4aa52c
[TNC] processing PA-TNC message with ID 0xce9d9431
[TNC] creating PA-TNC message with ID 0xf58cb962
[TNC] processing PA-TNC message with ID 0xe3cc3987
[TNC] creating PA-TNC message with ID 0xdd5d6167
[TNC] processing PA-TNC message with ID 0x9c963ef9
[TNC] creating PA-TNC message with ID 0x5c2da2d7
[TNC] processing PA-TNC message with ID 0xc5f7a59b
[TNC] creating PA-TNC message with ID 0x50615d7f
[TNC] processing PA-TNC message with ID 0xa7b2ba32
[TNC] creating PA-TNC message with ID 0xd8eb4136
[TNC] sending PB-TNC CDATA batch (1600 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 11 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (752 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (224 bytes)
[ENC] parsed IKE_AUTH response 11 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (56 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] processing PA-TNC message with ID 0xb315da72
[TNC] creating PA-TNC message with ID 0x480414cc
[TNC] sending PB-TNC CDATA batch (779 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 12 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (944 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (176 bytes)
[ENC] parsed IKE_AUTH response 12 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (8 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] sending PB-TNC CDATA batch (1600 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 13 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 13 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 14 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (752 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (224 bytes)
[ENC] parsed IKE_AUTH response 14 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (56 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] processing PA-TNC message with ID 0x61644d29
[TNC] creating PA-TNC message with ID 0x9462d4e4
[TNC] sending PB-TNC CDATA batch (271 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 15 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (448 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (176 bytes)
[ENC] parsed IKE_AUTH response 15 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (8 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 16 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (176 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (272 bytes)
[ENC] parsed IKE_AUTH response 16 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (95 bytes)
[TNC] processing PB-TNC RESULT batch for Connection ID 1
[TNC] PB-TNC assessment result is 'non-compliant major'
[TNC] PB-TNC access recommendation is 'Access Denied'
[TNC] reason string is 'Mandatory HCD attributes are missing' [en]
[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 17 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (176 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (160 bytes)
[ENC] parsed IKE_AUTH response 17 [ EAP/REQ/TTLS ]
[TLS] received TLS close notify
[TLS] sending TLS close notify
[ENC] generating IKE_AUTH request 18 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (160 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 18 [ EAP/FAIL ]
[IKE] received EAP_FAILURE, EAP authentication failed
[ENC] generating INFORMATIONAL request 19 [ N(AUTH_FAILED) ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes)
[TNC] removed TNCCS Connection ID 1

dave# expect-connection home

dave# swanctl --initiate --child home 2> /dev/null
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.0.200[500] to 192.168.0.1[500] (592 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.200[500] (592 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] establishing CHILD_SA home{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (288 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1236 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (516 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1680 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG] certificate status is good
[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_TTLS authentication (id 0x3C)
[TLS] EAP_TTLS version is v0
[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1104 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1104 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (592 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[TLS] received TLS server certificate 'C=CH, O=strongSwan Project, CN=aaa.strongswan.org'
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=aaa.strongswan.org"
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG]   using cached crl
[CFG] certificate status is good
[TLS] received TLS cert request for 'C=CH, O=strongSwan Project, CN=strongSwan Root CA
[TLS] sending TLS client certificate 'C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org'
[TLS] created signature with RSA_PSS_RSAE_SHA256
[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (128 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (256 bytes)
[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
[IKE] server requested EAP_IDENTITY authentication (id 0x00)
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (192 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (176 bytes)
[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[IKE] server requested EAP_PT_EAP authentication (id 0xA1)
[TLS] EAP_PT_EAP version is v1
[TNC] assigned TNCCS Connection ID 1
[IMC] operating system numeric version is 1.1
[IMC] last boot: Mar 10 18:48:04 UTC 2025, 4320 s ago
[IMC] IPv4 forwarding is enabled
[IMC] factory default password is disabled
[IMC] device ID is aabbccddeeff11223344556677889900
[TNC] creating PA-TNC message with ID 0x2cc55469
[TNC] creating PA-TNC message with ID 0x188e4577
[TNC] creating PA-TNC message with ID 0xc6124313
[TNC] creating PA-TNC message with ID 0x4fcedccb
[TNC] creating PA-TNC message with ID 0x3d39c386
[TNC] creating PA-TNC message with ID 0x472d6731
[TNC] creating PA-TNC message with ID 0x0c9706f8
[TNC] sending PB-TNC CDATA batch (716 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (880 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (720 bytes)
[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (554 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] PDP server 'aaa.strongswan.org' is listening on port 271
[TNC] processing PA-TNC message with ID 0x733b1a2b
[TNC] creating PA-TNC message with ID 0x9705d3a9
[TNC] processing PA-TNC message with ID 0x71a5b965
[TNC] creating PA-TNC message with ID 0xa9c63308
[TNC] processing PA-TNC message with ID 0xaeddd100
[TNC] creating PA-TNC message with ID 0x3e3be22a
[TNC] processing PA-TNC message with ID 0x9b2d0aa0
[TNC] creating PA-TNC message with ID 0x4f29c054
[TNC] processing PA-TNC message with ID 0x99949194
[TNC] creating PA-TNC message with ID 0xa842d4a2
[TNC] processing PA-TNC message with ID 0x92edcba4
[TNC] creating PA-TNC message with ID 0x770d8e40
[TNC] sending PB-TNC CDATA batch (1130 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (1104 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TTLS ]
[ENC] generating IKE_AUTH request 11 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (272 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (176 bytes)
[ENC] parsed IKE_AUTH response 11 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (8 bytes)
[TNC] processing PB-TNC SDATA batch for Connection ID 1
[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 12 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (176 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (272 bytes)
[ENC] parsed IKE_AUTH response 12 [ EAP/REQ/TTLS ]
[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
[TNC] received TNCCS batch (95 bytes)
[TNC] processing PB-TNC RESULT batch for Connection ID 1
[TNC] PB-TNC assessment result is 'non-compliant major'
[TNC] PB-TNC access recommendation is 'Access Denied'
[TNC] reason string is 'Mandatory HCD attributes are missing' [en]
[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
[ENC] generating IKE_AUTH request 13 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (176 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (160 bytes)
[ENC] parsed IKE_AUTH response 13 [ EAP/REQ/TTLS ]
[TLS] received TLS close notify
[TLS] sending TLS close notify
[ENC] generating IKE_AUTH request 14 [ EAP/RES/TTLS ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (160 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 14 [ EAP/FAIL ]
[IKE] received EAP_FAILURE, EAP authentication failed
[ENC] generating INFORMATIONAL request 15 [ N(AUTH_FAILED) ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes)
[TNC] removed TNCCS Connection ID 1


TEST

carol# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with RSA.* successful' [YES]
Mar 10 20:00:01 carol charon-systemd: 05[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful

carol# cat /var/log/daemon.log | grep 'PDP server.*aaa.strongswan.org.*is listening on port 271' [YES]
Mar 10 20:00:03 carol charon-systemd: 07[TNC] PDP server 'aaa.strongswan.org' is listening on port 271

carol# cat /var/log/daemon.log | grep 'PB-TNC assessment result is.*non-compliant major' [YES]
Mar 10 20:00:03 carol charon-systemd: 14[TNC] PB-TNC assessment result is 'non-compliant major'

carol# cat /var/log/daemon.log | grep 'PB-TNC access recommendation is .*Access Denied' [YES]
Mar 10 20:00:03 carol charon-systemd: 14[TNC] PB-TNC access recommendation is 'Access Denied'

carol# cat /var/log/daemon.log | grep 'reason string is.*Mandatory HCD attributes are missing' [YES]
Mar 10 20:00:03 carol charon-systemd: 14[TNC] reason string is 'Mandatory HCD attributes are missing' [en]

carol# cat /var/log/daemon.log | grep 'received EAP_FAILURE, EAP authentication failed' [YES]
Mar 10 20:00:03 carol charon-systemd: 16[IKE] received EAP_FAILURE, EAP authentication failed

dave# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with RSA.* successful' [YES]
Mar 10 20:00:04 dave charon-systemd: 01[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful

dave# cat /var/log/daemon.log | grep 'PDP server.*aaa.strongswan.org.*is listening on port 271' [YES]
Mar 10 20:00:04 dave charon-systemd: 14[TNC] PDP server 'aaa.strongswan.org' is listening on port 271

dave# cat /var/log/daemon.log | grep 'PB-TNC assessment result is.*non-compliant major' [YES]
Mar 10 20:00:04 dave charon-systemd: 15[TNC] PB-TNC assessment result is 'non-compliant major'

dave# cat /var/log/daemon.log | grep 'PB-TNC access recommendation is .*Access Denied' [YES]
Mar 10 20:00:04 dave charon-systemd: 15[TNC] PB-TNC access recommendation is 'Access Denied'

dave# cat /var/log/daemon.log | grep 'reason string is.*Mandatory HCD attributes are missing' [YES]
Mar 10 20:00:04 dave charon-systemd: 15[TNC] reason string is 'Mandatory HCD attributes are missing' [en]

dave# cat /var/log/daemon.log | grep 'received EAP_FAILURE, EAP authentication failed' [YES]
Mar 10 20:00:04 dave charon-systemd: 14[IKE] received EAP_FAILURE, EAP authentication failed

alice# cat /var/log/daemon.log | grep 'user AR identity.*dave.*authenticated by certificate' [YES]
Mar 10 20:00:04 alice charon-systemd: 05[IMV]   user AR identity 'dave@strongswan.org' of type email address authenticated by certificate

alice# cat /var/log/daemon.log | grep 'user AR identity.*carol.*authenticated by certificate' [YES]
Mar 10 20:00:02 alice charon-systemd: 07[IMV]   user AR identity 'carol@strongswan.org' of type email address authenticated by certificate

alice# cat /var/log/daemon.log | grep 'policy enforced on peer.*carol@strongswan.org.*is.*no access' [YES]
Mar 10 20:00:03 alice charon-systemd: 03[TNC] policy enforced on peer 'carol@strongswan.org' is 'no access'

alice# cat /var/log/daemon.log | grep 'policy enforced on peer.*dave@strongswan.org.*is.*no access' [YES]
Mar 10 20:00:04 alice charon-systemd: 04[TNC] policy enforced on peer 'dave@strongswan.org' is 'no access'

moon# cat /var/log/daemon.log | grep 'RADIUS authentication of.*dave@strongswan.org.*failed' [YES]
Mar 10 20:00:04 moon charon-systemd: 10[IKE] RADIUS authentication of 'dave@strongswan.org' failed

moon# cat /var/log/daemon.log | grep 'RADIUS authentication of.*dave@strongswan.org.*failed' [YES]
Mar 10 20:00:04 moon charon-systemd: 10[IKE] RADIUS authentication of 'dave@strongswan.org' failed


POST-TEST

carol# systemctl stop strongswan

dave# systemctl stop strongswan

moon# systemctl stop strongswan

alice# systemctl stop strongswan

alice# rm /etc/swanctl/rsa/aaaKey.pem

alice# rm /etc/swanctl/x509/aaaCert.pem

winnetou# ip route del 10.1.0.0/16 via 192.168.0.1

moon# iptables-restore < /etc/iptables.flush

carol# iptables-restore < /etc/iptables.flush

dave# iptables-restore < /etc/iptables.flush

moon# killall tcpdump