Version 7/34
Martin Willi, 21.08.2008 18:21
= !NetworkManager =
[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.
!NetworkManager uses D-Bus to communicate with a plugin loaded in the IKEv2 daemon charon.
== Dependencies ==
The extensions are written for !NetworkManager 0.7; you'll need at least SVN r3925. Compile it from source or, as an Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]:
{{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
aptitude install network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev # and everything I missed
}}}
NM integration works only for IKEv2, but this allows us to kick out a lot of legacy stuff. On a desktop we will have OpenSSL installed anyway, so we pick that for crypto:
{{{
# get strongswan SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan
# build charon with OpenSSL/NM Plugin
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
    --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
    --disable-updown --enable-openssl --enable-nm \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
# build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}
The NM plugin is designed to interoperate nicely with [wiki:EAP-GTC] authentication, which allows you to authenticate against a PAM service on your gateway with username/password. This is more secure than PSK, as the gateway has to prove its identity before the secrets are transmitted. To enable the module, add
{{{
--enable-eap-gtc
}}}
to your strongSwan configure options.
[[Image(nm-strongswan-config.png, nolink)]]
[[Image(nm-strongswan-auth.png, nolink)]]