strongswan NetworkManager plugin: make the "normal" ipsec configuration usable
I configure Strongswan on my systems (including desktops/notebooks) via the "normal" configuration, i.e. /etc/ipsec.conf, /etc/ipsec.d, /etc/ipsec.secrets.
It would be great if this was exported automatically to NM and selectable in the applet GUI, thus not having to configure it there again (and maintaining both locations).
Of course there must be some thoughts spent on security.
It would be fatal to simply export all connections defined system-wide.
IMHO, the strongswan NM plugin should allow a user to use system-wide defined connections only if the user can read all the necessary files.
ipsec.conf is typically globally readable (it contains just the parameters anyway)... if that's the case... show the user the connection names/settings.
If a user wants to connect, though, then only if he has read access to the necessary credentials (either ipsec.secrets or certificate files in /etc/ipsec.d/certs/). Allowed users may be selected in the system, either via a special group that has read access, or via ACLs on the credential files.
Of course the CRLs, CACerts, etc. need also to be handled, as far as they touch NM.
It would be good, as a follow-up, if there was something like /etc/ipsec.secrets.d, where one can place files with passwords, readable by different users.
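A sketch of the access rule proposed above, added here as an illustration and not taken from the strongSwan NetworkManager plugin: a connection is listed only if the requesting user can read the configuration file, and is usable only if that user can also read every credential file. The names `User`, `may_read`, `access_level` and `demo` are hypothetical, the files are constructed in a temporary directory, and only the classic owner/group/other mode bits are evaluated (POSIX ACLs, which the request also mentions, are not).

```python
import os
import stat
import tempfile
from collections import namedtuple

# Hypothetical model of the requesting desktop user (not a plugin type).
# gids holds the primary and all supplementary group ids.
User = namedtuple("User", "uid gids")

def may_read(st, user):
    """Mode-bit read check for `user`; ACLs are NOT evaluated (assumption)."""
    if user.uid == st.st_uid:
        # The owner class takes precedence, even when it denies access
        # that the group or other class would grant.
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in user.gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def access_level(conf_path, credential_paths, user):
    """Return 'hidden', 'visible' (listed only) or 'connectable'."""
    if not may_read(os.stat(conf_path), user):
        return "hidden"
    if all(may_read(os.stat(p), user) for p in credential_paths):
        return "connectable"
    return "visible"

def demo():
    """Constructed layout: world-readable config, group-readable secrets."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "ipsec.conf")
        secrets = os.path.join(d, "ipsec.secrets")
        for path, mode in ((conf, 0o644), (secrets, 0o640)):
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.stat(secrets)
        # Constructed users: one in the file's group, one outside it.
        member = User(st.st_uid + 1, {st.st_gid})
        outsider = User(st.st_uid + 2, {st.st_gid + 1})
        return (access_level(conf, [secrets], member),
                access_level(conf, [secrets], outsider))

if __name__ == "__main__":
    print(demo())
```

The check is made against the requesting user's identity rather than the identity of the process doing the check, since a privileged helper can read every file regardless of its mode.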