NetworkManager » History » Version 11

Martin Willi, 28.08.2008 08:48



= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

While any password based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry - this is still secure because the gateway has to prove its identity first, before the user credentials are transmitted.

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7. Therefore you will need at least SVN r3925. Compile it from source, or as a Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]: {{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
}}}

=== Installation ===

There is also a Ubuntu PPA available for strongSwan. If you are not running Ubuntu Hardy, you have to build strongSwan from source.

==== Using strongSwan PPA ====

Add the [http://launchpad.net/~martinwilli/+archive strongSwan PPA] to your ''sources.list'' and install the packages: {{{
echo "deb http://ppa.launchpad.net/martinwilli/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
}}}

==== Building from source ====

To build from source, you additionally need the PAM headers for EAP-GTC and NetworkManager headers for the plugin: {{{
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

NM integration works only for IKEv2, which allows us to disable a lot of FreeS/WAN legacy code. Since a desktop has OpenSSL installed anyway, we use libcrypto for all cryptographic operations.

{{{
# 1. get the strongSwan SVN sources
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan
# 2. build charon with the OpenSSL and NM plugins
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
    --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
    --disable-updown --enable-openssl --enable-nm --enable-eap-gtc \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
# 3. build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.
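The narrowing step described above, as an added illustration in C that is not strongSwan's code: the client's 0.0.0.0/0 selector is intersected with the gateway's `rightsubnet`. IPv4 only; the `cidr_t` type, `parse_cidr` and `narrow_ts` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Added illustration (not strongSwan's code) of the narrowing described above: the
 * client proposes 0.0.0.0/0 and the gateway narrows the traffic selector to its
 * configured rightsubnet. Modelled as an IPv4 CIDR intersection. */
typedef struct { uint32_t addr; int prefix; } cidr_t;
static uint32_t mask_of(int prefix) { return prefix ? 0xffffffffu << (32 - prefix) : 0; }

/* Parse "10.1.0.0/16" into a host-order, mask-aligned network; 0 on malformed input. */
static int parse_cidr(const char *s, cidr_t *out)
{
    char buf[32], *slash;
    struct in_addr a;
    if (strlen(s) >= sizeof(buf)) return 0;
    strcpy(buf, s);
    if (!(slash = strchr(buf, '/'))) return 0;
    *slash = '\0';
    out->prefix = atoi(slash + 1);
    if (out->prefix < 0 || out->prefix > 32) return 0;
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    out->addr = ntohl(a.s_addr) & mask_of(out->prefix);
    return 1;
}

/* Narrow the proposed selector to the configured one: returns 1 and writes the result
 * when one network contains the other, 0 when they are disjoint (no CHILD_SA). */
static int narrow_ts(const char *proposed, const char *configured, char *out, size_t outlen)
{
    cidr_t p, c;
    if (!parse_cidr(proposed, &p) || !parse_cidr(configured, &c)) return 0;
    cidr_t *wide = p.prefix <= c.prefix ? &p : &c;  /* shorter prefix = larger network */
    cidr_t *narrow = (wide == &p) ? &c : &p;
    if ((narrow->addr & mask_of(wide->prefix)) != wide->addr) return 0;
    struct in_addr a = { .s_addr = htonl(narrow->addr) };
    char str[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &a, str, sizeof(str));
    snprintf(out, outlen, "%s/%d", str, narrow->prefix);
    return 1;
}

int main(void)
{
    char ts[32];
    if (narrow_ts("0.0.0.0/0", "10.1.0.0/16", ts, sizeof(ts)))  /* the road warrior case */
        printf("tunnel selector: %s\n", ts);
    return 0;
}
```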

=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]]
[[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

=== Build ===

To allow EAP-GTC authentication discussed above, the gateway needs support for that module. You don't need the !NetworkManager module, but the EAP-GTC plugin:

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. You may also create your own service, e.g. in ''/etc/pam.d/ipsec'': {{{
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
}}}
To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'': {{{
charon {
    plugins {
        eap_gtc {
            pam_service = ipsec
        }
    }
}
}}}

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this: {{{
conn nm-clients
    # certificate handed out to client
    leftcert=cert.pem
    right=%any
    # subnet behind gateway to include in tunnel (optional)
    rightsubnet=10.1.0.0/16
    # IP address pool for clients requesting a virtual IP
    rightsourceip=10.1.250.0/24
    # clients use their e-mail address as username. We
    # handle every e-mail identity with this configuration.
    rightid=*@strongswan.org
    # request GTC as EAP authentication method
    eap=gtc
    keyexchange=ikev2
    auto=add
}}}

We use e-mail addresses as client identities here; the clients configure their full mail address. During PAM authentication, the GTC module automatically strips the domain and uses only the username part to authenticate the client.
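The identity handling described above, as an added C illustration that is not strongSwan's implementation: a wildcard `rightid` match followed by domain stripping to obtain the PAM username. The function names and the sample identities are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not strongSwan's code) of the two identity steps the page
 * describes: match the client's IKEv2 identity against a wildcard rightid such as
 * "*@strongswan.org", then strip the domain so only the local part is handed to
 * PAM as the username. */

/* Return 1 if id matches pattern; a single leading '*' matches any non-empty prefix. */
static int rightid_matches(const char *pattern, const char *id)
{
    if (pattern[0] != '*') return strcmp(pattern, id) == 0;
    size_t suf = strlen(pattern + 1), len = strlen(id);
    /* the wildcard must consume at least one character and the suffix must match exactly */
    return len > suf && strcmp(id + len - suf, pattern + 1) == 0;
}

/* Derive the PAM username: the part before '@', or the whole id if there is none.
 * Returns 0 if the result would be empty or would not fit into out. */
static int pam_username(const char *id, char *out, size_t outlen)
{
    const char *at = strchr(id, '@');
    size_t n = at ? (size_t)(at - id) : strlen(id);
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, id, n);
    out[n] = '\0';
    return 1;
}

/* Full check for one client: returns 1 and fills user when the identity is accepted
 * under the given rightid, 0 when the gateway should reject it. */
static int accept_client(const char *rightid, const char *id, char *user, size_t userlen)
{
    return rightid_matches(rightid, id) && pam_username(id, user, userlen);
}

int main(void)
{
    const char *ids[] = { "alice@strongswan.org", "bob@example.org", "@strongswan.org" };
    char user[64];
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("%-24s -> %s\n", ids[i],
               accept_client("*@strongswan.org", ids[i], user, sizeof(user)) ? user : "rejected");
    return 0;
}
```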