NetworkManager » History » Version 11

Martin Willi, 28.08.2008 08:48

[[TOC]]

= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

While any password based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with a username and password. EAP-GTC itself sends the password in the clear inside the EAP exchange, so its security rests entirely on the IKEv2 SA around it: the gateway has to prove its identity with its certificate in the first IKE_AUTH response, and only afterwards does the client send its EAP-GTC response, inside the encrypted and integrity-protected IKE exchange. This is only secure if the client actually verifies the gateway certificate against a trusted CA before it answers; a client that accepts any gateway certificate hands its password to whoever is on the other end.
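As an added example (not code from the original page, strongSwan or !NetworkManager), here is what EAP-GTC actually puts on the wire according to RFC 3748, with a constructed prompt and password; the function names are my own. It shows why the ordering above matters: the GTC Response carries the password as plain Type-Data, so nothing but the surrounding IKE SA protects it.

```python
#!/usr/bin/env python3
"""EAP-GTC on the wire (RFC 3748 sections 4.1 and 5.6): the gateway sends a
Request of Type 6 carrying a text prompt, the client answers with a Response
of Type 6 whose Type-Data is the password itself, unencrypted.  That is why
the EAP exchange must only happen inside the IKEv2 SA, after the gateway has
authenticated.  Added example, not strongSwan or NetworkManager code; the
sample prompt and password below are constructed."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_GTC = 6
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length (covers the whole packet)


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode an EAP packet; Success/Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet, rejecting truncated or inconsistent lengths."""
    if len(packet) < HEADER.size:
        raise ValueError("short EAP header")
    code, identifier, length = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError(f"EAP length {length} inconsistent with {len(packet)} bytes")
    body = packet[HEADER.size:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not body:
        raise ValueError("Request/Response needs a Type field")
    return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}


def gtc_request(identifier, prompt):
    """Gateway -> client: the displayable challenge, e.g. "Password: "."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt.encode())


def gtc_response(identifier, password):
    """Client -> gateway: Type-Data is the password, in the clear."""
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_GTC, password.encode())


def gtc_password_from_response(request, response):
    """What the gateway (or anyone else who can read the EAP payload) extracts:
    checks that the Response belongs to the outstanding Request and returns
    the password that would be handed to PAM."""
    req, resp = parse_eap(request), parse_eap(response)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_GTC:
        raise ValueError("not a GTC request")
    if resp["code"] != EAP_RESPONSE or resp["type"] != EAP_TYPE_GTC:
        raise ValueError("not a GTC response")
    if resp["id"] != req["id"]:
        raise ValueError("response identifier does not match request")
    return resp["data"].decode()


if __name__ == "__main__":
    req = gtc_request(7, "Password: ")
    resp = gtc_response(7, "s3cret")          # constructed sample password
    print(resp.hex())                          # the password is visible in the bytes
    print(gtc_password_from_response(req, resp))
```

The identifier check is the only binding between request and response that EAP itself provides; everything else (confidentiality, and the proof of who is asking) comes from IKEv2.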

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7. Therefore you will need at least SVN !r3925. Compile it from source or, as an Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]:
{{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
}}}

=== Installation ===

There is also an Ubuntu PPA available for strongSwan. If you are not running Ubuntu Hardy, you have to build strongSwan from source.

==== Using the strongSwan PPA ====

Add the [http://launchpad.net/~martinwilli/+archive strongSwan PPA] to your ''sources.list'' and install the packages:
{{{
echo "deb http://ppa.launchpad.net/martinwilli/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
}}}

==== Building from source ====

To build from source, you additionally need the PAM headers for EAP-GTC and the !NetworkManager headers for the plugin:
{{{
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

NM integration works only with IKEv2, which lets us disable a lot of the FreeS/WAN legacy (pluto, stroke and the ''ipsec'' tools). Since a desktop has OpenSSL installed anyway, we use libcrypto for all cryptographic operations.

{{{
# get strongswan SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan

# build charon with OpenSSL/NM Plugin
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
--disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
--disable-updown --enable-openssl --enable-nm --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

# build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always proposes 0.0.0.0/0 as the remote traffic selector, and the gateway narrows that down to the subnet configured on its side.

=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]][[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

=== Build ===

To allow the EAP-GTC authentication discussed above, the gateway needs that module. It does not need the !NetworkManager plugin, only the EAP-GTC plugin:

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. Note that this means every local account with a valid password can authenticate to the VPN. You may create your own service instead, e.g. in ''/etc/pam.d/ipsec'':
{{{
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth
auth        required      /lib/security/pam_deny.so
}}}
The ''nullok'' option that stock PAM files often pass to ''pam_unix.so'' is deliberately left out here: with it, accounts with an empty password could authenticate to the VPN. To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'':
{{{
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
}}}

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this:
{{{
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind the gateway (the local, "left" side) to include in the
  # tunnel (optional); the client's proposed 0.0.0.0/0 is narrowed to this
  leftsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use their e-mail address as username. We handle
  # every e-mail identity in this domain with this configuration.
  rightid=*@strongswan.org
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
}}}

We use e-mail addresses as client identities here; the clients configure their full mail address. During PAM authentication, the GTC module automatically strips the domain and uses only the username part to authenticate the client. Keep in mind that the domain is therefore only checked by the ''rightid'' match above: ''alice@strongswan.org'' ends up as the PAM user ''alice'', so any local account that the PAM service accepts can be used by a client presenting that account name with the configured domain.
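The following added example (my own Python, not strongSwan code) models the gateway-side processing that both the client section's "always propose 0.0.0.0/0" and this ipsec.conf rely on: the ''rightid'' wildcard match, the domain stripping before PAM, virtual IP assignment from ''rightsourceip'', and narrowing of the client's traffic selectors to its virtual IP and to the subnet behind the gateway (which belongs in ''leftsubnet'', since the gateway is ''left''). All function and class names are invented for illustration; the configuration values are the ones on this page and the client requests are constructed.

```python
#!/usr/bin/env python3
"""Model of what the gateway does with an NM client's IKE_AUTH request:
identity matching against rightid, derivation of the PAM user name, virtual
IP assignment from rightsourceip and traffic selector narrowing.

Added example, not code from strongSwan: charon does all of this internally,
and the function and class names below are invented for illustration.  The
configuration values are taken from the conn nm-clients on this page; the
client requests are constructed inline."""
import ipaddress


def ts(cidr):
    """Build a traffic selector from CIDR notation (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr)


# Values from the page's gateway ipsec.conf (leftsubnet is the gateway side).
GATEWAY_CONF = {
    "rightid": "*@strongswan.org",
    "leftsubnet": ts("10.1.0.0/16"),
    "rightsourceip": ts("10.1.250.0/24"),
}


class TSUnacceptable(Exception):
    """Stands in for the IKEv2 TS_UNACCEPTABLE notification."""


def match_rightid(pattern, identity):
    """Wildcard identity match as used for rightid=*@strongswan.org: a leading
    '*' matches a non-empty prefix, the remainder must match case-insensitively.
    (Simplified model of strongSwan's identity matching, not its code.)"""
    identity = identity.lower()
    if pattern.startswith("*"):
        suffix = pattern[1:].lower()
        return len(identity) > len(suffix) and identity.endswith(suffix)
    return identity == pattern.lower()


def pam_username(identity):
    """The GTC module hands PAM only the part before the '@' (the domain
    stripping described above), so alice@strongswan.org becomes 'alice'."""
    return identity.split("@", 1)[0]


def narrow(proposed, configured):
    """Traffic selector narrowing (RFC 4306 section 2.9): the result is the
    intersection of the proposed and the configured range.  Two CIDR networks
    either nest or are disjoint, so the intersection is the smaller one; no
    overlap at all means the gateway answers with TS_UNACCEPTABLE."""
    if not proposed.overlaps(configured):
        raise TSUnacceptable(f"{proposed} does not overlap {configured}")
    return configured if configured.subnet_of(proposed) else proposed


class VirtualIPPool:
    """Hands out addresses from rightsourceip, one per client identity
    (a deliberately simple model, not charon's pool implementation)."""

    def __init__(self, pool):
        self._free = pool.hosts()      # skips network and broadcast address
        self._leases = {}

    def lease(self, identity):
        if identity not in self._leases:
            self._leases[identity] = next(self._free)
        return self._leases[identity]


def handle_ike_auth(conf, pool, idi, tsi, tsr):
    """Process a client's IKE_AUTH request.  idi is the client's IKE identity,
    tsi/tsr the traffic selectors it proposes (the NM plugin proposes
    0.0.0.0/0 for the remote side).  Returns the narrowed selectors, the
    virtual IP and the PAM user name, or raises on a rejected request."""
    if not match_rightid(conf["rightid"], idi):
        raise PermissionError(f"{idi} does not match rightid {conf['rightid']}")
    vip = pool.lease(idi)
    return {
        "pam_user": pam_username(idi),
        "vip": vip,
        # the client side of the tunnel is narrowed to its virtual IP ...
        "tsi": narrow(tsi, ts(f"{vip}/32")),
        # ... and the gateway side to the configured leftsubnet
        "tsr": narrow(tsr, conf["leftsubnet"]),
    }


if __name__ == "__main__":
    pool = VirtualIPPool(GATEWAY_CONF["rightsourceip"])
    anywhere = ts("0.0.0.0/0")
    print(handle_ike_auth(GATEWAY_CONF, pool, "alice@strongswan.org", anywhere, anywhere))
```

Two things the model makes visible: a client proposal narrower than ''leftsubnet'' (say 10.1.1.0/24) is kept as proposed rather than widened, and ''pam_username("root@strongswan.org")'' is simply ''root'', which is why the PAM service, not the IKE identity, decides which local accounts may connect.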