NetworkManager » History » Version 14

Martin Willi, 12.09.2008 15:57

[[TOC]]

= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses DBUS to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

While any password-based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry, this is still secure: the gateway has to prove its identity first, before the user credentials are transmitted.

Alternatively you can use private key authentication. The plugin passes signature operations to your ssh-agent, so you'll need a certificate whose public key matches a private key loaded into your ssh-agent.

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7. Therefore you will need at least SVN !r4053. Compile it from source or, as an Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]:
{{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
}}}

=== Installation ===

There is also an Ubuntu PPA available for strongSwan. If you are not running Ubuntu Hardy, you have to build strongSwan from source.

==== Using strongSwan PPA ====

Add the [http://launchpad.net/~martinwilli/+archive strongSwan PPA] to your ''sources.list'' and install the packages:
{{{
echo "deb http://ppa.launchpad.net/martinwilli/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
}}}

==== Building from source ====

To build from source, you additionally need the PAM headers for EAP-GTC and the !NetworkManager headers for the plugin:
{{{
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

NM integration works only for IKEv2, but this allows us to disable a lot of FreeS/WAN legacy stuff. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographic operations. ''--enable-eap-gtc'' builds the EAP-GTC plugin, ''--enable-agent'' the ssh-agent private key plugin.

{{{
# get strongswan SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan

# build charon with OpenSSL/NM Plugin
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
--disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
--disable-updown --enable-openssl --enable-nm --enable-eap-gtc --enable-agent \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

# build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.
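The narrowing step described above, as an added Python example that is not strongSwan code: the responder intersects each block the client proposes with the blocks it is configured to offer, and if nothing survives the CHILD_SA is refused rather than set up for traffic the gateway never meant to carry. The function names and the sample prefixes are constructed for this illustration; the 10.1.0.0/16 value matches the gateway configuration further down this page.

```python
"""Traffic selector narrowing as an IKEv2 responder performs it (added example, not strongSwan code)."""
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

Network = Union[IPv4Network, IPv6Network]


def _intersect(a: Network, b: Network) -> Optional[Network]:
    """Intersection of two CIDR blocks: one contains the other, or they are disjoint."""
    if a.version != b.version:          # IPv4 and IPv6 never overlap
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow_traffic_selectors(proposed: List[str], configured: List[str]) -> List[str]:
    """Clip every proposed block to what the gateway allows (constructed helper).

    proposed   - selectors the client sent, e.g. ["0.0.0.0/0"] from the NM plugin
    configured - blocks behind the gateway that may enter the tunnel
    Returns the surviving blocks, de-duplicated and sorted for stable comparison.
    """
    result = set()
    for p in proposed:
        for c in configured:
            hit = _intersect(ip_network(p, strict=False), ip_network(c, strict=False))
            if hit is not None:
                result.add(hit)
    return [str(n) for n in sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))]


def is_acceptable(proposed: List[str], configured: List[str]) -> bool:
    """An empty narrowing result means the responder answers with TS_UNACCEPTABLE."""
    return bool(narrow_traffic_selectors(proposed, configured))


if __name__ == "__main__":
    # Constructed inputs: the NM client always proposes everything.
    print(narrow_traffic_selectors(["0.0.0.0/0"], ["10.1.0.0/16"]))          # ['10.1.0.0/16']
    print(narrow_traffic_selectors(["0.0.0.0/0"], ["10.1.0.0/16", "10.2.0.0/16"]))
    # A client asking only for an unrelated network gets nothing.
    print(is_acceptable(["192.168.0.0/16"], ["10.1.0.0/16"]))                 # False
```

Because the client never states a subnet, every change to the tunnelled range is made on the gateway alone, which is exactly the property the paragraph above relies on.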

=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]][[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

=== Build ===

To allow the EAP-GTC authentication discussed above, the gateway needs support for that module. You don't need the !NetworkManager module, but the EAP-GTC plugin:

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. But you may create your own service, e.g. in ''/etc/pam.d/ipsec'':
{{{
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
}}}
Note that ''nullok'' lets ''pam_unix'' accept accounts with an empty password; leave it out unless you really want such accounts to get VPN access.

To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'':
{{{
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
}}}

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this:
{{{
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional)
  leftsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use their e-mail address as username. We
  # handle every e-mail identity in this domain with this configuration.
  rightid=*@strongswan.org
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
}}}

We use e-mail addresses as client identities here; the clients configure their full mail address. During PAM authentication, the GTC module automatically strips the domain, using only the username part to authenticate the client.
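The identity handling just described, as an added Python example that is not the eap-gtc plugin's code: the client identity is first matched against the ''rightid'' wildcard, and only then is the domain stripped and the local part handed to PAM. Doing it in that order is the point: since PAM never sees the domain, the ''rightid'' match is what keeps an identity from some other domain from being authenticated as the local account of the same name. The function names, the login-name character policy and the sample identities are constructed; the ''*@strongswan.org'' pattern is the one from the configuration above.

```python
"""EAP-GTC client identity -> PAM username (added example, not strongSwan's eap-gtc plugin)."""
import fnmatch
import re
from typing import Optional

# Constructed policy for what may be passed to PAM as a login name: a plain
# lowercase Unix user name, nothing that could be mistaken for a path or option.
_SAFE_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def matches_rightid(identity: str, rightid: str) -> bool:
    """ipsec.conf style wildcard match; '*' in rightid matches any run of characters."""
    return fnmatch.fnmatchcase(identity.lower(), rightid.lower())


def strip_domain(identity: str) -> str:
    """Drop everything from the first '@' on; identities without '@' are left unchanged."""
    return identity.split("@", 1)[0]


def pam_username(identity: str, rightid: str) -> Optional[str]:
    """Name to hand to PAM, or None if the identity must not reach PAM at all."""
    if not matches_rightid(identity, rightid):   # gate on the configured domain first
        return None
    user = strip_domain(identity)
    if not _SAFE_USER.match(user):               # constructed sanity check on the local part
        return None
    return user


if __name__ == "__main__":
    RIGHTID = "*@strongswan.org"
    # Constructed identities as a client would configure them in the NM dialog.
    for ident in ["alice@strongswan.org", "admin@other.example", "first last@strongswan.org"]:
        print(ident, "->", pam_username(ident, RIGHTID))
```

Whatever the PAM service behind ''pam_service'' does, it only ever sees the local part, so the ''rightid'' line in ipsec.conf is the place where the accepted set of domains is decided.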