NetworkManager » History » Version 17

Martin Willi, 18.02.2009 15:45

[[TOC]]

= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses DBUS to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

While any password based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry: this is still secure, because the gateway has to prove its identity first, before the user credentials are transmitted.

Alternatively you can use private key authentication. The plugin passes signature operations to your ssh-agent, so you'll need a certificate with a public key matching a private key loaded into your ssh-agent.

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7; you will need at least SVN !r4053. If your distributor does not provide recent packages, compile it from source (Ubuntu intrepid works fine).

=== Installation ===

We provide strongSwan packages for Ubuntu intrepid in our [https://launchpad.net/~strongswan/+archive/ppa PPA].

If you are not running Ubuntu/Debian, you have to build strongSwan from source.

==== Using strongSwan PPA ====

Add our [https://launchpad.net/~strongswan/+archive/ppa PPA] to your ''sources.list'' and install the packages:
{{{
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
}}}

==== Building from source ====

To build from source, you additionally need the PAM headers for EAP-GTC and the NetworkManager headers for the plugin:
{{{
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

NM integration works only for IKEv2, which allows us to disable a lot of FreeS/WAN legacy stuff. Since on a desktop we have OpenSSL installed anyway, we use libcrypto for all cryptographic operations. ''--enable-eap-gtc'' builds the EAP-GTC plugin, ''--enable-agent'' the ssh-agent private key plugin.

{{{
# get a strongswan tarball
wget http://download.strongswan.org/strongswan-4.2.11.tar.bz2
tar jxvf strongswan-4.2.11.tar.bz2
cd strongswan-4.2.11

# build charon with OpenSSL/NM plugin
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
  --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
  --disable-updown --enable-openssl --enable-nm --enable-eap-gtc --enable-agent \
  --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

# build NetworkManager's strongSwan plugin: fetch, unpack and enter its source tree
cd ..
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.0.0.tar.bz2
tar jxvf NetworkManager-strongswan-1.0.0.tar.bz2
cd NetworkManager-strongswan-1.0.0
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.

=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]][[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

To allow the EAP-GTC authentication discussed above, the gateway needs support for that module. You don't need the !NetworkManager module on the gateway, only the EAP-GTC plugin.

You can build strongSwan from source, or use the [https://launchpad.net/~strongswan/+archive/ppa PPA] mentioned above.

=== Build from source ===

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
  --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Install from PPA ===

{{{
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install strongswan-charon strongswan-stroke strongswan-eap-gtc
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. But you may create your own service, e.g. in ''/etc/pam.d/ipsec'':
{{{
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
}}}
Note that ''nullok'' lets accounts with an empty password pass ''pam_unix''; drop it if such accounts exist on the gateway and should not be able to log in over the VPN.

To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'':
{{{
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
}}}
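
To check which PAM service charon will actually consult after such an edit, here is a small parser for the nested strongswan.conf syntax shown above, added as an example (it is not strongSwan's own parser and handles only the section/key subset used on this page); it falls back to ''login'' when ''pam_service'' is unset:

```python
import re

# Constructed sample in strongswan.conf syntax, matching the snippet above.
SAMPLE_CONF = """
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec   # PAM service consulted by the GTC module
    }
  }
}
"""

SECTION_RE = re.compile(r"^\s*([\w-]+)\s*\{\s*$")
KEY_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Parse nested `name { key = value }` sections into dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            parent = stack[-1] if stack else root
            stack.append(parent.setdefault(m.group(1), {}))
            continue
        if line.strip() == "}":
            if not stack:
                raise ValueError("unbalanced '}' in: %r" % raw)
            stack.pop()
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        (stack[-1] if stack else root)[m.group(1)] = m.group(2)
    if stack:
        raise ValueError("%d unterminated section(s)" % len(stack))
    return root


def lookup(conf, dotted, default=None):
    """Walk a dotted path such as charon.plugins.eap_gtc.pam_service."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def eap_gtc_pam_service(text):
    """PAM service the eap-gtc plugin will use; 'login' is the default."""
    return lookup(parse_conf(text), "charon.plugins.eap_gtc.pam_service", "login")
```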

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this:
{{{
conn nm-clients
  # certificate handed out to clients
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional)
  rightsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use a KEY_ID identity with their username,
  # handle all of them with this config
  rightid=%any
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
}}}

IKEv2 does not provide an identity type for plain usernames. The client therefore encodes them as KEY_ID. This allows the GTC module to use a simple username during PAM authentication.
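
As an added illustration of that KEY_ID encoding (example code, not strongSwan's): the client wraps the username in an IKEv2 Identification payload of type ID_KEY_ID (type 11, RFC 4306 section 3.5), and a gateway with ''rightid=%any'' accepts whatever KEY_ID arrives, so the UTF-8 decoding and the sanity checks applied before the name reaches PAM are this example's own assumptions:

```python
import struct

# IKEv2 ID types (RFC 4306, section 3.5); none of them is a bare username.
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11


def encode_id_payload(username, next_payload=0):
    """Client side: username as ID_KEY_ID behind the 4-byte generic payload header."""
    data = username.encode("utf-8")               # assumption: usernames are UTF-8
    body = struct.pack("!B3x", ID_KEY_ID) + data  # ID Type, 3 RESERVED bytes, data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(buf):
    """Return (id_type, identification_data); reject truncated or mis-sized payloads."""
    if len(buf) < 8:
        raise ValueError("payload too short")
    _next, _flags, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise ValueError("payload length %d does not match %d bytes" % (length, len(buf)))
    return buf[4], buf[8:]


def pam_username_from_id(buf):
    """Gateway side with rightid=%any: accept any KEY_ID, but only pass PAM a
    plain printable name (this check is the example's own, not strongSwan's)."""
    id_type, data = decode_id_payload(buf)
    if id_type != ID_KEY_ID:
        raise ValueError("expected ID_KEY_ID (11), got type %d" % id_type)
    name = data.decode("utf-8")
    if not name or not name.isprintable() or any(c.isspace() for c in name):
        raise ValueError("identity is not a usable PAM username")
    return name


if __name__ == "__main__":
    payload = encode_id_payload("alice")    # constructed sample identity
    print(payload.hex())                    # 0000000d0b000000616c696365
    print(pam_username_from_id(payload))    # alice
```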