NetworkManager » History » Version 18

Andreas Steffen, 19.02.2009 20:22
cosmetics

[[TOC]]

= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is deliberately not supported: a pre-shared secret that is not strong enough makes the authentication insecure.

While any password based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry - this is still secure: the gateway has to prove its identity with its certificate first, before the user credentials are transmitted, and the credentials only ever travel inside the encrypted IKE_SA. This holds only as long as the client actually verifies the gateway certificate; a client that accepts any certificate would hand its password to a rogue gateway.

Alternatively you can use private key authentication. The plugin passes signature operations to your ssh-agent, so you'll need a certificate with a public key matching a private key loaded into your ssh-agent.

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7; you will need at least SVN !r4053. If your distributor does not provide recent packages, compile it from source (Ubuntu intrepid works fine).

=== Installation ===

We provide strongSwan packages for Ubuntu intrepid in our [https://launchpad.net/~strongswan/+archive/ppa PPA].

If you are not running Ubuntu/Debian, you have to build strongSwan from source.

==== Using strongSwan PPA ====

Add our [https://launchpad.net/~strongswan/+archive/ppa PPA] to your ''sources.list'' and install the packages:
{{{
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
}}}

==== Building from source ====

To build from source, you additionally need the PAM headers for EAP-GTC and the !NetworkManager headers for the plugin:
{{{
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

NM integration works only for IKEv2, which allows us to disable a lot of legacy code: pluto (the IKEv1 daemon inherited from FreeS/WAN) together with the stroke configuration interface and the updown script, none of which the NM plugin needs. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographic operations, so the built-in crypto plugins (aes, des, md5, sha1, sha2, fips-prf, gmp) can be disabled as well. ''--enable-eap-gtc'' builds the EAP-GTC plugin, ''--enable-agent'' the ssh-agent private key plugin.

{{{
# get the strongSwan tarball
wget http://download.strongswan.org/strongswan-4.2.11.tar.bz2
tar xjf strongswan-4.2.11.tar.bz2
cd strongswan-4.2.11

# build charon with OpenSSL/NM Plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
   --disable-updown --enable-openssl --enable-nm --enable-eap-gtc --enable-agent
make
make install

# get the NetworkManager strongSwan plugin as a tarball
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.0.0.tar.bz2
tar xjf NetworkManager-strongswan-1.0.0.tar.bz2
cd NetworkManager-strongswan-1.0.0

# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always proposes 0.0.0.0/0 for the remote network, and the gateway narrows that traffic selector down to the configured subnet.

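
How the gateway narrows the client's 0.0.0.0/0 proposal, as an added example in Python that is not code from strongSwan or the NM plugin: IKEv2 traffic selectors are address ranges, and narrowing (RFC 4306 section 2.9) keeps the intersection of what the client proposed and what the gateway is configured with; an empty intersection is answered with TS_UNACCEPTABLE. The selector strings are constructed, the 10.1.0.0/16 subnet behind the gateway being taken from the ipsec.conf example further down this page.

```python
"""IKEv2 traffic selector narrowing, gateway side (illustration only)."""
import ipaddress


def to_range(selector):
    """CIDR ("10.1.0.0/16") or range ("10.1.0.1-10.1.0.9") -> (first, last) as ints.

    IKEv2 carries TS_IPV4_ADDR_RANGE selectors, so both notations end up
    as an inclusive address range.
    """
    if "-" in selector:
        lo, hi = selector.split("-", 1)
        first = int(ipaddress.IPv4Address(lo.strip()))
        last = int(ipaddress.IPv4Address(hi.strip()))
    else:
        net = ipaddress.IPv4Network(selector, strict=False)
        first = int(net.network_address)
        last = int(net.broadcast_address)
    if first > last:
        raise ValueError(f"inverted range: {selector}")
    return first, last


def fmt_range(first, last):
    """Render an inclusive range the way a TS payload would be dumped."""
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"


def narrow(proposed, configured):
    """Intersect every proposed selector with every configured one.

    Returns the ranges the gateway would send back in its TS payload.
    An empty list is the case the gateway rejects with TS_UNACCEPTABLE.
    """
    result = []
    for p in proposed:
        p_lo, p_hi = to_range(p)
        for c in configured:
            c_lo, c_hi = to_range(c)
            lo, hi = max(p_lo, c_lo), min(p_hi, c_hi)
            if lo <= hi:                      # ranges overlap
                r = fmt_range(lo, hi)
                if r not in result:
                    result.append(r)
    return result


# Constructed sample: the NM client always proposes 0.0.0.0/0 for the
# remote side; the gateway on this page has 10.1.0.0/16 behind it.
CLIENT_PROPOSAL = ["0.0.0.0/0"]
GATEWAY_SUBNET = ["10.1.0.0/16"]

if __name__ == "__main__":
    print(narrow(CLIENT_PROPOSAL, GATEWAY_SUBNET))        # ['10.1.0.0-10.1.255.255']
    print(narrow(["192.168.0.0/24"], GATEWAY_SUBNET))     # []  -> TS_UNACCEPTABLE
```

Because the client proposes everything and the gateway keeps only the overlap, the tunnel's scope is decided entirely by the gateway's ''leftsubnet''; a client cannot widen it, only end up with nothing.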
=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]][[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

To allow the EAP-GTC authentication discussed above, the gateway needs the EAP-GTC plugin. The !NetworkManager plugin is only needed on the client, not on the gateway.

You can build strongSwan from source, or use the [https://launchpad.net/~strongswan/+archive/ppa PPA] mentioned above.

=== Build from source ===

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Install from PPA ===

{{{
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install strongswan-charon strongswan-stroke strongswan-eap-gtc
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. But you may create your own service, e.g. in ''/etc/pam.d/ipsec'':
{{{
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
}}}
Note that ''nullok'' lets accounts with an empty password authenticate; drop it on a VPN gateway unless you really want that.

To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'':
{{{
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
}}}

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this:
{{{
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional);
  # left is the local (gateway) side, so this is leftsubnet
  leftsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use a KEY_ID identity with their username,
  # handle all of them with this config
  rightid=%any
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
}}}

IKEv2 does not provide an identity type for plain usernames (the defined types are IP addresses, FQDNs, e-mail addresses, DNs and opaque KEY_IDs). The client therefore encodes the username as KEY_ID. This allows the GTC module to use a simple username during PAM authentication.
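
What the gateway does with an NM client once the IKE_SA is up, as an added Python example covering both the EAP-GTC exchange described in the introduction and the KEY_ID identity encoding above (this is illustration code, not strongSwan's or the NM plugin's): the username is pulled out of an IKEv2 Identification payload of type ID_KEY_ID (RFC 4306 section 3.5), the password arrives as the plain octets of an EAP-Response/GTC (RFC 3748 section 5.6), and both are checked against a credential store. The hashed in-memory user table that stands in for the PAM service, the prompt text and the sample credentials are constructed for this example.

```python
"""KEY_ID identity + EAP-GTC password check, gateway side (illustration)."""
import hashlib
import hmac
import os
import struct

ID_KEY_ID = 11                    # IKEv2 ID type for opaque octets (RFC 4306)
EAP_REQUEST, EAP_RESPONSE = 1, 2  # EAP codes (RFC 3748)
EAP_TYPE_GTC = 6                  # EAP-GTC type number


# --- IKEv2 Identification payload body (generic payload header omitted) ---

def build_id_payload(username):
    """ID Type (1 byte) + 3 RESERVED bytes + Identification Data."""
    return struct.pack("!B3x", ID_KEY_ID) + username.encode()


def parse_id_payload(body):
    """Accept only KEY_ID, which is what the NM client sends for usernames."""
    id_type = body[0]
    if id_type != ID_KEY_ID:
        raise ValueError(f"unexpected ID type {id_type}, expected KEY_ID")
    return body[4:].decode()


# --- EAP packet: Code, Identifier, Length, Type, Type-Data -----------------

def build_eap(code, identifier, data):
    length = 5 + len(data)
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_GTC) + data


def parse_eap(pkt):
    """Return (code, identifier, type_data); reject length/type mismatches."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    if eap_type != EAP_TYPE_GTC:
        raise ValueError(f"not EAP-GTC (type {eap_type})")
    return code, identifier, pkt[5:]


# --- Constructed stand-in for the PAM service ------------------------------

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table(credentials):
    """{username: password} -> {username: (salt, hash)} (constructed store)."""
    table = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, _pbkdf2(pw, salt))
    return table


def pam_stand_in(table, username, password):
    entry = table.get(username)
    if entry is None:
        _pbkdf2(password, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, digest = entry
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def gateway_authenticate(table, id_body, eap_response):
    username = parse_id_payload(id_body)
    code, _, data = parse_eap(eap_response)
    if code != EAP_RESPONSE:
        raise ValueError("expected an EAP-Response")
    # GTC carries the typed password as plain octets: what protects it is the
    # IKE_SA encryption and the gateway having proven its identity first.
    return pam_stand_in(table, username, data.decode())


def run_exchange(table, username, password):
    """Both sides of the exchange; returns (prompt shown to user, result)."""
    id_body = build_id_payload(username)                   # client: IDi
    request = build_eap(EAP_REQUEST, 1, b"Password:")       # gateway: GTC request
    _, ident, prompt = parse_eap(request)                   # client reads prompt
    response = build_eap(EAP_RESPONSE, ident, password.encode())
    return prompt.decode(), gateway_authenticate(table, id_body, response)


# Constructed sample credentials
USERS = make_user_table({"alice": "correct horse battery staple"})

if __name__ == "__main__":
    print(run_exchange(USERS, "alice", "correct horse battery staple"))  # ('Password:', True)
    print(run_exchange(USERS, "alice", "wrong"))                         # ('Password:', False)
```

The response parser is strict on purpose: a length field that disagrees with the packet, or a type other than GTC, is rejected before anything is handed to the password check, which is the same order of checks you want in front of a real PAM call.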