NetworkManager » History » Version 19
Andreas Steffen, 19.02.2009 20:22
cosmetics
NetworkManager
NetworkManager allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.
NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.
The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.
While any password-based EAP method is usable with NetworkManager, we use EAP-GTC in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry - this is still secure because the gateway has to prove its identity first, before the user credentials are transmitted.
Alternatively, you can use private key authentication. The plugin passes signature operations to your ssh-agent, so you'll need a certificate with a public key matching a private key loaded into your ssh-agent.
Client
Dependencies
The strongSwan extensions are written for NetworkManager 0.7; you will need at least SVN r4053. If your distributor does not provide recent packages, compile it from source (Ubuntu intrepid works fine).
Installation
We provide strongSwan packages for Ubuntu intrepid in our PPA.
If you are not running Ubuntu/Debian, you have to build strongSwan from source.
Using strongSwan PPA
Add our PPA to your sources.list and install the packages:
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
Building from source
To build from source, you additionally need the PAM headers for EAP-GTC and NetworkManager headers for the plugin:
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
NM integration works only for IKEv2, but this allows us to disable a lot of FreeS/WAN legacy stuff. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographic operations. --enable-eap-gtc builds the EAP-GTC plugin, --enable-agent the ssh-agent private key plugin.
# get the strongSwan tarball
wget http://download.strongswan.org/strongswan-4.2.11.tar.bz2
tar xjf strongswan-4.2.11.tar.bz2
cd strongswan-4.2.11
# build charon with OpenSSL/NM Plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
  --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
  --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
  --disable-updown --enable-openssl --enable-nm --enable-eap-gtc --enable-agent
make
make install
# get the NetworkManager strongSwan plugin as a tarball
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.0.0.tar.bz2
tar xjf NetworkManager-strongswan-1.0.0.tar.bz2
cd NetworkManager-strongswan-1.0.0
# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make
make install
Configuration
- Click on nm-applet -> VPN Connections -> Configure VPN...
- Add -> Ipsec/IKEv2 (strongswan) -> Create ...
- Configure your client
- Click on nm-applet -> VPN Connections -> Your Connection
- Enter password
As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.
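The narrowing step described above, sketched as an added example (not strongSwan code): the gateway intersects the address ranges the client proposes with the ranges it has configured. The function names are hypothetical, the sample selectors are constructed, and 10.1.0.0/16 is the subnet used in the gateway configuration further down this page.

```python
import ipaddress


def cidr_range(cidr):
    """Express a CIDR subnet as the (start, end) address range a traffic selector carries."""
    net = ipaddress.ip_network(cidr)
    return net.network_address, net.broadcast_address


def narrow(proposed, configured):
    """Intersect the client's proposed ranges with the gateway's configured
    ranges and return the accepted ranges as CIDR strings."""
    accepted = []
    for p_lo, p_hi in proposed:
        for c_lo, c_hi in configured:
            if p_lo.version != c_lo.version:
                continue  # never mix IPv4 and IPv6 selectors
            lo, hi = max(p_lo, c_lo), min(p_hi, c_hi)
            if lo <= hi:  # the two ranges overlap
                accepted += ipaddress.summarize_address_range(lo, hi)
    return [str(net) for net in accepted]


# Constructed sample selectors (assumptions for this example).
GATEWAY_TS = [cidr_range("10.1.0.0/16")]
NM_CLIENT_TS = [cidr_range("0.0.0.0/0")]  # what the NM plugin always proposes
PARTIAL_TS = [(ipaddress.ip_address("10.1.128.0"),
               ipaddress.ip_address("10.2.255.255"))]
DISJOINT_TS = [cidr_range("192.168.0.0/24")]


def demo():
    return {
        "nm_client": narrow(NM_CLIENT_TS, GATEWAY_TS),
        "partial": narrow(PARTIAL_TS, GATEWAY_TS),
        # An empty result is the case a gateway answers with TS_UNACCEPTABLE.
        "disjoint": narrow(DISJOINT_TS, GATEWAY_TS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Whatever the client proposes, the accepted ranges never extend beyond what the gateway has configured, which is why the client needs no subnet setting of its own.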
Screenshots
[Screenshots: nm-strongswan-config.png, nm-strongswan-auth.png]
Gateway
To allow the EAP-GTC authentication discussed above, the gateway needs support for that module. You don't need the NetworkManager plugin on the gateway, only the EAP-GTC plugin.
You can build strongSwan from source, or use the PPA mentioned above.
Build from source
./configure --disable-pluto --disable-tools --enable-eap-gtc \
  --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
Install from PPA
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install strongswan-charon strongswan-stroke strongswan-eap-gtc
Configuration
By default, the GTC module uses the PAM service login, which should be available on most systems. But you may create your own service, e.g. in /etc/pam.d/ipsec:
#%PAM-1.0
auth required /lib/security/pam_env.so
# nullok lets accounts with an empty password authenticate; remove it to refuse them
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
To use that service, set the pam_service option in /etc/strongswan.conf:
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
A gateway configuration in ipsec.conf might look like this:
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional)
  leftsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use a KEY_ID identity with their username,
  # handle all of them with this config
  rightid=%any
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
IKEv2 does not provide an identity type for plain usernames. The client therefore encodes them as KEY_ID. This allows the GTC module to use a simple username during PAM authentication.
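The KEY_ID encoding described above, as an added example (not strongSwan code): the body of an IKEv2 Identification payload carrying a username, following the layout in RFC 7296 section 3.5, and a gateway-side check before the value is used as a PAM username. The function names, the 64-byte limit and the validation rules are assumptions made for this illustration.

```python
import struct

ID_KEY_ID = 11  # ID type value assigned in RFC 7296, section 3.5
ID_FQDN = 2     # another ID type, used here only to show a rejected payload


def build_id_body(username):
    """Client side: ID type (1 byte), 3 reserved zero bytes, then the raw username."""
    return struct.pack("!B3x", ID_KEY_ID) + username.encode("utf-8")


def username_from_id_body(body, max_len=64):
    """Gateway side: return the username to hand to PAM, or raise ValueError.

    KEY_ID is an opaque octet string, so nothing guarantees it is text;
    it is checked before being treated as a login name.
    """
    if len(body) < 5:
        raise ValueError("ID payload body too short")
    if body[0] != ID_KEY_ID:
        raise ValueError("unexpected ID type %d" % body[0])
    data = body[4:]  # skip ID type and the 3 reserved bytes
    if len(data) > max_len:
        raise ValueError("identity longer than %d bytes" % max_len)
    try:
        name = data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("identity is not valid UTF-8")
    if not name.isprintable():
        raise ValueError("identity contains control characters")
    return name


def is_rejected(body):
    """Helper for the demo: True if the gateway-side check refuses the body."""
    try:
        username_from_id_body(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body = build_id_body("alice")  # constructed sample username
    print(body.hex(), "->", username_from_id_body(body))
    print("FQDN identity rejected:", is_rejected(bytes([ID_FQDN, 0, 0, 0]) + b"gw.example.org"))
    print("NUL byte rejected:", is_rejected(build_id_body("al\x00ice")))
```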