NetworkManager » History » Version 19

Andreas Steffen, 19.02.2009 20:22
cosmetics

h1. NetworkManager

"NetworkManager":http://www.gnome.org/projects/NetworkManager/ allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.

NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

While any password-based EAP method is usable with NetworkManager, we use [[EAP-GTC]] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with username/password. Don't worry - this is still secure, because the gateway has to prove its identity first, before the user credentials are transmitted.

Alternatively you can use private key authentication. The plugin passes signature operations to your ssh-agent, so you'll need a certificate with a public key matching a private key loaded into your ssh-agent.

h2. Client

h3. Dependencies

The strongSwan extensions are written for NetworkManager 0.7; you will need at least SVN revision r4053. If your distributor does not provide recent packages, compile it from source (Ubuntu intrepid works fine).

h3. Installation

We provide strongSwan packages for Ubuntu intrepid in our "PPA":https://launchpad.net/~strongswan/+archive/ppa.

If you are not running Ubuntu/Debian, you have to build strongSwan from source.

h4. Using strongSwan PPA

Add our "PPA":https://launchpad.net/~strongswan/+archive/ppa to your _sources.list_ and install the packages:

<pre>
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
</pre>

h4. Building from source

To build from source, you additionally need the PAM headers for EAP-GTC and [[NetworkManager]] headers for the plugin:

<pre>
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
</pre>

NM integration works only for IKEv2, but this allows us to disable a lot of FreeS/WAN legacy stuff. Since on a desktop we have [[OpenSSL]] installed anyway, we are going to use libcrypto for all cryptographic operations. _--enable-eap-gtc_ builds the EAP-GTC plugin, _--enable-agent_ the ssh-agent private key plugin.

<pre>
# get the strongSwan tarball
wget http://download.strongswan.org/strongswan-4.2.11.tar.bz2
tar xjf strongswan-4.2.11.tar.bz2
cd strongswan-4.2.11

# build charon with the OpenSSL and NM plugins
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
   --disable-updown --enable-openssl --enable-nm --enable-eap-gtc --enable-agent
make
make install

# get the NetworkManager strongSwan plugin as a tarball
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.0.0.tar.bz2
tar xjf NetworkManager-strongswan-1.0.0.tar.bz2
cd NetworkManager-strongswan-1.0.0

# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make
make install
</pre>

h3. Configuration

* Click on nm-applet -> VPN Connections -> Configure VPN...
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
* Configure your client
* Click on nm-applet -> VPN Connections -> Your Connection
* Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.

h3. Screenshots

[[Image(nm-strongswan-config.png, nolink)]] [[Image(nm-strongswan-auth.png, nolink)]]

h2. Gateway

To allow the EAP-GTC authentication discussed above, the gateway needs support for that method. The gateway does not need the NetworkManager plugin, only the EAP-GTC plugin.

You can build strongSwan from source, or use the "PPA":https://launchpad.net/~strongswan/+archive/ppa mentioned above.

h3. Build from source

<pre>
./configure --disable-pluto --disable-tools --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
</pre>

h3. Install from PPA

<pre>
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install strongswan-charon strongswan-stroke strongswan-eap-gtc
</pre>

h3. Configuration

By default, the GTC module uses the PAM service _login_, which should be available on most systems. But you may create your own service, e.g. in _/etc/pam.d/ipsec_:

<pre>
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
</pre>

To use that service, set the _pam_service_ option in _/etc/strongswan.conf_:

<pre>
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
</pre>

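As an added example (not part of this page or of strongSwan's own code), the following Python script reads the _pam_service_ setting out of a strongswan.conf fragment, falling back to the _login_ default the GTC module uses, and then audits the matching PAM _auth_ stack for settings that weaken the password check. The inputs are constructed copies of the two snippets above; the _nullok_ option on pam_unix, which lets accounts with an empty password authenticate, is what the audit flags.

```python
# Constructed sample inputs: the strongswan.conf fragment and the PAM stack from above.
STRONGSWAN_CONF = """
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec   # PAM service name looked up in /etc/pam.d/
    }
  }
}
"""

PAM_IPSEC = """#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
"""

def parse_strongswan_conf(text):
    """Parse strongswan.conf's nested 'section { key = value }' syntax into dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                       # open a subsection
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                            # close the current subsection
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return root

def eap_gtc_pam_service(conf_text):
    """charon.plugins.eap_gtc.pam_service, or the plugin's default 'login'."""
    conf = parse_strongswan_conf(conf_text)
    return (conf.get("charon", {}).get("plugins", {})
                .get("eap_gtc", {}).get("pam_service", "login"))

def audit_pam_auth_stack(pam_text):
    """Flag 'auth' entries that weaken the password check behind EAP-GTC."""
    auth = [l.split() for l in pam_text.splitlines() if l.startswith("auth")]
    findings = ["pam_unix nullok: accounts with an empty password are accepted"
                for f in auth if "pam_unix.so" in f[2] and "nullok" in f[3:]]
    if not auth or "pam_deny.so" not in auth[-1][2]:
        findings.append("auth stack does not end with pam_deny.so")
    return findings
```

Running `audit_pam_auth_stack(PAM_IPSEC)` on the constructed stack returns the nullok finding; dropping the option from the pam_unix line returns an empty list.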
A gateway configuration in [[IpsecConf|ipsecconf]] might look like this:

<pre>
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # subnet behind gateway to include in tunnel (optional)
  rightsubnet=10.1.0.0/16
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.250.0/24
  # clients use a KEY_ID identity with their username,
  # handle all of them with this config
  rightid=%any
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
</pre>

IKEv2 does not provide an identity type for plain usernames. The client therefore encodes them as KEY_ID. This allows the GTC module to use a simple username during PAM authentication.
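As an added example (not from this page or from charon's source), the following Python code builds and parses the IKEv2 Identification payload from RFC 4306, section 3.5, to show what the KEY_ID encoding of a username looks like on the wire, and extracts the username only when the ID type is ID_KEY_ID, which is why the gateway above can match every client with _rightid=%any_. The username "alice" and the helper names are constructed for the example.

```python
import struct

# IKEv2 Identification payload ID types (RFC 4306, section 3.5)
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_KEY_ID = 9, 11
NO_NEXT_PAYLOAD = 0

def encode_id_payload(id_type, data, next_payload=NO_NEXT_PAYLOAD):
    """Generic payload header (next, flags, length) + ID type + 3 reserved + data.
    The length field covers the whole payload including the 4-byte header."""
    header = struct.pack("!BBH", next_payload, 0, 8 + len(data))
    return header + struct.pack("!B3x", id_type) + data

def decode_id_payload(buf):
    """Return (id_type, data); reject a length field that disagrees with the buffer."""
    if len(buf) < 8:
        raise ValueError("ID payload truncated")
    _next, _flags, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise ValueError("length field %d != %d bytes received" % (length, len(buf)))
    return buf[4], buf[8:]

def username_identity(username):
    """Client side, as the text describes: a bare username is neither an FQDN
    nor an e-mail address, so it travels as opaque ID_KEY_ID bytes."""
    return encode_id_payload(ID_KEY_ID, username.encode("utf-8"))

def keyid_username(buf):
    """Gateway side: hand the identity to PAM only if it is a KEY_ID holding
    printable text; any other ID type is not a plain username (returns None)."""
    id_type, data = decode_id_payload(buf)
    if id_type != ID_KEY_ID:
        return None
    name = data.decode("utf-8")
    if not name or not name.isprintable():
        raise ValueError("KEY_ID is not a usable username")
    return name

if __name__ == "__main__":
    # Constructed example identity for the user 'alice'
    idi = username_identity("alice")
    print(idi.hex())             # 0000000d0b000000616c696365
    print(keyid_username(idi))   # alice
```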