NetworkManager » History » Version 21

Martin Willi, 04.06.2009 13:45

h1. NetworkManager

"NetworkManager":http://www.gnome.org/projects/NetworkManager/ allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.

NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

You can use any password based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key.

If you configure the gateway certificate directly on the clients, there are no requirements on the certificate. If you deploy CA certificates (supported in 4.3.1+), the gateway certificate will need a subjectAltName including the hostname of the gateway (the same one you enter in the client's configuration).
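
The subjectAltName requirement above, checked programmatically: an added example (not code from the strongSwan project or from this wiki page) that parses the DER GeneralNames of a subjectAltName extension and tests whether the hostname the client enters is present. It assumes the SAN extension value has already been extracted from the gateway certificate; the sample SAN bytes and the names in them are constructed for illustration.

```python
# Added example (not part of the strongSwan wiki page): check that a DER-encoded
# subjectAltName value (the GeneralNames SEQUENCE from the gateway certificate)
# carries the hostname or IP the client enters in its NetworkManager configuration.
# Assumes the caller has already extracted the extension value from the certificate.

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_names(san_der):
    """List (kind, value) entries of a GeneralNames SEQUENCE.
    Handles dNSName ([2] IA5String) and IPv4 iPAddress ([7] OCTET STRING);
    other GeneralName choices (email, URI, directoryName, ...) are skipped."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x82:
            names.append(("dns", v.decode("ascii")))
        elif t == 0x87 and len(v) == 4:
            names.append(("ip", ".".join(str(b) for b in v)))
    return names


def gateway_matches(san_der, configured_host):
    """True if the configured gateway hostname/IP appears in the SAN.
    DNS names compare case-insensitively and ignore a trailing dot; no wildcard
    matching, because the gateway identity should be an exact name."""
    host = configured_host.strip().rstrip(".").lower()
    for kind, value in san_names(san_der):
        if kind == "dns" and value.rstrip(".").lower() == host:
            return True
        if kind == "ip" and value == host:
            return True
    return False


# Constructed sample SAN: dNSName "vpn.example.org" plus iPAddress 192.0.2.1
SAMPLE_SAN = (bytes([0x30, 0x17, 0x82, 0x0F]) + b"vpn.example.org"
              + bytes([0x87, 0x04, 192, 0, 2, 1]))

if __name__ == "__main__":
    for host in ("vpn.example.org", "192.0.2.1", "gw.example.org"):
        print(host, "->", "ok" if gateway_matches(SAMPLE_SAN, host) else "MISSING in SAN")
```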

h2. Dependencies

The strongSwan NM plugin and the NetworkManager VPN module are currently written against NetworkManager 7.1. It should work with your distributor's latest packages.

h2. Installation

In Debian, the package _network-manager-strongswan_ along with the strongSwan core packages are in the _unstable_ distribution.
For Ubuntu intrepid/jaunty, we provide packages in our "PPA":https://launchpad.net/~strongswan/+archive/ppa.

If you are not running Ubuntu/Debian, you have to build strongSwan from source.

h3. Using strongSwan PPA

Add our "PPA":https://launchpad.net/~strongswan/+archive/ppa to your _sources.list_ and install the packages:
<pre>
echo "deb http://ppa.launchpad.net/strongswan/ppa/ubuntu intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
</pre>

h3. Building from source

To build from source, you additionally need the PAM headers for EAP-GTC and the NetworkManager headers for the plugin:
<pre>
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
</pre>

NM integration works only for IKEv2, which allows us to disable a lot of IKEv1 legacy code. Since OpenSSL is installed on a desktop anyway, we use libcrypto for all cryptographic operations. --enable-agent builds the ssh-agent private key plugin; the EAP plugins are enabled with --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2. You may build only what you'll actually use.

<pre>
# get the strongSwan tarball
wget http://download.strongswan.org/strongswan-4.2.14.tar.bz2
tar xjf strongswan-4.2.14.tar.bz2
cd strongswan-4.2.14

# build charon with the OpenSSL and NM plugins
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
   --disable-updown --enable-openssl --enable-nm --enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
make
make install

# get the NetworkManager strongSwan plugin as a tarball
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.1.0.tar.bz2
tar xjf NetworkManager-strongswan-1.1.0.tar.bz2
cd NetworkManager-strongswan-1.1.0

# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make
make install
</pre>

h2. Configuration

* Click on nm-applet -> VPN Connections -> Configure VPN...
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
* Configure your client
* Click on nm-applet -> VPN Connections -> Your Connection
* Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet.

h2. Screenshots

!nm-strongswan-config.png! !nm-strongswan-auth.png!

h2. Server configuration

Depending on the authentication methods used, you can use gateway configurations very similar to those for Windows 7 ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or use [[EapGtc|EAP-GTC]] to authenticate against PAM.