Version 21 (Martin Willi, 04.06.2009 13:45) → Version 22/45 (Andreas Steffen, 26.07.2009 08:10)

h1. NetworkManager

"NetworkManager": allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.

NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

You can use any password-based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key.

If you configure the gateway certificate directly on the clients, there are no requirements on the certificate. If you deploy CA certificates instead (supported in 4.3.1+), the gateway certificate needs a subjectAltName including the hostname of the gateway (the same one you enter in the client's configuration).
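The following POSIX shell script is an added example (not part of this wiki page, strongSwan or the NM plugin) that checks the requirement just stated: it builds a throw-away CA and gateway certificate whose subjectAltName carries the gateway hostname, then uses the openssl command to confirm the certificate chains to the CA and matches that hostname. The hostname vpn.example.org and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the strongSwan wiki or the NM plugin.
# Checks that a gateway certificate satisfies the CA-deployment requirement
# above: it chains to the deployed CA and carries the configured gateway
# hostname as a subjectAltName dNSName. Requires the openssl command.

# check_gateway_cert CERT CA HOSTNAME: exit 0 only if CERT chains to CA and
# HOSTNAME matches a SAN entry (the CN is deliberately different below).
check_gateway_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# make_demo_certs DIR HOSTNAME: constructed throw-away CA and gateway
# certificate for the demo only; never use these for a real deployment.
make_demo_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # self-signed CA (the default openssl.cnf v3_ca section marks it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # gateway CSR with a CN that is NOT the hostname, so only the SAN can match
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-gateway" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" >/dev/null 2>&1
    # sign it, adding the subjectAltName the client will look for
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 1 -in "$dir/gw.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/gw.pem" >/dev/null 2>&1
}

# Demo run with the constructed hostname in a temporary directory
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" vpn.example.org
if check_gateway_cert "$demo_dir/gw.pem" "$demo_dir/ca.pem" vpn.example.org; then
    echo "gateway certificate OK for vpn.example.org"
else
    echo "gateway certificate REJECTED for vpn.example.org"
fi
rm -rf "$demo_dir"
```

Point check_gateway_cert at your real gateway certificate, the CA certificate you deploy to the clients and the hostname entered in the NM connection to see whether the certificate will be accepted before rolling it out.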

h2. Dependencies

The strongSwan NM plugin and the NetworkManager VPN module are currently written against the NetworkManager 7.1 interface. They should work with your distributor's latest packages.

h2. Installation

In Debian, the package _network-manager-strongswan_, along with the strongSwan core packages, is in the _unstable_ distribution.
For Ubuntu intrepid/jaunty, we provide packages in our "PPA":

If you are not running Ubuntu/Debian, you have to build strongSwan from source.

h3. Using strongSwan PPA

Add our "PPA": to your _sources.list_ and install the packages:
<pre>
echo "deb intrepid main" >> /etc/apt/sources.list
aptitude update
aptitude install network-manager-strongswan
</pre>

h3. Building from source

To build from source, you additionally need the PAM headers for EAP-GTC and the NetworkManager headers for the plugin:
<pre>
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
</pre>

NM integration works only with IKEv2, which allows us to disable a lot of IKEv1 legacy stuff. Since OpenSSL is installed on a desktop anyway, we use libcrypto for all cryptographic operations. --enable-agent builds the ssh-agent private key plugin; the EAP plugins are enabled using --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2. You may build only what you'll actually use.

<pre>
# get the strongSwan tarball
tar xjf strongswan-4.2.14.tar.bz2
cd strongswan-4.2.14

# build charon with OpenSSL/NM Plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
--disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
--disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
--disable-updown --enable-openssl --enable-nm --enable-agent \
--enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
make install

# get the NetworkManager strongSwan plugin as a tarball
tar xjf NetworkManager-strongswan-1.1.0.tar.bz2
cd NetworkManager-strongswan-1.1.0

# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make install
</pre>

h2. Configuration

* Click on nm-applet -> VPN Connections -> Configure VPN...
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
* Configure your client
* Click on nm-applet -> VPN Connections -> Your Connection
* Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administrator choose the subnet: the client always sends a proposal for the remote network and the gateway narrows it down to the configured subnet.

h2. Screenshots

!nm-strongswan-config.png! !nm-strongswan-auth.png!

h2. Server configuration

Depending on the authentication methods used, you can use gateway configurations very similar to those for Windows 7 ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or use [[EapGtc|EAP-GTC]] to authenticate against PAM.