Project

General

Profile

NetworkManager » History » Version 26

Andreas Steffen, 24.12.2009 11:55

1 19 Andreas Steffen
h1. NetworkManager
2 1 Martin Willi
3 19 Andreas Steffen
"NetworkManager":http://www.gnome.org/projects/NetworkManager/ allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.
4 19 Andreas Steffen
5 1 Martin Willi
NetworkManager uses DBUS to communicate with a plugin loaded by the IKEv2 charon daemon.
6 19 Andreas Steffen
7 1 Martin Willi
The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough. 
8 19 Andreas Steffen
9 20 Martin Willi
You can use any password based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key.
10 12 Martin Willi
11 25 Martin Willi
If you configure the gateway certificate directly on the clients, there are no requirements to the certificate. If you deploy CA certificates (supported in 4.3.1+), the gateway certificate will need a subjectAltName including the Hostname of the gateway (the same you enter in the clients configuration). Starting with version 4.3.5, you can also use preinstalled root CA certificates of your distribution, using the --with-nm-ca-dir configure option. Just do not specify any gateway/CA certificate to use preinstalled root certificates.
12 26 Andreas Steffen
13 26 Andreas Steffen
h2. Screenshots
14 26 Andreas Steffen
15 26 Andreas Steffen
!nm-strongswan-config.png! !nm-strongswan-auth.png!
16 26 Andreas Steffen
17 1 Martin Willi
h2. Dependencies
18 1 Martin Willi
19 26 Andreas Steffen
The strongSwan NM plugin and the NetworkManager VPN module are currently based on the NetworkManager 7.1/7.99 interface. It should work out-of-the-box with the latest packages of your favorite Linux distribution.
20 19 Andreas Steffen
21 19 Andreas Steffen
h2. Installation
22 21 Martin Willi
23 24 Martin Willi
In Debian Testing and Ubuntu Karmic Koala, install the _network-manager-strongswan_ packages.
24 19 Andreas Steffen
25 1 Martin Willi
If you are not running Ubuntu/Debian, you have to build strongSwan from source.
26 1 Martin Willi
27 1 Martin Willi
h3. Building from source
28 19 Andreas Steffen
29 1 Martin Willi
To build from source, you additionally need the PAM headers for EAP-GTC and NetworkManager headers for the plugin:
30 20 Martin Willi
<pre>
31 1 Martin Willi
aptitude install libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
32 20 Martin Willi
</pre>
33 19 Andreas Steffen
34 1 Martin Willi
NM integration works only for IKEv2, but this allows us to disable a lot of IKEv1 legacy stuff. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographical operations. --enable-agent builds the ssh-agent private key plugin, EAP plugins are enabled using --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2. You may build only what you'll actually use.
35 19 Andreas Steffen
36 19 Andreas Steffen
<pre>
37 1 Martin Willi
# get the strongSwan tarball
38 24 Martin Willi
wget http://download.strongswan.org/strongswan-4.3.5.tar.bz2
39 24 Martin Willi
tar xjf strongswan-4.3.5.tar.bz2
40 24 Martin Willi
cd strongswan-4.3.5
41 1 Martin Willi
42 20 Martin Willi
# build charon with OpenSSL/NM Plugin
43 1 Martin Willi
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
44 18 Andreas Steffen
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
45 19 Andreas Steffen
   --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
46 20 Martin Willi
   --disable-updown --enable-openssl --enable-nm --enable-agent \
47 20 Martin Willi
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
48 1 Martin Willi
make
49 18 Andreas Steffen
make install
50 1 Martin Willi
51 20 Martin Willi
# get the NetworkManager strongsSwan plugin as a tarball
52 23 Andreas Steffen
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.1.1.tar.bz2
53 23 Andreas Steffen
tar xjf NetworkManager-strongswan-1.1.1.tar.bz2
54 23 Andreas Steffen
cd NetworkManager-strongswan-1.1.1
55 9 Martin Willi
56 20 Martin Willi
# build the NetworkManager strongsSwan plugin
57 9 Martin Willi
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
58 19 Andreas Steffen
make
59 9 Martin Willi
make install
60 19 Andreas Steffen
</pre>
61 19 Andreas Steffen
62 20 Martin Willi
h2. Configuration
63 1 Martin Willi
64 11 Martin Willi
65 17 Martin Willi
* Click on nm-applet -> VPN Connections -> Configure VPN...
66 9 Martin Willi
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
67 9 Martin Willi
* Configure your client
68 9 Martin Willi
* Click on nm-applet -> VPN Connections -> Your Connection
69 20 Martin Willi
* Enter password
70 17 Martin Willi
71 20 Martin Willi
As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes 0.0.0.0/0 for the remote network and the gateway narrows that down to the configured subnet. 
72 1 Martin Willi
73 20 Martin Willi
h2. Server configuration
74 1 Martin Willi
75 20 Martin Willi
Depending on the used authentication methods, you can use gateway configurations very similar to Windows 7 ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or use [[EapGtc|EAP-GTC]] to authenticate against PAM.