NetworkManager » History » Version 33

« Previous - Version 33/45 (diff) - Next » - Current version
Tobias Brunner, 14.11.2011 16:19


NetworkManager allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.

NetworkManager uses DBUS to communicate with a plugin loaded by the IKEv2 charon daemon.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

You can use any password based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key. Starting with strongSwan 4.5.0 / NetworkManager-strongswan 1.2.0, private keys and certificates on a smartcard can be used.

If you configure the gateway certificate directly on the clients, there are no requirements to the certificate. If you deploy CA certificates (supported since 4.3.1), the gateway certificate will need a subjectAltName including the Hostname of the gateway (the same you enter in the clients configuration). Starting with version 4.3.5, you can also use preinstalled root CA certificates of your distribution, using the --with-nm-ca-dir configure option. Just don't specify any gateway/CA certificate to use preinstalled root certificates. CA certificates on a smartcard are automatically used.



The strongSwan NM plugin and the NetworkManager VPN module are currently based on the NetworkManager 7.1/7.99 interface. It should work out-of-the-box with the latest packages of your favorite Linux distribution.


In Debian and Ubuntu, install the network-manager-strongswan packages.

If you are not running Ubuntu/Debian/Suse, you have to build strongSwan from source.

Building from source

To build from source, you additionally need the PAM headers for EAP-GTC and NetworkManager headers for the plugin:

aptitude install libssl-dev libpam0g-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common

NM integration works only for IKEv2, but this allows us to disable a lot of IKEv1 legacy stuff. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographical operations. --enable-agent builds the ssh-agent private key plugin, EAP plugins are enabled using --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2. For Smartcard support, --enable-pkcs11. You may omit options you don't need.

# get the strongSwan tarball
tar xjf strongswan-4.3.5.tar.bz2
cd strongswan-4.3.5

# build charon with OpenSSL/NM Plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
   --disable-updown --enable-openssl --enable-nm --enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
make install

# get the NetworkManager strongsSwan plugin as a tarball
tar xjf NetworkManager-strongswan-1.1.2.tar.bz2
cd NetworkManager-strongswan-1.1.2

# build the NetworkManager strongsSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon
make install


  • Click on nm-applet -> VPN Connections -> Configure VPN...
  • Add -> Ipsec/IKEv2 (strongswan) -> Create ...
  • Configure your client
  • Click on nm-applet -> VPN Connections -> Your Connection
  • Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes for the remote network and the gateway narrows that down to the configured subnet.

Smart card requirements

The use of smart cards should be as simple as possible to the end user, which brings some restrictions. For instance, the daemon automatically selects the first certificate with a private key on any token in any slot.

First, you'll need to specify the PKCS#11 module in strongswan.conf. Please refer to the general description of smart card support with IKEv2 for details on how to do so.

You may define multiple modules, the daemon looks for the first certificate/private key in the specified module order.

The daemon uses the following mechanism to find a private key:
  • enumerate all certificates which have the TLS Client Auth Extended Key usage, but no CA constraint
  • for each certificate:
    • extract the subjectKeyIdentifier
    • enumerate all modules with all tokens
    • for each token:
      • look for a public key having the certificates subjectKeyIdentifier as ID
      • if found, log in to the smartcard using the supplied PIN
      • if logged in, load the associated private key

In short, the private key on the token must have a public key readable without login, and both objects must have an ID matching the certificates subjectKeyIdentifier (or the hash of the subjectPublicKey field of the public key). The certificate needs the TLS CLient Auth Extended Key usage flag.

The daemon uses the first subjectAltName of the selected certificate as IKEv2 identity, or uses the full DN if none found.

The SuisseID certificates from Swiss Post are known to work fine with such a setup.

Server configuration

Depending on the used authentication methods, you can use gateway configurations very similar to Windows 7 (Certificate/MSCHAPv2), or use EAP-GTC to authenticate against PAM.