NetworkManager » History » Version 37

Tobias Brunner, 14.08.2013 11:48

h1. NetworkManager

"NetworkManager": allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups.

NetworkManager uses DBUS to communicate with a special build of the charon IKE daemon (@charon-nm@). Before [[5.0.0]] NetworkManager communicated with a plugin in regular charon, which was prone to conflicts.

The plugin uses a certificate to authenticate the gateway and supports EAP and RSA authentication for client authentication. PSK is not supported, as it is considered insecure if the secrets are not strong enough.

You can use any password based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key. Starting with [[4.5.0|strongSwan 4.5.0]] / NetworkManager-strongswan 1.2.0, private keys and certificates on a smartcard can be used.

If you configure the gateway certificate directly on the clients, there are no requirements on the certificate. If you deploy CA certificates instead (supported since [[4.3.1]]), the gateway certificate needs a _subjectAltName_ containing the host name of the gateway (the same name you enter in the client's configuration). Starting with [[4.3.5|version 4.3.5]], you can also use the preinstalled root CA certificates of your distribution via the @--with-nm-ca-dir@ configure option: just don't specify any gateway/CA certificate and the preinstalled root certificates are used. CA certificates on a smartcard are used automatically.

*Note:* Versions before [[5.0.3]] don't work well together with newer versions of NetworkManager (see #294). If you encounter network problems during or after the connection, check the IP addresses of the loopback interface. To restore them:

<pre>
ip addr flush dev lo
ip addr add 127.0.0.1/8 dev lo
# restore your default gateway
</pre>

h2. Screenshots

!nm-strongswan-config.png! !nm-strongswan-auth.png!

h2. Dependencies

The strongSwan NM plugin and the NetworkManager VPN module are currently based on the NetworkManager 0.9 interface. It should work out of the box with the latest packages of your favorite Linux distribution.

h2. Installation

In Debian and Ubuntu, install the _network-manager-strongswan_ package.

If you are not running Ubuntu/Debian/Suse, you have to build strongSwan from source.

h3. Building from source

To build from source you additionally need the NetworkManager headers for the strongSwan NM backend:

<pre>
apt-get install libssl-dev network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
</pre>

NM integration works only for IKEv2. Since OpenSSL is installed on a desktop anyway, we use libcrypto for all cryptographic operations. @--enable-agent@ builds the ssh-agent private key plugin, the EAP plugins are enabled with @--enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2@, and smartcard support needs @--enable-pkcs11@. You may omit options you don't need.

<pre>
# get the strongSwan tarball
tar xjf strongswan-5.x.x.tar.bz2
cd strongswan-5.x.x

# build charon with OpenSSL/NM plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
make install
cd ..

# get the NetworkManager strongSwan plugin as a tarball
tar xjf NetworkManager-strongswan-1.x.x.tar.bz2
cd NetworkManager-strongswan-1.x.x

# build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --with-charon=/usr/lib/ipsec/charon-nm
make install
</pre>
65 19 Andreas Steffen
66 20 Martin Willi
67 1 Martin Willi
h2. Configuration
68 1 Martin Willi
69 1 Martin Willi
* Click on nm-applet -> VPN Connections -> Configure VPN...
70 1 Martin Willi
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
71 1 Martin Willi
* Configure your client
72 1 Martin Willi
* Click on nm-applet -> VPN Connections -> Your Connection
73 1 Martin Willi
* Enter password
74 1 Martin Willi
75 1 Martin Willi
As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet; the client always proposes for the remote network and the gateway narrows that down to the configured subnet. 
76 27 Martin Willi
77 37 Tobias Brunner
If you use _Certificate/private_key_ authentication, please store your certificate and private key in separate files.

h2. Smart card requirements

The use of smart cards should be as simple as possible for the end user, which brings some restrictions. For instance, the daemon automatically selects the first certificate with a private key on any token in any slot.

First, you'll need to specify the PKCS#11 module in strongswan.conf. Please refer to the general description of [[SmartCardsIKEv2|smart card support with IKEv2]] for details on how to do so.

You may define multiple modules; the daemon looks for the first certificate/private key pair in the specified module order.

The daemon uses the following mechanism to find a private key:

* enumerate all certificates which have the TLS Client Auth Extended Key Usage, but no CA constraint
* for each certificate:
** extract the subjectKeyIdentifier
** enumerate all modules with all tokens
** for each token:
*** look for a public key having the certificate's subjectKeyIdentifier as ID
*** if found, log in to the smartcard using the supplied PIN
*** if logged in, load the associated private key

In short, the private key on the token must have a public key readable without login, and both objects must have an ID matching the certificate's subjectKeyIdentifier (or the hash of the subjectPublicKey field of the public key). The certificate needs the TLS Client Auth Extended Key Usage flag.
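The lookup just described, worked through as an added example; this is not code from strongSwan or the NetworkManager plugin. It models PKCS#11 tokens with a hypothetical in-memory @Token@ type (public key objects visible without login, private key objects only after a PIN login), builds self-signed test certificates with Go's standard library, and derives the object ID the way the text states: the subjectKeyIdentifier if the certificate has one, otherwise the SHA-1 hash of the subjectPublicKey bits. The names @Token@, @KeyID@, @IsCandidate@, @SelectPrivateKey@ and @MakeCert@ are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Token is a hypothetical in-memory stand-in for a PKCS#11 token: public keys are
// readable without login, private keys only after a PIN login; IDs are hex CKA_IDs.
type Token struct {
	Label, PIN            string
	PublicIDs, PrivateIDs map[string]bool
}

// KeyID is the ID token objects are matched against: the certificate's
// subjectKeyIdentifier, or SHA-1 over the subjectPublicKey bits if it has none.
func KeyID(cert *x509.Certificate) string {
	if len(cert.SubjectKeyId) > 0 {
		return hex.EncodeToString(cert.SubjectKeyId)
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki); err != nil {
		return ""
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return hex.EncodeToString(sum[:])
}

// IsCandidate: TLS Client Auth extended key usage present and no CA constraint.
func IsCandidate(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth && !cert.IsCA {
			return true
		}
	}
	return false
}

// SelectPrivateKey walks candidates in order and tokens in module order: look for a
// public key with the matching ID, log in with the PIN, then load the private key.
func SelectPrivateKey(certs []*x509.Certificate, tokens []*Token, pin string) (*x509.Certificate, string, bool) {
	for _, cert := range certs {
		if !IsCandidate(cert) {
			continue
		}
		id := KeyID(cert)
		for _, tok := range tokens {
			if !tok.PublicIDs[id] || tok.PIN != pin {
				continue // no public key with this ID on the token, or the login failed
			}
			if tok.PrivateIDs[id] {
				return cert, tok.Label, true
			}
		}
	}
	return nil, "", false
}

// MakeCert builds a self-signed test certificate with the TLS Client Auth EKU
// (constructed input); Go adds a subjectKeyIdentifier only when isCA is set.
func MakeCert(cn string, isCA bool) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, IsCA: isCA, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	alice := MakeCert("alice", false)
	tok := &Token{Label: "token0", PIN: "1234", PublicIDs: map[string]bool{KeyID(alice): true}, PrivateIDs: map[string]bool{KeyID(alice): true}}
	_, label, ok := SelectPrivateKey([]*x509.Certificate{alice}, []*Token{tok}, "1234")
	fmt.Println("key found:", ok, "on token", label, "with ID", KeyID(alice))
}
```

@KeyID@ is the part worth reusing on a real deployment: run it over the certificate you intend to use and compare the result with the CKA_ID of the public and private key objects on the token; if they differ, the daemon will never pair the certificate with the key. The SHA-1 fallback is the common subjectKeyIdentifier construction (hash of the subjectPublicKey bit string), so a certificate without the extension and a token that used that construction for its object IDs still match.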

The daemon uses the first subjectAltName of the selected certificate as IKEv2 identity, or the full DN if the certificate has none.

The "SuisseID": certificates from "Swiss Post": are known to work fine with such a setup.

h2. Server configuration

Depending on the authentication methods used, you can use gateway configurations very similar to those for Windows 7 ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or use [[EapGtc|EAP-GTC]] and the [[XAuthPam|PAM XAuth backend]] to authenticate against PAM.