NetworkManager » History » Version 43

Raphael Geissert, 03.11.2016 17:30
mention the CKA_ID lookup change in 5.5.1

h1. NetworkManager

"NetworkManager": allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups. The plugin currently supports connections using the IKEv2 protocol only.

NetworkManager uses D-Bus to communicate with a special build of the charon IKE daemon (_charon-nm_). Before version:5.0.0 NetworkManager communicated with a plugin in the regular charon daemon, which was prone to conflicts.

The plugin uses a certificate for gateway authentication and supports EAP and RSA authentication for client authentication. PSK is supported starting with NetworkManager-strongswan-1.3.1, but strong secrets are enforced.

You can use any password-based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or private key authentication. Private keys are either stored in a file or accessed through your ready-to-use ssh-agent. You'll need a certificate matching that key. Starting with strongSwan version:4.5.0 / NetworkManager-strongswan 1.2.0, private keys and certificates on a smartcard can be used.

If you configure the gateway certificate directly on the clients, there are no requirements on the certificate. If you deploy CA certificates (supported since [[4.3.1]]), the gateway certificate will need a _subjectAltName_ including the host name of the gateway (the same you enter in the client's configuration). Starting with [[4.3.5|version 4.3.5]], you can also use the preinstalled root CA certificates of your distribution, using the @--with-nm-ca-dir@ configure option. Just don't specify any gateway/CA certificate to use the preinstalled root certificates. CA certificates on a smartcard are automatically used.

* Versions before version:5.0.3 don't work well together with some versions of NetworkManager (see #294). Please check the IP addresses of the loopback interface when encountering network problems after/during the connection. To restore:
# @ip addr flush dev lo@
# @ip addr add 127.0.0.1/8 dev lo@
# restore your default gateway

* Versions before NetworkManager-strongswan 1.4.0 / strongSwan version:5.5.1 don't work with NetworkManager 1.2 and newer (some patches may be applied to older strongSwan releases to use the updated NM plugin, refer to our "Download page":// for details).

h2. Screenshots

!nm-strongswan-config.png! !nm-strongswan-auth.png!

h2. Dependencies

The original strongSwan NM plugin and the NetworkManager VPN module were based on the NetworkManager 0.9 interface. Version 1.4.0 of the plugin updated parts of it to the NetworkManager 1.2 interface (mostly related to the GUI; the plugin in _charon-nm_ is largely unchanged). It should work out of the box with the latest packages of your favorite Linux distribution.

h2. Installation

Your distribution may provide a package (e.g. _network-manager-strongswan_ on Debian/Ubuntu).

Otherwise, you have to build strongSwan from source.

h3. Building from source

To build from source you additionally need the NetworkManager headers for the strongSwan NM backend:

<pre>
apt-get install libssl-dev network-manager-dev libnm-glib-vpn-dev libnm-gtk-dev libnma-dev libgtk-3-dev libsecret-1-dev gnome-common
</pre>

NM integration works only for IKEv2. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographic operations. @--enable-agent@ builds the ssh-agent private key plugin, EAP plugins are enabled using @--enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2@. For smartcard support, add @--enable-pkcs11@. You may omit options you don't need.

<pre>
# get the strongSwan tarball
tar xjf strongswan-5.x.x.tar.bz2
cd strongswan-5.x.x

# build charon with the OpenSSL and NM plugins
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-identity
make install

# get the NetworkManager strongSwan plugin as a tarball
tar xjf NetworkManager-strongswan-1.x.x.tar.bz2
cd NetworkManager-strongswan-1.x.x

# build the NetworkManager strongSwan plugin (if you changed prefix/libexecdir above, set --with-charon=/path/to/charon-nm)
./configure --sysconfdir=/etc --prefix=/usr
make install
</pre>

h2. Configuration

* Click on nm-applet -> VPN Connections -> Configure VPN...
* Add -> Ipsec/IKEv2 (strongswan) -> Create ...
* Configure your client
* Click on nm-applet -> VPN Connections -> Your Connection
* Enter password

As you can see, there is no subnet configuration for the tunnel. We let the gateway administration choose the subnet: the client always proposes for the remote network and the gateway narrows that down to the configured subnet.

If you use _Certificate/private_key_ authentication, please store your certificate and private key in separate files.

h2. Smart card requirements

The use of smart cards should be as simple as possible for the end user, which brings some restrictions. For instance, the daemon automatically selects the first certificate with a private key on any token in any slot.

First, you'll need to specify the PKCS#11 module in strongswan.conf. Please refer to the general description of [[SmartCardsIKEv2|smart card support with IKEv2]] for details on how to do so.

You may define multiple modules; the daemon looks for the first certificate/private key in the specified module order.

The daemon uses the following mechanism to find a private key:
* enumerate all certificates which have the TLS Client Auth Extended Key Usage, but no CA constraint
* for each certificate:
** extract the subjectKeyIdentifier
** enumerate all modules with all tokens
** for each token:
*** look for a public key having the certificate's subjectKeyIdentifier as ID
*** if not found, enumerate all public keys and look for a certificate with a matching subjectKeyIdentifier and use its ID
**** if found, log in to the smartcard using the supplied PIN
**** if logged in, load the associated private key

In short, the private key on the token must have a public key readable without login, and both objects must have a matching ID. Before version:5.5.1 both objects had to have an ID matching the certificate's subjectKeyIdentifier (or the hash of the subjectPublicKey field of the public key).
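
The lookup above, modelled in Python as an added example (this is not strongSwan's code; token and certificate objects are constructed dicts, and the @legacy@ flag reproduces the pre-5.5.1 rule that accepted only a CKA_ID equal to the subjectKeyIdentifier):

```python
# Added example (not strongSwan's own code): in-memory model of the charon-nm
# PKCS#11 private-key lookup; token objects are constructed dicts.
def candidate_certificates(modules):
    """Certs with the TLS Client Auth EKU and no CA constraint, in module order."""
    for module in modules:
        for token in module["tokens"]:
            for cert in token["certificates"]:
                if "clientAuth" in cert["eku"] and not cert["ca"]:
                    yield cert

def find_key_id(token, ski, legacy=False):
    """CKA_ID of the key pair on this token that belongs to the certificate with
    subjectKeyIdentifier 'ski'. Public keys are readable without login."""
    for pub in token["public_keys"]:
        if pub["id"] == ski:              # ID equals the SKI (the only rule before 5.5.1)
            return ski
    if legacy:
        return None
    for pub in token["public_keys"]:      # since 5.5.1: match via a certificate object
        for cert in token["certificates"]:
            if cert["id"] == pub["id"] and cert["ski"] == ski:
                return pub["id"]
    return None

def load_private_key(modules, pin, legacy=False):
    """Label of the private key the daemon would load, or None if none qualifies."""
    for cert in candidate_certificates(modules):
        for module in modules:
            for token in module["tokens"]:
                key_id = find_key_id(token, cert["ski"], legacy)
                if key_id is None or token["pin"] != pin:   # no match, or login failed
                    continue
                for priv in token["private_keys"]:
                    if priv["id"] == key_id:
                        return priv["label"]
    return None

# Constructed sample token: the key pair's CKA_ID ("01") differs from the
# certificate's SKI ("ab12"), so only the 5.5.1 lookup finds the key.
SAMPLE_MODULES = [{"tokens": [{
    "pin": "1234",
    "certificates": [{"id": "00", "ski": "ca01", "eku": ["clientAuth"], "ca": True},
                     {"id": "01", "ski": "ab12", "eku": ["clientAuth"], "ca": False}],
    "public_keys": [{"id": "01"}],
    "private_keys": [{"id": "01", "label": "vpn-key"}],
}]}]
```

With the sample token, @load_private_key(SAMPLE_MODULES, "1234")@ finds the key while the legacy rule does not, which is exactly the case the 5.5.1 change addresses.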

The certificate needs the TLS Client Auth Extended Key Usage flag.

The daemon uses the first subjectAltName of the selected certificate as IKEv2 identity, or the full DN if none is found.

The "SuisseID": certificates from "Swiss Post": are known to work fine with such a setup.

h2. Server configuration

Depending on the authentication methods used, you can use gateway configurations very similar to those for Windows 7 ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or use [[EapGtc|EAP-GTC]] and the [[XAuthPam|PAM XAuth backend]] to authenticate against PAM.