NetworkManager » History » Version 45

Tobias Brunner, 25.03.2020 12:13
Some updates for 5.8.3

1 19 Andreas Steffen
h1. NetworkManager
2 1 Martin Willi
3 45 Tobias Brunner
"NetworkManager": allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for NetworkManager to configure road warrior clients for the most common setups. The plugin supports connections using the IKEv2 protocol only.
4 19 Andreas Steffen
5 45 Tobias Brunner
NetworkManager uses D-Bus to communicate with a special build of the charon IKE daemon (_charon-nm_), which runs independent of the regular daemon (e.g. [[charon-systemd]]) to avoid conflicts.
6 19 Andreas Steffen
7 45 Tobias Brunner
The plugin uses a certificate for server authentication and supports EAP and public key authentication for client authentication (since version:5.8.3 / NetworkManager-strongswan 1.5.0 also EAP-TLS). PSK authentication is supported starting with version 1.3.1 of the plugin, but strong secrets (min. of 20 characters) are enforced.
8 42 Tobias Brunner
9 45 Tobias Brunner
You can use any password based EAP method supported by strongSwan (MD5/GTC/MSCHAPv2) or public key authentication. Private keys are either stored in a file or accessed through your ready-to-use _ssh-agent_. You'll need a certificate matching that key. Starting with strongSwan version:4.5.0 / NetworkManager-strongswan 1.2.0, private keys and certificates on a smart card can be used (see below for details).
10 42 Tobias Brunner
11 45 Tobias Brunner
If you configure the server certificate directly on the clients, there are no requirements to the certificate. If you deploy CA certificates (supported since version:4.3.1), the server certificate will need a _subjectAltName_ including the host name of the server (the same you enter in the client's configuration). Since version:5.8.3 / NetworkManager-strongswan 1.5.0 it's possible to configure the server identity explicitly. Starting with version:4.3.5, you can also use preinstalled root CA certificates of your distribution, using the @--with-nm-ca-dir@ configure option. Since version:5.5.1 this can also be modified with the _charon-nm.ca_dir_ setting. Just don't specify any server/CA certificate in the GUI to use preinstalled root certificates. CA certificates on a smart card are automatically used.
12 42 Tobias Brunner
13 26 Andreas Steffen
h2. Screenshots
14 26 Andreas Steffen
15 1 Martin Willi
!nm-strongswan-config.png! !nm-strongswan-auth.png!
16 1 Martin Willi
17 1 Martin Willi
h2. Dependencies
18 1 Martin Willi
19 42 Tobias Brunner
The original strongSwan NM plugin and the NetworkManager VPN module were based on the NetworkManager 0.9 interface. Version 1.4.0 of the plugin updated parts of it to the NetworkManager 1.2 interface (mostly related to the GUI, the plugin in _charon-nm_ is largely unchanged). It should work out-of-the-box with the latest packages of your favorite Linux distribution.
20 1 Martin Willi
21 19 Andreas Steffen
h2. Installation
22 1 Martin Willi
23 27 Martin Willi
Your distribution may provide a package (e.g. _network-manager-strongswan_ on Debian/Ubuntu).
24 42 Tobias Brunner
25 19 Andreas Steffen
Otherwise, you have to build strongSwan from source.
26 42 Tobias Brunner
27 1 Martin Willi
h3. Building from source
28 1 Martin Willi
29 34 Tobias Brunner
To build from source you additionally need the NetworkManager headers for the strongSwan NM backend:
30 20 Martin Willi
31 42 Tobias Brunner
apt-get install libssl-dev network-manager-dev libnm-glib-vpn-dev libnm-gtk-dev libnma-dev libgtk-3-dev libsecret-1-dev gnome-common 
32 20 Martin Willi
33 19 Andreas Steffen
34 45 Tobias Brunner
NM integration works only for IKEv2. Since on a desktop we have OpenSSL installed anyway, we are going to use libcrypto for all cryptographic operations. @--enable-agent@ builds the ssh-agent private key plugin, EAP plugins are enabled using @--enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2@. For smart card support, @--enable-pkcs11@. You may omit options you don't need.
35 19 Andreas Steffen
36 1 Martin Willi
37 24 Martin Willi
# get the strongSwan tarball
38 34 Tobias Brunner
39 34 Tobias Brunner
tar xjf strongswan-5.x.x.tar.bz2
40 34 Tobias Brunner
cd strongswan-5.x.x
41 18 Andreas Steffen
42 1 Martin Willi
# build charon with OpenSSL/NM Plugin
43 1 Martin Willi
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
44 19 Andreas Steffen
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
45 34 Tobias Brunner
   --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent \
46 41 Tobias Brunner
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-identity
47 1 Martin Willi
48 1 Martin Willi
make install
49 1 Martin Willi
50 18 Andreas Steffen
# get the NetworkManager strongsSwan plugin as a tarball
51 1 Martin Willi
52 20 Martin Willi
tar xjf NetworkManager-strongswan-1.x.x.tar.bz2
53 34 Tobias Brunner
cd NetworkManager-strongswan-1.x.x
54 1 Martin Willi
55 34 Tobias Brunner
# build the NetworkManager strongsSwan plugin (if you changed prefix/libexecdir above, set --with-charon=/path/to/charon-nm)
56 1 Martin Willi
./configure --sysconfdir=/etc --prefix=/usr
57 42 Tobias Brunner
58 42 Tobias Brunner
make install
59 9 Martin Willi
60 1 Martin Willi
61 19 Andreas Steffen
h2. Configuration
62 1 Martin Willi
63 45 Tobias Brunner
* Click on nm-applet -> Edit Connections... (or VPN Connections -> Configure VPN... in older releases)
64 45 Tobias Brunner
* Add -> IPsec/IKEv2 (strongswan) -> Create...
65 1 Martin Willi
* Configure your client
66 1 Martin Willi
* Click on nm-applet -> VPN Connections -> Your Connection
67 1 Martin Willi
* Enter password
68 1 Martin Willi
69 45 Tobias Brunner
As you can see, there is no subnet configuration for the tunnel. We let the server administration choose the subnet(s); the client always proposes for the remote network and the server narrows that down to the configured subnet(s). 
70 1 Martin Willi
71 45 Tobias Brunner
If you use _Certificate/private key_ authentication, please store your certificate and private key in separate files.
72 37 Tobias Brunner
73 36 Марк Коренберг
h2. Smart card requirements
74 29 Tobias Brunner
75 27 Martin Willi
The use of smart cards should be as simple as possible to the end user, which brings some restrictions. For instance, the daemon automatically selects the first certificate with a private key on any token in any slot.
76 1 Martin Willi
77 45 Tobias Brunner
First, you'll need to specify the PKCS#11 module in [[strongswan.conf]]. Please refer to the general description of [[SmartCardsIKEv2|smart card support with IKEv2]] for details on how to do so (use the _charon-nm_ prefix to only load a module in the NM backend).
78 30 Tobias Brunner
79 1 Martin Willi
You may define multiple modules, the daemon looks for the first certificate/private key in the specified module order.
80 27 Martin Willi
81 29 Tobias Brunner
The daemon uses the following mechanism to find a private key:
82 27 Martin Willi
* enumerate all certificates which have the TLS Client Auth Extended Key usage, but no CA constraint
83 29 Tobias Brunner
* for each certificate:
84 27 Martin Willi
** extract the subjectKeyIdentifier
85 29 Tobias Brunner
** enumerate all modules with all tokens
86 29 Tobias Brunner
** for each token:
87 43 Raphael Geissert
*** look for a public key having the certificates subjectKeyIdentifier as ID
88 43 Raphael Geissert
*** if not found, enumerate all public keys and look for a certificate with a matching subjectKeyIdentifier and use its ID
89 45 Tobias Brunner
**** if found, log in to the smart card using the supplied PIN
90 43 Raphael Geissert
**** if logged in, load the associated private key
91 43 Raphael Geissert
92 43 Raphael Geissert
In short, the private key on the token must have a public key readable without login, and both objects must have a matching ID. Before version:5.5.1 both objects had to have an ID matching the certificates subjectKeyIdentifier (or the hash of the subjectPublicKey field of the public key).
93 27 Martin Willi
94 33 Tobias Brunner
The certificate needs the TLS CLient Auth Extended Key usage flag.
95 27 Martin Willi
96 45 Tobias Brunner
The daemon uses the first subjectAltName of the selected certificate as IKEv2 identity, or uses the full DN if none found. Since version:5.8.3 / NetworkManager-strongswan 1.5.0 the client identity may also be configured explicitly.
97 1 Martin Willi
98 20 Martin Willi
h2. Server configuration
99 1 Martin Willi
100 45 Tobias Brunner
Depending on the used authentication methods, you can use server configurations very similar to those for Windows clients ([[Win7MultipleConfig|Certificate]]/[[Win7EapMultipleConfig|MSCHAPv2]]), or e.g. use [[EapGtc|EAP-GTC]] and the [[XAuthPam|PAM XAuth backend]] to authenticate against PAM. Also see [[UsableExamples]] for more.