NetworkManager » History » Version 8

Martin Willi, 21.08.2008 23:09
cosmetics


= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses DBUS to communicate with a plugin loaded by the IKEv2 charon daemon.

== Dependencies ==

The strongSwan extensions are written for !NetworkManager 0.7, so you will need at least SVN r3925. Compile it from source or, as an Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]:
{{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
aptitude install network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev # and everything I missed
}}}

== Compilation ==

NM integration works only with IKEv2, which lets us disable much of the legacy FreeS/WAN code. Since OpenSSL is installed on a desktop anyway, we use libcrypto for all cryptographic operations:

{{{
# get strongSwan from SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan

# build charon with the OpenSSL and NM plugins
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
    --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
    --disable-updown --enable-openssl --enable-nm \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

# build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

The NM plugin is designed to interoperate with [wiki:EAP-GTC] authentication, which lets you authenticate with username and password against a PAM service on your VPN gateway. Don't worry - this is still secure, because the gateway has to prove its identity first, before the user credentials are transmitted. To enable the module, add
{{{
--enable-eap-gtc
}}}
to your strongSwan configure options.

== Configuration ==

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/Ikev2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

== Screenshots ==

[[Image(nm-strongswan-config.png, nolink)]] [[Image(nm-strongswan-auth.png, nolink)]]