NetworkManager » History » Version 9

Martin Willi, 25.08.2008 11:26

[[TOC]]

= !NetworkManager =

[http://www.gnome.org/projects/NetworkManager/ NetworkManager] allows configuration and control of VPN daemons through a plugin interface. We provide such a plugin for !NetworkManager to configure road warrior clients for the most common setups.

!NetworkManager uses D-Bus to communicate with a plugin loaded by the IKEv2 charon daemon.

While any password-based EAP method is usable with !NetworkManager, we use [wiki:EAP-GTC] in this example setup. The NM plugin interoperates nicely with EAP-GTC authentication, as it allows you to authenticate against a PAM service on your VPN gateway with a username and password. Don't worry, this is still secure: the gateway has to prove its identity first, before the user credentials are transmitted.

== Client ==

=== Dependencies ===

The strongSwan extensions are written for !NetworkManager 0.7. Therefore you will need at least SVN !r3925. Compile it from source or, as an Ubuntu user, use the [https://launchpad.net/~network-manager/+archive available PPA]:
{{{
echo "deb http://ppa.launchpad.net/network-manager/ubuntu hardy main" >> /etc/apt/sources.list
aptitude update
aptitude upgrade
aptitude install network-manager-dev libnm-util-dev libnm-glib-dev libgnomeui-dev gnome-common
}}}

For the EAP-GTC module, you additionally need the PAM headers:
{{{
aptitude install libpam0g-dev
}}}

=== Build ===

NM integration works only for IKEv2, which allows us to disable a lot of FreeS/WAN legacy stuff. Since we have OpenSSL installed on a desktop anyway, we are going to use libcrypto for all cryptographic operations.

{{{
# get strongswan SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan

# build charon with OpenSSL/NM Plugin
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
    --disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
    --disable-updown --enable-openssl --enable-nm --enable-eap-gtc \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

# build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

 * Click on nm-applet -> VPN Connections -> Configure VPN...
 * Add -> Ipsec/IKEv2 (strongswan) -> Create ...
 * Configure your client
 * Click on nm-applet -> VPN Connections -> Your Connection
 * Enter password

=== Screenshots ===

[[Image(nm-strongswan-config.png, nolink)]][[Image(nm-strongswan-auth.png, nolink)]]

== Gateway ==

=== Build ===

To allow the EAP-GTC authentication discussed above, the gateway needs support for that module. You don't need the !NetworkManager plugin, but you do need the EAP-GTC plugin:

{{{
./configure --disable-pluto --disable-tools --enable-eap-gtc \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
}}}

=== Configuration ===

By default, the GTC module uses the PAM service ''login'', which should be available on most systems. But you may create your own service, e.g. in ''/etc/pam.d/ipsec'':
{{{
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
}}}
Note that the ''nullok'' option of ''pam_unix'' lets accounts with an empty password authenticate; leave it out unless you really want that for VPN users.

To use that service, set the ''pam_service'' option in ''/etc/strongswan.conf'':
{{{
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec
    }
  }
}
}}}

A gateway configuration in [wiki:IpsecConf ipsec.conf] might look like this:
{{{
conn nm-clients
  # certificate handed out to client
  leftcert=cert.pem
  right=%any
  # IP address pool for clients requesting a virtual IP
  rightsourceip=10.1.0.0/16
  # clients use their e-mail address as username. We
  # handle every e-mail identity with this configuration.
  rightid=*@strongswan.org
  # request GTC as EAP authentication method
  eap=gtc
  keyexchange=ikev2
  auto=add
}}}

We use e-mail addresses as client identities here; the clients configure their full mail address. During PAM authentication, the GTC module automatically strips the domain and uses only the username part to authenticate the client.
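An added example, not code from this page or from strongSwan, that puts the gateway-side rules above into runnable form: a parser for the nested-brace ''strongswan.conf'' format, the ''login'' fallback for ''pam_service'', the ''rightid'' wildcard match and the domain stripping described in the last paragraph. The glob-style matching and the cut-at-the-last-'@' rule are assumptions taken from the text, not the plugin's source code.

```python
"""Added example, not code from the page or from strongSwan: parse the
nested-brace strongswan.conf format, read charon.plugins.eap_gtc.pam_service
and apply the identity rules above (wildcard rightid, domain stripped for PAM)."""
import fnmatch

SAMPLE_CONF = """
charon {
  plugins {
    eap_gtc {
      pam_service = ipsec   # constructed sample in the page's format
    }
  }
}
"""

def parse_strongswan_conf(text):
    """Turn 'section { key = value }' text into nested dicts."""
    stack = [{}]                                # stack[0] is the root section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):                  # open a (nested) section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == '}':                       # close the current section
            if len(stack) == 1:
                raise ValueError('unbalanced closing brace')
            stack.pop()
        elif '=' in line:                       # key = value in current section
            key, value = (s.strip() for s in line.split('=', 1))
            stack[-1][key] = value
        else:
            raise ValueError('cannot parse line: %r' % raw)
    if len(stack) != 1:
        raise ValueError('missing closing brace')
    return stack[0]

def pam_service(conf):
    """Configured PAM service; the GTC module defaults to 'login' when unset."""
    gtc = conf.get('charon', {}).get('plugins', {}).get('eap_gtc', {})
    return gtc.get('pam_service', 'login')

def identity_matches(identity, rightid):
    """rightid wildcard match, modelled with shell globbing (assumption)."""
    return fnmatch.fnmatchcase(identity, rightid)

def pam_username(identity):
    """Local part for PAM; assumed: cut at last '@', no '@' means unchanged."""
    user, sep, _domain = identity.rpartition('@')
    return user if sep else identity
```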