Gentoo Forums
networkmanager-strongswan
rickvernam
Guru

Joined: 09 Jul 2004
Posts: 313

Posted: Wed Jun 08, 2016 7:34 pm    Post subject: networkmanager-strongswan

This serves to chronicle my solution to getting a certificate-based IKEv2 connection via NetworkManager to a strongswan VPN server without actually installing networkmanager-strongswan.

To start, I noticed that network manager already had an option to add IPSec based VPN (strongswan), and that the network manager configuration had all the pertinent things I needed: gateway server & certificate path, as well as cert & private key for authentication. My certs are not password protected, so I didn't need to bother with the private key password.
To be honest, I'm not entirely sure how that got to be there...but I know it was there before I installed strongswan...
So I emerged strongswan with the networkmanager useflag enabled in order to get charon-nm & configured the pertinent fields in the network manager connection editor.
However, when I tried to connect the VPN, I received an error:
Quote:
The VPN service 'org.freedesktop.NetworkManager.strongswan' was not installed.


I therefore assumed I would need to use networkmanager-strongswan. There is an ebuild in some overlay, but it doesn't build without tinkering and has a bunch of gnome dependencies...
I downloaded the source from the strongswan site directly and looked at what files it would install, and found that two text files can be extracted and installed independently from the rest of the package:
    /etc/NetworkManager/VPN/nm-strongswan-service.name

Code:
[VPN Connection]
name=strongswan
service=org.freedesktop.NetworkManager.strongswan
program=/usr/libexec/ipsec/charon-nm

[GNOME]
auth-dialog=/usr/libexec/nm-strongswan-auth-dialog
properties=libnm-strongswan-properties


    /etc/dbus-1/system.d/nm-strongswan-service.conf
Code:
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
        <policy context="default">
                <deny own="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_interface="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
</busconfig>



The auth-dialog /usr/libexec/nm-strongswan-auth-dialog does not actually exist. Also, the fact that libnm-strongswan-properties does not exist either is, apparently, okay b/c network manager had the strongswan IPSec based VPN entry anyway.
I suppose that so long as NM doesn't have to prompt the user for auth to connect a VPN, it should work just fine.

So I created those two files manually, and it works great!
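A check for the two hand-installed files described in the post above, added here as an example and not part of the original post or of strongswan: it confirms that the `program` path exists, that only the root policy may own the bus name taken from the `.name` file, and that the default context denies it. The function name `audit` and the trimmed sample inputs are constructed for illustration; a missing auth-dialog is reported only as a warning, matching what the post observed.

```python
import configparser
import os
import xml.etree.ElementTree as ET
# Constructed samples, trimmed from the two files shown in the post.
NAME_FILE = """[VPN Connection]
service=org.freedesktop.NetworkManager.strongswan
program=/usr/libexec/ipsec/charon-nm

[GNOME]
auth-dialog=/usr/libexec/nm-strongswan-auth-dialog
"""
DBUS_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.NetworkManager.strongswan"/>
  </policy>
  <policy context="default">
    <deny own="org.freedesktop.NetworkManager.strongswan"/>
  </policy>
</busconfig>
"""

def audit(name_text, policy_text, exists=os.path.exists):
    """Return a list of findings for the hand-installed plugin files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(name_text)
    service = cp["VPN Connection"]["service"]
    program = cp["VPN Connection"]["program"]
    findings = []
    if not exists(program):
        findings.append(f"error: program {program} not found")
    dialog = cp.get("GNOME", "auth-dialog", fallback=None)
    if dialog and not exists(dialog):
        findings.append(f"warn: auth-dialog {dialog} not found")
    root_owns = default_denies = False
    for policy in ET.fromstring(policy_text).iter("policy"):
        for rule in policy:
            if rule.get("own") != service:
                continue  # only rules about owning this bus name matter here
            if rule.tag == "allow" and policy.get("user") == "root":
                root_owns = True
            elif rule.tag == "allow":
                findings.append("error: non-root policy may own " + service)
            elif policy.get("context") == "default":
                default_denies = True
    if not root_owns:
        findings.append("error: root may not own " + service)
    if not default_denies:
        findings.append("error: default context does not deny owning " + service)
    return findings
```

To run it against an installed system, pass the contents of `/etc/NetworkManager/VPN/nm-strongswan-service.name` and `/etc/dbus-1/system.d/nm-strongswan-service.conf` as the two text arguments.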
erolmutlu
n00b

Joined: 16 Oct 2006
Posts: 29

Posted: Tue Aug 16, 2016 10:31 am    Post subject: Re: networkmanager-strongswan

What version of NetworkManager and strongswan?

Can you explain the little things?

Thanks

rickvernam
Guru

Joined: 09 Jul 2004
Posts: 313

Posted: Tue Aug 16, 2016 1:13 pm    Post subject:

Code:
[ebuild   R    ] net-misc/networkmanager-1.0.12-r1::gentoo  USE="bluetooth consolekit dhclient introspection nss ppp wifi zeroconf -connection-sharing -dhcpcd -gnutls -modemmanager -ncurses -resolvconf (-selinux) -systemd -teamd {-test} -vala -wext" 3,410 KiB
[ebuild   R    ] net-misc/strongswan-5.3.4::gentoo  USE="caps constraints eap farp gcrypt gmp networkmanager non-root openssl strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm strongswan_plugins_ipseckey strongswan_plugins_lookip strongswan_plugins_rdrand strongswan_plugins_systime-fix -curl -debug -dhcp -ldap -mysql -pam -pkcs11 (-selinux) -sqlite -strongswan_plugins_blowfish -strongswan_plugins_ha -strongswan_plugins_led -strongswan_plugins_ntru -strongswan_plugins_padlock -strongswan_plugins_unbound -strongswan_plugins_unity -strongswan_plugins_vici -strongswan_plugins_whitelist" 4,315 KiB



I went through a few different things before I finally stumbled upon this, so I don't really have confidence that I truly know the little things.
Nonetheless, if you have some questions I'd be more than happy to try helping...
RayDude
Advocate

Joined: 29 May 2004
Posts: 2062
Location: San Jose, CA

Posted: Mon Apr 10, 2017 8:04 pm    Post subject:

Did anyone get this working? I need l2tp or strongswan to connect to my work and neither of them exist in portage.
_________________
Some day there will only be free software.
Unb0rn
n00b

Joined: 12 Jun 2012
Posts: 63

Posted: Thu Apr 13, 2017 11:36 am    Post subject:

RayDude wrote:
Did anyone get this working? I need l2tp or strongswan to connect to my work and neither of them exist in portage.

I have a problem with strong/libreswan too; these services just don't get added to networkmanager for me.
Also, shouldn't networkmanager-openswan be replaced with much newer networkmanager-libreswan?
RayDude
Advocate

Joined: 29 May 2004
Posts: 2062
Location: San Jose, CA

Posted: Sat May 13, 2017 9:17 pm    Post subject:

That's my understanding.

I'm guessing the package is out of date and someone needs to update it. I'm not really good at that sort of thing...
_________________
Some day there will only be free software.