-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strongswan networkmanager plugin - Ubuntu 16.04 #263
Comments
I'm able to run |
Neither the n-m applet nor
There is no way to provide a custom cipher suite etc using the n-m plugin, which means negotiation fails with the default Algo server config. If you enable weak crypto ("Windows 10 support") in Algo it succeeds, but this isn't ideal. |
I just ran into this yesterday myself, and spent 20 minutes searching the web trying to figure out what was going on. As it stands, we can setup an Ubuntu 16.04 server with Algo, but we can't use Ubuntu 16.04 as a client, which is an unfortunately poor user experience. It is likely worth adding a line to the README/documentation somewhere noting that this is a known issue, and it should be fixed with the release of 17.04 (I believe). |
The README has been updated to note that Ubuntu 17.04 is the minimum version supported, but a little more info about why could be useful. |
I've taken a deeper look into this and unfortunately this does not work with 17.04 (beta) out of the box. While the network-manager-strongswan plugin is indeed updated to 1.4.1 which resolves the original issue noted here however; charon-nm attempts to establish the connection with the default ciphers as per This network-manager-strongswan issue which makes the plugin completely inoperable has been open for 6 months in 16.04 and marked as 'UNDECIDED' so I'm afraid it will be quite some time before we see anything anytime soon. I may provide patches or a PPA in the near future if necessary, though I'd prefer this just be pushed through official channels. |
Well, what's the highest cipher suite we can use? We can handle it like Windows and optionally weaken the config. |
See #372. |
@defunctio If you can provide the patches for libcharon that would be really helpful for me |
I've issued a PR to Strongswan strongswan/strongswan#67 for those who want to track this. @melizeche You can find patches for It's recommended to build packages in a container (LXC or docker) to avoid build-dep clutter on your production environments. For those interested in building strongswan to test the patch under Ubuntu 17.04;
To uninstall; |
The following PRs we have submitted to add support for proposal selection in the NM GUI have now been merged into master. This should resolve our issues above we should see the reflected changes in the next major release.
While we will never see these SRU'd to 16.04 I'll see if we can get them backported. |
I filed an issue about the missing .sswan import ability: https://wiki.strongswan.org/issues/2361 |
I actually began implementing this awhile ago, it's currently incomplete and therefor not functional. Primarily it's incomplete because I wanted to store PKCS12 data with libsecret and I ran into some issues with NM plugins though apparently their IPC for passing secrets is a forked process with stdin/stdout remapping communicating via an undocumented text protocol that can easily be broken by the contents of data stored secrets... https://github.com/defunctio/strongswan-import Writing glib nm plugins conforming to C90 is... well I'll get around to finishing it before too long. |
Wait, so I'm trying to install algo for use as a VPN, what do I have to do to run it on Linux? I see you guys talking about the issue but I still don't know what to do :P |
see: https://github.com/trailofbits/algo/blob/master/docs/client-linux.md |
The readme conflicts with the advice to use the ipsec cli:
Is no connection from network manager possible even with an updated/latest nm? |
I was keen on getting this to work with Fedora 26 however only version 1.4.0 of the NetworkManager Applet is provided in the repository. I have a working copy of 1.4.2 on copr (rsclarke/NetworkManager-strongswan) which you can enable and install the The IKE and ESP fields can be filled in with (for example), and assuming you opted for Windows/Linux client support when creating the server;
I found ending the lines/fields with The only additional thing is to ensure the Alternatively I came across this comment using |
@rsclarke I also built my own packages yet I ran into SELinux denial errors. Did you get this working in F26? Did you disable or change the SELinux policies? |
@Ramblurr Yes, I forgot about this. Initially there will be two denials for open and read on the keys and certificates you specify because they have the wrong file context. You can go through the loop twice and perform (as root);
as it indicated in the SELinux Troubleshooter. However thanks for your prompt, there is a better way using the file contexts. I removed the module with
This should remove the SELinux denial errors and assuming all else is configured correctly, enable it to connect. |
@rsclarke Do you not get dbus errors like this?
|
@Ramblurr My mistake, yes I am also seeing those errors now (not used in a while), despite it working when I posted 🤷♂️. I removed the reverted patch as I thought the updated strongswan 5.5.3 package was providing nm-strongswan-service.conf (as in the upstream repo). However this is not the case and the NetworkManager-strongswan must still provide it. I reintroduced a similar patch (https://github.com/rsclarke/NetworkManager-strongswan/commit/1889697769963732239de5ad30c97b0554bf514f) with a slight tweak to The copr repo has been updated with these changes as 1.4.2-2. I am no longer seeing those errors and can connect again. Hope this helps. |
Is there any cli alternative for Ubuntu instead of Strongswan networkmanager plugin? |
the documentation at https://github.com/trailofbits/algo/blob/master/docs/client-linux.md |
I tried on Fedora Workstation 27 and it works without the copr repo. Here's the command I ran:
But note that opening the VPN dialog in the NetworkManager GUI will remove the cipher options, and you have to run the command again. |
Am I right there is no way to use Ubuntu 16.04 as a client without any magic? |
Pretty much. Network-Manager is not at the quality or the right out of the box configuration that we want. I hope this changes in 18.04. You can always just setup strongswan directly with one of the client configs and that will work without much issue. |
It seems like for some linux box's may not be able to connect via strongswan directly with one of the client configs as there is an issue with some kernel version. As references here: #584 Any ideas how to resolve this issue? |
Nope, network-manager seems like a useless endeavor. As you mentioned, you probably want to use the included client configs and set up strongswan via the command line, or do the same with wireguard. |
Networkmanager has a UI plugin for strongswan, however the version of the package that ships with Ubuntu 16.04 does not function properly (does not appear in the menu). It has since been resolved in the source tree but the package for Ubuntu has not been updated.
https://wiki.strongswan.org/issues/1429
Fixed with version 1.4.0 of the plugin.
Another note is that nmcli does have the ability to import configs/profiles on some NM plugins (openvpn, etc); however this feature is not implemented in the strongswan module and last I checked there was no issue on the matter.
The text was updated successfully, but these errors were encountered: