Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Strongswan networkmanager plugin - Ubuntu 16.04 #263

Closed
defunctio opened this issue Mar 3, 2017 · 27 comments
Closed

Strongswan networkmanager plugin - Ubuntu 16.04 #263

defunctio opened this issue Mar 3, 2017 · 27 comments

Comments

@defunctio
Copy link
Contributor

Networkmanager has a UI plugin for strongswan, however the version of the package that ships with Ubuntu 16.04 does not function properly (does not appear in the menu). It has since been resolved in the source tree but the package for Ubuntu has not been updated.

https://wiki.strongswan.org/issues/1429
Fixed with version 1.4.0 of the plugin.

Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Harald Dunkel <harri@afaics.de>
Architecture: amd64
Version: 1.3.1-1ubuntu1

Another note is that nmcli does have the ability to import configs/profiles on some NM plugins (openvpn, etc); however this feature is not implemented in the strongswan module and last I checked there was no issue on the matter.

@dguido dguido added this to the 1.1 milestone Mar 26, 2017
@conorsch
Copy link

Another note is that nmcli does have the ability to import configs/profiles on some NM plugins (openvpn, etc)

I'm able to run nmcli con import type openvpn file <username>.ovpn just fine here, on nmcli v1.6.2 under Debian Stretch. The Ubuntu package may not provide this functionality, of course; haven't checked there.

@rufoa
Copy link

rufoa commented Apr 2, 2017

Neither the n-m applet nor nmcli supports importing strongswan configs fwiw (unlike the ovpn plugin):

$ nmcli con import type strongswan file rufo.sswan 
Error: failed to import 'rufo.sswan': the plugin does not support import capability.

There is no way to provide a custom cipher suite etc using the n-m plugin, which means negotiation fails with the default Algo server config. If you enable weak crypto ("Windows 10 support") in Algo it succeeds, but this isn't ideal.

@adworacz
Copy link
Contributor

adworacz commented Apr 3, 2017

I just ran into this yesterday myself, and spent 20 minutes searching the web trying to figure out what was going on.

As it stands, we can setup an Ubuntu 16.04 server with Algo, but we can't use Ubuntu 16.04 as a client, which is an unfortunately poor user experience.

It is likely worth adding a line to the README/documentation somewhere noting that this is a known issue, and it should be fixed with the release of 17.04 (I believe).

@roycewilliams
Copy link

The README has been updated to note that Ubuntu 17.04 is the minimum version supported, but a little more info about why could be useful.

@defunctio
Copy link
Contributor Author

I've taken a deeper look into this and unfortunately this does not work with 17.04 (beta) out of the box. While the network-manager-strongswan plugin is indeed updated to 1.4.1 which resolves the original issue noted here however; charon-nm attempts to establish the connection with the default ciphers as per proposal_create_default / proposal_create_default_aead in libcharon which do not include the ciphers we use in Algo resulting in connection failure. I have created and tested some patches I've made and confirmed they do work. This will still need cleaned up and approval of the implementation method before a PR is sent to strongswan though.

This network-manager-strongswan issue which makes the plugin completely inoperable has been open for 6 months in 16.04 and marked as 'UNDECIDED' so I'm afraid it will be quite some time before we see anything anytime soon.

I may provide patches or a PPA in the near future if necessary, though I'd prefer this just be pushed through official channels.

@dguido
Copy link
Member

dguido commented Apr 9, 2017

Well, what's the highest cipher suite we can use? We can handle it like Windows and optionally weaken the config.

@defunctio
Copy link
Contributor Author

defunctio commented Apr 9, 2017

See #372.
I would still like to see these ciphers as defaults in libcharon or at least updates to charon-nm and network-manager-strongswan to accept alternate ciphers.

@melizeche
Copy link
Contributor

@defunctio If you can provide the patches for libcharon that would be really helpful for me

@defunctio
Copy link
Contributor Author

defunctio commented Apr 24, 2017

I've issued a PR to Strongswan strongswan/strongswan#67 for those who want to track this.

@melizeche You can find patches for strongswan_5.5.1-1ubuntu3 for Ubuntu 17.04 here or branch for 5.5.2 here.

It's recommended to build packages in a container (LXC or docker) to avoid build-dep clutter on your production environments.

For those interested in building strongswan to test the patch under Ubuntu 17.04;

sudo apt purge \*strongswan* \*charon*
mkdir ~/src; cd src; apt source strongswan; cd strongswan-5.5.1
apt build-dep strongswan -yy
curl -s https://gist.githubusercontent.com/defunctio/a0a37ac41b7bc97fc815fa7695740259/raw/fcc627e6adad6ea1f3e1669fd607403ecebbcd64/libcharon-algo.patch | patch -p1
EDITOR=/bin/true dpkg-source -q --commit . algo.patch
DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc -b -j8
sudo dpkg -i ../*.deb
sudo apt install network-manager-strongswan

To uninstall; sudo apt purge \*strongswan* \*charon*

@defunctio
Copy link
Contributor Author

The following PRs we have submitted to add support for proposal selection in the NM GUI have now been merged into master. This should resolve our issues above we should see the reflected changes in the next major release.

While we will never see these SRU'd to 16.04 I'll see if we can get them backported.

@imgx64
Copy link

imgx64 commented Jun 12, 2017

I filed an issue about the missing .sswan import ability: https://wiki.strongswan.org/issues/2361

@defunctio
Copy link
Contributor Author

I actually began implementing this awhile ago, it's currently incomplete and therefor not functional. Primarily it's incomplete because I wanted to store PKCS12 data with libsecret and I ran into some issues with NM plugins though apparently their IPC for passing secrets is a forked process with stdin/stdout remapping communicating via an undocumented text protocol that can easily be broken by the contents of data stored secrets...

https://github.com/defunctio/strongswan-import
https://github.com/defunctio/strongswan/tree/strongswan-import

Writing glib nm plugins conforming to C90 is... well I'll get around to finishing it before too long.

@TafariD
Copy link

TafariD commented Jun 13, 2017

Wait, so I'm trying to install algo for use as a VPN, what do I have to do to run it on Linux? I see you guys talking about the issue but I still don't know what to do :P

@defunctio
Copy link
Contributor Author

see: https://github.com/trailofbits/algo/blob/master/docs/client-linux.md
You will need to use the ipsec cli for a client under linux for now.

@Ramblurr
Copy link

The readme conflicts with the advice to use the ipsec cli:

In order to support Linux Desktop clients, choose the "compatible" cryptography during the deploy process and use at least Network Manager 1.4.1.

Is no connection from network manager possible even with an updated/latest nm?

@rsclarke
Copy link

rsclarke commented Sep 7, 2017

I was keen on getting this to work with Fedora 26 however only version 1.4.0 of the NetworkManager Applet is provided in the repository.

I have a working copy of 1.4.2 on copr (rsclarke/NetworkManager-strongswan) which you can enable and install the NetworkManager-strongswan and NetworkManager-strongswan-gnome packages giving you @defunctio's extra cipher options fields (strongswan/strongswan#70).

The IKE and ESP fields can be filled in with (for example), and assuming you opted for Windows/Linux client support when creating the server;

  • IKE: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256
  • ESP: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256

I found ending the lines/fields with ! raised charon-nm[14709]: 04[CFG] algorithm 'ecp256!' not recognized in journalctl.

The only additional thing is to ensure the strongswan package is at version 5.5.3, this is available from the updates repo.

Alternatively I came across this comment using nmcli instead to enable the proposals, though I have not tried this.

@Ramblurr
Copy link

Ramblurr commented Sep 8, 2017

@rsclarke I also built my own packages yet I ran into SELinux denial errors. Did you get this working in F26? Did you disable or change the SELinux policies?

@rsclarke
Copy link

rsclarke commented Sep 8, 2017

@Ramblurr Yes, I forgot about this. Initially there will be two denials for open and read on the keys and certificates you specify because they have the wrong file context. You can go through the loop twice and perform (as root);

# ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
# semodule -X 300 -i my-charonnm.pp

as it indicated in the SELinux Troubleshooter.

However thanks for your prompt, there is a better way using the file contexts. I removed the module with sudo semodule -X 300 -r my-charonnm and set the appropriate file context on the keys and certificates (ipsec_key_file_t) instead. I keep these in a .algo folder in my home directory so I used the following to set the file context.

sudo semanage fcontext -a -t ipsec_key_file_t "/home/rc/.algo(/.*)?"
sudo restorecon -R -v /home/rc/.algo

This should remove the SELinux denial errors and assuming all else is configured correctly, enable it to connect.

@Ramblurr
Copy link

Ramblurr commented Oct 2, 2017

@rsclarke Do you not get dbus errors like this?

Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] openssl FIPS mode(2) - enabled
Oct 02 15:55:52 aquinas charon-nm[16895]: Failed to initialize VPN plugin: Connection ":1.170" is not allowed to own the service "org.freedesktop.NetworkManager.strongswan" due to security policies in the configuration file
Oct 02 15:55:52 aquinas charon-nm[16895]: object NMStrongswanPlugin 0x557169b1a170 finalized while still in-construction
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[CFG] DBUS binding failed
Oct 02 15:55:52 aquinas charon-nm[16895]: Custom constructor for class NMStrongswanPlugin returned NULL (which is invalid). Please use GInitable instead.
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] feature CUSTOM:NetworkManager backend in critical plugin 'nm-backend' failed to load
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] failed to load 1 critical plugin feature
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[DMN] initialization failed - aborting charon-nm

@rsclarke
Copy link

rsclarke commented Oct 3, 2017

@Ramblurr My mistake, yes I am also seeing those errors now (not used in a while), despite it working when I posted 🤷‍♂️.

I removed the reverted patch as I thought the updated strongswan 5.5.3 package was providing nm-strongswan-service.conf (as in the upstream repo). However this is not the case and the NetworkManager-strongswan must still provide it. I reintroduced a similar patch (https://github.com/rsclarke/NetworkManager-strongswan/commit/1889697769963732239de5ad30c97b0554bf514f) with a slight tweak to Makefile.am as the original was failing to apply.

The copr repo has been updated with these changes as 1.4.2-2. I am no longer seeing those errors and can connect again. Hope this helps.

@navid-taheri
Copy link

Is there any cli alternative for Ubuntu instead of Strongswan networkmanager plugin?

@ivanixgames
Copy link

ivanixgames commented Dec 23, 2017

the documentation at https://github.com/trailofbits/algo/blob/master/docs/client-linux.md
fails for ubuntu 16.04 because the command ansible-playbook does not exist on a standard install of Ubuntu desktop.

@imgx64
Copy link

imgx64 commented Jan 18, 2018

Alternatively I came across this comment using nmcli instead to enable the proposals, though I have not tried this.

I tried on Fedora Workstation 27 and it works without the copr repo.

Here's the command I ran:

nmcli c modify "your vpn name (tab completion works here)" +vpn.data 'proposal=yes' +vpn.data 'ike=aes128gcm16-prfsha512-ecp256;aes128-sha2_512-prfsha512-ecp256;aes128-sha2_384-prfsha384-ecp256' +vpn.data 'esp=aes128gcm16-ecp256;aes128-sha2_512-prfsha512-ecp256'

But note that opening the VPN dialog in the NetworkManager GUI will remove the cipher options, and you have to run the command again.

@in-in
Copy link
Contributor

in-in commented Apr 25, 2018

Am I right there is no way to use Ubuntu 16.04 as a client without any magic?

@dguido
Copy link
Member

dguido commented Apr 25, 2018

Pretty much. Network-Manager is not at the quality or the right out of the box configuration that we want. I hope this changes in 18.04.

You can always just setup strongswan directly with one of the client configs and that will work without much issue.

@gaviriar
Copy link

It seems like for some linux box's may not be able to connect via strongswan directly with one of the client configs as there is an issue with some kernel version.

As references here: #584

Any ideas how to resolve this issue?

@dguido
Copy link
Member

dguido commented Jul 23, 2018

Nope, network-manager seems like a useless endeavor. As you mentioned, you probably want to use the included client configs and set up strongswan via the command line, or do the same with wireguard.

@dguido dguido closed this as completed Jul 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests