From Fedora Project Wiki

Better NetworkManager IPSec Integration

Summary

IPSec usage is becoming more popular and the existing NetworkManager IPSec VPN plugin will be enhanced to better support these use-cases and fix known bugs.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-03-12
  • Percentage of completion: 10%

Detailed Description

The existing VPN plugin uses the openswan IPSec package to provide IPSec functionality for NetworkManager users. Communication with openswan could be much more robust and secure by communicating directly with openswan's tools rather than writing secrets and other configuration out to temporary files, as openswan currently requires. Furthermore, NetworkManager should be enhanced to allow for route-based tunnel connections instead of requiring a TUN/TAP interface for each VPN connection.

Benefit to Fedora

More IPSec configurations will be supported and configuration and usage of IPSec tunnels will be more robust and more secure.

Scope

openswan needs some work to possibly turn some pieces of its internal functionality into a library, e.g. "libwhack", which clients like network-manager-openswan would use to communicate directly with the openswan IPSec implementation rather than communicating through less-robust and less-secure on-disk temporary files. Second, NetworkManager's multi-concurrent-VPN support should be finished to allow for multiple tunnels/VPNs at one time. Third, NetworkManager should be enhanced to allow for interface-less, route-based VPNs like IPSec often provides.
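The Detailed Description and Scope sections both argue that handing secrets to the IPSec implementation through on-disk temporary files is less robust and less secure than talking to it directly. The following added example (not code from NetworkManager, network-manager-openswan or openswan; "libwhack" does not exist as a library and nothing here calls it) illustrates the general risk and the alternatives in plain Python: a secret written with a default open() and a typical 022 umask lands on disk readable by every local user; a hardened on-disk variant creates the file with O_EXCL and mode 0600 so there is never a readable window; and an anonymous pipe delivers the secret to a helper process without touching disk at all. The helper process is a stand-in for the daemon's control tool, and the secret value is constructed sample data.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample secret for the demonstration; not a real key.
SAMPLE_SECRET = "constructed-pre-shared-key"


def write_secret_insecurely(secret: str, directory: str) -> str:
    """The weak pattern: a plain open() honours the process umask, so with the
    common default of 022 the file is created 0644 and any local user can read it.
    The umask is set to 022 here only to make the demonstration deterministic."""
    path = os.path.join(directory, "vpn-secret.conf")
    old_umask = os.umask(0o022)
    try:
        with open(path, "w") as f:
            f.write(secret + "\n")
    finally:
        os.umask(old_umask)
    return path


def write_secret_restricted(secret: str, directory: str) -> str:
    """Hardened on-disk variant: O_EXCL refuses to reuse a pre-existing path and
    the 0o600 mode applies atomically at creation, so the file is never
    readable by other users, whatever the umask."""
    path = os.path.join(directory, "vpn-secret-restricted.conf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    return path


def file_mode_bits(path: str) -> int:
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_to_others(path: str) -> bool:
    """True if the file grants group or world read permission."""
    return bool(file_mode_bits(path) & (stat.S_IRGRP | stat.S_IROTH))


def pass_secret_via_pipe(secret: str) -> str:
    """Deliver the secret to a child over an anonymous pipe: nothing is written
    to disk and only the child that inherits the read end can see it. The child
    (a hypothetical stand-in for a control tool) echoes what it read so the
    caller can verify delivery."""
    read_fd, write_fd = os.pipe()  # both ends non-inheritable by default
    child = subprocess.Popen(
        [sys.executable, "-c",
         "import os, sys; "
         "sys.stdout.write(os.read(int(sys.argv[1]), 4096).decode())",
         str(read_fd)],
        pass_fds=(read_fd,),       # only the read end crosses into the child
        stdout=subprocess.PIPE,
        text=True,
    )
    os.close(read_fd)              # parent keeps just the write end
    os.write(write_fd, secret.encode())
    os.close(write_fd)             # EOF tells the child the secret is complete
    out, _ = child.communicate()
    return out


def run_demo() -> dict:
    """Exercise all three approaches in a fresh temporary directory and report
    the observed file modes and the pipe round trip."""
    directory = tempfile.mkdtemp(prefix="ipsec-secret-demo-")
    insecure = write_secret_insecurely(SAMPLE_SECRET, directory)
    restricted = write_secret_restricted(SAMPLE_SECRET, directory)
    return {
        "insecure_mode": file_mode_bits(insecure),
        "insecure_exposed": exposed_to_others(insecure),
        "restricted_mode": file_mode_bits(restricted),
        "restricted_exposed": exposed_to_others(restricted),
        "pipe_roundtrip": pass_secret_via_pipe(SAMPLE_SECRET),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

The pipe variant is the closest analogue to what the proposal describes for openswan: the secret exists only in process memory and in a kernel buffer that the intended helper reads, so there is no file to protect, clean up, or race against. Where a file is unavoidable, creating it with an explicit 0600 mode and O_EXCL removes the readable window and the symlink-reuse hazard that a default open() leaves behind.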

How To Test

Users who currently cannot utilize NetworkManager's IPSec VPN plugin due to its limitations should see if the enhancements support their configuration. Users who currently use the IPSec plugin should ensure their existing functionality still works as expected.

User Experience

The user interface for configuring IPSec VPN connections will be expanded to allow for any additional capabilities that are added, but the fundamental process will not change. Users will find that configurations that previously did not work now work correctly.

Dependencies

The proposed work for network-manager-openswan will require changes in openswan. Applications that make use of NetworkManager's VPN D-Bus API need to be changed to allow for more than one active VPN connection; this does not require D-Bus API changes as NM's D-Bus API has always been flexible enough to express this, but UI tools (like nm-applet or GNOME Shell's indicator) have been hard-coded to only allow one active VPN due to this previous limitation in NetworkManager.

Contingency Plan

If the work cannot be completed, we will simply disable the new functionality.

Documentation

  • We will add a 'nm-openswan-service' manpage detailing the configuration file parameters that you'd see in /etc/NetworkManager/system-connections/ for a VPN service, and will also attempt to add some documentation via tooltips to the UI editor screens for nm-connection-editor.

Release Notes

  • The NetworkManager IPSec plugin has been enhanced to support more configurations and use-cases.

Comments and Discussion