Better NetworkManager IPSec Integration
IPSec usage is becoming more popular and the existing NetworkManager IPSec VPN plugin will be enhanced to better support these use-cases and fix known bugs.
- Name: Dan Williams
- Email: dcbw at redhat dot com
- Targeted release: Fedora 20
- Last updated: 2013-03-12
- Percentage of completion: 10%
The existing VPN plugin uses the openswan IPSec package to provide IPSec functionality for NetworkManager users. The plugin's communication with openswan could be much more robust and secure if it talked directly to openswan's tools rather than writing secrets and other configuration out to temporary files, as openswan currently requires. Furthermore, NetworkManager should be enhanced to allow for route-based tunnel connections instead of requiring a TUN/TAP interface for each VPN connection.
Benefit to Fedora
More IPSec configurations will be supported and configuration and usage of IPSec tunnels will be more robust and more secure.
openswan needs some work to possibly turn some pieces of its internal functionality into a library, e.g. "libwhack", which clients like network-manager-openswan would use to communicate directly with the openswan IPSec implementation rather than communicating through less-robust and less-secure on-disk temporary files. Second, NetworkManager's multi-concurrent-VPN support should be finished to allow for multiple tunnels/VPNs at one time. Third, NetworkManager should be enhanced to allow for interface-less, route-based VPNs such as IPSec often provides.
How To Test
Users who currently cannot utilize NetworkManager's IPSec VPN plugin due to its limitations should see if the enhancements support their configuration. Users who currently use the IPSec plugin should ensure their existing functionality still works as expected.
The user interface for configuring IPSec VPN connections will be expanded to allow for any additional capabilities that are added, but the fundamental process will not change. Users will find that configurations that previously did not work now work correctly.
The proposed work for network-manager-openswan will require changes in openswan. Applications that make use of NetworkManager's VPN D-Bus API need to be changed to allow for more than one active VPN connection; this does not require D-Bus API changes as NM's D-Bus API has always been flexible enough to express this, but UI tools (like nm-applet or GNOME Shell's indicator) have been hard-coded to only allow one active VPN due to this previous limitation in NetworkManager.
If the work cannot be completed, we will simply disable the new functionality.
- We will add a 'nm-openswan-service' manpage detailing the configuration file parameters that you'd see in /etc/NetworkManager/system-connections/ for a VPN service, and will also attempt to add some documentation via tooltips to the UI editor screens for nm-connection-editor.
- The NetworkManager IPSec plugin has been enhanced to support more configurations and use-cases.