Re: strongSwan IKEv2/IPsec VPN plugin



On Wed, 2008-08-20 at 16:51 +0200, Martin Willi wrote:
> Hi,
> 
> I've created a VPN plugin for strongSwan, a complete IPsec solution for
> the native Linux IPsec stack.
> 
> It takes a slightly different approach than the other VPN daemons. The
> DBUS interface is integrated directly in our IKEv2 daemon through a
> plugin.

Excellent!  This looks very good.

> The plugins are not complete, but ready for broader testing. I've kept
> everything as simple as possible for the user:
> 
> - Certificate based Gateway authentication
> - PSK or EAP based user authentication
> - Password auth-dialog with keyring support
> 
> Planned features:
> 
> - Private key user authentication
> - Configuration Import/Export
> - Translation stuff
> 
> I've created a page [1] on the strongSwan Wiki about setup and
> configuration (including screenshots).
> 
> 
> Questions:
> 
> 1. The source is currently in the strongSwan SVN [2]. I think this makes
> sense for the strongSwan plugin with the DBUS interface, as it is more
> integrated in strongSwan than in NM. But it might make sense to push the
> configuration widget and auth-dialog [3] to the NM SVN, as they have no
> dependency on strongSwan. What do you think?
> I could create a proper patch for NM then.

Since the plugin itself and the UI bits are pretty intimately related
(because the plugin and UI both need to agree on how to interpret the
key/value pairs) they should probably stay in the same place.

And the plugin itself should probably stay in strongSwan for the moment
until we (a) release NM 0.7 with a stable plugin API, or (b) you are
pretty certain that the strongSwan plugin API won't change much in the
near future.

> 2. I've tried to use nm_vpn_plugin_failure() to notify NM about
> connection/authentication errors [4], but it ignores these messages.
> I've seen that the other daemons use direct DBUS method invocations to
> indicate errors. Is it possible/meant to use the nm_vpn_plugin class to
> signal error conditions?

Yeah, that needs to be handled better; NM itself doesn't handle that
very well at the moment.  The authentication right now is pretty much
one-shot, and if the auth fails NM doesn't do anything intelligent about
it.  I plan on looking into that quite soon, since the vpnc plugin has
some needs here as well.  More on that later.

Thanks again!
Dan


