nm-openswan

From: steve <keyhman gmail com>
To: nmlist <networkmanager-list gnome org>
Subject: nm-openswan
Date: Wed, 07 Mar 2007 21:08:47 -0500

Greetings,

I love the simplicity of Network Manager. For a road warrior with alaptop, it's a must have. I currently use FC6 on my Laptop. The onlything NM doesn't do for me, that I'd like to see, is manage my IPsec vpnconnections I configured for OpenSwan.

First , I didn't like the way the secrets files were used by Openswan. Ihad a lot of inconsistency when trying to match secrets to the %anyidentifier, and found that the only reliable way to manage multiplesecrets for multiple IPsec connections was to regenerate the secretsfile everytime the network interface / IP address changed.

Requirement: /etc/ipsec.d is used to store per-connection information intwo files: conn.conf and conn.secrets

So I wrote a small patch to the openswan init scripts which come withthe FC6 distribution that adds some simple automation to the startupprocedure: Everytime /etc/init.d/ipsec start/stop/restart is called, itwill automatically detect which interface is being used to route theconnection, grab the IP address of the interface and then generate a1-to-1 match in the /etc/ipsec.secrets file, used by pluto, by pairingthat IP address with the secret and the connection target addresssourced from /etc/ipsec.d/conn.conf and /etc/init.d/conn.secrets.

The result was that by restarting IPsec services I created a/etc/ipsec.secrets file that always had a perfect match for anyconnection I wanted to initiate.

Once I had a reliable way to manage multiple IPsec connections, Ithought, why not make my IPsec connections manageable through NM?

So I grabbed the source, the source to nm-vpnc and nm-openvpn, andstarted reverse engineering how they manage those two services.


Obviously IPsec is different, but I got the basics from those source trees.

Now I'm writing my own "plugin" to network manager that will allow youto start / stop / create / delete IPsec connections for OpenSwan. Thecaveat is that it relys on the automation from my init script for nowbut that may change as I continue to develop my code.

Is anyone else working on a project like this? Does anyone have need forthis type of plugin, or is this software only useful for me?


Steve

Follow-Ups:
- Re: nm-openswan
  - From: Soren Hansen
- Re: [RFC] nm-openswan
  - From: jherm

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]