Re: nm-openswan development update



On Tue, 2007-03-27 at 19:34 -0400, Darren Albers wrote:
> On 3/25/07, steve <keyhman gmail com> wrote:
> > Hi,
> >
> > It's been busy at work and hence development slows down accordingly, but
> > my weekends are free and I've made some big strides this weekend.
> >
> > I also wasted about 5 hours of my time today (not to mention the
> > frustration and head scratching for the past 3 weeks) at why the symbol
> > plugin for Anjuta (my IDE) wasn't working reliably: it sometimes
> > displayed correct data, then other times it wouldn't display that same
> > data at all.
> >
> > The 5 hours today went towards 3 efforts:
> >
> > 1. Try out eclipse (read the docs -- it doesn't support automake build
> > systems)
> > 2. Try out Kdevelop (well.. I'm not developing for KDE and it crashed
> > every time I tried to import my project or create a new GTK+ project and
> > import my source)
> > 3. Try to compile the latest source of the next rev of Anjuta: Too many
> > library version conflicts with my FC6 installation to make a sane build
> > environment feasible on my laptop.
> >
> > Then I stumbled across the reason for all my problems: I started with
> > the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just
> > like copying in school, you get the mistakes as well as the correct
> > answers.
> >
> > Moral of the Story: Don't copy verbatim if you can avoid it.
> >
> > After I fixed the problem ( which had to do with name/type conflicts on
> > typedef struct definitions ) the symbol browser in FC6's default
> > installation of Anjuta started working perfectly.
> >
> > Afterwards, I ran a build of the default vpc source (Just for kicks)
> > and saw warnings about the same thing. Anyway, just wanted to save
> > people time if anyone else is writing a vpn plugin, and started with the
> > source of an existing one for reference like I did.
> >
> > Development continues on nm-openswan and I hope to have a complete set
> > of working alpha code for all targets of the plugin in about 2 weeks. At
> > that point I'm going to set up some kind of CVS repository for the dist.
> >
> > There is still one big design question to be answered through testing.
> > If anyone knows openswan well, or cares to help me figure this one out,
> > feel free to offer advice. Here's my dilemma:
> >
> > Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec
> > connection
> >
> > -OR-
> >
> > integrate the code for whack into my project and link against it at
> > build time (so my code actually talks directly to pluto through a
> > socket). I don't like this idea as my code becomes dependent on a
> > specific version of openswan (it's hard to explain the why of that).
> > Each new major rev of openswan will require an update to my source and a
> > recompile to work again and introducing dependencies doesn't seem to fit
> > with the design goals of NetworkManager.
> >
> > All feedback welcome.
> >
> > I'll send another update once I've got this problem licked and the alpha
> > code compiles (without segfaults at runtime ;)
> >
> > Steve.
> 
> Hi Steve!
> 
> Thank you for the update, so far it looks great. Sorry for the late
> response I flagged your earlier email to respond to it but travel kept
> me from doing it. I was looking at your earlier screenshot and I was
> curious if it was possible to set the password to prompt for people
> with RSA tokens and what options were there for Xauth? With the
> nortel client there is a group username and password and the
> connection properties dialog seemed to permit either a Pre-shared key
> or Certificate but not just X-auth, or am I misreading the dialog?
> 
> Regarding SVN, once the plugin reaches a somewhat usable state Dan
> might be willing to host it on the gnome svn with the other VPN
> plugins but I am not sure what his or gnome's requirements would be.
> 
> I haven't looked at the VPNC or OpenVPN plugin code in a while but if I
> remember properly they just call vpnc or openvpn directly so it seems
> like calling openswan that way would be in line with the other plugins,
> however I have never used Openswan so I am not sure of any limitations
> or issues with that.

Openswan appears to be a bit different since there isn't really one
particular daemon that runs with each connection.  It uses internal
kernel support to set up IPSec connections with different hosts and
such, and there's apparently one daemon that handles everything.  From
my reads it looked pretty involved and unlike the current one-shot VPN
plugins that we've already got, since the connections are persistent and
don't terminate when the daemon terminates.

Dan

> Thank you again for taking this on!  I suspect that a lot of people
> will find your work useful!  I know I will if I can connect to my
> Nortel concentrator at work, it will allow me to remove my XP VM that I
> use now!
> 
> Thanks!
> Darren
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list



