Re: nm-openswan development update

Dan Williams wrote:
On Tue, 2007-03-27 at 19:34 -0400, Darren Albers wrote:
On 3/25/07, steve <keyhman gmail com> wrote:

It's been busy at work and hence development slows down accordingly, but
my weekends are free and I've made some big strides this weekend.

I also wasted about 5 hours of my time today (not to mention the
frustration and head scratching for the past 3 weeks) at why the symbol
plugin for Anjuta (my IDE) wasn't working reliably: it sometimes
displayed correct data, then other times it wouldn't display that same
data at all.

The 5 hours today went towards 3 efforts:

1. Try out eclipse (read the docs -- it doesn't support automake build
2. Try out KDevelop (well.. I'm not developing for KDE and it crashed
every time I tried to import my project or create a new GTK+ project and
import my source
3. Try to compile the latest source of the next rev of Anjuta: Too many
library version conflicts with my FC6 installation to make a sane build
environment feasible on my laptop.

Then I stumbled across the reason for all my problems: I started with
the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just
like copying in school, you get the mistakes as well as the correct

Moral of the Story: Don't copy verbatim if you can avoid it.

After I fixed the problem (which had to do with name/type conflicts on
typedef struct definitions) the symbol browser in FC6's default
installation of Anjuta started working perfectly.

Afterwards, I ran a build of the default vpc source (Just for kicks)
and saw warnings about the same thing. Anyway, just wanted to save
people time if anyone else is writing a vpn plugin, and started with the
source of an existing one for reference like I did.

Development continues on nm-openswan and I hope to have a complete set
of working alpha code for all targets of the plugin in about 2 weeks. At
that point I'm going to set up some kind of CVS repository for the dist.

There is still one big design question to be answered through testing.
If anyone knows openswan well, or cares to help me figure this one out,
feel free to offer advice. Here's my dilemma:

Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec


integrate the code for whack into my project and link against it at
build time (so my code actually talks directly to pluto through a
socket). I don't like this idea as my code becomes dependent on a
specific version of openswan (it's hard to explain the why of that).
Each new major rev of openswan will require an update to my source and a
recompile to work again and introducing dependencies doesn't seem to fit
with the design goals of NetworkManager.

All feedback welcome.

I'll send another update once I've got this problem licked and the alpha
code compiles (without segfaults at runtime ;)

Hi Steve!

Thank you for the update, so far it looks great.  Sorry for the late
response; I flagged your earlier email to respond to it but travel kept
me from doing it.   I was looking at your earlier screenshot and I was
curious if it was possible to set the password to prompt for people
with RSA tokens and what options were there for Xauth?   With the
nortel client there is a group username and password and the
connection properties dialog seemed to permit either a Pre-shared key
or Certificate but not just X-auth, or am I misreading the dialog?

Regarding SVN, once the plugin reaches a somewhat usable state Dan
might be willing to host it on the gnome svn with the other VPN
plugins but I am not sure what his or gnome's requirements would be.

I haven't looked at the VPNC or OpenVPN plugin code in a while but if I
remember properly they just call vpnc or openvpn directly so it seems
like calling openswan that way would be in line with the other plugins,
however I have never used Openswan so I am not sure of any limitations
or issues with that.

Openswan appears to be a bit different since there isn't really one
particular daemon that runs with each connection.  It uses internal
kernel support to set up IPSec connections with different hosts and
such, and there's apparently one daemon that handles everything.  From
my reads it looked pretty involved and unlike the current one-shot VPN
plugins that we've already got, since the connections are persistent and
don't terminate when the daemon terminates.


Thank you again for taking this on!  I suspect that a lot of people
will find your work useful!  I know I will if I can connect to my
Nortel concentrator at work, it will allow me to remove my XP VM that I
use now!


Your analysis is correct -- Openswan VPN is much more difficult than the other NM vpn plugins I've seen. I'm guessing that's why it hasn't been done yet. But I'm up for the challenge, and if I can get help, we might just make it work.

