Re: VPN interface for strongSwan



On Thu, 2007-04-26 at 14:49 +0200, Martin Willi wrote:
> Hi,
> 
> I'm a dev of the strongSwan project (an IPsec solution,
> www.strongswan.org). I'm trying to write an interface for our IKEv2
> keying daemon to NetworkManager.
> I've chosen a somewhat different approach than the existing plugins, as
> I want to integrate the DBUS interface directly into the daemon.

Sorry for the lag...

> I've read the source and studied the existing plugins, but it's not all
> clear to me yet.
> As I've understood so far, there are two things to handle at the
> in-daemon DBUS connection:
> 
> - handle startConnection(), stopConnection() methods
> - send notifications to NM (LoginFailed, IP4Config, StateChange, ...)
> 
> The prototype is almost working so far. I'm currently doing the
> following:
> 
> a. Set state to STOPPED (after daemon startup)
> b. Wait for StartConnection()
> c. Set state to STARTING, establish IPsec tunnel
> d. Send IP4Config signal
> e. Set state to STARTED
> f. Wait for StopConnection()
> g. Set state to STOPPING, tear down tunnel
> h. Set state to STOPPED
> 
> Ok, now I have some questions:
> 
> 1. Does the above look correct? Have I missed something important?

Looks more or less correct.  NM handles storing the configuration that
your VPN daemon needs, and pushing that configuration (including
secrets) to your daemon.

> 2. What are signalConfigError() and signalIP4Config() methods used for?
>    Are they used at all?

The VPN interface was originally designed for the mobile user use-case
for connections back to the company.  That means that the VPN-provided
IP address, routing information, and nameserver information replaces the
current settings.  That's no longer adequate though, and we'd like to
change it to support point-to-point VPN links too.

In any case, when the vpnc plugin gets the IP address, nameservers, and
routes from the VPN concentrator, it forwards those settings to
NetworkManager so that NM can apply the IP address to the tunnel and
set up the routes and nameserver correctly in /etc/resolv.conf.

What are the normal use-cases for your VPN daemon?

> 3. It's currently unclear to me how to handle multiple connections at 
>    the same time. Is it possible at all to have two active connections?

It was planned but it wasn't implemented at the time.  We'd like to
change that though.

Dan

> Any feedback or some pointers to docs are welcome. Thanks...
> 
> 
> Best regards
> Martin Willi
> 
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
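The lifecycle Martin lists (STOPPED, StartConnection, STARTING, IP4Config, STARTED, StopConnection, STOPPING, STOPPED) and the signals Dan mentions (StateChange, IP4Config, LoginFailed) can be modelled as a small state machine before any D-Bus glue is written. The following is an added example, not code from strongSwan or NetworkManager: it keeps the whole exchange in-process, records emitted signals in an array instead of sending them over D-Bus, and treats the structure field names (gateway, username, password, address, netmask, dns1) and the post-failure state as assumptions. The practitioner-relevant points it shows are that StartConnection is refused unless the plugin is STOPPED (so a second request cannot restart a tunnel that is already coming up), that the secret NM pushes is wiped as soon as it has been handed to the IKE side, and that a late tunnel-up event arriving after a StopConnection is ignored rather than flipping the state back to STARTED.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Plugin states, using the names from the thread. */
typedef enum { VPN_STOPPED, VPN_STARTING, VPN_STARTED, VPN_STOPPING } vpn_state_t;

static const char *state_name(vpn_state_t s)
{
    static const char *names[] = { "STOPPED", "STARTING", "STARTED", "STOPPING" };
    return names[s];
}

/* What NM pushes with StartConnection. The field names are assumptions made
 * for this example; the real property set is defined by NM. */
typedef struct {
    const char *gateway;
    const char *username;
    char        password[64];   /* secret: zeroed as soon as it is consumed */
} vpn_config_t;

/* What the daemon reports back with IP4Config once the tunnel is up. */
typedef struct {
    const char *address;
    const char *netmask;
    const char *dns1;
} ip4_config_t;

/* In-process stand-in for the D-Bus signals sent to NM: every emitted
 * signal is appended here so the sequence can be inspected afterwards. */
#define MAX_SIGNALS 16
typedef struct {
    vpn_state_t state;
    char        signals[MAX_SIGNALS][96];
    int         nsignals;
} vpn_plugin_t;

static void emit(vpn_plugin_t *p, const char *signal, const char *detail)
{
    if (p->nsignals < MAX_SIGNALS)
        snprintf(p->signals[p->nsignals++], sizeof p->signals[0],
                 "%s%s%s", signal, *detail ? " " : "", detail);
}

static void set_state(vpn_plugin_t *p, vpn_state_t s)
{
    p->state = s;
    emit(p, "StateChange", state_name(s));
}

/* Overwrite a secret through a volatile pointer so the store is not elided. */
static void wipe(char *buf, size_t len)
{
    volatile char *v = buf;
    while (len--) *v++ = 0;
}

/* Step a: daemon startup. */
void plugin_init(vpn_plugin_t *p)
{
    memset(p, 0, sizeof *p);
    set_state(p, VPN_STOPPED);
}

/* Steps b/c: StartConnection. Refused unless the plugin is STOPPED. The IKE
 * exchange itself is asynchronous and reports back through
 * plugin_on_tunnel_up() / plugin_on_tunnel_failed(). Returns 0 when accepted. */
int plugin_start_connection(vpn_plugin_t *p, vpn_config_t *cfg)
{
    if (p->state != VPN_STOPPED)
        return -1;
    set_state(p, VPN_STARTING);
    /* Hand gateway/username/password to the IKE daemon here (omitted).
     * After the hand-off the copy received from NM is no longer needed. */
    wipe(cfg->password, sizeof cfg->password);
    return 0;
}

/* Steps d/e: tunnel is up and the IP settings from the gateway are known.
 * A tunnel-up event that arrives when we are not STARTING is stale
 * (e.g. the user already hit StopConnection) and is ignored. */
int plugin_on_tunnel_up(vpn_plugin_t *p, const ip4_config_t *ip4)
{
    char detail[96];
    if (p->state != VPN_STARTING)
        return -1;
    snprintf(detail, sizeof detail, "%s/%s dns=%s",
             ip4->address, ip4->netmask, ip4->dns1);
    emit(p, "IP4Config", detail);
    set_state(p, VPN_STARTED);
    return 0;
}

/* Failure while STARTING: signal LoginFailed and drop back to STOPPED so a
 * fresh StartConnection is accepted. (The post-failure state is an assumption.) */
int plugin_on_tunnel_failed(vpn_plugin_t *p)
{
    if (p->state != VPN_STARTING)
        return -1;
    emit(p, "LoginFailed", "");
    set_state(p, VPN_STOPPED);
    return 0;
}

/* Steps f/g/h: StopConnection. Also accepted while STARTING so a hanging
 * attempt can be cancelled. */
int plugin_stop_connection(vpn_plugin_t *p)
{
    if (p->state != VPN_STARTED && p->state != VPN_STARTING)
        return -1;
    set_state(p, VPN_STOPPING);
    /* tear down the IPsec SAs here (omitted) */
    set_state(p, VPN_STOPPED);
    return 0;
}

int main(void)
{
    vpn_plugin_t p;
    /* constructed sample input, not real credentials */
    vpn_config_t cfg = { "vpn.example.org", "alice", "constructed-secret" };
    ip4_config_t ip4 = { "10.8.0.2", "255.255.255.0", "10.8.0.1" };
    int i;

    plugin_init(&p);
    plugin_start_connection(&p, &cfg);
    plugin_on_tunnel_up(&p, &ip4);
    plugin_stop_connection(&p);
    for (i = 0; i < p.nsignals; i++)
        printf("-> %s\n", p.signals[i]);
    return 0;
}
```

Run stand-alone, the program prints the six signals in the order NM would receive them for one successful start/stop cycle. Question 3 in the thread (several simultaneous connections) is deliberately outside this model: one `vpn_plugin_t` is one connection, and supporting more would mean keying the state per connection object rather than per daemon.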
