Re: Support for L2TP/IPsec



On Thu, 2008-05-22 at 13:37 +0200, Vincent Bernat wrote:
> Hi!
> 
> L2TP/IPsec is becoming a popular choice for setting up VPNs. Its security is
> greater than that of PPTP solutions, and clients are included in Windows and
> Mac OS X. Unfortunately, this is quite difficult to set up on Linux. Having a
> plugin for network-manager would be great.

So we need a few things from openswan.  The first is to either accept
command-line arguments for configuration, or to accept configuration
from stdin and not from a file.  There are quite a few reasons why we
shouldn't be writing out a config file, and there are more reasons why we
shouldn't be pointing openswan at an existing config file.

> Here are the steps to configure an L2TP/IPsec connection (with OpenSWAN
> rather than racoon; implementing it with OpenSWAN is easier):
>  - set up OpenSWAN for IPsec transport mode
> 
> version	2.0
> config setup
> 	nat_traversal=yes
> 	nhelpers=0
> conn L2TP
>    right="roadwarrior.example.com"
>    rightid= roadwarrior example com
>    authby=rsasig
>    pfs=no
>    rekey=yes
>    keyingtries=3
>    type=transport
>    left=%defaultroute
>    leftcert=XXXXXX.pem
>    leftrsasigkey=%cert
>    leftprotoport=17/1701
>    leftnexthop=%defaultroute
>    rightrsasigkey=%cert
>    rightca=%same
>    rightprotoport=17/1701
>    dpddelay=30
>    dpdtimeout=120
>    dpdaction=clear
> include /etc/ipsec.d/examples/no_oe.conf
> 
> To avoid modifying /etc/ipsec.conf, NetworkManager could require that you
> include /etc/ipsec.d/networkmanager, which would be a symlink to some file
> generated by NetworkManager. The example above is for authentication with
> certificates. You should also set up the private key in /etc/ipsec.secrets. I
> am not sure if it is possible to tell OpenSWAN to use another file.

We shouldn't be pointing it at config files; and authentication needs to
be interactive or one-shot using provided secrets, not a config file
like /etc/ipsec.secrets...

>  - enable the IPsec tunnel with ipsec auto --up L2TP (this command returns on
> success)
>  - set up the L2TP part with xl2tpd (which needs ppp)

Hmm, we'll need to control xl2tpd then too, but we'll need to be able to
tell it what options to pass to pppd, not give it a config file.  We
also need to be able to feed secrets to it over stdin or via a plugin if
possible.  This is what's done for pppd, since pppd allows plugins to
handle the authentication.

The problem with config files is that we'd be writing them out every
time we launch the daemon, because the VPN settings come from a variety
of sources.  They are pulled from the user's session store (GConf on
Gnome) or from system settings; they don't get stored in the native
daemons' config files.

But this overview is good, thanks for posting it!  It does give me a
better idea about how to work things.

Dan

> xl2tpd.conf is like this:
> 
> [lac l2tp]
> lns = roadwarrior.example.com
> require chap = yes
> autodial = yes
> pppoptfile = /etc/ppp/options.roadwarrior.l2tpd
> length bit = yes
> name = XXXXXX
> 
> /etc/ppp/options.roadwarrior.l2tpd is like this:
> 
> ipcp-accept-local
> ipcp-accept-remote
> idle 1800
> debug
> mtu 1410
> mru 1410
> nodefaultroute
> require-mschap-v2
> refuse-chap
> refuse-mschap
> refuse-eap
> refuse-pap
> noccp
> noauth
> 
> And you need to set up /etc/ppp/chap-secrets (again, I don't know if ppp is
> able to use another file)
> 
>  - launch xl2tpd -D -c config-file
>  - setup routes
> 
> The tricky part compared with PPTP is that we need to handle two daemons
> (one for IPsec, one for L2TP).
> 
> Is somebody already working on implementing this kind of VPN in
> NetworkManager?
> 
> Thanks.
> 
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
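The openswan conn block and the pppd options file quoted in Vincent's mail together define the security posture of the connection (certificate-based IKE authentication, no PFS, UDP/1701 only, MS-CHAPv2 for the PPP leg). The following is an added example, not code from the thread, NetworkManager or openswan: it parses small constructed copies of those two files (parser names and finding texts are my own) and reports the settings a reviewer would want to look at before shipping such a configuration.

```python
import re

# Constructed samples modelled on the files quoted in the thread (not the real files).
IPSEC_CONN = """conn L2TP
   right="roadwarrior.example.com"
   authby=rsasig
   pfs=no
   type=transport
   leftprotoport=17/1701
   rightprotoport=17/1701
   dpdaction=clear
"""
PPP_OPTIONS = """ipcp-accept-local
mtu 1410
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
noccp
noauth
"""

def parse_ipsec_conn(text):
    """Return {key: value} for the key=value lines of one openswan conn block."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conn[m.group(1)] = m.group(2).strip('"')
    return conn

def parse_ppp_options(text):
    """Return the set of pppd option names (first word of each non-comment line)."""
    return {l.split()[0] for l in text.splitlines() if l.strip() and not l.startswith("#")}

def audit(conn, opts):
    """Return a list of review findings for the IPsec conn and the pppd options."""
    findings = []
    if conn.get("pfs") == "no":
        findings.append("ipsec: pfs=no disables Perfect Forward Secrecy for the phase 2 SA")
    if conn.get("authby") != "rsasig":
        findings.append("ipsec: authby=%s is not certificate based" % conn.get("authby", "<unset>"))
    if (conn.get("leftprotoport"), conn.get("rightprotoport")) != ("17/1701", "17/1701"):
        findings.append("ipsec: SA is not restricted to UDP/1701 (L2TP)")
    # refuse-<method> stops this side from authenticating itself with <method>;
    # anything not refused may still be negotiated by the peer.
    refused = {o[len("refuse-"):] for o in opts if o.startswith("refuse-")}
    weak = sorted({"pap", "chap", "mschap", "eap"} - refused)
    if weak:
        findings.append("ppp: this side may authenticate itself with %s" % weak)
    if "noauth" in opts:
        findings.append("ppp: noauth, the peer is not required to authenticate itself")
    return findings
```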
