Re: Support for L2TP/IPsec



On Fri, 2008-05-23 at 21:23 +0200, Vincent Bernat wrote:
> OoO On this cloudy night of Friday 23 May 2008, around 00:20, Dan
> Williams <dcbw redhat com> said:
> 
> >> L2TP/IPsec is becoming a popular choice for setting up VPNs. Security is
> >> greater than with PPTP solutions, and clients are included in Windows and
> >> Mac OS X. Unfortunately, this is quite difficult to set up on Linux. Having
> >> a plugin for network-manager would be great.
> 
> > So we need a few things from openswan.  The first is to either accept
> > command-line arguments for configuration, or to accept configuration
> > from stdin and not from a file.  There's quite a few reasons why we
> > shouldn't be writing out a config file, and there's more reasons why we
> > shouldn't be pointing openswan at an existing config file.
> 
> Well, this would be a bit difficult. There are other IKE daemons that may
> be configured this way:
>  - isakmpd from OpenBSD accepts being entirely configured through a named
>    pipe
>  - iked from the Shrew Soft VPN client is an IKE daemon that also accepts
>    being configured in a similar way
> 
> I will test whether one of them is able to establish a proper IPsec tunnel
> suitable for L2TP/IPsec.
> 
> >> - set up the L2TP part with xl2tpd (which needs ppp)
> 
> > Hmm, we'll need to control xl2tpd then too, but we'll need to be able to
> > tell it what options to pass to pppd, not give it a config file.  We
> > also need to be able to feed secrets to it over stdin or via a plugin if
> > possible.  This is what's done for pppd, since pppd allows plugins to
> > handle the authentication.
> 
> xl2tpd can either use a plugin for pppd and do the authentication itself
> or just let pppd do the authentication. So the actual plugin for pppd
> will do the trick. Concerning pppd options, unfortunately, xl2tpd seems
> to have no other option than to pass a file to pppd.

We might have to patch xl2tpd then; I understand why they did it, but
passing files around is just broken.

> > The problem with config files is that we'd be writing them out every
> > time we launch the daemon, because the VPN settings come from a variety
> > of sources.  They are pulled from the user's session store (GConf on
> > Gnome) or from system settings, they don't get stored in the native
> > daemons config files.
> 
> Can't we write temporary files? xl2tpd accepts any configuration file.

We _could_, but it's ugly.  You simply can't clean them up with any
certainty.  If you've ever had to deal with .pid files, you know what I
mean.  You want to tie the configuration to the lifetime of the process
that's actually using that configuration, and have that configuration go
away when the process that's using it dies or quits.  If you write temp
files, you don't have that guarantee, and you end up with stale temp
files if something doesn't work right.  At least with pppd, all the
options we care about can be passed on the pppd command line, so it
wouldn't be that hard to have xl2tpd handle those on its command line
too.

Another issue with config files is password leakage.  If you write out a
config file that must contain the password (like a session-specific chap
secrets file), and something happens and NM or the process that's
responsible for cleaning that file up quits or segfaults without
cleaning it up, then you've got your password sitting around on the
disk.  Not cool.  Using stdin for config is the best way to handle this
because secrets don't get written out anywhere.

Dan
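The stdin-fed configuration Dan argues for, as an added C example that is not NetworkManager's, xl2tpd's or pppd's own code: the parent spawns the daemon with a pipe on its stdin and pushes the configuration, secrets included, through that pipe, so nothing is written to disk and the configuration lives exactly as long as the child. The function name, the use of execvp, and the plain-text "key value" config lines are assumptions for the illustration.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[] as a child process and hand it `config` on its stdin instead
 * of writing a config file. The secret never touches the disk, and the
 * pipe (and with it the configuration) is gone once the child exits.
 * Returns the child's exit status, or -1 on a spawn or wait failure. */
int spawn_with_stdin_config(char *const argv[], const char *config)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the read end becomes stdin; both pipe fds are closed so
         * the daemon sees EOF as soon as the parent finishes writing. */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127); /* exec failed; hypothetical daemon could not start */
    }

    /* Parent: drop the read end, write the whole config (looping in case
     * the pipe buffer is smaller than the config), then close the write
     * end so the child sees EOF and stops reading. */
    close(fds[0]);
    const char *p = config;
    size_t left = strlen(config);
    while (left > 0) {
        ssize_t n = write(fds[1], p, left);
        if (n <= 0)
            break; /* child went away early; nothing left on disk either way */
        p += n;
        left -= (size_t)n;
    }
    close(fds[1]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With a real daemon the child would parse its configuration from stdin the same way it now parses a file; here a shell one-liner stands in for it so the behaviour can be checked without xl2tpd installed.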
