Re: VPN Plugin: concepts questions



On Sun, 12 Apr 2009, Steve Hillier wrote:

> I want to clarify the conceptual overview of how a VPN service plugin works; so
> I'm looking for answers to some generic-type questions.

I don't have answers, but I do have additional questions. Note, I am an Openswan
developer.

> Does the VPN Service object have root privileges?

Something needs additional permissions somewhere, since all the IKE daemons
(for IPsec VPNs) require root permission to talk to.

> Where is a user's VPN connection definition (a set of properties) stored?

This is another issue that needs to be addressed. For example, for Openswan
the connections live in /etc/ipsec.conf, but they can be added/removed using
the 'ipsec whack' command without needing the configuration file in most
cases, with the noted exception of how to load the X.509 certificates.

Any secrets or private keys live in /etc/ipsec.secrets. I don't see passing
private RSA keys as a good solution (though I would be fine with passing PSKs).

> Is it acceptable for the VPNPlugin implementation to spin off a helper process to
> "watch" the VPN SA status, or does NM just poll on an interval via DBUS? I'm thinking
> about the case when the remote side terminates the connection - how does NM become
> informed of this change of state?

Monitoring can be done in different ways. Note that you cannot be sure that the
remote end is gone unless you either send traffic, or you use Dead Peer Detection.
If using DPD, then Openswan can signal this back via dbus, though it also has a setting
to restart on DPD failure (which does not work in all cases, e.g. if the remote initiated
and is behind NAT, but will work fine for cases where we are the client).
The other case is where the remote end hangs up. Again, this is clearly signaled and
Openswan could send a message via DBUS.

> Is it acceptable for there to exist a version dependency between a VPN service plugin
> and the underlying VPN service it's abstracting (i.e. nm-vpnc only works with version
> X.Y.Z of the vpnc client)?

That is inevitable, as the APIs for the IPsec software will change over time.

> I see the roadmap for NM talks about multiple devices active. Does that include VPN
> connections? Does a VPN plugin have to support that feature?

If you support one, you might as well support more. The only catch here is that
some connections can be up alongside each other, but other connections (e.g. l2tp
based ones with default gw via vpn) cannot.

Also, note that a VPN plugin for l2tp would depend on one part handling IPsec, one
part handling L2TP (xl2tpd for example) and one part handling pppd.

Paul
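As an added illustration, not from this thread or from Openswan's or NetworkManager's own code, of the point above about where a connection definition and its secret would have to land for Openswan: a small Python helper that renders a set of connection properties into an ipsec.conf `conn` block and a matching ipsec.secrets PSK line, keeping the PSK out of ipsec.conf and writing the secrets file with 0600 permissions. The property names, the sample values and the choice of `conn` keywords are assumptions based on common ipsec.conf syntax.

```python
import os
import tempfile

# Constructed sample of a user's VPN connection definition (a set of properties),
# as a VPN service plugin might receive it. The property names are assumptions.
SAMPLE_CONNECTION = {
    "name": "office",
    "gateway": "vpn.example.com",
    "local_id": "@laptop",
    "psk": "correct horse battery staple",
}


def render_conn(props):
    """Render an ipsec.conf 'conn' block for a PSK-authenticated connection.
    The PSK is deliberately absent: it belongs in ipsec.secrets (root-only),
    never in ipsec.conf, which is commonly world-readable."""
    lines = [
        f"conn {props['name']}",
        "    left=%defaultroute",
        f"    leftid={props['local_id']}",
        f"    right={props['gateway']}",
        "    authby=secret",
        "    auto=add",
    ]
    return "\n".join(lines) + "\n"


def render_secret(props):
    """Render the matching ipsec.secrets line: '<leftid> <right> : PSK "..."'.
    A quote or newline inside the PSK would break (or inject into) the file,
    so refuse such values rather than writing a malformed secrets file."""
    if '"' in props["psk"] or "\n" in props["psk"]:
        raise ValueError("PSK contains characters not allowed in ipsec.secrets")
    return f'{props["local_id"]} {props["gateway"]} : PSK "{props["psk"]}"\n'


def write_secret(props, path):
    """Write the secrets line so only the owner (root in practice) can read it;
    returns the resulting permission bits as an octal string."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_secret(props))
    os.chmod(path, 0o600)  # enforce even if the file pre-existed with a wider mode
    return oct(os.stat(path).st_mode & 0o777)


def demo():
    """Write the sample secret into a temporary directory; returns (mode, content)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ipsec.secrets")
        mode = write_secret(SAMPLE_CONNECTION, path)
        with open(path) as f:
            return mode, f.read()
```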

