Re: Generic IPSEC vpn plugin



On Fri, 2009-04-24 at 11:50 -0400, Paul Wouters wrote:
> On Fri, 24 Apr 2009, Peter Robinson wrote:
> 
> >>>> Openswan has a GSoC project submission for this. One of the issues is
> 
> btw. that project got the go ahead and we have a student for this now.
> 
> >> The largest problem with IPSec is that since it's half-kernel and
> >> half-daemon, there isn't necessarily something there (AFAIK) to alert
> >> NetworkManager to the presence of a dropped connection or something like
> >> that.  If there is, that's great, lets use it and it'll be awesome.
> >
> > Well there's the ipsec-tools utilities but I suspect any NM support
> > will need something like what was done with wpa_supplicant where there
> > was patches needed.
> 
> ipsec-tools is not required for ipsec operation using openswan. If
> people want to get notifications in userland on tunnels failing, they
> should configure the ipsec tunnel to use Dead Peer Detection (RFC3706)

Ok, how does that actually show up in userspace?  What can we make the
NM vpn plugin daemon listen for?

> >> Oh come off it David.  It *is* a per-user thing if you're not talking
> >> about a multi-user system.  If I log into my work VPN, but then a
> >> house-guest asks to use the system, I'm going to fast-user-switch, and I
> >> certainly don't want that person to have access to my VPN.  Connections
> >> can be *both* per-user in a single-user system, or system-wide on any
> >> system.
> >
> > That comes back to the Site-to-Site vs Road-Warrior configuration. Its
> > the same argument that no doubt went on for the system wide ethernet
> > vs the login and then connect single user argument and support
> 
> I take it NM already has some kind of user-switching support that takes
> this difference into account, and can take down the tunnel. Though if
> I remember correctly, OSX gave you a preference option for this choice.
> (you might be transferring data from your vpn and give control to
> another user while expecting the vpn stays up)

Yeah there's support for this.  Basically, you have two classes of
connections: system and user.  Just like OS X actually.  User
connections credentials and details are stored in the user session and
do not survive fast-user-switch.  System connections are stored outside
of the user session, and thus are available before login and survive a
fast user switch.  So if you don't want your VPN to be available to
everyone, you keep it as a user connection.  If you don't care, you make
it a system connection and "available to all users" as the UI
checkbutton puts it.

Dan
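Editor's note: the thread leaves Dan's question ("how does that actually show up in userspace?") open. The sketch below is an added example, not code from the NetworkManager or Openswan projects, of one plausible answer. It assumes Openswan's updown interface: the script named by `leftupdown=` in the conn section is run with the event in `$PLUTO_VERB` and the connection name in `$PLUTO_CONNECTION`, and when Dead Peer Detection (`dpddelay=`, `dpdtimeout=`, `dpdaction=clear`) declares the peer dead the tunnel is torn down and the script runs with a `down-*` verb. The hook records that transition in a state directory a plugin daemon could poll or inotify-watch; the state path and the location of the stock `_updown` script are assumptions.

```shell
#!/bin/sh
# Hypothetical Openswan updown hook (added example; not NM or Openswan code).
# Openswan runs the script given by leftupdown= with $PLUTO_VERB set to the
# event (up-client, down-client, ...) and $PLUTO_CONNECTION to the conn name.
# A DPD timeout with dpdaction=clear ends up here as a down-* verb, which is
# the userland signal the thread was looking for.

# Where tunnel state is recorded; assumed path, overridable for testing.
STATE_DIR="${STATE_DIR:-/tmp/ipsec-state}"

record_state() {
    # $1 = connection name, $2 = up|down
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$2" > "$STATE_DIR/$1"
}

handle_updown() {
    # Dispatch on the verb Openswan passes in the environment.
    conn="${PLUTO_CONNECTION:-unknown}"
    case "$PLUTO_VERB" in
        up-client|up-host|up-client-v6|up-host-v6)
            record_state "$conn" up ;;
        down-client|down-host|down-client-v6|down-host-v6)
            # Reached after DPD declares the peer dead (dpdaction=clear)
            # or after an explicit "ipsec auto --down".
            record_state "$conn" down ;;
        prepare-client|prepare-host|route-client|route-host|unroute-client|unroute-host)
            # Routing-only events; nothing a VPN plugin needs to react to.
            : ;;
        *)
            echo "unknown PLUTO_VERB '$PLUTO_VERB'" >&2
            return 1 ;;
    esac
}

tunnel_state() {
    # Query helper for a plugin daemon: prints up, down or unknown.
    if [ -f "$STATE_DIR/$1" ]; then cat "$STATE_DIR/$1"; else echo unknown; fi
}

# Chain to the stock script so routes and policies are still installed
# (install path is an assumption; adjust to the distribution's location).
if [ -x /usr/lib/ipsec/_updown ] && [ -n "$PLUTO_VERB" ]; then
    /usr/lib/ipsec/_updown "$@"
fi
if [ -n "$PLUTO_VERB" ]; then
    handle_updown
fi
```

A plugin daemon would watch `$STATE_DIR` (inotify or a short poll) and treat a transition to `down` on its connection as the dropped-tunnel event to report to NetworkManager; with DPD disabled, that transition only ever happens on an explicit teardown.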
