NetworkManager-libreswan to replace NetworkManager-openswan
Hello everyone!

For the 1.2 series we're renaming the NetworkManager-openswan VPN plugin to NetworkManager-libreswan. It seems that the user community has shifted its focus to libreswan for new deployments, therefore we decided to rename the plugin to avoid confusion.

Currently the plugin supports both libreswan and openswan as there are very few differences between the two when it comes to interfacing with the plugin. However, with openswan having been dropped from major Linux distributions (Fedora and Debian most prominently) it's getting more difficult for us to ensure that openswan remains well supported.

NetworkManager-libreswan will remain compatible with existing NetworkManager-openswan connections and the transition should be smooth. We'll release the first version of NetworkManager-libreswan together with the release of NetworkManager 1.2. We're committed to maintaining NetworkManager-openswan as long as the NetworkManager 1.0 stable branch is maintained.

Regards,
Lubo

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Installing Network-manager Openswan-plugin for ubuntu
Hi.

Compiled and installed NetworkManager-openswan-0.9.8.0 (configure, make, make install) on Ubuntu 13.04 and it doesn't seem to show up as an available VPN under the VPN Connections, Configure VPN, Add menu. Installed openswan itself in case I needed that as infrastructure, no change.

Are there special --prefix options one needs with Ubuntu? Are there dependencies that don't relate to the compile? (I've obviously got all of those, since it did compile successfully.) Are there any special incantations to do on Network Manager to help it sense the presence of a new plugin? Is Ubuntu Unity incompatible with this plugin?
Re: Installing Network-manager Openswan-plugin for ubuntu
Hi Ray,

I'm not extremely familiar with the OpenSwan VPN plugin, however a few things you can try that wouldn't hurt:

* A restart for NetworkManager to see if it helps anything.
* Not sure about the location of things on Ubuntu, but make sure you have the library (.so) at the correct location as it will provide you with the GUI you're after.

Cheers.

On Sun, May 26, 2013 at 11:15 PM, Ray Klassen rayklas...@gmail.com wrote:

Hi. Compiled and installed NetworkManager-openswan-0.9.8.0 (configure, make, make install) on ubuntu 13.04 and it doesn't seem to show up as an available VPN under the VPN Connections, Configure VPN, Add menu. Installed openswan itself in case I needed that as infrastructure, no change. Are there special --prefix options one needs with ubuntu? are there dependencies that don't relate to the compile? (I've obviously got all of those, since it did compile successfully) are there any special incantations to do on Network Manager to help it sense the presence of a new plugin? Is ubuntu unity incompatible with this plugin?
Re: nm-openswan - update
Quoting steve hillier [EMAIL PROTECTED]:

So, first you need to get nm aware of the nm-openswan vpn service (see above).

Being a Debian GNU/Linux developer, the first thing I did (after trying it 'your way' :) was to create a .deb package. All this works perfect. Got network manager to see the new service etc...

You'll know it's working, when you can add the IPsec type of vpn connection through the vpn manager interface. Selecting this will start a wizard which eventually calls out to my shared library to configure the connection details.

This is where it breaks. SOMETIMES (especially if I'm running with strace or gdb), I can briefly see a window pop up. But this is where it segfaults...

If you're debugging the shared library, it's at this point, your debugger will go active (when nm tries to load my library and call the factory method to instantiate the configuration window). This is where the library tries to build a GUI and crashes.

Right..

I Just recently I realized that I may be creating my config window entirely wrong. I'm building a top-level window when I should be adding elements to the wizard window (I think).

Seems reasonable, because nm says:

(nm-vpn-properties:20827): Gtk-WARNING **: Can't set a parent on a toplevel widget

Unfortunately, gdb doesn't catch the segfault so I can't get a back trace... And I can't get anjuta to recognize the project. And I'm as green as you when it comes to coding GUI's with GTK...
Re: nm-openswan - update
haha.. can't believe it took me this long to catch this oversight. I used glade to design the UI for configuring the connection, and it just defaults to a top-level window. I'm loading the glade ui file as a resource and I never really closely examined the XML that glade-ui designer output. Oops. Gonna need to completely re-work my UI code to fix this. boo That's not a trivial undertaking (for me). I'll start on it in the next few weeks, now that I know what the problem is. Thanks for the insight!

On another note, and somewhat a shot in the dark, I hit a bug yesterday while testing my code that I never had before. I wanted to manually verify an IPsec connection before I tried my gui again, and I got an error message error inserting padlock, no such device blahblahblah. I only get it when I try to start a connection that uses AES encryption. I'm using openswan as my IPsec implementation. Anyone else hit this? I'm using a dell laptop, so I don't think this is related to the VIA Bios issue I've read about on the 'net.

Any help greatly appreciated. I'm not down with 3DES and all my test connections use AES encryption, so testing has become somewhat impossible until I find a fix for this. I know I can upgrade, but Fedora6 is rock-solid stable and I love my beryl-setup with all that eye-candy. Can't get it to work in FC7. All help appreciated.

steve.

Turbo Fredriksson wrote:

Quoting steve hillier [EMAIL PROTECTED]:

So, first you need to get nm aware of the nm-openswan vpn service (see above).

Being a Debian GNU/Linux developer, the first thing I did (after trying it 'your way' :) was to create a .deb package. All this works perfect. Got network manager to see the new service etc...

You'll know it's working, when you can add the IPsec type of vpn connection through the vpn manager interface. Selecting this will start a wizard which eventually calls out to my shared library to configure the connection details.

This is where it breaks.
SOMETIMES (especially if I'm running with strace or gdb), I can briefly see a window pop up. But this is where it segfaults...

If you're debugging the shared library, it's at this point, your debugger will go active (when nm tries to load my library and call the factory method to instantiate the configuration window). This is where the library tries to build a GUI and crashes.

Right..

I Just recently I realized that I may be creating my config window entirely wrong. I'm building a top-level window when I should be adding elements to the wizard window (I think).

Seems reasonable, because nm says:

(nm-vpn-properties:20827): Gtk-WARNING **: Can't set a parent on a toplevel widget

Unfortunately, gdb doesn't catch the segfault so I can't get a back trace... And I can't get anjuta to recognize the project. And I'm as green as you when it comes to coding GUI's with GTK...
Re: nm-openswan - update
Nice to hear others had use for the code (if it actually worked ;) ).

When I started, I developed in Anjuta on fedora 6. I was mainly interested in the symbol browser and debugging features of Anjuta. Especially when I started experimenting with libwhack integration. It wasn't long into that experiment when I realized a problem that prevented me from proceeding down that path, and so I backed off those code mods and went back to calling whack from my app (see the version magic #define in libwhack.h from the openswan src tarball ). The problem, simply, was that it introduced a version dependency between nm-os and openswan that I felt was unacceptable.

It was then that I started re-factoring the code to clean up the mess and sort out some logic bugs. Once the logic was fixed my code compiled, and that's when I ran into the type-casting issues with my gui objects, and that problem stalled the entire project -- there's only so much GUI api doc u can read and with my new job, very little time to do any actual debugging. I eventually moved my dev environment to a new laptop, and it took some time before I could get NM-OS compiling again (Even though the laptop was also running fedora 6).

My bad. This wasn't a dist code tar ball that would simply compile. This was a snapshot of my development workspace as it stood at that time. I've continued to work on the code in my limited spare time under anjuta with mixed results. I'm also new to GTK coding and I suck at it which is why it's so slow going.

Since starting my new job, I've been forced to learn Java, and specifically J2EE programming in a hurry. As with most Java coders, Eclipse is my IDE of choice for many reasons. In fact, I use Redhat developer studio beta2 (you can guess which j2ee server I'm learning). Now I just recently discovered that Eclipse has a plugin to support C/C++ development.
I'm working on getting nm-openswan building under eclipse, and my reason is simple: it's got a killer debugger and awesome ide tools. The symbols browser alone chews anjuta. If I succeed, then I'll package up my workspace and mail that out. In the mean time, all I can say is keep plugging away at anjuta. Once I get back to code that actually runs (at least some of the time) I'll send another tarball out, one I'm not ashamed to put my name on. I haven't forgotten the project, other priorities just 'butted' in line. Sorry.

Things to try under anjuta:

- don't use anjuta to compile. I use it for editing and debugging only. I usually run make from the cmd line.
- run `make clean && make && make install` from the top-level of the src dir.
- explore the src dir to /usr/local/src (that's the path I used to store my dev src).

If you're not familiar with the inner workings of NetworkManager, get the source and start reading the code / api docs. Certain files have to be visible in specific locations for the NetworkManager to see the new vpn service. One in particular that comes to mind is in /etc/NetworkManager/vpn (or something to that effect). My install script settings place my service configuration file in /usr/local/etc/NetworkManager/vpn/blahbah. As of NetworkManager 0.6.x it didn't scan that folder automatically, so after 'make install' on a new system, I would have to symlink my file to /etc/NetworkManager/vpn/ before restarting NetworkManager daemon to have it pickup the service. The logs of the daemon will tell you if it knows about the new vpn service on a restart if you turn up the logging. Not sure if the same is true for the 0.7 code branch.

Maybe in a few months (when things finally settle down at work), I'll port my code to 0.7 code base and get it compiling again. I know some of the stuff I wanted to do wasn't possible until planned changes to the vpn api were implemented (to manage multiple concurrent vpn connections, etc...).
Maybe others on the list can update you on the status of that change. For now, I tinker with my debugger from time to time on Fedora 6, still using the old 0.6.x code base that I started with, just until I get the GUI bugs worked out.

To debug in anjuta, there's a process to be followed. Remember, this is a shared library, not a binary executable, that executable is the NM daemon itself which listens on the DBUS for vpn service request messages (amongst many other things). So, first you need to get nm aware of the nm-openswan vpn service (see above). You'll know it's working, when you can add the IPsec type of vpn connection through the vpn manager interface. Selecting this will start a wizard which eventually calls out to my shared library to configure the connection details. If you're debugging the shared library, it's at this point, your debugger will go active (when nm tries to load my library and call the factory method to instantiate the configuration window). This is where the library tries to build a GUI and crashes. I Just recently I realized that I may
OpenSWAN
I need OpenSWAN support in NetworkManager, but only found 'work in progress' (no links to where/how to get it/set it up). It's not in the SVN trunk... Where can I get it so I can help? I can't (don't want to :) wait for 'steve' to get time to do it. If I can't get it NOW, then I'll just have to roll up my sleeves and help :).
Re: OpenSWAN
On 7/22/07, Turbo Fredriksson [EMAIL PROTECTED] wrote:

I need OpenSWAN support in NetworkManager, but only found 'work in progress' (no links to where/how to get it/set it up). It's not in the SVN trunk... Where can I get it so I can help? I can't (don't want to :) wait for 'steve' to get time to do it. If I can't get it NOW, then I'll just have to roll up my sleeves and help :).

I think you will probably need to roll up your sleeves ;-) Maybe Steve can put the code he has worked on somewhere for you to start hacking on it?
Re: nm-openswan is alive again!
Technically speaking, you should be able to run as many concurrent IPsec connections as you want. In reality, I've used openswan to run up to 4 separate and independent concurrent IPsec tunnels, some with and without Virtual interfaces (for DHCP over IPsec). My goal is to make NM-Openswan capable of doing the same thing, but as we've discussed previously, the nm-VPN API's weren't really designed to handle the case of multiple concurrent vpn connections.

I'm currently reviewing the proposed changes to the VPN API and comparing it to the over all design of my plugin to see how to find a working model that can be used for any VPN client (not just openswan). Ideally, I think NM should be able to handle any number of concurrent Point-to-Point vpn connections with split tunneling. Of course some vpn clients don't support split tunneling (Cisco vpn is one I think) which is more akin to the one-off style design of the current API.

It all comes down to routing table modifications. For example, Pluto (the daemonized portion of Openswan) automatically handles routing table modifications, whereas others will receive those modifications and pass them back to nm for processing in: nm_vpn_ip4config(). Given that vpnc, openswan, openvpn, and most other vpn clients are simply getting front-ends and DBUS integration, I'd like to allow the native clients to handle the requisite routing table mods and use nm to monitor, control, and create / modify the parameters of the connection configs passed to the actual vpn client.

To try and supplant that functionality within the nm-vpn plugin architecture will introduce dependencies between nm and specific versions of various vpn clients which is not what we want (IMHO). For example, if the internal API's of Openswan change, and my nm-openswan plugin replaces the functionality of parts of the openswan distribution, then there's a good chance my plugin will break on new subsequent releases of the openswan client.
Whereas if I simply control the components of Openswan from my plugin, along with passing connection configs and status across DBUS for monitoring, I can expect that the user-end functionality of the openswan client to change very little, and *hopefully* my nm-openswan vpn plugin will work with new releases of openswan, regardless of any internal API changes to the openswan client.

If I'm repeating someone else's ideas, it's because I'm still catching up on the mailing list. As always, all comments are welcome.

Steve.

NB: Thanks for all the replies, it's good to know so many are interested in this plugin. As a bonus, I've been given access to a variety of supposedly IPsec compliant gateways. I'll have lots of variety for my testing, and it should validate my initial testing results that showed OpenSwan as the ideal choice for standard IPsec vpn connections when I started writing the nm-vpn plugin.

Dan Williams wrote:

On Mon, 2007-06-11 at 23:34 +0200, Tomáš Hnyk wrote:

On Sun, 10 Jun 2007 01:46:15 +0200, Dan Williams [EMAIL PROTECTED] wrote:

On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.
Does this also mean that it will be possible to use VPN even if the network connection is not managed through NM but is set to static as described here: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/115750 - or is that only an Ubuntu thing?

NM by definition won't know (and therefore won't care) about connections that aren't known to NM. That's as it should be. On the other hand, the configuration information will soon be flexible enough to deal with most of the cases, but that's already mostly the case for VPNs.

Dan
Re: nm-openswan is alive again!
Dan Williams wrote:

On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.

Hi, This new API will make possible to have multiple VPN connections with openvpn plugin? This will be plugin side work, or the code we already have, will still work? Thanks.
Re: nm-openswan is alive again!
On Sun, 10 Jun 2007 01:46:15 +0200, Dan Williams [EMAIL PROTECTED] wrote:

On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.

Does this also mean that it will be possible to use VPN even if the network connection is not managed through NM but is set to static as described here: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/115750 - or is that only an Ubuntu thing?

Tomas
Re: nm-openswan is alive again!
Tomas, that is an Ubuntu specific issue.

On 6/11/07, Tomáš Hnyk [EMAIL PROTECTED] wrote:

On Sun, 10 Jun 2007 01:46:15 +0200, Dan Williams [EMAIL PROTECTED] wrote:

On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.

Does this also mean that it will be possible to use VPN even if the network connection is not managed through NM but is set to static as described here: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/115750 - or is that only an Ubuntu thing?

Tomas
Re: nm-openswan is alive again!
On Mon, 2007-06-11 at 23:34 +0200, Tomáš Hnyk wrote:

On Sun, 10 Jun 2007 01:46:15 +0200, Dan Williams [EMAIL PROTECTED] wrote:

On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.

Does this also mean that it will be possible to use VPN even if the network connection is not managed through NM but is set to static as described here: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/115750 - or is that only an Ubuntu thing?

NM by definition won't know (and therefore won't care) about connections that aren't known to NM. That's as it should be. On the other hand, the configuration information will soon be flexible enough to deal with most of the cases, but that's already mostly the case for VPNs.

Dan
nm-openswan is alive again!
Hi,

Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me.

Steve.
Re: nm-openswan is alive again!
On Sat, 2007-06-09 at 18:03 -0400, steve wrote:

Hi, Just a quick post to inform anyone who cares, that I've finished my employment transition, re-created my development environment and I've re-started work on the openswan vpn plugin. I've made two design changes to allow for multiple concurrent vpn connections (in future releases) as it will be required for my new job. I'll post again when I've got a tar ball for others to test.

Awesome! You might want to look at an email recently sent about a new API for VPNs to see if it would also work for openswan. Proposal for a new VPN DBUS interface - May 8th

Dan

If anyone feels inclined to help with the effort (which is mainly bug fixing at this point), feel free to contact me. Steve.
nm-openswan dev update - debugging properties library help needed
Hi all,

Just thought I should post a quick update, and post a request for help at the same time. I'm almost at 0.1a code level. I have several major bugs to fix before I reach that milestone, but once reached, that will be first release. NM Registers my new DBUS path for the openswan service on startup and the nm-openswan-service handler appears to be stable (finally).

My first and biggest problem has to do with debugging shared libraries with Anjuta/gdb: How do you do it? I wrote my library to implement the UI to configure a connection, but even though it builds no problem, it won't load for some reason...

The situation is this: when nm-vpn-properties loads, it parses my service file (from /etc/NetworkManager/VPN) and then tries to load /usr/local/lib/libnm-os-properties.so but I get this nm_warning output:

Cannot open module '/usr/local/lib/libnm-os-properties'

-- yes I checked for typos and spelling mistakes ;) --

I ran 'strace nm-vpn-properties' to find out what's failing, and it does find the library and opens it successfully:

    brk(0x9599000) = 0x9599000
    open(/etc/NetworkManager/VPN/nm-openswan-service.name, O_RDONLY|O_LARGEFILE) = 14
    fstat64(14, {st_mode=S_IFREG|0644, st_size=220, ...}) = 0
    read(14, [VPN Connection]\nname=openswan\ns..., 4096) = 220
    read(14, , 4096) = 0
    close(14) = 0
    stat64(/usr/local/lib/libnm-os-properties, 0xbfe45d4c) = -1 ENOENT (No such file or directory)
    stat64(/usr/local/lib/libnm-os-properties.so, {st_mode=S_IFREG|0755, st_size=84578, ...}) = 0
    open(/usr/local/lib/libnm-os-properties.so, O_RDONLY) = 14
    read(14, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340 \0..., 512) = 512
    fstat64(14, {st_mode=S_IFREG|0755, st_size=84578, ...}) = 0
    mmap2(NULL, 29652, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 14, 0) = 0x4f6000
    mmap2(0x4fd000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 14, 0x7) = 0x4fd000

^- here's the problem I think... but that's as close as I can get.
My instincts tell me this is a memory allocation error where I'm not initializing or declaring some var before I use it... but that would come back to being able to debug my shared lib. The mapped memory addresses seem kinda small to me compared with those of the openvpn and vpnc shared libs loaded in the same stack trace.

Here's the rest of the relevant trace:

    close(14) = 0
    mprotect(0x4f6000, 28672, PROT_READ|PROT_WRITE) = 0
    munmap(0x4f6000, 29652) = 0
    write(2, \n** (nm-vpn-properties:7763): WA..., 98
    ** (nm-vpn-properties:7763): WARNING **: Cannot open module '/usr/local/lib/libnm-os-properties'
    ) = 98

So how can I debug my shared-lib and figure out why it's failing to load? All help appreciated as I've been banging my head against the key-board for days (soon time for a new one). I've got everything else for basic functionality coded, building and installing fine, but until I can define a connection, testing cannot proceed.

If anyone has any suggestions, please send them asap before I go crazy with this one ;)

Thanks,
Steve.
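One way to get the dynamic loader's own reason for a failure like the "Cannot open module" warning in the message above, as an added example that is not part of the thread or of the plugin's code: it calls dlopen() with RTLD_NOW and reports dlerror(), then optionally checks that an entry-point symbol is exported. The library path and symbol name are supplied by the caller; no nm-openswan symbol names are assumed.

```c
/* Added example (not from the thread): ask the dynamic loader why a plugin
 * library refuses to load, instead of inferring it from strace output. */
#include <dlfcn.h>
#include <stdio.h>

/* Store a loader message in err, if the caller provided a buffer. */
static void store_error(char *err, size_t errlen, const char *msg)
{
    if (err != NULL && errlen > 0)
        snprintf(err, errlen, "%s", msg != NULL ? msg : "unknown loader error");
}

/*
 * Load `path` with RTLD_NOW so that every undefined symbol must resolve at
 * load time; a library that builds cleanly can still fail at this step.
 * A NULL path means "the running program itself" (useful as a self-check).
 * Returns 0 on success, -1 on failure with the loader's message in `err`.
 */
int probe_module(const char *path, char *err, size_t errlen)
{
    void *handle;

    store_error(err, errlen, "");
    dlerror();                          /* clear stale error state */
    handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {
        store_error(err, errlen, dlerror());
        return -1;
    }
    dlclose(handle);
    return 0;
}

/*
 * Load `path` and check that it exports `symbol`, for example the entry
 * point a plugin host looks up after loading the library.
 * Returns 0 if the symbol is found, -1 otherwise with the reason in `err`.
 */
int probe_symbol(const char *path, const char *symbol, char *err, size_t errlen)
{
    void *handle;
    const char *msg;
    int rc = 0;

    store_error(err, errlen, "");
    dlerror();
    handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {
        store_error(err, errlen, dlerror());
        return -1;
    }
    dlerror();                          /* dlsym reports failure via dlerror */
    (void)dlsym(handle, symbol);
    msg = dlerror();
    if (msg != NULL) {
        store_error(err, errlen, msg);
        rc = -1;
    }
    dlclose(handle);
    return rc;
}

int main(int argc, char **argv)
{
    char err[512];

    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/plugin.so [entry_symbol]\n", argv[0]);
        return 2;
    }
    if (probe_module(argv[1], err, sizeof err) != 0) {
        fprintf(stderr, "load failed: %s\n", err);
        return 1;
    }
    if (argc > 2 && probe_symbol(argv[1], argv[2], err, sizeof err) != 0) {
        fprintf(stderr, "symbol lookup failed: %s\n", err);
        return 1;
    }
    puts("module loads and resolves cleanly");
    return 0;
}
```

On glibc older than 2.34, link with `-ldl`.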
Re: nm-openswan development update
On Sun, 2007-03-25 at 20:05 -0400, steve wrote:

Hi, It's been busy at work and hence development slows down accordingly, but my weekends are free and I've made some big strides this weekend. I also wasted about 5 hours of my time today (not to mention the frustration and head scratching for the past 3 weeks) at why the symbol plugin for Anjuta (my IDE) wasn't working reliably: it sometimes displayed correct data, then other times it wouldn't display that same data at all.

The 5 hours today went towards 3 efforts:

1. Try out eclipse (read the docs -- it doesn't support automake build systems)
2. Try out Kdevelop (well.. I'm not developing for KDE and it crashed every time I tried to import my project or create a new GTK+ project and import my source)
3. Try to compile the latest source of the next rev of Anjuta: Too many library version conflicts with my FC6 installation to make a sane build environment feasible on my laptop.

Then I stumbled across the reason for all my problems: I started with the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just like copying in school, you get the mistakes as well as the correct answers. Moral of the Story: Don't copy verbatim if you can avoid it.

After I fixed the problem ( which had to do with name/type conflicts on typedef struct definitions ) the symbol browser in FC6's default installation of Anjuta started working perfectly. Afterwards, I ran a build of the default vpc source (Just for kicks) and saw warnings about the same thing. Anyway, just wanted to save people time if anyone else is writing a vpn plugin, and started with the source an existing one for reference like I did.

Development continues on nm-openswan and I hope to have a complete set of working alpha code for all targets of the plugin in about 2 weeks. At that point I'm going to setup some kind of CVS repository for the dist.
If anyone knows openswan well, or cares to help me figure this one out, feel free to offer advice. Here's my dilemma:

Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec connection

What's involved in the whack code to initiate/terminate the connection? i.e. how complex is the code there?

dan

-OR- integrate the code for whack into my project and link against it at build time (so my code actually talks directly to pluto through a socket). I don't like this idea as my code becomes dependent on a specific version of openswan (it's hard to explain the why of that). Each new major rev of openswan will require an update to my source and a recompile to work again and introducing dependencies doesn't seem to fit with the design goals of NetworkManager.

Hopefully not; is the whack/pluto interface considered internal API to the project? If so, that's pretty dumb because apparently the only public interface they offer is suboptimal CLI tools. We do not want to wrap CLI tools with GUI bits, we want the GUI bits to be capable of the full functionality for a variety of reasons.

Dan

All feedback welcome. I'll send another update once I've got this problem licked and the alpha code compiles (without segfaults at runtime ;)

Steve.
Re: nm-openswan development update
Dan Williams wrote:
> On Tue, 2007-03-27 at 19:34 -0400, Darren Albers wrote:
>> On 3/25/07, steve [EMAIL PROTECTED] wrote:
>>> Hi,
>>>
>>> It's been busy at work and hence development slows down accordingly, but my weekends are free and I've made some big strides this weekend. I also wasted about 5 hours of my time today (not to mention the frustration and head scratching for the past 3 weeks) at why the symbol plugin for Anjuta (my IDE) wasn't working reliably: it sometimes displayed correct data, then other times it wouldn't display that same data at all.
>>>
>>> The 5 hours today went towards 3 efforts:
>>>
>>> 1. Try out eclipse (read the docs -- it doesn't support automake build systems)
>>> 2. Try out Kdevelop (well.. I'm not developing for KDE and it crashed every time I tried to import my project or create a new GTK+ project and import my source)
>>> 3. Try to compile the latest source of the next rev of Anjuta: Too many library version conflicts with my FC6 installation to make a sane build environment feasible on my laptop.
>>>
>>> Then I stumbled across the reason for all my problems: I started with the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just like copying in school, you get the mistakes as well as the correct answers.
>>>
>>> Moral of the Story: Don't copy verbatim if you can avoid it.
>>>
>>> After I fixed the problem (which had to do with name/type conflicts on typedef struct definitions) the symbol browser in FC6's default installation of Anjuta started working perfectly. Afterwards, I ran a build of the default vpnc source (just for kicks) and saw warnings about the same thing.
>>>
>>> Anyway, just wanted to save people time if anyone else is writing a vpn plugin, and started with the source of an existing one for reference like I did.
>>>
>>> Development continues on nm-openswan and I hope to have a complete set of working alpha code for all targets of the plugin in about 2 weeks. At that point I'm going to set up some kind of CVS repository for the dist.
>>>
>>> There is still one big design question to be answered through testing. If anyone knows openswan well, or cares to help me figure this one out, feel free to offer advice.
>>>
>>> Here's my dilemma:
>>>
>>> Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec connection
>>>
>>> -OR-
>>>
>>> integrate the code for whack into my project and link against it at build time (so my code actually talks directly to pluto through a socket). I don't like this idea as my code becomes dependent on a specific version of openswan (it's hard to explain the why of that). Each new major rev of openswan will require an update to my source and a recompile to work again and introducing dependencies doesn't seem to fit with the design goals of NetworkManager.
>>>
>>> All feedback welcome. I'll send another update once I've got this problem licked and the alpha code compiles (without segfaults at runtime ;)
>>>
>>> Steve.
>>
>> Hi Steve!
>>
>> Thank you for the update, so far it looks great. Sorry for the late response; I flagged your earlier email to respond to it but travel kept me from doing it.
>>
>> I was looking at your earlier screenshot and I was curious if it was possible to set the password to prompt for people with RSA tokens and what options were there for Xauth? With the nortel client there is a group username and password and the connection properties dialog seemed to permit either a Pre-shared key or Certificate but not just X-auth, or am I misreading the dialog?
>>
>> Regarding SVN, once the plugin reaches a somewhat usable state Dan might be willing to host it on the gnome svn with the other VPN plugins but I am not sure what his or gnome's requirements would be.
>>
>> I haven't looked at the VPNC or OpenVPN plugin code in a while but if I remember properly they just call vpnc or openvpn directly so it seems like calling openswan that way would be in line with the other plugins, however I have never used Openswan so I am not sure of any limitations or issues with that.
>
> Openswan appears to be a bit different since there isn't really one particular daemon that runs with each connection. It uses internal kernel support to set up IPSec connections with different hosts and such, and there's apparently one daemon that handles everything. From my reads it looked pretty involved and unlike the current one-shot VPN plugins that we've already got, since the connections are persistent and don't terminate when the daemon terminates.
>
> Dan
>
>> Thank you again for taking this on! I suspect that a lot of people will find your work useful! I know I will if I can connect to my Nortel concentrator at work, it will allow me to remove my XP VM that I use now!
>>
>> Thanks!
>> Darren

Your analysis is correct -- Openswan VPN is much more difficult than the other NM vpn plugins
Re: nm-openswan development update
On 3/25/07, steve [EMAIL PROTECTED] wrote:
> Hi,
>
> It's been busy at work and hence development slows down accordingly, but my weekends are free and I've made some big strides this weekend. I also wasted about 5 hours of my time today (not to mention the frustration and head scratching for the past 3 weeks) at why the symbol plugin for Anjuta (my IDE) wasn't working reliably: it sometimes displayed correct data, then other times it wouldn't display that same data at all.
>
> The 5 hours today went towards 3 efforts:
>
> 1. Try out eclipse (read the docs -- it doesn't support automake build systems)
> 2. Try out Kdevelop (well.. I'm not developing for KDE and it crashed every time I tried to import my project or create a new GTK+ project and import my source)
> 3. Try to compile the latest source of the next rev of Anjuta: Too many library version conflicts with my FC6 installation to make a sane build environment feasible on my laptop.
>
> Then I stumbled across the reason for all my problems: I started with the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just like copying in school, you get the mistakes as well as the correct answers.
>
> Moral of the Story: Don't copy verbatim if you can avoid it.
>
> After I fixed the problem (which had to do with name/type conflicts on typedef struct definitions) the symbol browser in FC6's default installation of Anjuta started working perfectly. Afterwards, I ran a build of the default vpnc source (just for kicks) and saw warnings about the same thing.
>
> Anyway, just wanted to save people time if anyone else is writing a vpn plugin, and started with the source of an existing one for reference like I did.
>
> Development continues on nm-openswan and I hope to have a complete set of working alpha code for all targets of the plugin in about 2 weeks. At that point I'm going to set up some kind of CVS repository for the dist.
>
> There is still one big design question to be answered through testing. If anyone knows openswan well, or cares to help me figure this one out, feel free to offer advice.
>
> Here's my dilemma:
>
> Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec connection
>
> -OR-
>
> integrate the code for whack into my project and link against it at build time (so my code actually talks directly to pluto through a socket). I don't like this idea as my code becomes dependent on a specific version of openswan (it's hard to explain the why of that). Each new major rev of openswan will require an update to my source and a recompile to work again and introducing dependencies doesn't seem to fit with the design goals of NetworkManager.
>
> All feedback welcome. I'll send another update once I've got this problem licked and the alpha code compiles (without segfaults at runtime ;)
>
> Steve.

Hi Steve!

Thank you for the update, so far it looks great. Sorry for the late response; I flagged your earlier email to respond to it but travel kept me from doing it.

I was looking at your earlier screenshot and I was curious if it was possible to set the password to prompt for people with RSA tokens and what options were there for Xauth? With the nortel client there is a group username and password and the connection properties dialog seemed to permit either a Pre-shared key or Certificate but not just X-auth, or am I misreading the dialog?

Regarding SVN, once the plugin reaches a somewhat usable state Dan might be willing to host it on the gnome svn with the other VPN plugins but I am not sure what his or gnome's requirements would be.

I haven't looked at the VPNC or OpenVPN plugin code in a while but if I remember properly they just call vpnc or openvpn directly so it seems like calling openswan that way would be in line with the other plugins, however I have never used Openswan so I am not sure of any limitations or issues with that.

Thank you again for taking this on! I suspect that a lot of people will find your work useful! I know I will if I can connect to my Nortel concentrator at work, it will allow me to remove my XP VM that I use now!

Thanks!
Darren
nm-openswan development update
Hi,

It's been busy at work and hence development slows down accordingly, but my weekends are free and I've made some big strides this weekend. I also wasted about 5 hours of my time today (not to mention the frustration and head scratching for the past 3 weeks) at why the symbol plugin for Anjuta (my IDE) wasn't working reliably: it sometimes displayed correct data, then other times it wouldn't display that same data at all.

The 5 hours today went towards 3 efforts:

1. Try out eclipse (read the docs -- it doesn't support automake build systems)
2. Try out Kdevelop (well.. I'm not developing for KDE and it crashed every time I tried to import my project or create a new GTK+ project and import my source)
3. Try to compile the latest source of the next rev of Anjuta: Too many library version conflicts with my FC6 installation to make a sane build environment feasible on my laptop.

Then I stumbled across the reason for all my problems: I started with the source to nm-vpnc (FC6 src rpm + redhat patches) and of course, just like copying in school, you get the mistakes as well as the correct answers.

Moral of the Story: Don't copy verbatim if you can avoid it.

After I fixed the problem (which had to do with name/type conflicts on typedef struct definitions) the symbol browser in FC6's default installation of Anjuta started working perfectly. Afterwards, I ran a build of the default vpnc source (just for kicks) and saw warnings about the same thing.

Anyway, just wanted to save people time if anyone else is writing a vpn plugin, and started with the source of an existing one for reference like I did.

Development continues on nm-openswan and I hope to have a complete set of working alpha code for all targets of the plugin in about 2 weeks. At that point I'm going to set up some kind of CVS repository for the dist.

There is still one big design question to be answered through testing. If anyone knows openswan well, or cares to help me figure this one out, feel free to offer advice.

Here's my dilemma:

Call out to /usr/libexec/ipsec/whack to initiate/terminate an ipsec connection

-OR-

integrate the code for whack into my project and link against it at build time (so my code actually talks directly to pluto through a socket). I don't like this idea as my code becomes dependent on a specific version of openswan (it's hard to explain the why of that). Each new major rev of openswan will require an update to my source and a recompile to work again and introducing dependencies doesn't seem to fit with the design goals of NetworkManager.

All feedback welcome. I'll send another update once I've got this problem licked and the alpha code compiles (without segfaults at runtime ;)

Steve.
Re: [RFC] nm-openswan
steve-210 wrote:
> Does anyone have need for this type of plugin, or is this software only useful for me?

Yes, and no! I would absolutely love this. I am using Ubuntu Linux at the moment and I'm loving network-manager, now with VPN support. Unfortunately, I can't connect to my VPN at work using OpenVPN. OpenSwan only. If you could hack this into network-manager, I think it could be a huge time saver for a good amount of people.

--
View this message in context: http://www.nabble.com/nm-openswan-tf3366858.html#a9483353
Sent from the Gnome - NetworkManager mailing list archive at Nabble.com.
re: More on nm-OpenSwan
On Sat, 2007-03-10 at 16:22 -0500, steve wrote:
> I'm trying to implement the ipsec connection startup command
>
> I'm using the function g_spawn_async_with_pipes to call the ipsec binary with the appropriate args. The process will terminate when successful.
>
> I want to pipe the output of the process (stdout) to a Status window (pop-up widget??) in real-time.

For debugging? Otherwise it's better to send meaningful error messages along with the failure signals that the VPN daemon sends to NM.

> I'm thinking I need to use a GIOChannel to capture the output this way. Can anyone clarify?
>
> example:
>
> <code>
> GFILE *output = g_fopen("//dev//stdout", "r");
> GIOChannel *connOutput = NULL;
> gchar * stdout_buffer;
> connOutput = g_io_channel_unix_new(output);
> while (g_io_channel_read_line(connOutput, &stdout_buffer, NULL, NULL, &error) != (G_IO_STATUS_EOF || G_IO_STATUS_ERROR)) {
>     nm_status_update("%s", stdout_buffer); //pseudo function for now
>     if (stdout_buffer == "\n\n") {
>         g_io_channel_close(connOutput);
>         g_fclose(output);
>         g_free(stdout_buffer);
>         return 0;
>     }
> }
> .
> </code>
>
> Does that make any sense or am I going about this the wrong way?

I think what you actually want to do is to spawn your process and specify your own file descriptors for stdout and stderr. See supplicant_exec() in src/nm-device-802-11-wireless.c of the NETWORKMANAGER_0_6_0_RELEASE branch.

Dan
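What Dan suggests above, giving the spawned process file descriptors you own for stdout and stderr, looks like this as an added example that is not from the thread or from NetworkManager; it uses plain POSIX pipe/fork/execv rather than GLib's g_spawn_async_with_pipes, and passes the command as an argv array so a connection name is never interpreted by a shell. run_and_capture, collect and demo_capture are hypothetical names, and the /bin/sh command is a constructed stand-in for `ipsec auto --up <name>`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (hypothetical helper, not NetworkManager code): run argv[0]
 * without a shell, pass each output line to cb, return the exit status or -1. */
int run_and_capture(char *const argv[], void (*cb)(const char *, void *), void *ctx)
{
    int fds[2], status;
    char buf[512];
    size_t used = 0;
    ssize_t n;
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: stdout and stderr into our pipe */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                      /* reached only if execv failed */
    }
    close(fds[1]);                       /* parent keeps only the read end */
    if (pid == -1) {                     /* fork failed */
        close(fds[0]);
        return -1;
    }
    while ((n = read(fds[0], buf + used, sizeof buf - 1 - used)) > 0) {
        char *start = buf, *nl;
        used += (size_t)n;
        buf[used] = '\0';
        while ((nl = strchr(start, '\n')) != NULL) {
            *nl = '\0';
            cb(start, ctx);              /* one complete line */
            start = nl + 1;
        }
        used = strlen(start);            /* partial line waits for the next read */
        memmove(buf, start, used + 1);
        if (used == sizeof buf - 1) {    /* over-long line: hand it over as is */
            cb(buf, ctx);
            used = 0;
        }
    }
    if (used > 0)
        cb(buf, ctx);                    /* last line had no trailing newline */
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static struct capture { int lines; char last[128]; } demo_result;
static void collect(const char *line, void *ctx)
{
    struct capture *c = ctx;
    c->lines++;
    snprintf(c->last, sizeof c->last, "%s", line);
}

/* Constructed stand-in for "ipsec auto --up <name>"; not real pluto output. */
int demo_capture(void)
{
    char *argv[] = { "/bin/sh", "-c",
        "echo negotiating; echo warning >&2; echo established; exit 3", NULL };
    memset(&demo_result, 0, sizeof demo_result);
    return run_and_capture(argv, collect, &demo_result);
}
```

In a GTK front end the read end of the pipe would be handed to the main loop (for example through a GIOChannel watch) instead of being read in a blocking loop, and the exit status would drive the failure signal sent to NM.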
More on nm-OpenSwan
Hi,

I'm working on this in my spare time so I apologize if this update seems delayed.

First, because nm-openswan depends on it for now, I'll explain and post my changes to the openswan init script.

In FC6, by convention, custom IPsec definitions are stored on a per-connection basis in files named conn.conf in /etc/ipsec.d. I've extended that same convention by adding the need for a corresponding conn.secrets file which consists of the following formatted data:

<WhiteSpace><RemoteGateway>: <TypeIdentifier><WhiteSpace><Key>

Example:
vpn.mydomain.org: PSK MyFirstPreSharedKey!

I will add support for certificates later (I don't use them myself).

Here's my patch to the init script, diff'd from the distro default:

<code>
--- ipsec2007-03-10 12:04:08.0 -0500 +++ ipsec.new2007-03-10 12:08:41.0 -0500 @@ -39,7 +39,6 @@ # Check that we are root ... so non-root users stop here [ `id -u` = 0 ] || exit 1 - me='ipsec setup'# for messages syslog () @@ -138,6 +137,33 @@ prog=IPsec + +gen_secrets() +{ +# generate /etc/ipsec.secrets from /etc/ipsec.d/*.secrets + +filter=`ip route show |grep default |cut -f 3 -d ' '|cut -d '.' -f 1,2,3`; +if_ip=`/sbin/ifconfig -a |grep $filter |cut -d ':' -f 2 |cut -f 1 -d ' '`; + +for i in /etc/ipsec.d/*.secrets; +do ( +echo -n $if_ip /etc/ipsec.secrets; +cat $i /etc/ipsec.secrets; +) +done; +return 0; +} + +reset_secrets() +{ +rm -f /etc/ipsec.secrets; +echo # DO NOT EDIT THIS FILE /etc/ipsec.secrets; +echo # This file is re-generated everytime the IPsec subsystem restarts. /etc/ipsec.secrets; +echo # Secrets should be stored in /etc/ipsec.d/*.secrets /etc/ipsec.secrets; + +return 0; +} + # do it start_it() { @@ -153,12 +179,15 @@ case $1 in start|--start|_autostart) +reset_secrets; +gen_secrets; start_it $1; RETVAL=$?; ;; stop|--stop|_autostop) stop_it $1; +reset_secrets; RETVAL=$?; ;; 
@@ -174,6 +203,8 @@ restart|--restart|force-reload) stop_it stop +reset_secrets; +gen_secrets; start_it start RETVAL=$? ;;
</code>

This is a simple automation that fixed a problem I had with reliably running multiple ipsec tunnels at the same time.

Now on to nm-openswan.

I started with the nm-vpnc code base as a guide to how the plugin is written and needs to function. I've re-written the Properties GUI to be suitable to configuring IPsec connections, and currently need to finish coding the callback handlers.

Here's how I'm approaching this plugin development thus far (feel free to correct / advise me):

nm-openswan will depend on a working installation of openswan and all its dependencies.
|- I've modified the init script for openswan that comes with FC6 to automate the startup procedure:
reason: matching with %any isn't reliable in my experience. auto-generating 1-to-1 matches using the IP of the nic that's assigned to %defaultroute proved much more reliable (100%) when managing multiple IPsec connections.

Every time the default interface changes, the ipsec service needs to be refreshed, which means nm-openswan needs to restart the ipsec service: /etc/init.d/ipsec restart

Every time a new IPsec connection is defined, the ipsec service needs to be refreshed to pick up the new connection: /etc/init.d/ipsec restart

nm-openswan will need to be able to start the openswan service if it's not running, restart it if a new connection has been added, or one has been deleted, or one has been modified (to refresh the configs).

The Service CANNOT be started before a network connection has been established (ie: %defaultroute exists)

Once the service is up, the connections defined in /etc/ipsec.d should be listed by name under the VPN Connections sub-menu, perhaps with the identifier IPsec: preceding it for clarity.

The Disconnect VPN functionality may have to change somewhat to accommodate multiple, simultaneous IPsec tunnels. A chooser to allow the selection of which connection to bring down is too much in my mind and deviates from the simplistic nature of the NetworkManager UI. Instead I was thinking of a toggle widget next to the Connection Name, allowing it to be toggled On/Off.

At the moment, I'm working on understanding and Coding up the functions for controlling the ipsec service and eventually, up-ing/down-ing individual connections.

I'm having a hard time finding a good explanation on the concepts of how the separate nm components use DBus. I could use a good explanation or pointer to some docs on how it all comes together conceptually.

Some specific questions I have:

How can I display the status of an SA negotiation in progress? on the command line, I type: ipsec auto --up <connectionname> <ENTER> and the output is streamed to the console as it negotiates the connection. I believe I need to capture this output and parse as it streams in, grep'ing
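Review bot: in the @@ -138,6 +137,33 @@ hunk, reset_secrets() removes /etc/ipsec.secrets with rm -f and recreates it, and gen_secrets() then copies every pre-shared key from /etc/ipsec.d/*.secrets into it, but nothing in the hunk sets a umask or a file mode, so the regenerated key file ends up with whatever the init script's umask allows. Set umask 077 at the top of reset_secrets() (or chmod 600 the file right after it is recreated) before any key is appended. In the same hunk gen_secrets() builds if_ip from grep $filter over ifconfig -a with $filter unquoted and holding only the first three octets of the default gateway: with no default route the pattern is empty, and with two addresses sharing that prefix if_ip holds more than one value, so check that exactly one address came back before writing.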
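Review bot: in the stop branch of the @@ -153,12 +179,15 @@ hunk, +reset_secrets; is inserted between stop_it $1; and RETVAL=$?;, so RETVAL now records the return value of reset_secrets (which always returns 0) and a failed stop_it is reported as success. Move reset_secrets below RETVAL=$?; or save the status of stop_it before calling it.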
re: More on nm-OpenSwan
I'm trying to implement the ipsec connection startup command

I'm using the function g_spawn_async_with_pipes to call the ipsec binary with the appropriate args. The process will terminate when successful.

I want to pipe the output of the process (stdout) to a Status window (pop-up widget??) in real-time.

I'm thinking I need to use a GIOChannel to capture the output this way. Can anyone clarify?

example:

<code>
GFILE *output = g_fopen("//dev//stdout", "r");
GIOChannel *connOutput = NULL;
gchar * stdout_buffer;
connOutput = g_io_channel_unix_new(output);
while (g_io_channel_read_line(connOutput, &stdout_buffer, NULL, NULL, &error) != (G_IO_STATUS_EOF || G_IO_STATUS_ERROR)) {
    nm_status_update("%s", stdout_buffer); //pseudo function for now
    if (stdout_buffer == "\n\n") {
        g_io_channel_close(connOutput);
        g_fclose(output);
        g_free(stdout_buffer);
        return 0;
    }
}
.
</code>

Does that make any sense or am I going about this the wrong way?

Thanks for any help.

Steve.
Re: nm-openswan
On Thu, 2007-03-08 at 08:32 +0100, Soren Hansen wrote:
> On Wed, Mar 07, 2007 at 09:08:47PM -0500, steve wrote:
>> Does anyone have need for this type of plugin, or is this software only useful for me?
>
> It could definitely be useful, please share it!

+1

Dan