Strongswan networkmanager plugin - Ubuntu 16.04

[defunctio]

Networkmanager has a UI plugin for strongswan, however the version of the package that ships with Ubuntu 16.04 does not function properly (does not appear in the menu). It has since been resolved in the source tree but the package for Ubuntu has not been updated.

https://wiki.strongswan.org/issues/1429
Fixed with version 1.4.0 of the plugin.

Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Harald Dunkel <[email protected]>
Architecture: amd64
Version: 1.3.1-1ubuntu1

Another note is that nmcli does have the ability to import configs/profiles on some NM plugins (openvpn, etc); however this feature is not implemented in the strongswan module and last I checked there was no issue on the matter.

[conorsch]

Another note is that nmcli does have the ability to import configs/profiles on some NM plugins (openvpn, etc)

I'm able to run nmcli con import type openvpn file <username>.ovpn just fine here, on nmcli v1.6.2 under Debian Stretch. The Ubuntu package may not provide this functionality, of course; haven't checked there.

[rufoa]

Neither the n-m applet nor nmcli supports importing strongswan configs fwiw (unlike the ovpn plugin):

$ nmcli con import type strongswan file rufo.sswan 
Error: failed to import 'rufo.sswan': the plugin does not support import capability.

There is no way to provide a custom cipher suite etc using the n-m plugin, which means negotiation fails with the default Algo server config. If you enable weak crypto ("Windows 10 support") in Algo it succeeds, but this isn't ideal.

[adworacz]

I just ran into this yesterday myself, and spent 20 minutes searching the web trying to figure out what was going on.

As it stands, we can setup an Ubuntu 16.04 server with Algo, but we can't use Ubuntu 16.04 as a client, which is an unfortunately poor user experience.

It is likely worth adding a line to the README/documentation somewhere noting that this is a known issue, and it should be fixed with the release of 17.04 (I believe).

[roycewilliams]

The README has been updated to note that Ubuntu 17.04 is the minimum version supported, but a little more info about why could be useful.

[defunctio]

I've taken a deeper look into this and unfortunately this does not work with 17.04 (beta) out of the box. While the network-manager-strongswan plugin is indeed updated to 1.4.1 which resolves the original issue noted here however; charon-nm attempts to establish the connection with the default ciphers as per proposal_create_default / proposal_create_default_aead in libcharon which do not include the ciphers we use in Algo resulting in connection failure. I have created and tested some patches I've made and confirmed they do work. This will still need cleaned up and approval of the implementation method before a PR is sent to strongswan though.

This network-manager-strongswan issue which makes the plugin completely inoperable has been open for 6 months in 16.04 and marked as 'UNDECIDED' so I'm afraid it will be quite some time before we see anything anytime soon.

I may provide patches or a PPA in the near future if necessary, though I'd prefer this just be pushed through official channels.

[dguido]

Well, what's the highest cipher suite we can use? We can handle it like Windows and optionally weaken the config.

[defunctio]

See #372.
I would still like to see these ciphers as defaults in libcharon or at least updates to charon-nm and network-manager-strongswan to accept alternate ciphers.

[melizeche]

@defunctio If you can provide the patches for libcharon that would be really helpful for me

[defunctio]

I've issued a PR to Strongswan strongswan/strongswan#67 for those who want to track this.

@melizeche You can find patches for strongswan_5.5.1-1ubuntu3 for Ubuntu 17.04 here or branch for 5.5.2 here.

It's recommended to build packages in a container (LXC or docker) to avoid build-dep clutter on your production environments.

For those interested in building strongswan to test the patch under Ubuntu 17.04;

sudo apt purge \*strongswan* \*charon*
mkdir ~/src; cd src; apt source strongswan; cd strongswan-5.5.1
apt build-dep strongswan -yy
curl -s https://gist.githubusercontent.com/defunctio/a0a37ac41b7bc97fc815fa7695740259/raw/fcc627e6adad6ea1f3e1669fd607403ecebbcd64/libcharon-algo.patch | patch -p1
EDITOR=/bin/true dpkg-source -q --commit . algo.patch
DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc -b -j8
sudo dpkg -i ../*.deb
sudo apt install network-manager-strongswan

To uninstall; sudo apt purge \*strongswan* \*charon*

[defunctio]

The following PRs we have submitted to add support for proposal selection in the NM GUI have now been merged into master. This should resolve our issues above we should see the reflected changes in the next major release.

• charon-nm IKE/ESP proposal support strongswan/strongswan#69
• network manager strongswan IKE/ESP proposal support strongswan/strongswan#70

While we will never see these SRU'd to 16.04 I'll see if we can get them backported.

[imgx64]

I filed an issue about the missing .sswan import ability: https://wiki.strongswan.org/issues/2361

[defunctio]

I actually began implementing this awhile ago, it's currently incomplete and therefor not functional. Primarily it's incomplete because I wanted to store PKCS12 data with libsecret and I ran into some issues with NM plugins though apparently their IPC for passing secrets is a forked process with stdin/stdout remapping communicating via an undocumented text protocol that can easily be broken by the contents of data stored secrets...

https://github.com/defunctio/strongswan-import
https://github.com/defunctio/strongswan/tree/strongswan-import

Writing glib nm plugins conforming to C90 is... well I'll get around to finishing it before too long.

[TafariD]

Wait, so I'm trying to install algo for use as a VPN, what do I have to do to run it on Linux? I see you guys talking about the issue but I still don't know what to do :P

[defunctio]

see: https://github.com/trailofbits/algo/blob/master/docs/client-linux.md
You will need to use the ipsec cli for a client under linux for now.

[Ramblurr]

The readme conflicts with the advice to use the ipsec cli:

In order to support Linux Desktop clients, choose the "compatible" cryptography during the deploy process and use at least Network Manager 1.4.1.

Is no connection from network manager possible even with an updated/latest nm?

[rsclarke]

I was keen on getting this to work with Fedora 26 however only version 1.4.0 of the NetworkManager Applet is provided in the repository.

I have a working copy of 1.4.2 on copr (rsclarke/NetworkManager-strongswan) which you can enable and install the NetworkManager-strongswan and NetworkManager-strongswan-gnome packages giving you @defunctio's extra cipher options fields (strongswan/strongswan#70).

The IKE and ESP fields can be filled in with (for example), and assuming you opted for Windows/Linux client support when creating the server;

• IKE: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256
• ESP: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256

I found ending the lines/fields with ! raised charon-nm[14709]: 04[CFG] algorithm 'ecp256!' not recognized in journalctl.

The only additional thing is to ensure the strongswan package is at version 5.5.3, this is available from the updates repo.

Alternatively I came across this comment using nmcli instead to enable the proposals, though I have not tried this.

[Ramblurr]

@rsclarke I also built my own packages yet I ran into SELinux denial errors. Did you get this working in F26? Did you disable or change the SELinux policies?

[rsclarke]

@Ramblurr Yes, I forgot about this. Initially there will be two denials for open and read on the keys and certificates you specify because they have the wrong file context. You can go through the loop twice and perform (as root);

# ausearch -c 'charon-nm' --raw | audit2allow -M my-charonnm
# semodule -X 300 -i my-charonnm.pp

as it indicated in the SELinux Troubleshooter.

However thanks for your prompt, there is a better way using the file contexts. I removed the module with sudo semodule -X 300 -r my-charonnm and set the appropriate file context on the keys and certificates (ipsec_key_file_t) instead. I keep these in a .algo folder in my home directory so I used the following to set the file context.

sudo semanage fcontext -a -t ipsec_key_file_t "/home/rc/.algo(/.*)?"
sudo restorecon -R -v /home/rc/.algo

This should remove the SELinux denial errors and assuming all else is configured correctly, enable it to connect.

[Ramblurr]

@rsclarke Do you not get dbus errors like this?

Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] openssl FIPS mode(2) - enabled
Oct 02 15:55:52 aquinas charon-nm[16895]: Failed to initialize VPN plugin: Connection ":1.170" is not allowed to own the service "org.freedesktop.NetworkManager.strongswan" due to security policies in the configuration file
Oct 02 15:55:52 aquinas charon-nm[16895]: object NMStrongswanPlugin 0x557169b1a170 finalized while still in-construction
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[CFG] DBUS binding failed
Oct 02 15:55:52 aquinas charon-nm[16895]: Custom constructor for class NMStrongswanPlugin returned NULL (which is invalid). Please use GInitable instead.
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] feature CUSTOM:NetworkManager backend in critical plugin 'nm-backend' failed to load
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[LIB] failed to load 1 critical plugin feature
Oct 02 15:55:52 aquinas charon-nm[16895]: 00[DMN] initialization failed - aborting charon-nm

[rsclarke]

@Ramblurr My mistake, yes I am also seeing those errors now (not used in a while), despite it working when I posted 🤷‍♂️.

I removed the reverted patch as I thought the updated strongswan 5.5.3 package was providing nm-strongswan-service.conf (as in the upstream repo). However this is not the case and the NetworkManager-strongswan must still provide it. I reintroduced a similar patch (https://github.com/rsclarke/NetworkManager-strongswan/commit/1889697769963732239de5ad30c97b0554bf514f) with a slight tweak to Makefile.am as the original was failing to apply.

The copr repo has been updated with these changes as 1.4.2-2. I am no longer seeing those errors and can connect again. Hope this helps.

[navid-taheri]

Is there any cli alternative for Ubuntu instead of Strongswan networkmanager plugin?

[ivanixgames]

the documentation at https://github.com/trailofbits/algo/blob/master/docs/client-linux.md
fails for ubuntu 16.04 because the command ansible-playbook does not exist on a standard install of Ubuntu desktop.

[imgx64]

Alternatively I came across this comment using nmcli instead to enable the proposals, though I have not tried this.

I tried on Fedora Workstation 27 and it works without the copr repo.

Here's the command I ran:

nmcli c modify "your vpn name (tab completion works here)" +vpn.data 'proposal=yes' +vpn.data 'ike=aes128gcm16-prfsha512-ecp256;aes128-sha2_512-prfsha512-ecp256;aes128-sha2_384-prfsha384-ecp256' +vpn.data 'esp=aes128gcm16-ecp256;aes128-sha2_512-prfsha512-ecp256'

But note that opening the VPN dialog in the NetworkManager GUI will remove the cipher options, and you have to run the command again.

[in-in]

Am I right there is no way to use Ubuntu 16.04 as a client without any magic?

[dguido]

Pretty much. Network-Manager is not at the quality or the right out of the box configuration that we want. I hope this changes in 18.04.

You can always just setup strongswan directly with one of the client configs and that will work without much issue.

[gaviriar]

It seems like for some linux box's may not be able to connect via strongswan directly with one of the client configs as there is an issue with some kernel version.

As references here: #584

Any ideas how to resolve this issue?

[dguido]

Nope, network-manager seems like a useless endeavor. As you mentioned, you probably want to use the included client configs and set up strongswan via the command line, or do the same with wireguard.