# networkmanager-strongswan

## rickvernam

This serves to chronicle my solution to getting certificate-based IKEv2 connection via NetworkManager to a strongswan VPN server without actually installing networkmanager-strongswan.

To start, I noticed that network manager already had an option to add IPSec based VPN (strongswan), and that the network manager configuration had all the pertinent things I needed: gateway server & certificate path, as well as cert & private key for authentication.  My certs are not password protected, so I didn't need to bother with the private key password.

To be honest, I'm not entirely sure how that got to be there...but I know it was there before I installed strongswan...

So I emerged strongswan with the networkmanager useflag enabled in order to get charon-nm & configured the pertinent fields in the network manager connection editor.

However, when I tried to connect the VPN, I received an error:

> The VPN service 'org.freedesktop.NetworkManager.strongswan' was not installed.

I therefore assumed I would need to use networkmanager-strongswan.  There is an ebuild in some overlay, but it doesn't build without tinkering and has a bunch of gnome dependencies...

I downloaded the source from strongswan site directly and looked at what files it would install, and found that two text files can be extracted and installed independent from the rest of the package:

/etc/NetworkManager/VPN/nm-strongswan-service.name

```
[VPN Connection]
name=strongswan
service=org.freedesktop.NetworkManager.strongswan
program=/usr/libexec/ipsec/charon-nm

[GNOME]
auth-dialog=/usr/libexec/nm-strongswan-auth-dialog
properties=libnm-strongswan-properties
```

/etc/dbus-1/system.d/nm-strongswan-service.conf

```
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
        <policy context="default">
                <deny own="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_interface="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
</busconfig>
```

The auth-dialog /usr/libexec/nm-strongswan-auth-dialog does not actually exist.  Also, the fact that libnm-strongswan-properties does not exist either is, apparently, okay b/c network manager had the strongswan IPSec based VPN entry anyway.

I suppose that so long as NM doesn't have to prompt the user for auth to connect a VPN, it should work just fine.

So I created those two files manually, and it works great!
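A check for the two hand-installed files described in the post above, as an added example that is not part of the original thread and not strongSwan's own code: it reports paths named in the `.name` file that do not exist and confirms that only root may own the D-Bus service name. The function name `audit` and the abridged sample inputs are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed, abridged copies of the two files from the post.
NAME_FILE = """\
[VPN Connection]
service=org.freedesktop.NetworkManager.strongswan
program=/usr/libexec/ipsec/charon-nm
[GNOME]
auth-dialog=/usr/libexec/nm-strongswan-auth-dialog
"""
DBUS_POLICY = """\
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root"><allow own="org.freedesktop.NetworkManager.strongswan"/></policy>
  <policy context="default"><deny own="org.freedesktop.NetworkManager.strongswan"/></policy>
</busconfig>
"""

def audit(name_text, policy_xml, exists):
    """Return a list of findings; `exists` is a path-existence callable."""
    cfg = configparser.ConfigParser()
    cfg.read_string(name_text)
    service = cfg["VPN Connection"]["service"]
    findings = []
    # Every helper binary the .name file points at should be present.
    for section, key in (("VPN Connection", "program"), ("GNOME", "auth-dialog")):
        path = cfg.get(section, key, fallback=None)
        if path and not exists(path):
            findings.append(f"missing {key}: {path}")
    # Only root should be allowed to own the VPN plugin's bus name.
    owners, default_denied = [], False
    for policy in ET.fromstring(policy_xml).iter("policy"):
        who = policy.get("user") or policy.get("group") or policy.get("context")
        if any(a.get("own") == service for a in policy.iter("allow")):
            owners.append(who)
        if policy.get("context") == "default":
            default_denied |= any(d.get("own") == service for d in policy.iter("deny"))
    if owners != ["root"]:
        findings.append(f"bus name ownable by: {owners}")
    if not default_denied:
        findings.append("default context does not deny owning the bus name")
    return findings

if __name__ == "__main__":
    import os
    for finding in audit(NAME_FILE, DBUS_POLICY, os.path.exists):
        print(finding)
```

On a real system, pass the contents of the two installed files instead of the samples.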

----------

## erolmutlu

What version of NetworkManager and strongswan?

Can you explain the little things?

Thanks

 *rickvernam wrote:*   

> This serves to chronicle my solution to getting certificate-based IKEv2 connection via NetworkManager to a strongswan VPN server without actually installing networkmanager-strongswan.
> 
> To start, I noticed that network manager already had an option to add IPSec based VPN (strongswan), and that the network manager configuration had all the pertinent things I needed: gateway server & certificate path, as well as cert & private key for authentication.  My certs are not password protected, so I didn't need to bother with the private key password.
> 
> To be honest, I'm not entirely sure how that got to be there...but I know it was there before I installed strongswan...
> ...

 

----------

## rickvernam

```
[ebuild   R    ] net-misc/networkmanager-1.0.12-r1::gentoo  USE="bluetooth consolekit dhclient introspection nss ppp wifi zeroconf -connection-sharing -dhcpcd -gnutls -modemmanager -ncurses -resolvconf (-selinux) -systemd -teamd {-test} -vala -wext" 3,410 KiB

[ebuild   R    ] net-misc/strongswan-5.3.4::gentoo  USE="caps constraints eap farp gcrypt gmp networkmanager non-root openssl strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm strongswan_plugins_ipseckey strongswan_plugins_lookip strongswan_plugins_rdrand strongswan_plugins_systime-fix -curl -debug -dhcp -ldap -mysql -pam -pkcs11 (-selinux) -sqlite -strongswan_plugins_blowfish -strongswan_plugins_ha -strongswan_plugins_led -strongswan_plugins_ntru -strongswan_plugins_padlock -strongswan_plugins_unbound -strongswan_plugins_unity -strongswan_plugins_vici -strongswan_plugins_whitelist" 4,315 KiB
```

I went through a few different things before I finally stumbled upon this, so I don't really have confidence that I truly know the little things.

Nonetheless, if you have some questions I'd be more than happy to try helping...

----------

## RayDude

Did anyone get this working? I need l2tp or strongswan to connect to my work and neither of them exist in portage.

----------

## Unb0rn

 *RayDude wrote:*   

> Did anyone get this working? I need l2tp or strongswan to connect to my work and neither of them exist in portage.

 

I have a problem with strong/libreswan too - these services just don't get added to networkmanager for me.

Also, shouldn't networkmanager-openswan be replaced with much newer networkmanager-libreswan?

----------

## RayDude

That's my understanding.

I'm guessing the package is out of date and someone needs to update it. I'm not really good at that sort of thing...

----------

