On Tue, 2021-11-02 at 13:15 +0100, Petr Pisar wrote:
> On Tue, Nov 02, 2021 at 09:46:28AM +0000, Mattia Verga via devel wrote:
> > I was trying to set up a VPN to my work company network. It seems I need
> > to use IPSec XAuth PSK, so I found some guide on the internet that says to
> > set up a libreswan VPN.
> > I'm facing several problems, first of all I'm using Plasma KDE which
> > seems to not have a GUI for setup/editing libreswan VPNs. Plasma-nm only
> > has support for openswan. I've reported that upstream and downstream. So
> > I went setting up the VPN through nmcli: it doesn't work, but that's not
> > my point here.
> >
> > I was wondering how both plasma-nm and nmcli allow to setup an openswan
> > VPN since openswan has been retired in Fedora many years ago... it also
> > seems to work (well, in some way, since the connection fails) even if
> > there's no NM plugin or openswan package installed.
> > How is it possible? Does NM bundle some openswan library itself? If so,
> > is it updated (latest Fedora openswan build was 8 years ago) or there
> > may be any security concern?
> >
> An explanation is that you have mistaken IPsec as a protocol and Openswan as an
> implementation of the protocol. There are multiple implementations of IPsec.
> E.g. in Fedora we have Strongswan and Libreswan. And NetworkManager plugins
> for both of them:
>
> # dnf repoquery --qf '%{name} %{summary}' |grep IPsec
> NetworkManager-l2tp NetworkManager VPN plugin for L2TP and L2TP/IPsec
> NetworkManager-l2tp-gnome NetworkManager VPN plugin for L2TP and L2TP/IPsec - GNOME files
> NetworkManager-libreswan NetworkManager VPN plug-in for IPsec VPN
> ike-scan IKE protocol tool to discover, fingerprint and test IPsec VPN servers
> libreswan Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
> openvswitch-ipsec Open vSwitch IPsec tunneling support
> strongswan An OpenSource IPsec-based VPN and TNC solution
>
> So the answer is that nmcli in Fedora does use Openswan. It uses Strongswan or
> Libreswan.

Petr,
your message comes back quite unclear.

I think what you mean is that because there were multiple related
implementations of IPsec all derived from the same old project, NM
decided to support them all under the name "openswan", but it is
compatible also with configuring libreswan and strongswan, which were
forks of this project in the past and then developed independently.

Just to be clear, IPsec *is* a protocol, and Openswan *is* an
implementation, it's just that NM treats all of these implementations
the same and handles them all with a single plugin.

It'd be nice if NM renamed its plugin to something that just uses the
name IPsec, it would avoid a lot of confusion.

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc