Fedora Core 5
NetworkManager, NetworkManager-vpnc
Wireless Driver IPW2200

Bill Moss
Updated October 27, 2006

Content

Introduction
Design Goals and Features
Supported Wireless Drivers
Installed Packages
Fedora Core System Setup
NetworkManager Setup
Access Point Settings
Broadcast and Hidden ESSIDs
Passwords and WEP Keys
Home Network, Broadcast ESSID
Campus Network, a Hidden ESSID
Context Menu
VPN Support
Configuration of Firestarter
Suspend to RAM
NAMED D-BUS Support
NetworkManager Interactions

Introduction

The November 8, 2004 FC3 release contained an early version of NetworkManager. On the NetworkManager homepage

  http://www.gnome.org/projects/NetworkManager/

the following statement can be found.

Networking on Linux right now is painful for the mobile desktop user, especially in comparison to other operating systems. A laptop user should never need to use the command line or configuration files to manage their network; it should "Just Work" as automatically as possible and intrude as little as possible into the user's workflow. NetworkManager attempts to make networking invisible. When moving into areas you've been before, NetworkManager automatically connects to the last network the user chose to connect to. Likewise, when back at the desk, NetworkManager will switch to the faster, more reliable wired network connection.

This article concerns the operation of NetworkManager running under Fedora Core 5 on an IBM T42 with a built-in Intel Pro 2200BG wireless adapter. NetworkManager has backends for Debian, Gentoo, Red Hat, Slackware, and SUSE.

Design Goals and Features

According to Dan Williams, the principle developer, NetworkManager was initially designed for the user who:

NetworkManager's Current List of Features includes the following.

Supported Wireless Drivers

Dan Williams posted the following note on this topic in January 2005.

  http://lkml.org/lkml/2005/1/25/296

This list of stuff that should get fixed in Linux wireless grew out of my attempt to put a GUI on top of Linux wireless with NetworkManager. I think the biggest issue here is that the Wireless Extensions API has stagnated a bit, and driver writers have gone off and done their own thing (for example, WPA support) because the WEAPI hasn't shown leadership in this area. That's fixable, and at this point doesn't seem to be a large amount of work . . . .

To work with NetworkManager, a wireless card must support WPA, and the driver must report the correct capability values to NetworkManager. A NetworkManager compatibility guide can be found at

  http://live.gnome.org/NetworkManagerHardware

The ipw2200 driver is discussed in a separate article.

Installed Packages

Here is a list of installed packages.

  http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/Fedora/RPMS/
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
      
  kernel
  kernel-devel
  NetworkManager
  NetworkManager-glib
  NetworkManager-gnome
  
  Required Packages

  chkconfig
  dbus
  dbus-glib
  hal
  bind
  dhclient
  dhcdbd
  iproute
  openssl
  caching-nameserver
  glibc
  wireless-tools
  libnl
  wpa_supplicant
  http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/
      
  NetworkManager-vpnc

Alternatively, build CVS.

  http://www.gnome.org/projects/NetworkManager/developers/
  
  Packages Required to Build CVS
  
  dbus-devel
  hal-devel
  glib2-devel
  gtk2-devel
  libglade2-devel
  openssl-devel
  GConf2-devel
  gnome-panel-devel
  libgnomeui-devel
  gnome-keyring-devel
  gettext-devel
  pkgconfig
  libnl-devel

The latest ipw2200 version can be installed from SourceForge. More details can be found in a posted article.

VPNC, Firestarter, PAM_KEYRING

  http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/

  vpnc
  firestarter
  
  
  http://www.hekanetworks.com
  
  pam_keyring

Fedora Core System Network

If the 'system-config-network' utility was used to set up network interfaces, the system files will look something like this.

  /etc/sysconfig/network-scripts/ifcfg-eth0
  DEVICE=eth0
  BOOTPROTO=dhcp
  ONBOOT=no
  TYPE=Ethernet
  HWADDR=00:0d:60:b2:19:9d
  USERCTL=yes
  PEERDNS=yes
  IPV6INIT=no

  /etc/sysconfig/network-scripts/ifcfg-eth1
  DEVICE=eth1
  BOOTPROTO=dhcp
  ONBOOT=no
  TYPE=Wireless
  HWADDR=00:0e:35:14:60:d0
  USERCTL=yes
  PEERDNS=yes
  IPV6INIT=no

If a static ip address or other network data is configured in these files, NetworkManager will honor these settings.

A FC5 bug causes eth0 to be randomly assigned rather than following the configuration files. This can play all kinds of havoc. A fix is in updates.

  yum --enablerepo=updates install initscripts

NetworkManager Setup

NetworkManager runs as a service owned by the root user. It manages wired and wireless connections and DHCP and VPN transactions. After installation, as root set this service to run in levels 3, 4, 5.

  /sbin/chkconfig --level 345 NetworkManager on

NetworkManagerDispatcher runs as a service owned by the root user. It executes scripts owned by root and placed in the directory

  /etc/NetworkManager/dispatcher.d

After installation, as root set this service to run in levels 3, 4, 5.

  /sbin/chkconfig --level 345 NetworkManagerDispatcher on

The scripts placed in /etc/NetworkManager/dispatcher.d are run when network interfaces are brought up or down. Two arguments are passed to each script by NetworkManagerDispatcher: the first is the interface (eth0, eth1, ...) and the second is either 'up' or 'down'. I am currently using this feature to control the network-dependent services ntpd and firestarter (fedora-extras) using the scripts ntpd-script and firestarter-script, which are owned by root with permissions 700. The first service is the network time protocol daemon and the second is a user-friendly firewall. The configuration of the firewall for use with VPNC is discussed below. RPM installation sets this service to run in levels 3, 4, and 5.
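A dispatcher script of the kind described above, written here as an added example (it is not the author's ntpd-script or firestarter-script). It assumes that ntpd and firestarter are installed as SysV services controlled by /sbin/service and that eth0 and eth1 are the interfaces NetworkManager manages; events for any other interface are ignored so they cannot restart the services.

```shell
#!/bin/sh
# Added example: one NetworkManagerDispatcher script handling both
# network-dependent services. Install as root in
# /etc/NetworkManager/dispatcher.d/ with mode 700.
#
# NetworkManagerDispatcher calls it with two arguments:
#   $1  interface name (eth0, eth1, ...)
#   $2  "up" or "down"

# Services that only make sense once a network connection exists
# (assumption: both are SysV services; firestarter comes from fedora-extras).
NET_SERVICES="ntpd firestarter"

# Translate the dispatcher action into a service verb; fails on anything else.
service_verb() {
    case "$1" in
        up)   echo start ;;
        down) echo stop ;;
        *)    return 1 ;;
    esac
}

# Only react to the interfaces from the ifcfg files above; anything else
# (assumption: the list is site-specific) is left alone.
managed_iface() {
    case "$1" in
        eth0|eth1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Start or stop every service in NET_SERVICES for a single dispatcher event.
dispatch() {
    iface="$1"; action="$2"
    managed_iface "$iface" || return 0
    verb=$(service_verb "$action") || {
        logger -t dispatcher "ignoring unknown action '$action' on $iface"
        return 1
    }
    for svc in $NET_SERVICES; do
        logger -t dispatcher "$iface $action: $svc $verb"
        /sbin/service "$svc" "$verb"
    done
}

# Run only when invoked by the dispatcher with both arguments, so the file
# can also be sourced to test the helper functions.
if [ $# -eq 2 ]; then
    dispatch "$1" "$2"
fi
```

The two helpers are split out so an unexpected argument pair is logged and rejected instead of being passed straight to /sbin/service.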

The nm-applet is autostarted by Gnome, runs in a user session, and provides a panel icon, a menu, and a context menu.

The dhcdbd service provides a dbus interface for the DHCP client dhclient. As root set the service to run in levels 3, 4, 5.

  /sbin/chkconfig --level 345 dhcdbd on

The named service in bind is now D-BUS enabled. As root set the service to run in levels 3, 4, 5 and set the DBUS option.

  /sbin/chkconfig --level 345 named on

  Add to /etc/sysconfig/named
  OPTIONS="-D"

NetworkManager stores passwords in Gnome keyring. To avoid having to login a second time, the pam_keyring utility can be used. For this to work your default keyring password must match your user password.

  Add to /etc/pam.d/gdm
  
  auth optional pam_keyring.so try_first_pass
  session optional pam_keyring.so

After installation by CVS run the following command.

  gtk-update-icon-cache -f /usr/share/icons/hicolor

Access Point (AP) Settings

Typically, APs transmit between six and ten beacon packets per second containing their ESSID, maximum transfer rate, and MAC address. If the ESSID is blanked from the beacon packets, the AP is called hidden or cloaked. If the ESSID is included in the beacon packets, the AP is said to broadcast its ESSID. You may encounter hidden APs at universities or businesses that have been using wireless for a long time. If beaconing is completely disabled, the AP is called non-beaconing. In the early days of wireless, hidden APs and non-beaconing APs were considered more secure, but this is no longer the case. There is now general agreement among wireless vendors that an AP should be set to broadcast its ESSID and its authentication type should be set to open system. The Cisco whitepaper

  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

states that

Some AP vendors, including Cisco, offer the option to disable SSID broadcasts in the beacon messages. The SSID is not designed, nor intended for use, as a security mechanism. In addition, disabling SSID broadcasts might have adverse effects on Wi-Fi interoperability for mixed-client deployments. Therefore, Cisco does not recommend using the SSID as a mode of security.

Use these settings when available.

  Broadcast ESSID: yes
  Authentication Type: Open System

Several authentication types may be available on your AP. The shared key setting (also called restricted or non-beaconing) is not recommended.

Broadcast and Hidden ESSIDs

NetworkManager setup varies slightly depending on whether or not your AP broadcasts its ESSID. My home network does broadcast its ESSID but my work network does not, so I will describe each setup separately below.

To be completely compatible with NetworkManager, the firmware and driver of your wireless adapter must be able to receive and process the beacons from wireless APs. If your wireless driver does not return a list of APs when you issue the command

  iwlist iface scan

then it is not completely compatible with NetworkManager. The scans produced by the airo and ipw2200 drivers and firmware contain APs which broadcast beacon packets.

Passwords and WEP Keys

NetworkManager now stores VPNC passwords and group passwords as well as WEP keys using the Gnome Keyring. The first time NetworkManager starts Gnome Keyring, the user will be asked to set a password for the default keyring as shown in Figure 1.

Figure 1

Thereafter, the default keyring password must be supplied when a Gnome user session starts as shown in Figure 2. Gnome Keyring can be run in a KDE session by using a startup script.

Figure 2

Home Network, Broadcast SSID

After booting, an animated panel icon appeared. I clicked on the icon and the dialog box in Figure 3 popped up.

Figure 3

Next, I clicked on 'mosswap' and the dialog box in Figure 4 popped up.

Figure 4

I input the key type and WEP key, hit the 'Login to Network' button, and had a connection in a few seconds. The appearance of the panel icon changed to the familiar four vertical bar signal strength indicator shown in Figure 5.

Figure 5

Hovering over the panel icon produced the message

  Wireless network connection to 'mosswap' (80%)

The nm-applet stores network information in Gnome GConf. I used the gconf-editor to click through the path

  /system/networking/wireless/networks/mosswap

I found the following keys and values.

  bssids              [00:01:24:F0:40:5A]
  essid               mosswap
  timestamp           1103145995
  we_cipher           16
  wep_auth_algorithm  1

Note that the WEP key is stored in the Gnome default Keyring. Next, I made a wired connection to my router and the appearance of the panel applet immediately switched to a wired connector icon. I tested the wired connection and then pulled the plug. In a few seconds, the wireless connection was re-established.

Campus Network, a Hidden ESSID

After booting, I clicked on the animated panel icon and then on 'Other Wireless Networks.' The dialog box in Figure 6 popped up. I filled in the campus ESSID cuairnet, key type and hex key, and then hit the 'Connect' button.

Figure 6

In a few seconds, the icon appearance changed to the vertical bar signal strength indicator and I had a wireless connection. Using gconf-editor, I clicked through the path

  system/networking/wireless/networks/cuairnet

and found

  bssids              [00:0F:90:7B:32:D0]
  essid               cuairnet
  timestamp           1102294128
  we_cipher           16
  wep_auth_algorithm  1

I right-clicked on addresses, selected 'Edit Key', and added the MAC addresses of a couple of additional APs that are close to my office. Note that the WEP key is stored in the Gnome default Keyring. I repeated the autoswitching test by plugging in an Ethernet cable and then removing it. The transition between wired and wireless networks progressed smoothly.

Context Menu

The NetworkManager context menu and the Connection Information dialog are shown in Figure 7.

Figure 7

VPN Support

NetworkManager CVS currently supports VPNC, OPENVPN, and PPTP. The RPM version currently supports VPNC. This section will discuss VPNC. To configure a VPN connection select 'Configure VPN...' from the 'VPN Connections' menu. The dialog box shown in Figure 8 will pop up.

Figure 8

Hitting the Add button will produce the dialog box shown in Figure 9.

Figure 9

Hitting the Forward button produces the dialog box shown in Figure 10.

Figure 10

Hitting the Forward button again produces the dialog box shown in Figure 11. A name for the connection, the gateway and the group name have been filled in.

Figure 11

Hitting the Forward button yet again produces the dialog box shown in Figure 12.

Figure 12

Hitting the Apply button and then the Close button shown in Figure 8 completes the configuration. Using the gconf-editor and clicking through the path

  system/networking/wireless/vpn_connections/clemson

reveals the following keys and values.

  last_attempt_success  check
  name                  clemson
  routes                []
  service_name          org.freedesktop.NetworkManager.vpnc
  vpn_data              [IPSec gateway,130.127.12.21,
                         IPSec ID,CUVPN]

To make a VPN connection, I selected 'clemson' from the 'VPN Connections' menu. The dialog box shown in Figure 13 appeared. I input my 'Password' and 'Group Password' which are stored in the default Gnome Keyring.

Figure 13

In a few seconds, a VPN connection was established and a small lock icon was superimposed on the panel icon. To disconnect, select 'Disconnect VPN...' from the 'VPN Connections' menu.

If the value of the routes key is an empty string as shown above, the default route will be through the VPN tunnel and the local network will be accessible:

  Kernel IP routing table
  Destination    Gateway      Genmask          Iface
  130.127.12.21  192.168.2.1  255.255.255.255  eth1
  192.168.2.0    *            255.255.255.0    eth1
  default        *            0.0.0.0          tun0

If instead the value of the routes key is the string 130.127.200.0/24, only this subnet will be accessible through the VPN tunnel and the default route will be local. We have

  Kernel IP routing table
  Destination    Gateway      Genmask          Iface
  130.127.12.21  192.168.2.1  255.255.255.255  eth1
  130.127.200.0  *            255.255.255.0    tun0
  192.168.2.0    *            255.255.255.0    eth1
  default        192.168.2.1  0.0.0.0          eth1

To configure the routes key, select 'Configure VPN...' from the 'VPN Connections' menu, select 'clemson', and hit the Edit button. Figure 14 shows how to enter the address 130.127.200.0/24.

Figure 14

Finally, hit the Apply button and then the Close button as shown in Figure 6.
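The two routing tables above are the only evidence of which policy the routes key actually produced, so it is worth checking them mechanically after each connection. The following is an added example, not from the article: it classifies a routing table as a full tunnel (default route over the tunnel device), a split tunnel (only listed prefixes over it) or no tunnel. The two sample tables are the article's, embedded as constructed strings; the functions also accept real `route -n` output, where the interface is the last column and the default route appears as 0.0.0.0.

```shell
#!/bin/sh
# Added example: decide whether a VPN gives a full or a split tunnel by
# reading a "Kernel IP routing table" listing.

# Constructed sample: the table shown for routes = [] (full tunnel).
FULL_TABLE='Kernel IP routing table
Destination    Gateway      Genmask          Iface
130.127.12.21  192.168.2.1  255.255.255.255  eth1
192.168.2.0    *            255.255.255.0    eth1
default        *            0.0.0.0          tun0'

# Constructed sample: the table shown for routes = 130.127.200.0/24 (split).
SPLIT_TABLE='Kernel IP routing table
Destination    Gateway      Genmask          Iface
130.127.12.21  192.168.2.1  255.255.255.255  eth1
130.127.200.0  *            255.255.255.0    tun0
192.168.2.0    *            255.255.255.0    eth1
default        192.168.2.1  0.0.0.0          eth1'

# Print "<destination> <interface>" per route line, skipping the two headers.
# The interface is taken as the last column so "route -n" output (which has
# Flags/Metric/Ref/Use columns in between) works too.
route_pairs() {
    printf '%s\n' "$1" | while read -r dest gw mask rest; do
        case "$dest" in
            Kernel|Destination|'') continue ;;
        esac
        iface=${rest##* }
        printf '%s %s\n' "$dest" "$iface"
    done
}

# Interface carrying the default route ("default", or 0.0.0.0 with route -n).
default_iface() {
    route_pairs "$1" | while read -r dest iface; do
        if [ "$dest" = default ] || [ "$dest" = 0.0.0.0 ]; then
            printf '%s\n' "$iface"
        fi
    done
}

# Destinations routed over the tunnel device, one per line.
tunneled_dests() {
    route_pairs "$1" | while read -r dest iface; do
        if [ "$iface" = "$2" ]; then
            printf '%s\n' "$dest"
        fi
    done
}

# full  : the default route goes through the tunnel (all traffic tunneled)
# split : only specific prefixes go through the tunnel
# none  : nothing is routed over the tunnel device
tunnel_mode() {
    if [ "$(default_iface "$1")" = "$2" ]; then
        echo full
    elif [ -n "$(tunneled_dests "$1" "$2")" ]; then
        echo split
    else
        echo none
    fi
}

# Stand-alone run on the samples; on a live system use:
#   tunnel_mode "$(route -n)" tun0
echo "routes = []:               $(tunnel_mode "$FULL_TABLE" tun0)"
echo "routes = 130.127.200.0/24: $(tunnel_mode "$SPLIT_TABLE" tun0)"
```

Running `tunnel_mode "$(route -n)" tun0` from a dispatcher script or by hand after connecting tells you immediately whether local-network traffic is leaving through the tunnel or not, which is the practical difference between the two routes settings.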

Configuration of the Firestarter Firewall for Use with VPNC

When using firestarter, the iptables service should be turned off. The firestarter inbound policy is to deny all. Users can open ports as needed. Users are given a choice of two outbound policies: permissive and restrictive. I am currently using the permissive policy. Users can close ports as desired. The current firestarter version does not support VPN but users can add iptables rules to the user-pre and user-post files. I found the following rules work with the Clemson Cisco VPN Concentrator.

  /etc/firestarter/user-pre

  VPNGATEWAY=130.127.12.21
  TUNDEV=tun0

  iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p esp
  iptables -A INPUT -j ACCEPT -s $VPNGATEWAY -p udp \
      -m multiport --sports isakmp,10000
  iptables -A INPUT -j ACCEPT -i $TUNDEV

  iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p esp
  iptables -A OUTPUT -j ACCEPT -d $VPNGATEWAY -p udp \
      -m multiport --dports isakmp,10000
  iptables -A OUTPUT -j ACCEPT -o $TUNDEV

If your VPN Concentrator uses nat-t, change 'isakmp,10000' to 'isakmp,4500,10000'.
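The rules above are all scoped to either the gateway address or the tunnel device, which is what keeps an otherwise deny-all inbound policy intact. As an added example (not from the article or from Firestarter), the script below generates the same six rules from parameters, with NAT-T as a switch instead of a hand edit, and includes a check that flags any ACCEPT rule that names neither the gateway nor the tunnel device. The gateway 130.127.12.21 and tun0 are the article's values, used here as sample input.

```shell
#!/bin/sh
# Added example: parameterised user-pre rules for a vpnc tunnel plus a
# scoping check for ACCEPT rules.
#   vpn_rules GATEWAY TUNDEV [natt]   prints the rules
#   unscoped_accepts GATEWAY TUNDEV   reads rules on stdin, returns 1 on a hit

# UDP source/destination ports for IKE traffic: plain ISAKMP plus Cisco UDP
# encapsulation on 10000, with 4500 added when the concentrator uses NAT-T.
isakmp_ports() {
    if [ "$1" = natt ]; then
        echo "isakmp,4500,10000"
    else
        echo "isakmp,10000"
    fi
}

# Emit the six rules. Each ACCEPT names the gateway (-s/-d) or the tunnel
# device (-i/-o); nothing accepts traffic from arbitrary hosts.
vpn_rules() {
    gw="$1"; tun="$2"; ports=$(isakmp_ports "$3")
    cat <<EOF
iptables -A INPUT -j ACCEPT -s $gw -p esp
iptables -A INPUT -j ACCEPT -s $gw -p udp -m multiport --sports $ports
iptables -A INPUT -j ACCEPT -i $tun
iptables -A OUTPUT -j ACCEPT -d $gw -p esp
iptables -A OUTPUT -j ACCEPT -d $gw -p udp -m multiport --dports $ports
iptables -A OUTPUT -j ACCEPT -o $tun
EOF
}

# Read iptables lines on stdin and print every ACCEPT rule that is scoped to
# neither the gateway address nor the tunnel device. Comments, blank lines
# and variable assignments are skipped. Returns 1 if anything was flagged.
unscoped_accepts() {
    found=0
    while read -r line; do
        case "$line" in
            ''|'#'*|*=*) continue ;;
        esac
        case "$line" in
            *" -j ACCEPT "*|*" -j ACCEPT") ;;
            *) continue ;;
        esac
        case "$line" in
            *"-s $1 "*|*"-d $1 "*|*"-i $2"*|*"-o $2"*) ;;
            *) echo "unscoped: $line"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run: print the NAT-T variant and verify it is fully scoped.
vpn_rules 130.127.12.21 tun0 natt
vpn_rules 130.127.12.21 tun0 natt | unscoped_accepts 130.127.12.21 tun0 \
    && echo "all ACCEPT rules are scoped"
```

The check works on rules with the address and device already expanded, so run it on `vpn_rules` output or on `sh -x` traces of a user-pre file rather than on a file that still uses $VPNGATEWAY and $TUNDEV.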

Suspend to RAM

NetworkManager support for suspend to ram is provided by the pm-utils package.

NAMED D-BUS Support

If you have the bind-chroot package installed,

  Remove ALL RPMs related to 
      named, caching-nameserver, and NetworkManager
  Remove the contents of /var/named
  Update to selinux-policy-targeted version 1.27.1-13 or later
  Re-install the RPMs listed above but DO NOT re-install the 
      bind-chroot RPM.

Background: On startup, if 'named -D' detects that it cannot connect to D-BUS because, for example, it is started before the messagebus service, named will emit the syslog message

  D-BUS service disabled.

and will initiate a timer that will cause it to periodically retry connecting to D-BUS. After the messagebus service starts, named will emit the syslog message

  named[xxxx]: D-BUS service enabled.

If dhcdbd is not running when named is able to connect to D-BUS, the syslog message

  named[xxxx]: D-BUS dhcdbd subscription disabled.

will appear. Once dhcdbd has started, the syslog message

  named[xxxx]: D-BUS dhcdbd subscription enabled.

will appear.
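Because named retries in the background, the last of these messages is the one that matters, not the first. The following added example (not from the article) walks syslog lines and reports the final D-BUS state of named and of its dhcdbd subscription, so a start-order problem shows up without reading the whole log. The sample log is constructed; the PID 2481, host name and timestamps are made up.

```shell
#!/bin/sh
# Added example: extract named's final D-BUS state from syslog lines.
#   dbus_state LOG FAMILY    FAMILY is "service" or "dhcdbd subscription"
#   named_dbus_ok LOG        true only if both ended up enabled

# Constructed sample: the normal boot sequence described in the article.
SAMPLE_LOG='Oct 27 08:00:01 t42 named[2481]: D-BUS service disabled.
Oct 27 08:00:04 t42 named[2481]: D-BUS service enabled.
Oct 27 08:00:04 t42 named[2481]: D-BUS dhcdbd subscription disabled.
Oct 27 08:00:09 t42 named[2481]: D-BUS dhcdbd subscription enabled.'

# Constructed sample: dhcdbd never came up, so the subscription stays disabled.
STUCK_LOG='Oct 27 08:00:01 t42 named[2481]: D-BUS service disabled.
Oct 27 08:00:04 t42 named[2481]: D-BUS service enabled.
Oct 27 08:00:04 t42 named[2481]: D-BUS dhcdbd subscription disabled.'

# Last reported state for one message family: enabled, disabled or unknown.
dbus_state() {
    last=$(printf '%s\n' "$1" | grep "named\[[0-9][0-9]*\]: D-BUS $2 " | tail -n 1)
    case "$last" in
        *" enabled.")  echo enabled ;;
        *" disabled.") echo disabled ;;
        *)             echo unknown ;;
    esac
}

# Overall verdict: named reached D-BUS and is subscribed to dhcdbd.
named_dbus_ok() {
    [ "$(dbus_state "$1" service)" = enabled ] &&
    [ "$(dbus_state "$1" 'dhcdbd subscription')" = enabled ]
}

# Stand-alone run on the samples; on a live system use the real log:
#   named_dbus_ok "$(grep 'named\[' /var/log/messages)"
for log in "$SAMPLE_LOG" "$STUCK_LOG"; do
    echo "service: $(dbus_state "$log" service)," \
         "dhcdbd subscription: $(dbus_state "$log" 'dhcdbd subscription')"
    if named_dbus_ok "$log"; then echo "  -> ok"; else echo "  -> not ok"; fi
done
```

A "not ok" verdict after boot points at the service order (messagebus and dhcdbd must be running before named can subscribe), which is the situation the Background paragraph describes.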

Caveats:

NetworkManager Interactions

As shown in the diagram below, NetworkManager components communicate via D-BUS, a system message bus that allows applications to talk to each other. HAL, or Hardware Abstraction Layer, provides information to applications about existing and new hardware.

  D-BUS
  |__________________________________
  |-------- NetworkManager ----------|-- Network Cards
  |------------ dhcp-manager         |
  |------------ named-manager        |
  |------------ vpn-manager          |
  |---------------- vpn-daemons      |
  |-------------------- vpnc --------|-- VPNC
  |-------------------- openvpnc ----|-- OPENVPN
  |-------------------- pptp --------|-- PPTP
  |__________________________________|
  |
  |-------- HAL
  |-------- dhcdbd --------------------- dhclient
  |-------- named
  |-------- NetworkManagerDispatcher --- ntpd, firestarter 
  |-------- nm-applet ------------------ gconfd, gnome-session