pkgs.networkmanager_strongswan does not work with NetworkManager

[wucke13]

Issue description

Connecting to a VPN via strongswan/NetworkManager does not work. charon-nm is missing. If I remember this right, there is a flag (--enable-nm) for the configure script of strongswan build, which causes strongswan to also build the charon-nm. If this flag is not set, charon-nm will not be built. Further information on the needed compile flags for NetworkManager support can be found here. I think these should be added to the build of the pkgs.networkmanager_strongswan, as it only makes sense to have the special NetworkManager related build flags enabled for a dedicated networkmanager_strongswan package.

Steps to reproduce

Install NetworkManager with networkmanager_strongswan package. Add a valid strongswan VPN connection. Try to connect.

Technical details

Relevant nix expression:

 networking.networkmanager = {
                        enable = true;
                        packages = [ pkgs.networkmanager_strongswan ];
};

Error:

Sep 27 21:59:16 hostname NetworkManager[2445]: <warn>  [1506542356.1435] vpn-connection[0xabf120,4d128ccf-4a61-43b6-9b2b-a631d5ddd5fb,"My VPN",0]: Could not launch the VPN service. error: Failed to execute child process "/nix/store/p9jwifzhb9433nwfrq7jibkmsrsbwydp-NetworkManager-strongswan-1.4.1/libexec/ipsec/charon-nm" (No such file or directory).

• System: 17.03.1849.1e30a7c617 (Gorilla)
• Nix version: nix-env (Nix) 1.11.14
• Nixpkgs version: "17.03.1849.1e30a7c617"
• Sandboxing enabled: build-use-sandbox = false

[eqyiel]

I don't have a strongswan connection to test, but can you try something like this?

networking.networkmanager = {
  enable = true;
  packages = [ (pkgs.networkmanager_strongswan.overrideAttrs
                 (attrs: { configureFlags = [ "--enable-nm" ]; })) ];
}

If that works, maybe you can add it to this file and make a PR? https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/network-manager/strongswan.nix

[wucke13]

That did not help, but I am amazed how easy it is to add custom build arguments. However, I realized that pkgs.networkmanager_strongswan is only the NetworkManager plugin. These build flags I mentioned must be added to the build of strongswan itself. And then there is a build option for the strongswan NetworkManager plugin, --with-charon=/path/to/charon-nm which must point to the charon-nm inside of nix-store path of strongswan. At the moment this build option seems to be not set, because as can be read from my error message, NetworkManager-strongswan searches for this in its own folder, not in the strongswan folder.

Apparently my build of strongswan with the custom flags fails, but I think this is some sort of namespace issue?

configure: error: Package requirements (NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn) were not met:

No package 'NetworkManager' found
No package 'gthread-2.0' found
No package 'libnm_util' found
No package 'libnm_glib' found
No package 'libnm_glib_vpn' found

Edit:
I can only strongly suggest the actual maintainer of this package build to have a quick look at the link I posted, all the relevant information is there in a short and easy to understand way

[eqyiel]

Yes, it looks like the strongswan package should have an optional argument like enableNetworkManager.

This command seems to do the right thing:

nix-build --expr 'with import <nixpkgs> {}; let strongswan = pkgs.strongswan.overrideAttrs (attrs: { buildInputs = attrs.buildInputs ++ [ networkmanager ]; configureFlags = attrs.configureFlags ++ [ "--enable-nm" ]; }); in pkgs.networkmanager_strongswan.overrideAttrs (attrs: { configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ]; })'

This is untested, but the revised config would be like:

networking.networkmanager = {
  enable = true;
  packages = with pkgs; let
    strongswan = strongswan.overrideAttrs (attrs: {
      buildInputs = attrs.buildInputs ++ [ networkmanager ];
      configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
    });
  in [
    (networkmanager_strongswan.overrideAttrs (attrs: {
      configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
    }))
  ];
};

Does that work for you?

[wucke13]

That must be close to correct, as the above command seems to work. However the config snippet throws the following error:

building Nix...
building the system configuration...
error: cannot coerce a function to a string, at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/types.nix:168:42

I tried alternating a bit with the brackets but did not make it work. Must be some little syntax issue?

[globin]

Updated the commit above and added brackets around:

networkmanager_strongswan.overrideAttrs (attrs: {
  configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
})

But still untested

[wucke13]

Still not working:

error: infinite recursion encountered, at /etc/nixos/configuration.nix:31:18
(use ‘--show-trace’ to show detailed location information)

where line 31 happens to be the line containing strongswan = strongswan.overrideAttrs (attrs: {

[eqyiel]

@wucke13 @globin I don't know how to explain it but I can get rid of the infinite recursion by getting rid of with pkgs;:

networking.networkmanager = {
  enable = true;
  packages = let
    strongswan = pkgs.strongswan.overrideAttrs (attrs: {
      buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
      configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
    }); in [
     (pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
         configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
       }))
    ];
};

nixos-rebuild is able to continue with that modification.

[wucke13]

Maybe it is, because it replaces pkgs.networkmanager_strongswan with pkgs.pkgs.networkmanager_strongswan again and again. You know, like if a cheese cake is made up from 50 % cheese cake and 50% cheese, then its made up from 100% cheese cake if your recursion depth is big enough...

Back to the topic: That configuration does work in terms of being able to build the system, but not in terms of being able to connect to the VPN. The charon-nm is build, which is very good. However, I still get the error that charon-nm is not found, because networkmanager_strongswan is still looking inside its own store for it, despite charon-nm being build inside strongswans store. So, something inside

(pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
         configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
       }))

is still not doing what it should.

[eqyiel]

@wucke13 it may be that strongswan just needs to be added to buildInputs:

networking.networkmanager = {
  enable = true;
  packages = let
    strongswan = pkgs.strongswan.overrideAttrs (attrs: {
      buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
      configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
    });
  in [
   (pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
       buildInputs = attrs.buildInputs ++ [ strongswan ];
       configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
     }))
  ];
};

If that doesn't work, you will probably have to talk to someone who uses it - cc @teto, are you still having trouble using strongswan with network manager?

[eqyiel]

@wucke13 it may be worth talking to @basvandijk who authored this PR too: #27958

[wucke13]

@eqyiel the error keeps the same:

Oct 05 01:12:07 nixos NetworkManager[681]: <warn>  [1507158727.2239] vpn-connection[0x26e3300,4d128ccf-4a61-43b6-9b2b-a631d5ddd5fb,"My VPN",0]: Could not launch the VPN service. error: Failed to execute child process "/nix/store/p9jwifzhb9433nwfrq7jibkmsrsbwydp-NetworkManager-strongswan-1.4.1/libexec/ipsec/charon-nm" (No such file or directory).

For some reason, the --with-charon=${strongswan}/libexec/ipsec/charon-nm optionflag does not work. How can we check what actually is done in the NetworkManager-strongswan build? I think that the problem is logical solved, as we can force strongswan to build the charon-nm file. The only problem left is to make NetworkManager-strongswan acknowledge where it resides.

Edit:

As I can tell from the build output, the configure options are correct:

configure flags: --disable-static --disable-dependency-tracking --prefix=/nix/store/01gk57f1zdpvzswviab6mvhvhm4jyf9b-NetworkManager-strongswan-1.4.1 --with-charon=/nix/store/b1c4d1mi4qlks8lbc6b2m5g7syala17l-strongswan-5.5.3/libexec/ipsec/charon-nm 

So, either the configure options are not used on the configure.sh script, or they are not parsed correctly by that script.

[teto]

hum for me it seems to be a different problem (aka 'Could not save existing /etc/ipsec.secrets file.'); strongswan starts fine

oct. 05 12:26:15 jedha NetworkManager[715]: Starting strongSwan 5.6.0 IPsec [starter]...
oct. 05 12:26:15 jedha NetworkManager[715]: Loading config setup
oct. 05 12:26:15 jedha NetworkManager[715]: Loading conn 'nm-ipsec-l2tp-23230'
oct. 05 12:26:15 jedha ipsec_starter[23242]: Starting strongSwan 5.6.0 IPsec [starter]...
oct. 05 12:26:15 jedha ipsec_starter[23242]: Loading config setup
oct. 05 12:26:15 jedha ipsec_starter[23242]: Loading conn 'nm-ipsec-l2tp-23230'
oct. 05 12:26:15 jedha NetworkManager[715]: sh: modprobe : commande introuvable
oct. 05 12:26:15 jedha NetworkManager[715]: sh: modprobe : commande introuvable
oct. 05 12:26:15 jedha NetworkManager[715]: sh: modprobe : commande introuvable
oct. 05 12:26:15 jedha NetworkManager[715]: sh: modprobe : commande introuvable
oct. 05 12:26:15 jedha NetworkManager[715]: sh: modprobe : commande introuvable
oct. 05 12:26:15 jedha NetworkManager[715]: found netkey IPsec stack
oct. 05 12:26:15 jedha ipsec_starter[23242]: found netkey IPsec stack
oct. 05 12:26:15 jedha ipsec_starter[23260]: Attempting to start charon...
oct. 05 12:26:15 jedha NetworkManager[715]: <warn>  [1507173975.6439] vpn-connection[0x1e2e2e0,74615f38-bdb3-424b-898c-440e3f490289,"Connexion VPN 1",0]: VPN connection: failed to connect: 'Could not save existing /etc/ipsec.secrets file.'
oct. 05 12:26:15 jedha charon[23261]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.13.4, x86_64)
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] PKCS11 module '<name>' lacks library path
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] dnscert plugin is disabled
oct. 05 12:26:15 jedha charon[23261]: 00[NET] using forecast interface eno1
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading ca certificates from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/cacerts'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading aa certificates from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/aacerts'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading ocsp signer certificates from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/ocspcerts'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading attribute certificates from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/acerts'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading crls from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/crls'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] loading secrets from '/nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.secrets'
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] opening triplet file /nix/store/pvhm7cnxzqny02vn9gbvl8ab47vshqqa-strongswan-5.6.0/etc/ipsec.d/triplets.dat failed: No such file or directory
oct. 05 12:26:15 jedha charon[23261]: 00[CFG] no script for ext-auth script defined, disabled

[eqyiel]

It looks like it's working but Nix (or the configure script) is replacing /nix/store/b1c4d1mi4qlks8lbc6b2m5g7syala17l-strongswan-5.5.3/libexec/ipsec with /nix/store/p9jwifzhb9433nwfrq7jibkmsrsbwydp-NetworkManager-strongswan-1.4.1/libexec/ipsec, does it work if you just replace it with sed?

nix-build --expr 'with import <nixpkgs> {}; let strongswan = pkgs.strongswan.overrideAttrs (attrs: { buildInputs = attrs.buildInputs ++ [ networkmanager ]; configureFlags = attrs.configureFlags ++ [ "--enable-nm" ]; }); in pkgs.networkmanager_strongswan.overrideAttrs (attrs: { buildInputs = attrs.buildInputs ++ [ strongswan ]; configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ]; fixupPhase = "sed -i \"s%^program=.*%program=${strongswan}/libexec/ipsec/charon-nm%\" $out/lib/NetworkManager/VPN/nm-strongswan-service.name"; })'

I haven't tried this bit, but it should look something like this:

networking.networkmanager = {
  enable = true;
  packages = let
    strongswan = pkgs.strongswan.overrideAttrs (attrs: {
      buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
      configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
    });
  in [
   (pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
       buildInputs = attrs.buildInputs ++ [ strongswan ];
       configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
       fixupPhase = ''
         sed -i 's%^program=.*%program=${strongswan}/libexec/ipsec/charon-nm%' $out/lib/NetworkManager/VPN/nm-strongswan-service.name
       '';
     }))
  ];
};

[wucke13]

The error persists. Maybe someone who understands more about the nix build process might debug where the problems root is located. Rebuilding and rebooting into the new generation should be sufficient test a new config, right?

Oct 06 14:15:02 zorn NetworkManager[1068]: <warn>  [1507292102.9155] vpn-connection[0xd4d100,c3770b54-737e-4153-9aed-f0e9182ba2cd,"MY VPN",0]: Could not launch the VPN service. error: Failed to execute child process "/nix/store/p9jwifzhb9433nwfrq7jibkmsrsbwydp-NetworkManager-strongswan-1.4.1/libexec/ipsec/charon-nm" (No such file or directory).

[eqyiel]

The thing is, the build is fine, but at some point during the system activation the path to strongswan is removed (see the changed program= key).

eqyiel@ayanami ~/git/personal/deployments (git)-[master] % diff -u /run/current-system/sw/lib/NetworkManager/VPN/nm-strongswan-service.name /etc/NetworkManager/VPN/nm-strongswan-service.name                :(
--- /run/current-system/sw/lib/NetworkManager/VPN/nm-strongswan-service.name    1970-01-01 09:30:01.000000000 +0930
+++ /etc/NetworkManager/VPN/nm-strongswan-service.name  1970-01-01 09:30:01.000000000 +0930
@@ -1,12 +1,14 @@
+# This file is obsoleted by a file in /nix/store/wy80jw32bglcpbp0ysjm0m7x0j4b9qjz-NetworkManager-strongswan-1.4.1/lib/NetworkManager/VPN
+
 [VPN Connection]
 name=strongswan
 service=org.freedesktop.NetworkManager.strongswan
-program=/nix/store/pir23kcvshwb5hgjrmva5b1lz4z3cizw-strongswan-5.6.0/libexec/ipsec/charon-nm
+program=/nix/store/wy80jw32bglcpbp0ysjm0m7x0j4b9qjz-NetworkManager-strongswan-1.4.1/libexec/ipsec/charon-nm

 [libnm]
-plugin=/nix/store/5bp6fzinq54gvspqw2rrjjhhs5aj3lmh-NetworkManager-strongswan-1.4.1/lib/NetworkManager/libnm-vpn-plugin-strongswan.so
+plugin=/nix/store/wy80jw32bglcpbp0ysjm0m7x0j4b9qjz-NetworkManager-strongswan-1.4.1/lib/NetworkManager/libnm-vpn-plugin-strongswan.so

 [GNOME]
-auth-dialog=/nix/store/5bp6fzinq54gvspqw2rrjjhhs5aj3lmh-NetworkManager-strongswan-1.4.1/libexec/nm-strongswan-auth-dialog
-properties=libnm-strongswan-properties
+auth-dialog=/nix/store/wy80jw32bglcpbp0ysjm0m7x0j4b9qjz-NetworkManager-strongswan-1.4.1/libexec/nm-strongswan-auth-dialog
+properties=/nix/store/wy80jw32bglcpbp0ysjm0m7x0j4b9qjz-NetworkManager-strongswan-1.4.1/lib/NetworkManager/libnm-strongswan-properties
 supports-external-ui-mode=true

[wucke13]

Is there an easy way of changing it back? Even if it gets a bit hackish, I would prefer a working VPN-Connection over a clean solution.

[eqyiel]

@wucke13 you could try overriding that file explicitly with environment.etc, like

{ config, lib, pkgs, ... }:

let
  strongswan = pkgs.strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
    configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
  });

  networkmanager_strongswan = pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ strongswan ];
    configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
  });

in {
  networking.networkmanager = {
    enable = true;
    packages =  [ networkmanager_strongswan ];
  };

  environment.etc."/NetworkManager/VPN/nm-strongswan-service.name" = {
    source = "${networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
  };

  # ... other configuration.nix
}

[wucke13]

This gives me an error:

duplicate entry NetworkManager/VPN/nm-strongswan-service.name -> /nix/store/902w7hcwgc7zc8vi65rmw9l14jq9k1fa-NetworkManager-strongswan-1.4.1/etc/NetworkManager/VPN/nm-strongswan-service.name
mismatched duplicate entry /nix/store/gskgrsgw9gcbha77hksb0yhpkvz8m2pn-NetworkManager-strongswan-1.4.1/lib/NetworkManager/VPN/nm-strongswan-service.name <-> /nix/store/902w7hcwgc7zc8vi65rmw9l14jq9k1fa-NetworkManager-strongswan-1.4.1/etc/NetworkManager/VPN/nm-strongswan-service.name
builder for ‘/nix/store/djc9pi17f061fpcivn4z7fxzxqsnr2cw-etc.drv’ failed with exit code 1

I tried to put pkgs.lib.mkForce, but that did not help either. How to specify that it is save to overwrite that specific file?

source = pkgs.lib.mkForce "${networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";

[eqyiel]

It looks like that won't work because of this issue: #17237 (comment)

In particular, the line here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/networkmanager.nix#L256kk

Which looks like a bug anyway, because networkmanager_strongswan is not in basePackages!

[eqyiel]

Since you can't override the module, you could try adding the overridden package to nixpkgs.config.packageOverrides so that it will be your custom version everywhere it is referred to:

{ config, lib, pkgs, ... }:

rec {
  networking.networkmanager = {
    enable = true;
    packages =  [ pkgs.networkmanager_strongswan ];
  };

  nixpkgs.config = {
    packageOverrides = pkgs: let
      strongswan = pkgs.strongswan.overrideAttrs (attrs: {
        buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
        configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
      });
    in {
      networkmanager_strongswan = pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
        buildInputs = attrs.buildInputs ++ [ strongswan ];
        configureFlags = [ "--with-charon=${strongswan}/libexec/ipsec/charon-nm" ];
      });
    };
  };
  
  # ... other configuration.nix
}

I still can't test this but it seems like it might do the right thing:

% sudo nixos-rebuild boot
building Nix...
building the system configuration...
these derivations will be built:
  /nix/store/vj9kgbmydczr3djaj8dqzl3vmmzk3iyk-etc.drv
  /nix/store/8a69lgnak93hybvn9xxcx1vyrrxgkxfr-nixos-system-ayanami.maher.fyi-18.03.git.3fe7cddc30.drv
building path(s) ‘/nix/store/bn3z4hp1c5n1m60vvcwdf6x7814sv4kn-etc’
building path(s) ‘/nix/store/wgjwydci4ysy07jc671aqkfqkm55rgs8-nixos-system-ayanami.maher.fyi-18.03.git.3fe7cddc30’
sudo nixos-rebuild boot  15.73s user 1.38s system 75% cpu 22.547 total
% grep charon /nix/store/wgjwydci4ysy07jc671aqkfqkm55rgs8-nixos-system-ayanami.maher.fyi-18.03.git.3fe7cddc30/etc/NetworkManager/VPN/nm-strongswan-service.name
program=/nix/store/pir23kcvshwb5hgjrmva5b1lz4z3cizw-strongswan-5.6.0/libexec/ipsec/charon-nm

[wucke13]

Well, this did indeed solve the actual problem. The cool thing is, that nm-applet doesn't crash with segfault when opening a VPN connection, and indeed charon-nm is called two, which is really good!

However, there comes the next issue:

Oct 17 12:04:36 nixos charon-nm[4968]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.6.0)
Oct 17 12:04:36 nixos charon-nm[4968]: 00[KNL] unable to create IPv4 routing table rule
Oct 17 12:04:36 nixos charon-nm[4968]: 00[KNL] unable to create IPv6 routing table rule
Oct 17 12:04:36 nixos charon-nm[4968]: Failed to initialize VPN plugin: Connection ":1.35" is not allowed to own the service "org.freedesktop.NetworkManager.strongswan" due to security policies in the configuration file
Oct 17 12:04:36 nixos charon-nm[4968]: object NMStrongswanPlugin 0x1f36170 finalized while still in-construction
Oct 17 12:04:36 nixos charon-nm[4968]: 00[CFG] DBUS binding failed
Oct 17 12:04:36 nixos charon-nm[4968]: Custom constructor for class NMStrongswanPlugin returned NULL (which is invalid). Please use GInitable instead.
Oct 17 12:04:36 nixos charon-nm[4968]: 00[LIB] feature CUSTOM:NetworkManager backend in critical plugin 'nm-backend' failed to load
Oct 17 12:04:36 nixos charon-nm[4968]: 00[LIB] failed to load 1 critical plugin feature
Oct 17 12:04:36 nixos charon-nm[4968]: 00[DMN] initialization failed - aborting charon-nm

I am kind of helpless with this one, as it did never appear back when I used to compile strongswan by myself. Any guesses how this could be resolved?

[eqyiel]

There's this bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=1035555

I discovered that the file /etc/dbus-1/system.d/nm-strongswan-service.conf was present on Leap 42.2, but absent on Tumbleweed. Copying this file from my 42.2 system resolved the issue.

Maybe you could try to create that file (like environment.etc."/dbus-1/system.d/nm-strongswan-service.conf" = { }), I would have no idea what to put there though. Maybe you can find an example of what it's supposed to look like from another distro?

[eqyiel]

@wucke13 this perhaps? https://github.com/strongswan/strongswan/blob/master/src/charon-nm/nm-strongswan-service.conf

[wucke13]

That might do the trick, however

environment.etc."/dbus-1/system.d/nm-strongswan-service.conf" = {
text = ''
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
	<policy user="root">
		<allow own="org.freedesktop.NetworkManager.strongswan"/>
		<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
		<allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
	</policy>
	<policy context="default">
		<deny own="org.freedesktop.NetworkManager.strongswan"/>
		<deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
	</policy>
</busconfig>
'';
};

Fails due to

duplicate entry dbus-1 -> /nix/store/l4ysf9jsr6d6y2841310vfcfr2nmziy0-dbus-1
mismatched duplicate entry  <-> /nix/store/l4ysf9jsr6d6y2841310vfcfr2nmziy0-dbus-1
builder for ‘/nix/store/l65z6akkch74s8p9ybc53za32x2bhgzw-etc.drv’ failed with exit code 1

It looks like dbus-1 is a symlink, that's why this fails.

[eqyiel]

Another way might be to override these lines in the strongswan derivation so that you can have the file elsewhere: https://github.com/strongswan/strongswan/blob/master/src/charon-nm/Makefile.am#L26-L27

[eqyiel]

Upon further inspection, there's an attribute packages in services.dbus that controls the files that end up in that directory. It looks like the strongswan derivation already puts that file in the right place. You could try adding services.dbus.packages = [ pkgs.strongswan ]; to your configuration?

[wucke13]

This does not work. In particular, this seems to change exactly nothing? After putting the above snippet in my config file, the following is the situation: /etc/dbus-1 is a symlink to /etc/static/dbus-1, where /etc/static is symlink to the /etc nixpkg, in which dbus-1 links to the dbus-1 nixpkg, in which there only is a session.conf and a system.conf. No such folder like system.d inside of /etc/dbus-1. However, I was not able to find any dbus related file in the strongswan nixpkg. So, strongswan is probably no generating the file as mentioned in the bug you mentionend in this post:
#29873 (comment)

[eqyiel]

@wucke13 I get that file in the output if I replace the contents of strongswan/default.nix with this:

{ stdenv, fetchurl, gmp, pkgconfig, python, autoreconfHook
, curl, trousers, sqlite, iptables, libxml2, openresolv
, ldns, unbound, pcsclite, openssl, systemd, pam, networkmanager
, enableTNC ? false, enableNM ? true }:

stdenv.mkDerivation rec {
  name = "strongswan-${version}";
  version = "5.6.0";

  src = fetchurl {
    url = "http://download.strongswan.org/${name}.tar.bz2";
    sha256 = "04vvha2zgsg1cq05cnn6sf7a4hq9ndnsfxpw1drm5v9l4vcw0kd1";
  };

  dontPatchELF = true;

  nativeBuildInputs = [ pkgconfig autoreconfHook ];
  buildInputs =
    [ gmp python iptables ldns unbound openssl pcsclite ]
    ++ stdenv.lib.optionals enableTNC [ curl trousers sqlite libxml2 ]
    ++ stdenv.lib.optionals enableNM [ networkmanager ]
    ++ stdenv.lib.optionals stdenv.isLinux [ systemd.dev pam ];

  patches = [
    ./ext_auth-path.patch
    ./firewall_defaults.patch
    ./updown-path.patch
  ];

  postPatch = ''
    substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c --replace "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"

    # swanctl can be configured by files in SWANCTLDIR which defaults to
    # $out/etc/swanctl. Since that directory is in the nix store users can't
    # modify it. Ideally swanctl accepts a command line option for specifying
    # the configuration files. In the absence of that we patch swanctl to look
    # for configuration files in /etc/swanctl.
    substituteInPlace src/swanctl/swanctl.h --replace "SWANCTLDIR" "\"/etc/swanctl\""
    '';

  preConfigure = ''
    configureFlagsArray+=("--with-systemdsystemunitdir=$out/etc/systemd/system")
  '';

  configureFlags =
    [ "--enable-swanctl" "--enable-cmd" "--enable-systemd"
      "--enable-farp" "--enable-dhcp"
      "--enable-openssl"
      "--enable-eap-sim" "--enable-eap-sim-file" "--enable-eap-simaka-pseudonym"
      "--enable-eap-simaka-reauth" "--enable-eap-identity" "--enable-eap-md5"
      "--enable-eap-gtc" "--enable-eap-aka" "--enable-eap-aka-3gpp2"
      "--enable-eap-mschapv2" "--enable-xauth-eap" "--enable-ext-auth"
      "--enable-forecast" "--enable-connmark" "--enable-acert"
      "--enable-pkcs11" "--enable-eap-sim-pcsc" "--enable-dnscert" "--enable-unbound"
      "--enable-af-alg" "--enable-xauth-pam" "--enable-chapoly" ]
    ++ stdenv.lib.optional stdenv.isx86_64 [ "--enable-aesni" "--enable-rdrand" ]
    ++ stdenv.lib.optional (stdenv.system == "i686-linux") "--enable-padlock"
    ++ stdenv.lib.optionals enableTNC [
         "--disable-gmp" "--disable-aes" "--disable-md5" "--disable-sha1" "--disable-sha2" "--disable-fips-prf"
         "--enable-curl"
         "--enable-eap-tnc" "--enable-eap-ttls" "--enable-eap-dynamic" "--enable-tnccs-20"
         "--enable-tnc-imc" "--enable-imc-os" "--enable-imc-attestation"
         "--enable-tnc-imv" "--enable-imv-attestation"
         "--enable-tnc-ifmap" "--enable-tnc-imc" "--enable-tnc-imv"
         "--with-tss=trousers"
         "--enable-aikgen"
         "--enable-sqlite" ]
    ++ stdenv.lib.optional enableNM [ "--enable-nm" ];

  NIX_LDFLAGS = "-lgcc_s" ;

  meta = {
    description = "OpenSource IPsec-based VPN Solution";
    homepage = https://www.strongswan.org;
    license = stdenv.lib.licenses.gpl2Plus;
    platforms = stdenv.lib.platforms.all;
  };
}

Then

% cat "$(nix-build '<nixpkgs>' -A strongswan --no-out-link)/etc/dbus-1/system.d/nm-strongswan-service.conf"
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
        <policy context="default">
                <deny own="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
        </policy>
</busconfig>

You can probably achieve the same thing if you move strongswan into packageOverrides so that it's the nm-enabled version of strongswan that gets put into services.dbus.packages:

nixpkgs.config.packageOverrides = pkgs: {
  strongswan = pkgs.strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
    configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
  });

  networkmanager_strongswan = pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ pkgs.strongswan ];
    configureFlags = [ "--with-charon=${pkgs.strongswan}/libexec/ipsec/charon-nm" ];
  });
};

services.dbus.packages = [ pkgs.strongswan ];

Would you be interested in putting together a PR if this fixes it for you?

[wucke13]

It does work!!!
The following snippet did the trick:

nixpkgs.config.packageOverrides = pkgs: {
  strongswan = pkgs.strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ pkgs.networkmanager ];
    configureFlags = attrs.configureFlags ++ [ "--enable-nm" ];
  });
  networkmanager_strongswan = pkgs.networkmanager_strongswan.overrideAttrs (attrs: {
    buildInputs = attrs.buildInputs ++ [ pkgs.strongswan ];
    configureFlags = [ "--with-charon=${pkgs.strongswan}/libexec/ipsec/charon-nm" ];
  });
};
services.dbus.packages = [ pkgs.strongswan ];
networking.networkmanager = {
enable = true;
packages = [ pkgs.networkmanager_strongswan ];
};

Yes I would be interested in making a PR, but I think I am not experienced enough to do it on my own without a big chance of something going wrong, because of that my suggestion would be that someone else might do the PR. Anyway, have great thanks for fixing this up!

[eqyiel]

I'm glad it's working for you and hope that you feel more confident contributing in the future!

[basvandijk]

What do you think about: master...LumiGuide:networkmanager-strongswan ?

[teto]

I've had my share of problems with strongswan too (#30147)
I believe it might be more user friendly (as in "works out of the box") to forcefully enable strongswan in some cases. Otherwise there is little value to the enableStrongSwan flag; it's similar to having the user adding himself.
I've started working on a strongswan PR too (as we had different problems, they don't conflict it seems :) master...teto:strongswan_modules) and my intent is to enable strongswan when l2tp is among networkmanager's plugin.

[eqyiel]

@basvandijk that looks pretty good:

master...LumiGuide:networkmanager-strongswan#diff-036410e9211b4336186fc613f7200b12R4541 is enableTNC required here too? I don't really know what that argument does.

[eqyiel]

@teto you may be right, I noticed that networkmanager_strongswan is already referred to in the networkmanager module so it would probably be better to just do this by default.

[eqyiel]

@basvandijk would you consider sending that patch upstream?

[basvandijk]

@eqyiel sure. I'll probably have time for this coming weekend.