
Deployment Guide

Part III. Networking

Chapter 8. NetworkManager

NetworkManager is a dynamic network control and configuration system that attempts to keep network devices and connections up and active when they are available. NetworkManager consists of a core daemon, a GNOME Notification Area applet that provides network status information, and graphical configuration tools that can create, edit and remove connections and interfaces. NetworkManager can be used to configure the following types of connections: Ethernet, wireless, mobile broadband (such as cellular 3G), and DSL and PPPoE (Point-to-Point over Ethernet). In addition, NetworkManager allows for the configuration of network aliases, static routes, DNS information and VPN connections, as well as many connection-specific parameters. Finally, NetworkManager provides a rich API via D-Bus which allows applications to query and control network configuration and state.
Previous versions of Red Hat Enterprise Linux included the Network Administration Tool, which was commonly known as system-config-network after its command line invocation. In Red Hat Enterprise Linux 6, NetworkManager replaces the former Network Administration Tool while providing enhanced functionality, such as user-specific and mobile broadband configuration. It is also possible to configure the network in Red Hat Enterprise Linux 6 by editing interface configuration files; refer to Chapter 9, Network Interfaces for more information.
NetworkManager may be installed by default on Red Hat Enterprise Linux. To ensure that it is, first run the following command as the root user:
~]# yum install NetworkManager

8.1. The NetworkManager Daemon

The NetworkManager daemon runs with root privileges and is usually configured to start up at boot time. You can determine whether the NetworkManager daemon is running by entering this command as root:
~]# service NetworkManager status
NetworkManager (pid  1527) is running...
The service command will report NetworkManager is stopped if the NetworkManager service is not running. To start it for the current session:
~]# service NetworkManager start
Run the chkconfig command to ensure that NetworkManager starts up every time the system boots:
~]# chkconfig NetworkManager on
For more information on starting, stopping and managing services and runlevels, refer to Chapter 10, Services and Daemons.

8.2. Interacting with NetworkManager

Users do not interact with the NetworkManager system service directly. Instead, you can perform network configuration tasks via NetworkManager's Notification Area applet. The applet has multiple states that serve as visual indicators for the type of connection you are currently using. Hover the pointer over the applet icon for tooltip information on the current connection state.
A row of five icons representing NetworkManager applet states

Figure 8.1. NetworkManager applet states


If you do not see the NetworkManager applet in the GNOME panel, and assuming that the NetworkManager package is installed on your system, you can start the applet by running the following command as a normal user (not root):
~]$ nm-applet &
After running this command, the applet appears in your Notification Area. You can ensure that the applet runs each time you log in by clicking System → Preferences → Startup Applications to open the Startup Applications Preferences window. Then, select the Startup Programs tab and check the box next to NetworkManager.

8.2.1. Connecting to a Network

When you left-click on the applet icon, you are presented with:
  • a list of categorized networks you are currently connected to (such as Wired and Wireless);
  • a list of all Available Networks that NetworkManager has detected;
  • options for connecting to any configured Virtual Private Networks (VPNs); and,
  • options for connecting to hidden or new wireless networks.
If you are connected to a network, its name is presented in bold typeface under its network type, such as Wired or Wireless. When many networks are available, such as wireless access points, the More networks expandable menu entry appears.

Figure 8.2. The NetworkManager applet's left-click menu, showing all available and connected-to networks


8.2.2. Configuring New and Editing Existing Connections

Next, right-click on the NetworkManager applet to open its context menu, which is the main point of entry for interacting with NetworkManager to configure connections.

Figure 8.3. The NetworkManager applet's context menu


Ensure that the Enable Networking box is checked. If the system has detected a wireless card, then you will also see an Enable Wireless menu option. Check the Enable Wireless checkbox as well. NetworkManager notifies you of network connection status changes if you check the Enable Notifications box. Clicking the Connection Information entry presents an informative Connection Information window that lists the connection type and interface, your IP address and routing details, and so on.
Finally, clicking on Edit Connections opens the Network Connections window, from where you can perform most of your network configuration tasks. Note that this window can also be opened by running, as a normal user:
~]$ nm-connection-editor &
A screen shot of NetworkManager's Network Connections window. There is an arrow head symbol to the left of the word "Wired" which can be clicked to hide and reveal entries. There are Add, Edit and Delete buttons to the right.

Figure 8.4. Configure networks using the Network Connections window


There is an arrow head symbol to the left which can be clicked to hide and reveal entries as needed. To create a new connection, click the Add button to view the selection list, select the connection type and click the Create button. Alternatively, to edit an existing connection select the interface name from the list and click the Edit button.
Then, to configure:

8.2.3. Connecting to a Network Automatically

For any connection type you add or configure, you can choose whether you want NetworkManager to try to connect to that network automatically when it is available.

Procedure 8.1. Configuring NetworkManager to Connect to a Network Automatically When Detected

  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the arrow head if necessary to reveal the list of connections.
  3. Select the specific connection that you want to configure and click Edit.
  4. Check Connect automatically to cause NetworkManager to auto-connect to the connection whenever NetworkManager detects that it is available. Uncheck the checkbox if you do not want NetworkManager to connect automatically. If the box is unchecked, you will have to select that connection manually in the NetworkManager applet's left-click menu to cause it to connect.

8.2.4. User and System Connections

NetworkManager connections are always either user connections or system connections. Depending on the system-specific policy that the administrator has configured, users may need root privileges to create and modify system connections. NetworkManager's default policy enables users to create and modify user connections, but requires them to have root privileges to add, modify or delete system connections.
User connections are so-called because they are specific to the user who creates them. In contrast to system connections, whose configurations are stored under the /etc/sysconfig/network-scripts/ directory (mainly in ifcfg-<network_type> interface configuration files), user connection settings are stored in the GConf configuration database and the GNOME keyring, and are only available during login sessions for the user who created them. Thus, logging out of the desktop session causes user-specific connections to become unavailable.

Increase security by making VPN connections user-specific

Because NetworkManager uses the GConf and GNOME keyring applications to store user connection settings, and because these settings are specific to your desktop session, it is highly recommended to configure your personal VPN connections as user connections. If you do so, other non-root users on the system cannot view or access these connections in any way.
System connections, on the other hand, become available at boot time and can be used by other users on the system without first logging in to a desktop session.
NetworkManager can quickly and conveniently convert user to system connections and vice versa. Converting a user connection to a system connection causes NetworkManager to create the relevant interface configuration files under the /etc/sysconfig/network-scripts/ directory, and to delete the GConf settings from the user's session. Conversely, converting a system to a user-specific connection causes NetworkManager to remove the system-wide configuration files and create the corresponding GConf/GNOME keyring settings.

Figure 8.5. The Available to all users checkbox controls whether connections are user-specific or system-wide


Procedure 8.2. Changing a Connection to be User-Specific instead of System-Wide, or Vice-Versa

Root privileges may be required

Depending on the system's policy, you may need root privileges on the system in order to change whether a connection is user-specific or system-wide.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. If needed, select the arrow head (on the left hand side) to hide and reveal the types of available network connections.
  3. Select the specific connection that you want to configure and click Edit.
  4. Check the Available to all users checkbox to ask NetworkManager to make the connection a system-wide connection. Depending on system policy, you may then be prompted for the root password by the PolicyKit application. If so, enter the root password to finalize the change.
    Conversely, uncheck the Available to all users checkbox to make the connection user-specific.

8.3. Establishing Connections

8.3.1. Establishing a Wired (Ethernet) Connection

To establish a wired network connection, right-click on the NetworkManager applet to open its context menu, ensure that the Enable Networking box is checked, then click on Edit Connections. This opens the Network Connections window. Note that this window can also be opened by running, as a normal user:
~]$ nm-connection-editor &
You can click on the arrow head to reveal and hide the list of connections as needed.

Figure 8.6. The Network Connections window showing the newly created System eth0 connection


The system startup scripts create and configure a single wired connection called System eth0 by default on all systems. Although you can edit System eth0, creating a new wired connection for your custom settings is recommended. You can create a new wired connection by clicking the Add button, selecting the Wired entry from the list that appears and then clicking the Create button.

Figure 8.7. Selecting a new connection type from the "Choose a Connection Type" list


The dialog for adding and editing connections is the same

When you add a new connection by clicking the Add button, a list of connection types appears. Once you have made a selection and clicked on the Create button, NetworkManager creates a new configuration file for that connection and then opens the same dialog that is used for editing an existing connection. There is no difference between these dialogs. In effect, you are always editing a connection; the difference only lies in whether that connection previously existed or was just created by NetworkManager when you clicked Create.
A screen shot of the Network Connections "Editing System eth0" window with the "Wired" tab on the left and in the foreground.

Figure 8.8. Editing the newly created Wired connection System eth0


Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings

Three settings in the Editing dialog are common to all connection types:
  • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the Wired section of the Network Connections window.
  • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
  • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.

Configuring the Wired Tab

The final three configurable settings are located within the Wired tab itself: the first is a text-entry field where you can specify a MAC (Media Access Control) address, the second allows you to specify a cloned MAC address, and the third allows you to specify the MTU (Maximum Transmission Unit) value. Normally, you can leave the MAC address field blank and the MTU set to automatic. These defaults will suffice unless you are associating a wired connection with a second or specific NIC, or performing advanced networking. In such cases, refer to the following descriptions:
MAC Address
Network hardware such as a Network Interface Card (NIC) has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the eth0 interface (which is 52:54:00:26:9e:f1) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
A single system can have one or more NICs installed on it. The MAC address field therefore allows you to associate a specific NIC with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
The cloned MAC address field is mostly for use in situations where a network service has been restricted to a specific MAC address and you need to emulate that MAC address.
MTU
The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. This value defaults to 1500 when using IPv4, or a variable number 1280 or higher for IPv6, and does not generally need to be specified or changed.
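The MAC address and cloned MAC address fields described above can be checked from the command line. The following is an added example, not part of the Deployment Guide: it maps interfaces to the address that follows link/ether in ip addr output and compares a system connection file against that map. It assumes the ifcfg keys HWADDR (MAC address field) and MACADDR (cloned MAC address field); the ifcfg sample and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a connection's MAC settings against `ip addr` output.

# Sample input: abridged copy of the `ip addr` output shown in this chapter.
sample_ip_addr() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
EOF
}

# Constructed sample of a system connection file (ifcfg format).
# HWADDR and MACADDR are assumed to hold the MAC address and cloned MAC address.
sample_ifcfg() {
cat <<'EOF'
DEVICE=eth0
HWADDR="52:54:00:26:9E:F1"
MACADDR=00:16:3e:aa:bb:cc
ONBOOT=yes
EOF
}

# Read `ip addr` output on stdin; print "<interface> <mac>" for each
# interface that has a link/ether line (loopback has none and is skipped).
iface_macs() {
    awk '
        /^[0-9]+: /        { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        $1 == "link/ether" { print iface, tolower($2) }
    '
}

# Read ifcfg text on stdin; print the value of KEY ($1) without quotes.
ifcfg_get() {
    awk -F= -v key="$1" '
        $1 == key { v = substr($0, length(key) + 2); gsub(/"/, "", v); print v; exit }
    '
}

# audit_connection IFCFG_TEXT IP_ADDR_TEXT
# Prints one finding per line:
#   BOUND <iface>   HWADDR matches a NIC that ip addr reports
#   MISSING <mac>   HWADDR names a NIC that ip addr does not report
#   UNBOUND         no HWADDR, so the connection is not tied to one NIC
#   CLONED <mac>    MACADDR is set, so the NIC presents this address instead
audit_connection() (
    cfg=$1
    ipout=$2
    hw=$(printf '%s\n' "$cfg" | ifcfg_get HWADDR | tr 'A-F' 'a-f')
    cloned=$(printf '%s\n' "$cfg" | ifcfg_get MACADDR | tr 'A-F' 'a-f')

    if [ -z "$hw" ]; then
        echo "UNBOUND"
    else
        iface=$(printf '%s\n' "$ipout" | iface_macs |
                awk -v m="$hw" '$2 == m { print $1; exit }')
        if [ -n "$iface" ]; then
            echo "BOUND $iface"
        else
            echo "MISSING $hw"
        fi
    fi

    if [ -n "$cloned" ]; then
        echo "CLONED $cloned"
    fi
)

# Demonstration on the embedded samples.
audit_connection "$(sample_ifcfg)" "$(sample_ip_addr)"
```

On a live system, pass "$(ip addr)" and the contents of a file under /etc/sysconfig/network-scripts/ in place of the samples.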

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your wired connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

8.3.2. Establishing a Wireless Connection

This section explains how to use NetworkManager to configure a wireless (also known as Wi-Fi or 802.11a/b/g/n) connection to an Access Point.
To configure a mobile broadband (such as 3G) connection, refer to Section 8.3.3, "Establishing a Mobile Broadband Connection".

Quickly Connecting to an Available Access Point

The easiest way to connect to an available access point is to left-click on the NetworkManager applet, locate the Service Set Identifier (SSID) of the access point in the list of Available networks, and click on it. If the access point is secured, a dialog prompts you for authentication.
A screen shot of the Authentication Dialog window for wireless networks. There is a dropdown menu for selecting the type of authentication. There is a password entry field below. A new option to select between Auto, WPA and WPA2 has been added.

Figure 8.9. Authenticating to a wireless access point


NetworkManager tries to auto-detect the type of security used by the access point. If there are multiple possibilities, NetworkManager guesses the security type and presents it in the Wireless security dropdown menu. To see if there are multiple choices, click the Wireless security dropdown menu and select the type of security the access point is using. If you are unsure, try connecting to each type in turn. Finally, enter the key or passphrase in the Password field. Certain password types, such as a 40-bit WEP or 128-bit WPA key, are invalid unless they are of a requisite length. The Connect button will remain inactive until you enter a key of the length required for the selected security type. To learn more about wireless security, refer to Section 8.3.9.2, "Configuring Wireless Security".

Prevent Roaming On The Same Access Point

In the case of WPA and WPA2 (Personal and Enterprise), an option to select between Auto, WPA and WPA2 has been added. This option is intended for use with an access point that is offering both WPA and WPA2. Select one of the protocols if you would like to prevent roaming between the two protocols. Roaming between WPA and WPA2 on the same access point can cause loss of service.
If NetworkManager connects to the access point successfully, its applet icon will change into a graphical indicator of the wireless connection's signal strength.
A screen shot of the Signal Strength Applet icon indicating a wireless connection signal strength of 75% by highlighting 3 out of 4 vertical bars

Figure 8.10. Applet icon indicating a wireless connection signal strength of 75%


You can also edit the settings for one of these auto-created access point connections just as if you had added it yourself. The Wireless tab of the Network Connections window lists all of the connections you have ever tried to connect to: NetworkManager names each of them Auto <SSID>, where SSID is the Service Set identifier of the access point.

Figure 8.11. An example of access points that have previously been connected to


Connecting to a Hidden Wireless Network

All access points have a Service Set Identifier (SSID) to identify them. However, an access point may be configured not to broadcast its SSID, in which case it is hidden, and will not show up in NetworkManager's list of Available networks. You can still connect to a wireless access point that is hiding its SSID as long as you know its SSID, authentication method, and secrets.
To connect to a hidden wireless network, left-click NetworkManager's applet icon and select Connect to Hidden Wireless Network... to cause a dialog to appear. If you have connected to the hidden network before, use the Connection dropdown to select it, and click Connect. If you have not, leave the Connection dropdown as New..., enter the SSID of the hidden network, select its Wireless security method, enter the correct authentication secrets, and click Connect.
For more information on wireless security settings, refer to Section 8.3.9.2, "Configuring Wireless Security".

Editing a Connection, or Creating a Completely New One

You can edit an existing connection that you have tried or succeeded in connecting to in the past by opening the Wireless tab of the Network Connections window, selecting the connection by name (words which follow Auto refer to the SSID of an access point), and clicking Edit.
You can create a new connection by opening the Network Connections window, clicking the Add button, selecting Wireless, and clicking the Create button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button.
  3. Select the Wireless entry from the list.
  4. Click the Create button.
A screen shot of NetworkManager's Wireless Connection window. The Wireless tab is to the left and in the foreground.

Figure 8.12. Editing the newly created Wireless connection 1


Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings

Three settings in the Editing dialog are common to all connection types:
  • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the Wireless section of the Network Connections window. By default, wireless connections are named the same as the SSID of the wireless access point. You can rename the wireless connection without affecting its ability to connect, but it is recommended to retain the SSID name.
  • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
  • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.

Configuring the Wireless Tab

SSID
All access points have a Service Set identifier to identify them. However, an access point may be configured not to broadcast its SSID, in which case it is hidden, and will not show up in NetworkManager's list of Available networks. You can still connect to a wireless access point that is hiding its SSID as long as you know its SSID (and authentication secrets).
For information on connecting to a hidden wireless network, refer to Section 8.3.2, "Connecting to a Hidden Wireless Network".
Mode
Infrastructure - Set Mode to Infrastructure if you are connecting to a dedicated wireless access point or one built into a network device such as a router or a switch.
Ad-hoc - Set Mode to Ad-hoc if you are creating a peer-to-peer network for two or more mobile devices to communicate directly with each other. If you use Ad-hoc mode, referred to as Independent Basic Service Set (IBSS) in the 802.11 standard, you must ensure that the same SSID is set for all participating wireless devices, and that they are all communicating over the same channel.
BSSID
The Basic Service Set Identifier (BSSID) is the MAC address of the specific wireless access point you are connecting to when in Infrastructure mode. This field is blank by default, and you are able to connect to a wireless access point by SSID without having to specify its BSSID. If the BSSID is specified, it will force the system to associate to a specific access point only.
For ad-hoc networks, the BSSID is generated randomly by the mac80211 subsystem when the ad-hoc network is created. It is not displayed by NetworkManager.
MAC address
Like an Ethernet Network Interface Card (NIC), a wireless adapter has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the wlan0 interface (which is 00:1c:bf:02:f8:70) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
    inet6 fe80::21c:bfff:fe02:f870/64 scope link
       valid_lft forever preferred_lft forever
A single system could have one or more wireless network adapters connected to it. The MAC address field therefore allows you to associate a specific wireless adapter with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
MTU
The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. If set to a non-zero number, only packets of the specified size or smaller will be transmitted. Larger packets are broken up into multiple Ethernet frames. It is recommended to leave this setting on automatic.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing the wireless connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can successfully connect to the modified connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for details on selecting and connecting to a network.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

8.3.3. Establishing a Mobile Broadband Connection

You can use NetworkManager's mobile broadband connection abilities to connect to the following 2G and 3G services:
  • 2G - GPRS (General Packet Radio Service) or EDGE (Enhanced Data Rates for GSM Evolution)
  • 3G - UMTS (Universal Mobile Telecommunications System) or HSPA (High Speed Packet Access)
Your computer must have a mobile broadband device (modem), which the system has discovered and recognized, in order to create the connection. Such a device may be built into your computer (as is the case on many notebooks and netbooks), or may be provided separately as internal or external hardware. Examples include a PC card, a USB modem or dongle, and a mobile or cellular telephone capable of acting as a modem.

Procedure 8.3. Adding a New Mobile Broadband Connection

You can configure a mobile broadband connection by opening the Network Connections window, clicking Add, and selecting Mobile Broadband from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select Mobile Broadband and then click Create. The Set up a Mobile Broadband Connection assistant appears.
  3. Under Create a connection for this mobile broadband device, choose the 2G- or 3G-capable device you want to use with the connection. If the dropdown menu is inactive, this indicates that the system was unable to detect a device capable of mobile broadband. In this case, click Cancel, ensure that you do have a mobile broadband-capable device attached and recognized by the computer and then retry this procedure. Click the Forward button.
  4. Select the country where your service provider is located from the list and click the Forward button.
  5. Select your provider from the list or enter it manually. Click the Forward button.
  6. Select your payment plan from the dropdown menu and confirm the Access Point Name (APN) is correct. Click the Forward button.
  7. Review and confirm the settings and then click the Apply button.
  8. Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below.

Procedure 8.4. Editing an Existing Mobile Broadband Connection

Follow these steps to edit an existing mobile broadband connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.
  3. Select the Mobile Broadband tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the Mobile Broadband section of the Network Connections window.
    • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
    • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.
  5. Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your mobile broadband connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

Configuring the Mobile Broadband Tab

If you have already added a new mobile broadband connection using the assistant (refer to Procedure 8.3, "Adding a New Mobile Broadband Connection" for instructions), you can edit the Mobile Broadband tab to disable roaming if the home network is not available, assign a network ID, or instruct NetworkManager to prefer a certain technology (such as 3G or 2G) when using the connection.
Number
The number that is dialed to establish a PPP connection with the GSM-based mobile broadband network. This field may be automatically populated during the initial installation of the broadband device. You can usually leave this field blank and enter the APN instead.
Username
Enter the user name used to authenticate with the network. Some providers do not provide a user name, or accept any user name when connecting to the network.
Password
Enter the password used to authenticate with the network. Some providers do not provide a password, or accept any password.
APN
Enter the Access Point Name (APN) used to establish a connection with the GSM-based network. Entering the correct APN for a connection is important because it often determines:
  • how the user is billed for their network usage; and/or
  • whether the user has access to the Internet, an intranet, or a subnetwork.
Network ID
Entering a Network ID causes NetworkManager to force the device to register only to a specific network. This can be used to ensure the connection does not roam when it is not possible to control roaming directly.
Type
Any - The default value of Any leaves the modem to select the fastest network.
3G (UMTS/HSPA) - Force the connection to use only 3G network technologies.
2G (GPRS/EDGE) - Force the connection to use only 2G network technologies.
Prefer 3G (UMTS/HSPA) - First attempt to connect using a 3G technology such as HSPA or UMTS, and fall back to GPRS or EDGE only upon failure.
Prefer 2G (GPRS/EDGE) - First attempt to connect using a 2G technology such as GPRS or EDGE, and fall back to HSPA or UMTS only upon failure.
Allow roaming if home network is not available
Uncheck this box if you want NetworkManager to terminate the connection rather than transition from the home network to a roaming one, thereby avoiding possible roaming charges. If the box is checked, NetworkManager will attempt to maintain a good connection by transitioning from the home network to a roaming one, and vice versa.
PIN
If your device's SIM (Subscriber Identity Module) is locked with a PIN (Personal Identification Number), enter the PIN so that NetworkManager can unlock the device. NetworkManager must unlock the SIM if a PIN is required in order to use the device for any purpose.

8.3.4. Establishing a VPN Connection

Establishing an encrypted Virtual Private Network (VPN) enables you to communicate securely between your Local Area Network (LAN), and another, remote LAN. After successfully establishing a VPN connection, a VPN router or gateway performs the following actions upon the packets you transmit:
  1. it adds an Authentication Header for routing and authentication purposes;
  2. it encrypts the packet data; and,
  3. it encloses the data with an Encapsulating Security Payload (ESP), which constitutes the decryption and handling instructions.
The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is therefore transparent to clients.
Because they employ several layers of authentication and encryption, VPNs are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.

Procedure 8.5. Adding a New VPN Connection

  1. You can configure a new VPN connection by opening the Network Connections window, clicking the Add button and selecting a type of VPN from the VPN section of the new connection list.
  2. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  3. Click the Add button.
  4. The Choose a Connection Type list appears.
  5. A VPN plug-in is required

    The appropriate NetworkManager VPN plug-in for the VPN type you want to configure must be installed (refer to Section 6.2.4, "Installing Packages" for more information on how to install new packages in Red Hat Enterprise Linux 6). The VPN section in the Choose a Connection Type list will not appear if you do not have a suitable plug-in installed.
  6. Select the VPN protocol for the gateway you are connecting to from the Choose a Connection Type list. The VPN protocols available for selection in the list correspond to the NetworkManager VPN plug-ins installed. For example, if the NetworkManager VPN plug-in for openswan is installed, then the IPsec based VPN will be selectable from the Choose a Connection Type list.
    After selecting the correct one, press the Create button.
  7. The Editing VPN Connection 1 window then appears. This window presents settings customized for the type of VPN connection you selected in Step 6.

Procedure 8.6. Editing an Existing VPN Connection

You can configure an existing VPN connection by opening the Network Connections window and selecting the name of the connection from the list. Then click the Edit button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.
Figure 8.13. Editing the newly created IPsec VPN connection 1 (a screenshot of the Editing VPN connection 1 window for an IPsec VPN, with the VPN tab on the left and in the foreground)


Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings

Three settings in the Editing dialog are common to all connection types:
  • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the VPN section of the Network Connections window.
  • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
  • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.

Configuring the VPN Tab

Gateway
The name or IP address of the remote VPN gateway.
Group name
The name of a VPN group configured on the remote gateway.
User password
If required, enter the password used to authenticate with the VPN.
Group password
If required, enter the password used to authenticate with the VPN.
User name
If required, enter the user name used to authenticate with the VPN.
Phase1 Algorithms
If required, enter the algorithms to be used to authenticate and set up an encrypted channel.
Phase2 Algorithms
If required, enter the algorithms to be used for the IPsec negotiations.
Domain
If required, enter the Domain Name.
NAT traversal
Cisco UDP (default) - IPsec over UDP.
NAT-T - ESP encapsulation and IKE extensions are used to handle NAT Traversal.
Disabled - No special NAT measures required.
Disable Dead Peer Detection - Disable the sending of probes to the remote gateway or endpoint.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your new VPN connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

8.3.5. Establishing a DSL Connection

This section is intended for those installations which have a DSL card fitted within a host rather than the external combined DSL modem router combinations typical of private consumer or SOHO installations.

Procedure 8.7. Adding a New DSL Connection

You can configure a new DSL connection by opening the Network Connections window, clicking the Add button and selecting DSL from the Hardware section of the new connection list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button.
  3. The Choose a Connection Type list appears.
  4. Select DSL and press the Create button.
  5. The Editing DSL Connection 1 window appears.

Procedure 8.8. Editing an Existing DSL Connection

You can configure an existing DSL connection by opening the Network Connections window and selecting the name of the connection from the list. Then click the Edit button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.

Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings

Three settings in the Editing dialog are common to all connection types:
  • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the DSL section of the Network Connections window.
  • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
  • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.

Configuring the DSL Tab

Username
Enter the user name used to authenticate with the service provider.
Service
Leave blank unless otherwise directed.
Password
Enter the password supplied by the service provider.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your DSL connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

8.3.6. Establishing a Bond Connection

You can use NetworkManager to create a Bond from two or more Wired or Infiniband connections. It is not necessary to create the connections to be bonded first. They can be configured as part of the process to configure the bond. You must have the MAC addresses of the interfaces available in order to complete the configuration process.

Procedure 8.9. Adding a New Bond Connection

You can configure a Bond connection by opening the Network Connections window, clicking Add, and selecting Bond from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select Bond and then click Create. The Editing Bond Connection 1 window appears.
  3. On the Bond tab, click Add and select the type of interface you want to use with the bond connection. Click the Create button. Note that the dialog to select the slave type only comes up when you create the first slave; after that, it will automatically use that same type for all further slaves.
  4. The Editing bond1 slave1 window appears. Fill in the MAC address of the first interface to be bonded. Click the Apply button.
  5. The Authenticate window appears. Enter the root password to continue. Click the Authenticate button.
  6. The name of the bonded slave appears in the Bonded Connections window. Click the Add button to add further slave connections.
  7. Review and confirm the settings and then click the Apply button.
  8. Edit the bond-specific settings by referring to Section 8.3.6, "Configuring the Bond Tab" below.
Figure 8.14. Editing the newly created Bond connection 1 (a screenshot of NetworkManager's Bond Connection window, with the Bond tab on the left and in the foreground)


Procedure 8.10. Editing an Existing Bond Connection

Follow these steps to edit an existing bond connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.
  3. Select the Bond tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the Bond section of the Network Connections window.
    • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
    • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.
  5. Edit the bond-specific settings by referring to Section 8.3.6, "Configuring the Bond Tab" below.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your bond connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

Configuring the Bond Tab

If you have already added a new bond connection (refer to Procedure 8.9, "Adding a New Bond Connection" for instructions), you can edit the Bond tab to set the load sharing mode and the type of link monitoring to use to detect failures of a slave connection.
Mode
The mode that is used to share traffic over the slave connections which make up the bond. The default is Round-robin. Other load sharing modes, such as 802.3ad, may be selected by means of the drop down list.
Link Monitoring
The method of monitoring the slaves' ability to carry network traffic.
The following modes of load sharing are selectable from the Mode drop down list:
Round-robin
Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
Active backup
Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails. Note that this is the only mode available for bonds of InfiniBand devices.
XOR
Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method, the interface matches up the incoming request's MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
Broadcast
Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
802.3ad
Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a switch that is 802.3ad compliant.
Adaptive transmit load balancing
Sets an adaptive Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
Active Load Balancing
Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPv4 traffic. Receive load balancing is achieved through ARP negotiation.
The following types of link monitoring can be selected from the Link Monitoring drop down list. It is a good idea to test which channel bonding module parameters work best for your bonded interfaces.
MII (Media Independent Interface)
The state of the carrier wave of the interface is monitored. This can be done by querying the driver, by querying MII registers directly, or by using Ethtool to query the device. Three options are available:
Monitoring Frequency
The time interval, in milliseconds, between querying the driver or MII registers.
Link up delay
The time in milliseconds to wait before attempting to use a link that has been reported as up. This delay can be used if some gratuitous ARP requests are lost in the period immediately following the link being reported as "up". This can happen during switch initialization, for example.
Link down delay
The time in milliseconds to wait before changing to another link when a previously active link has been reported as "down". This delay can be used if an attached switch takes a relatively long time to change to backup mode.
ARP
The Address Resolution Protocol (ARP) is used to probe one or more peers to determine how well the link layer connections are working. It is dependent on the device driver providing the transmit start time and the last receive time. Two options are available:
Monitoring Frequency
The time interval, in milliseconds, between sending ARP requests.
ARP targets
A comma separated list of IP addresses to send ARP requests to.
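The Mode and Link Monitoring fields described above correspond to options of the kernel bonding driver. The following added example (not part of the original guide) checks a BONDING_OPTS-style option string for combinations the driver rejects or silently adjusts; the function names and sample strings are constructed for illustration, and the rules come from the bonding driver's documentation rather than from anything NetworkManager enforces.

```python
import ipaddress

# "Mode" labels from this section mapped to the bonding driver's mode names.
# The position in this mapping is also the driver's numeric mode (0 to 6).
GUI_MODE_TO_DRIVER = {
    "Round-robin": "balance-rr",
    "Active backup": "active-backup",
    "XOR": "balance-xor",
    "Broadcast": "broadcast",
    "802.3ad": "802.3ad",
    "Adaptive transmit load balancing": "balance-tlb",
    "Active Load Balancing": "balance-alb",
}
DRIVER_MODES = list(GUI_MODE_TO_DRIVER.values())
# Modes that depend on MII monitoring and cannot use ARP monitoring.
MII_ONLY_MODES = {"802.3ad", "balance-tlb", "balance-alb"}
MAX_ARP_TARGETS = 16


def parse_bonding_opts(opts_string):
    """Split "mode=... miimon=..." into a dict of option name to value."""
    parsed = {}
    for token in opts_string.split():
        key, sep, value = token.partition("=")
        if not sep or not value:
            raise ValueError("malformed option: %r" % token)
        parsed[key] = value
    return parsed


def _millis(opts, key, problems):
    """Return opts[key] as an int (0 when absent), recording bad values."""
    raw = opts.get(key, "0")
    if not raw.isdigit():
        problems.append("%s=%s is not a non-negative integer" % (key, raw))
        return 0
    return int(raw)


def check_bonding_opts(opts_string, infiniband=False):
    """Return a list of problems found in a bonding option string."""
    opts = parse_bonding_opts(opts_string)
    problems = []

    mode = opts.get("mode", "balance-rr")  # round-robin is the default
    if mode.isdigit() and int(mode) < len(DRIVER_MODES):
        mode = DRIVER_MODES[int(mode)]
    if mode not in DRIVER_MODES:
        problems.append("unknown mode %r" % mode)
    elif infiniband and mode != "active-backup":
        problems.append("InfiniBand bonds support only active-backup, not %s" % mode)

    miimon = _millis(opts, "miimon", problems)
    arp_interval = _millis(opts, "arp_interval", problems)
    if miimon and arp_interval:
        problems.append("miimon and arp_interval are both set: use one link monitor")
    elif not miimon and not arp_interval:
        problems.append("no link monitoring: a failed slave will not be detected")
    if arp_interval and mode in MII_ONLY_MODES:
        problems.append("ARP monitoring cannot be used with mode %s" % mode)

    for key in ("updelay", "downdelay"):
        delay = _millis(opts, key, problems)
        if delay and not miimon:
            problems.append("%s has no effect without miimon" % key)
        elif delay and delay % miimon:
            problems.append("%s=%d is not a multiple of miimon=%d and is rounded down"
                            % (key, delay, miimon))

    targets = [t for t in opts.get("arp_ip_target", "").split(",") if t]
    if arp_interval and not targets:
        problems.append("arp_interval is set but arp_ip_target is empty")
    if len(targets) > MAX_ARP_TARGETS:
        problems.append("more than %d ARP targets" % MAX_ARP_TARGETS)
    for target in targets:
        try:
            ipaddress.IPv4Address(target)
        except ValueError:
            problems.append("arp_ip_target %r is not an IPv4 address" % target)
    return problems


if __name__ == "__main__":
    # Constructed sample option strings.
    for sample in ("mode=active-backup miimon=100 updelay=200 downdelay=200",
                   "mode=802.3ad arp_interval=1000 arp_ip_target=192.0.2.1",
                   "mode=1 miimon=100 updelay=250"):
        print(sample, "->", check_bonding_opts(sample) or "ok")
```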

8.3.7. Establishing a VLAN Connection

You can use NetworkManager to create a VLAN using an existing interface. At the time of writing, you can only make VLANs on Ethernet devices.

Procedure 8.11. Adding a New VLAN Connection

You can configure a VLAN connection by opening the Network Connections window, clicking Add, and selecting VLAN from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select VLAN and then click Create. The Editing VLAN Connection 1 window appears.
  3. On the VLAN tab, select the parent interface you want to use for the VLAN connection from the drop down list.
  4. Enter the VLAN ID.
  5. Enter a VLAN interface name. This is the name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2". (Normally this is either the parent interface name plus "." and the VLAN ID, or "vlan" plus the VLAN ID.)
  6. Review and confirm the settings and then click the Apply button.
  7. Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below.

Procedure 8.12. Editing an Existing VLAN Connection

Follow these steps to edit an existing VLAN connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.
  3. Select the VLAN tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the VLAN section of the Network Connections window.
    • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
    • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.
  5. Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your VLAN connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

Configuring the VLAN Tab

If you have already added a new VLAN connection (refer to Procedure 8.11, "Adding a New VLAN Connection" for instructions), you can edit the VLAN tab to set the parent interface and the VLAN ID.
Parent Interface
A previously configured interface can be selected in the drop down list.
VLAN ID
The identification number to be used to tag the VLAN network traffic.
VLAN interface name
The name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2".
Cloned MAC address
Optionally sets an alternate MAC address to use for identifying the VLAN interface. This can be used to change the source MAC address for packets sent on this VLAN.
MTU
Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the VLAN connection.

8.3.8. Establishing an IP-over-InfiniBand (IPoIB) Connection

You can use NetworkManager to create an InfiniBand connection.

Procedure 8.13. Adding a New InfiniBand Connection

You can configure an InfiniBand connection by opening the Network Connections window, clicking Add, and selecting InfiniBand from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select InfiniBand and then click Create. The Editing InfiniBand Connection 1 window appears.
  3. On the InfiniBand tab, select the transport mode you want to use for the InfiniBand connection from the drop down list.
  4. Enter the InfiniBand MAC address.
  5. Review and confirm the settings and then click the Apply button.
  6. Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below.

Figure 8.15. Editing the newly created InfiniBand connection 1 (a screenshot of NetworkManager's InfiniBand Connection window, with the InfiniBand tab on the left and in the foreground)


Procedure 8.14. Editing an Existing InfiniBand Connection

Follow these steps to edit an existing InfiniBand connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you wish to edit and click the Edit button.
  3. Select the InfiniBand tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name - Enter a descriptive name for your network connection. This name will be used to list this connection in the InfiniBand section of the Network Connections window.
    • Connect automatically - Check this box if you want NetworkManager to auto-connect to this connection when it is available. Refer to Section 8.2.3, "Connecting to a Network Automatically" for more information.
    • Available to all users - Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. Refer to Section 8.2.4, "User and System Connections" for details.
  5. Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below.

Saving Your New (or Modified) Connection and Making Further Configurations

Once you have finished editing your InfiniBand connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 8.2.1, "Connecting to a Network" for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

Configuring the InfiniBand Tab

If you have already added a new InfiniBand connection (refer to Procedure 8.13, "Adding a New InfiniBand Connection" for instructions), you can edit the InfiniBand tab to set the parent interface and the InfiniBand ID.
Transport mode
Datagram or Connected mode can be selected from the drop down list. Select the same mode the rest of your IPoIB network is using.
Device MAC address
The MAC address of the InfiniBand capable device to be used for the InfiniBand network traffic. This hardware address field will be pre-filled if you have InfiniBand hardware installed.
MTU
Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the InfiniBand connection.

8.3.9. Configuring Connection Settings

8.3.9.1. Configuring 802.1x Security

802.1x security is the name of the IEEE standard for port-based Network Access Control (PNAC). Simply put, 802.1x security is a way of defining a logical network out of a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1x authentication method.
802.1x security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry. In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1x security is used to ensure a logically-secure network through port-based authentication.
802.1x provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how WLAN security is achieved on the network.
You can configure 802.1x security for a wired or wireless connection type by opening the Network Connections window (refer to Section 8.2.2, "Configuring New and Editing Existing Connections") and following the applicable procedure:

Procedure 8.15. For a wired connection...

  1. Either click Add, select a new network connection for which you want to configure 802.1x security and then click Create, or select an existing connection and click Edit.
  2. Then select the 802.1x Security tab and check the Use 802.1x security for this connection checkbox to enable settings configuration.

Procedure 8.16. For a wireless connection...

  1. Either click on Add, select a new network connection for which you want to configure 802.1x security and then click Create, or select an existing connection and click Edit.
  2. Select the Wireless Security tab.
  3. Then click the Security dropdown and choose one of the following security methods: LEAP, Dynamic WEP (802.1x), or WPA & WPA2 Enterprise.
  4. Refer to Section 8.3.9.1.1, "Configuring TLS (Transport Layer Security) Settings" for descriptions of which EAP types correspond to your selection in the Security dropdown.
8.3.9.1.1. Configuring TLS (Transport Layer Security) Settings
With Transport Layer Security, the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It, in turn, uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.
Identity
Identity string for EAP authentication methods, such as a user name or login name.
User certificate
Click to browse for, and select, a user's certificate.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Private key
Click to browse for, and select, a user's private key file.
Private key password
Enter the user password corresponding to the user's private key.
8.3.9.1.2. Configuring Tunneled TLS Settings
Anonymous identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Inner authentication
PAP - Password Authentication Protocol.
MSCHAP - Microsoft Challenge Handshake Authentication Protocol.
MSCHAPv2 - Microsoft Challenge Handshake Authentication Protocol version 2.
CHAP - Challenge Handshake Authentication Protocol.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.
8.3.9.1.3. Configuring Protected EAP (PEAP) Settings
Anonymous Identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
PEAP version
The version of Protected EAP to use: Automatic, 0 or 1.
Inner authentication
MSCHAPv2 - Microsoft Challenge Handshake Authentication Protocol version 2.
MD5 - Message Digest 5, a cryptographic hash function.
GTC - Generic Token Card.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

8.3.9.2. Configuring Wireless Security

Security
None - Do not encrypt the Wi-Fi connection.
WEP 40/128-bit Key - Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
WEP 128-bit Passphrase - An MD5 hash of the passphrase will be used to derive a WEP key.
LEAP - Lightweight Extensible Authentication Protocol, from Cisco Systems.
Dynamic WEP (802.1x) - WEP keys are changed dynamically.
WPA & WPA2 Personal - Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
WPA & WPA2 Enterprise - WPA for use with a RADIUS authentication server to provide IEEE 802.1x network access control.
Password
Enter the password to be used in the authentication process.
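The 802.1x and Wireless Security fields described above are stored as properties of the connection profile, so a saved profile can be reviewed for weak choices. The following added example (not part of the original guide) audits profiles written in NetworkManager's keyfile syntax, which is an assumption about how the profile is exported; the sample profiles, certificate paths and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile syntax.
PEAP_NO_CA = """
[connection]
id=corp-wifi
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
"""

TLS_OK = """
[connection]
id=corp-wired
type=802-3-ethernet

[802-1x]
eap=tls;
identity=alice
ca-cert=/etc/pki/example/ca.pem
client-cert=/etc/pki/example/alice.pem
private-key=/etc/pki/example/alice.key
"""

WEP = """
[connection]
id=legacy
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=none
"""

WIFI_SEC = "802-11-wireless-security"
# Stored key-mgmt value -> the Security dropdown entries it represents.
WEAK_KEY_MGMT = {
    "none": "static WEP key (WEP 40/128-bit Key or WEP 128-bit Passphrase)",
    "ieee8021x": "LEAP or Dynamic WEP (802.1x)",
}
CERT_EAP = {"tls", "ttls", "peap"}   # methods where the server presents a certificate
TUNNELED_EAP = {"ttls", "peap"}      # methods with an outer, unencrypted identity


def _items(value):
    """Keyfile lists are ';'-separated, usually with a trailing ';'."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def audit_profile(keyfile_text):
    """Return a list of findings for one connection profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.read_string(keyfile_text)
    findings = []

    if cp.get("connection", "type", fallback="") in ("802-11-wireless", "wifi"):
        if not cp.has_section(WIFI_SEC):
            findings.append("wireless: Security is None, the link is not encrypted")
        else:
            key_mgmt = cp.get(WIFI_SEC, "key-mgmt", fallback="").lower()
            if key_mgmt in WEAK_KEY_MGMT:
                findings.append("wireless: " + WEAK_KEY_MGMT[key_mgmt])

    if cp.has_section("802-1x"):
        def get(key):
            return cp.get("802-1x", key, fallback="").strip()

        eap = set(_items(get("eap")))
        validated = bool(get("ca-cert")) or get("system-ca-certs").lower() == "true"
        if eap & CERT_EAP and not validated:
            findings.append("802.1x: no CA certificate, so the authentication "
                            "server's certificate cannot be verified")
        if eap & TUNNELED_EAP and not get("anonymous-identity"):
            findings.append("802.1x: no anonymous identity, so the user name is "
                            "sent as the unencrypted identity")
        if "tls" in eap and not (get("client-cert") and get("private-key")):
            findings.append("802.1x: EAP-TLS needs a user certificate and private key")
    return findings


if __name__ == "__main__":
    for name, text in (("PEAP_NO_CA", PEAP_NO_CA), ("TLS_OK", TLS_OK), ("WEP", WEP)):
        print(name, "->", audit_profile(text) or "ok")
```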

Prevent Roaming On The Same Access Point

In the case of WPA and WPA2 (Personal and Enterprise), an option to select between Auto, WPA and WPA2 has been added. This option is intended for use with an access point that is offering both WPA and WPA2. Select one of the protocols if you would like to prevent roaming between the two protocols. Roaming between WPA and WPA2 on the same access point can cause loss of service.

Figure 8.16. Editing the Wireless Security tab and selecting the WPA protocol
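The following is an added example, not part of the Deployment Guide: it audits saved Wi-Fi profiles for the choices described in the PEAP and Wireless Security sections above (no encryption, WEP, LEAP, a missing CA certificate, a missing anonymous identity, WPA protocol not pinned to WPA2). It assumes profiles stored in NetworkManager's keyfile format, where these GUI fields correspond to the key-mgmt, auth-alg, proto, eap, ca-cert and anonymous-identity properties; the sample profiles, the certificate path and the finding names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in keyfile syntax (values are made up).
SAMPLES = {
    "open-cafe": "[wifi]\nssid=cafe\n",
    "legacy-wep": "[802-11-wireless-security]\nkey-mgmt=none\n",
    "leap": "[wifi-security]\nkey-mgmt=ieee8021x\nauth-alg=leap\n",
    "peap-no-ca": ("[wifi-security]\nkey-mgmt=wpa-eap\n"
                   "[802-1x]\neap=peap;\nphase2-auth=mschapv2\nidentity=alice\n"),
    "peap-ok": ("[wifi-security]\nkey-mgmt=wpa-eap\nproto=rsn;\n"
                "[802-1x]\neap=peap;\nca-cert=/etc/pki/tls/certs/example-ca.pem\n"
                "anonymous-identity=anonymous\nphase2-auth=mschapv2\n"
                "identity=alice\n"),
}

def _section(cp, *names):
    """Return the first section present; old and new section names both occur."""
    return next((cp[n] for n in names if cp.has_section(n)), None)

def _items(value):
    """Split a keyfile list value such as 'peap;' into ['peap']."""
    return [v for v in (value or "").split(";") if v]

def audit(text):
    """Return sorted findings for one Wi-Fi connection profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = _section(cp, "wifi-security", "802-11-wireless-security")
    if sec is None:
        return ["no-encryption"]          # Security: None
    findings = []
    key_mgmt = sec.get("key-mgmt", "")
    if key_mgmt == "none":
        findings.append("static-wep")     # WEP key or WEP passphrase
    elif key_mgmt == "ieee8021x":
        findings.append("leap" if sec.get("auth-alg") == "leap" else "dynamic-wep")
    elif _items(sec.get("proto")) != ["rsn"]:
        findings.append("wpa1-allowed")   # WPA protocol left on Auto or WPA
    dot1x = _section(cp, "802-1x")
    if dot1x is not None and {"peap", "ttls"} & set(_items(dot1x.get("eap"))):
        if not dot1x.get("ca-cert"):
            findings.append("server-cert-not-validated")
        if not dot1x.get("anonymous-identity"):
            findings.append("real-identity-in-outer-eap")
    return sorted(findings)
```

Without a CA certificate the client cannot verify which server it is sending the inner-authentication credentials to, and without an anonymous identity the real user name is what travels as the unencrypted identity.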


8.3.9.3. Configuring PPP (Point-to-Point) Settings

Configure Methods
Use point-to-point encryption (MPPE)
Microsoft Point-To-Point Encryption protocol (RFC 3078).
Allow BSD data compression
PPP BSD Compression Protocol (RFC 1977).
Allow Deflate data compression
PPP Deflate Protocol (RFC 1979).
Use TCP header compression
Compressing TCP/IP Headers for Low-Speed Serial Links (RFC 1144).
Send PPP echo packets
LCP Echo-Request and Echo-Reply Codes for loopback tests (RFC 1661).

8.3.9.4. Configuring IPv4 Settings


Figure 8.17. Editing the IPv4 Settings Tab


The IPv4 Settings tab allows you to configure the method by which you connect to the Internet and enter IP address, route, and DNS information as required. The IPv4 Settings tab is available when you create and modify one of the following connection types: wired, wireless, mobile broadband, VPN or DSL.
If you are using DHCP to obtain a dynamic IP address from a DHCP server, you can simply set Method to Automatic (DHCP).
Setting the Method

Available IPv4 Methods by Connection Type

When you click the Method dropdown menu, depending on the type of connection you are configuring, you are able to select one of the following IPv4 connection methods. All of the methods are listed here according to which connection type or types they are associated with.
Method
Automatic (DHCP) - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses. You do not need to fill in the DHCP client ID field.
Automatic (DHCP) addresses only - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Link-Local Only - Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be selected as per RFC 3927.
Shared to other computers - Choose this option if the interface you are configuring is for sharing an Internet or WAN connection.
Wired, Wireless and DSL Connection Methods
Manual - Choose this option if the network you are connecting to does not have a DHCP server and you want to assign IP addresses manually.
Mobile Broadband Connection Methods
Automatic (PPP) - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (PPP) addresses only - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
VPN Connection Methods
Automatic (VPN) - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (VPN) addresses only - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
DSL Connection Methods
Automatic (PPPoE) - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (PPPoE) addresses only - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
For information on configuring static routes for the network connection, go to Section 8.3.9.6, "Configuring Routes".

8.3.9.5. Configuring IPv6 Settings

Method
Ignore - Choose this option if you want to disable IPv6 settings.
Automatic - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic, addresses only - Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Manual - Choose this option if the network you are connecting to does not have a DHCP server and you want to assign IP addresses manually.
Link-Local Only - Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be selected as per RFC 4862.
Shared to other computers - Choose this option if the interface you are configuring is for sharing an Internet or WAN connection.
Addresses
DNS servers - Enter a comma-separated list of DNS servers.
Search domains - Enter a comma-separated list of domain controllers.
For information on configuring static routes for the network connection, go to Section 8.3.9.6, "Configuring Routes".

8.3.9.6. Configuring Routes

A host's routing table will be automatically populated with routes to directly connected networks. The routes are learned by observing the network interfaces when they are "up". This section is for entering static routes to networks or hosts which can be reached by traversing an intermediate network or connection, such as a VPN or leased line.

Figure 8.18. Configuring static network routes


Addresses
Address - The IP address of a network, sub-net or host.
Netmask - The netmask or prefix length of the IP address just entered.
Gateway - The IP address of the gateway leading to the network, sub-net or host.
Metric - A network cost, that is to say a preference value to give to this route. Lower values will be preferred over higher values.
Ignore automatically obtained routes
Select this check box to only use manually entered routes for this connection.
Use this connection only for resources on its network
Select this check box to prevent the connection from becoming the default route. Typical examples are where a connection is a VPN or a leased line to a head office and you do not want any Internet-bound traffic to pass over the connection. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.
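The following is an added example, not part of the Deployment Guide: a small model of how the Address, Netmask, Gateway and Metric fields and the "Use this connection only for resources on its network" check box decide which connection carries a given destination. All addresses and connection names are constructed, and the model assumes that an active VPN's default route is preferred (lower metric) when the check box is left clear.

```python
import ipaddress

def build_table(connections):
    """Flatten connection settings into (network, gateway, metric, name) rows."""
    table = []
    for c in connections:
        # Directly connected network, learned when the interface is up.
        table.append((ipaddress.ip_network(c["subnet"]), None, 0, c["name"]))
        # Static routes: Address, Netmask (or prefix length), Gateway, Metric.
        for addr, mask, gw, metric in c.get("routes", []):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            table.append((net, gw, metric, c["name"]))
        # "Use this connection only for resources on its network" selected
        # means the connection contributes no default route.
        if not c["never_default"]:
            table.append((ipaddress.ip_network("0.0.0.0/0"),
                          c["gateway"], c["default_metric"], c["name"]))
    return table

def egress(table, dst):
    """Connection that carries dst: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    matches = [row for row in table if ip in row[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[3]

# Constructed sample: an office LAN plus a VPN to head office (values made up).
LAN = {"name": "eth0", "subnet": "192.168.1.0/24", "gateway": "192.168.1.1",
       "default_metric": 1, "never_default": False}

def vpn(never_default):
    return {"name": "vpn0", "subnet": "10.8.0.0/24", "gateway": "10.8.0.1",
            "default_metric": 0,  # assumption: an active VPN's default route wins
            "never_default": never_default,
            "routes": [("10.20.0.0", "255.255.0.0", "10.8.0.1", 0)]}

SPLIT = build_table([LAN, vpn(never_default=True)])   # check box selected
FULL = build_table([LAN, vpn(never_default=False)])   # check box clear

if __name__ == "__main__":
    for dst in ("10.20.5.9", "192.168.1.50", "203.0.113.7"):
        print(dst, "split:", egress(SPLIT, dst), "full:", egress(FULL, dst))
```

With the check box selected, only the head-office prefix uses vpn0 and Internet-bound traffic leaves through eth0; with it clear, Internet-bound traffic also goes over the VPN.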

8.4. NetworkManager Architecture
