[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T

Jacco de Leeuw jacco2 at dds.nl
Tue Sep 27 01:29:06 CEST 2005

Peter van der Beken schreef:

> Please find included a patch to Openswan 2.3.1 to make it interoperate 
> with OS X using NAT-T. As you probably know, Apple implemented a draft 
> version of the NAT-T RFC, only implemented it partially and with an 
> incorrect Vendor ID. With this patch I was able to connect to Openswan 
> 2.3.1 from behind a NAT, YMMV.

I don't have a Mac at hand currently but it looks interesting. With what
OS X version(s) did you connect? Did you use a PSK or certificates? KLIPS
or NETKEY? How did you work around the floating port issue?

> Note that I'm not advocating to integrate this into the official 
> distribution (the fact that Apple uses values that conflict with another 
> RFC makes it quite ugly IMHO).

It seems they made a mistake and now they are stuck with it. Even if they
were to release a fixed version, Mac clients won't upgrade overnight.
I guess they value compatibility with the current installed base more
than compatibility with the standard and other implementations.

(Or it could have been a cunning plan to lock customers into OS X Server.
Naaah, that can't be it, can it?)

Michael Richardson wrote:

>  Is there a bug report on ADC about this?

I think several people opened tickets.

> Of course, they are under no obligation to release their racoon source.

Actually, source code is available, e.g.:


... but it is under the APSL (incompatible with the GPL), it seems to be
a fork off KAME, no diffs, few comments, no CVS, no mailinglist, etc.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck

More information about the Dev mailing list