[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T
Paul Wouters
paul at xelerance.com
Tue Sep 27 02:07:12 CEST 2005
On Tue, 27 Sep 2005, Jacco de Leeuw wrote:
> Peter van der Beken wrote:
>
>> Please find included a patch to Openswan 2.3.1 to make it interoperate with
>> OS X using NAT-T. As you probably know, Apple implemented a draft version
>> of the NAT-T RFC, only implemented it partially and with an incorrect
>> Vendor ID. With this patch I was able to connect to Openswan 2.3.1 from
>> behind a NAT, YMMV.
>
> I don't have a Mac at hand currently but it looks interesting. With what
> OS X version(s) did you connect? Did you use a PSK or certificates? KLIPS
> or NETKEY? How did you work around the floating port issue?
I don't think anyone yet knows how the magic of X.509 for IPsec in KeyChain
works. But if Peter does, please tell us. I assume PSK was used. KLIPS or
NETKEY shouldn't matter. I will test the patch on our test server to verify
this fix works.
A quick chat with Michael about this suggests we can try and make this
work, provided the fix works, which I will test first.
>> Note that I'm not advocating to integrate this into the official
>> distribution (the fact that Apple uses values that conflict with another
>> RFC makes it quite ugly IMHO).
>
> It seems they made a mistake and now they are stuck with it. Even if they
> were to release a fixed version, Mac clients won't upgrade overnight.
They can autoupdate though :)
> I guess they value compatibility with the current installed base more
> than compatibility with the standard and other implementations.
They should value both.
Paul