[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T

Paul Wouters paul at xelerance.com
Tue Sep 27 02:07:12 CEST 2005

On Tue, 27 Sep 2005, Jacco de Leeuw wrote:

> Peter van der Beken schreef:
>> Please find included a patch to Openswan 2.3.1 to make it interoperate with 
>> OS X using NAT-T. As you probably know, Apple implemented a draft version 
>> of the NAT-T RFC, only implemented it partially and with an incorrect 
>> Vendor ID. With this patch I was able to connect to Openswan 2.3.1 from 
>> behind a NAT, YMMV.
> I don't have a Mac at hand currently but it looks interesting. With what
> OS X version(s) did you connect? Did you use a PSK or certificates? KLIPS
> or NETKEY? How did you work around the floating port issue?

I don't think anyone yet knows how the magic of X.509 for IPsec in KeyChain
works. But if Peter does, please tell us. I assume PSK was used. KLIPS or
NETKEY shouldn't matter. I will test the patch on our testserver to verify
this fix works.

A quick chat with Michael about this seems like we can try and make this
work, provided the fix works, which I will test first.

>> Note that I'm not advocating to integrate this into the official 
>> distribution (the fact that Apple uses values that conflict with another 
>> RFC makes it quite ugly IMHO).
> It seems they made a mistake and now they are stuck with it. Even if they
> were to release a fixed version, Mac clients won't upgrade overnight.

They can autoupdate though :)

> I guess they value compatibility with the current installed base more
> than compatibility with the standard and other implementations.

They should value both.


More information about the Dev mailing list