[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T

[Peter Van der Beken]

I used PSK, I was hoping to use certificates at some point in the future 
but I don't have time to look into that right now.

Paul Wouters wrote:
> On Mon, 26 Sep 2005, Michael Richardson wrote:
>>  No, that's not the case at all.
>>  That's what vendor IDs are for --- to work around bugs in your old code.

Which is why I chose to only accept those values for that specific 
vendor ID. AFAIK it isn't used by anyone else.

> Peter's patch was backported to v2_4_X and I managed to successfully setup
> an L2TP connection on MacOSX Tiger from behind NAT.

Cool, so I wasn't halucinating ;-).

> The strange thing is the line that says:
> 
>      NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
> 
> First, we are not really using RFC 3947 but the "apple bug" version
> of it.

That's odd, I think I saw "using draft-ietf-ipsec-nat-t-ike (OS X)". Can 
you verify that it's not just the strings that are inverted by 
connecting with a RFC 3947 compliant client?

> And second, both ends are not NAT'ed, only my MacOSX was
> NAT'ed. aivd.xelerance.com, the other end, is on public IP. Is this the
> expected behaviour from the patch? After all, it does work. But I find
> the messages a bit confusing.

I noticed the same thing. When I tried to connect locally with no NAT in 
between, it also claimed to detect two NATs. The connection works, but I 
wonder why it thinks there's two NATs when there isn't any.

I'm a newbie wrt IPSEC and I need to get back to my real job, so I'm not 
going to be able to take this a lot further.

Thanks,

Peter