[Openswan Users] Apple OS X 10.4

Jacco de Leeuw jacco2 at dds.nl
Wed Apr 27 18:26:23 CEST 2005

James wrote:

> So I thought I'd take a look at IPsec. I have been able to get it working today,
> using Openswan 1.0.7 as below:

This is with KLIPS on kernel 2.4, right?

> Apr 27 13:36:18 ipcop pluto[25735]: Starting Pluto (Openswan Version 1.0.7)
> Apr 27 13:36:18 ipcop pluto[25735]:   including X.509 patch with traffic selectors (Version 0.9.42)
> Apr 27 13:36:18 ipcop pluto[25735]:   including NAT-Traversal patch (Version 0.6)
>
> However, the NAT-T part does not seem to want to work. I get a message like this
> in the log when I try to connect:

You may need to upgrade to Openswan 1.0.9 because I suspect that Apple is
now using NAT-T according to RFC 3947. Or perhaps they are still using
the non-standard vendor ID string "draft-ietf-ipsec-nat-t-ike". Both
are supported in 1.0.9, if I remember correctly.

Could you post the log messages (especially the vendor ID strings) that
Tiger sends?

> Apr 27 15:14:58 ipcop pluto[25735]: "RoadWarriorX509"[10] #21: cannot respond to IPsec SA request because no connection is known for

> conn RoadWarriorX509
>      left=
>      leftnexthop=%defaultroute
>      leftprotoport=17/1701
>      right=%any
>      rightprotoport=17/%any

Try adding:

> I am using a PSK to connect.

PSKs, NAT-T and KLIPS is a rather difficult combination...

What I am curious about is whether Apple *finally* added support for
certificates in the "Internet Connect" application. Did you notice
anything different?


Ps. I thought that Tiger's release date was the 29th? :-)
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
