[Openswan Users] Apple OS X 10.4
Jacco de Leeuw
jacco2 at dds.nl
Wed Apr 27 18:26:23 CEST 2005
James wrote:
> So I thought I'd take a look at IPsec. I have been able to get it working today,
> using Openswan 1.0.7 as below:

This is with KLIPS on kernel 2.4, right?

> Apr 27 13:36:18 ipcop pluto[25735]: Starting Pluto (Openswan Version 1.0.7)
> Apr 27 13:36:18 ipcop pluto[25735]: including X.509 patch with traffic
> selectors (Version 0.9.42)
> Apr 27 13:36:18 ipcop pluto[25735]: including NAT-Traversal patch (Version
> 0.6)
>
> However, the NAT-T part does not seem to want to work. I get a message like this
> in the log when I try to connect:

You may need to upgrade to Openswan 1.0.9 because I suspect that Apple is
now using NAT-T according to RFC 3947. Or perhaps they are still using
the non-standard vendor ID string "draft-ietf-ipsec-nat-t-ike". Both
are supported in 1.0.9, if I remember correctly.

Could you post the log messages (especially the vendor ID strings) that
Tiger sends?

> Apr 27 15:14:58 ipcop pluto[25735]: "RoadWarriorX509"[10] 212.183.131.161:44599
> #21: cannot respond to IPsec SA request because no connection is known for
> 62.49.72.126:17/1701...212.183.131.161:44599[10.16.17.32]:17/%any===10.16.17.32/32
>
> conn RoadWarriorX509
> left=62.49.72.126
> leftnexthop=%defaultroute
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any

Try adding:

rightsubnet=vhost:%no,%priv

> I am using a PSK to connect.

PSKs, NAT-T and KLIPS is a rather difficult combination...

What I am curious about is whether Apple *finally* added support for
certificates in the "Internet Connect" application. Did you notice
anything different?

Jacco

Ps. I thought that Tiger's release date was the 29th? :-)

--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
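
An added example, not part of the original message and not Openswan code: it splits the "no connection is known for" line quoted above into its endpoint fields and flags the signs that the peer sits behind NAT and is proposing its private address as the tunnel's client subnet. The field layout in the regular expression and the finding names are assumptions inferred from that single log line.

```python
import ipaddress
import re

# Log line from the message above, e-mail wrapping and "> " quote marks removed.
SAMPLE = (
    'Apr 27 15:14:58 ipcop pluto[25735]: "RoadWarriorX509"[10] 212.183.131.161:44599 '
    '#21: cannot respond to IPsec SA request because no connection is known for '
    '62.49.72.126:17/1701...212.183.131.161:44599[10.16.17.32]:17/%any===10.16.17.32/32'
)

# Assumed shape, inferred from that single line:
#   ourhost:proto/port...peerhost[:port][[peer-id]]:proto/port[===peer-subnet]
PATTERN = re.compile(
    r'no connection is known for '
    r'(?P<our_host>[\d.]+):(?P<our_protoport>\S+?)\.\.\.'
    r'(?P<peer_host>[\d.]+)(?::(?P<peer_port>\d+))?'
    r'(?:\[(?P<peer_id>[^\]]+)\])?:(?P<peer_protoport>[^=\s]+)'
    r'(?:===(?P<peer_subnet>\S+))?'
)


def diagnose(line):
    """Split the endpoint description into fields and flag NAT indicators."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    peer = ipaddress.ip_address(fields['peer_host'])
    findings = []
    if fields['peer_port'] not in (None, '500'):
        findings.append('peer-port-not-500')  # source port rewritten or floated
    if fields['peer_id']:
        try:
            peer_id = ipaddress.ip_address(fields['peer_id'])
            if peer_id != peer and peer_id.is_private:
                findings.append('peer-id-is-private-address')
        except ValueError:
            pass  # ID is not an IP address (FQDN, DN, ...)
    if fields['peer_subnet']:
        net = ipaddress.ip_network(fields['peer_subnet'], strict=False)
        if net.is_private and peer not in net:
            # Peer asks to tunnel its own RFC 1918 address: the conn needs a
            # rightsubnet that accepts it (e.g. the vhost: line suggested above).
            findings.append('peer-proposes-private-subnet')
    fields['findings'] = findings
    return fields


if __name__ == '__main__':
    print(diagnose(SAMPLE))
```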