[Openswan Users] Apple OS X 10.4

jamesp at hisser.org
Wed Apr 27 17:39:36 CEST 2005


Quoting Jacco de Leeuw <jacco2 at dds.nl>:

> James wrote:
>
> > So I thought I'd take a look at IPsec. I have been able to get it working
> today,
> > using Openswan 1.0.7 as below:
>
> This is with KLIPS on kernel 2.4, right?

I am not too sure whether I am using KLIPS - but it's definitely 2.4. It's on an
IPcop 1.4 based machine, with l2tp installed.

I am in the process of configuring a 26sec based machine for hopefully better
testing, with Openswan 2.2.0 or whatever the latest version is.

> You may need to upgrade to Openswan 1.0.9 because I suspect that Apple is
> now using NAT-T according to RFC 3947. Or perhaps they are still using
> the non-standard vendor ID string "draft-ietf-ipsec-nat-t-ike". Both
> are supported in 1.0.9, if I remember correctly.

Cool. What about Openswan 2.2.0, is that likely to support it as well?

> Could you post the log messages (especially the vendor ID strings) that
> Tiger sends?

Tiger sends:

Apr 27 15:26:49 ipcop pluto[26571]: packet from 212.183.131.161:37261: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Apr 27 15:26:49 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: responding to Main Mode from unknown peer 212.183.131.161:37261
Apr 27 15:26:49 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: transition from state (null) to state STATE_MAIN_R1
Apr 27 15:26:50 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: ignoring Vendor ID payload [KAME/racoon]
Apr 27 15:26:50 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: Main mode peer ID is ID_IPV4_ADDR: '10.16.17.32'
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: deleting connection "RoadWarriorX509" instance with peer 212.183.131.161
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: sent MR3, ISAKMP SA established
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #4: responding to Quick Mode
Apr 27 15:26:51 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #4: transition from state (null) to state STATE_QUICK_R1
Apr 27 15:26:52 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 27 15:26:52 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #4: IPsec SA established

However at this point the connection hangs, until I get this about a minute
later.

Apr 27 15:27:48 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: received Delete SA payload: deleting IPSEC State #4
Apr 27 15:27:48 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: received and ignored informational message
Apr 27 15:27:48 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261 #3: received Delete SA payload: deleting ISAKMP State #3
Apr 27 15:27:48 ipcop pluto[26571]: "RoadWarriorX509"[4] 212.183.131.161:37261: deleting connection "RoadWarriorX509" instance with peer 212.183.131.161
Apr 27 15:27:48 ipcop pluto[26571]: packet from 212.183.131.161:37261: received and ignored informational message

It's worth noting that the exact same configuration works fine when I connect to
the Internet using a non-NAT address. But my Vodafone 3G card provides a NAT
address.

> Try adding:
>         rightsubnet=vhost:%no,%priv

OK - did that already after my last post - and instead of the error message, I
just get the hanging connection as described above.

> > I am using a PSK to connect.
>
> PSKs, NAT-T and KLIPS is a rather difficult combination...

When I have got my head round it, I will be trying 2.6.11 with 26sec, and using a
certificate :)

> What I am curious about is whether Apple *finally* added support for
> certificates in the "Internet Connect" application. Did you notice
> anything different?

Yes - you can configure certificates in this application now.

Cheers

James
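Jacco's question above (is Tiger sending the RFC 3947 vendor ID or the older "draft-ietf-ipsec-nat-t-ike" string?) can be answered from the log line pluto already printed: the 32 hex digits in "ignoring Vendor ID payload [...]" are the raw Vendor ID payload, and every NAT-T Vendor ID is the MD5 hash of a known ASCII string (RFC 3947 section 3.2 defines its VID as MD5("RFC 3947"); the draft versions were built the same way). The script below is an added example, not part of this thread or of Openswan; it recomputes those hashes, pulls the hex IDs out of pluto log text, and names the NAT-T variant each one corresponds to. The log lines embedded in it are reconstructed from the post above (re-joined onto single lines); the candidate string list is the set of NAT-T VID strings that Openswan, strongSwan and racoon recognise.

```python
import hashlib
import re

# NAT-T Vendor ID strings as sent by IKEv1 implementations. Each one is
# hashed with MD5 and the 16-byte digest is the Vendor ID payload.
# "draft-ietf-ipsec-nat-t-ike" (no draft number) is the non-standard
# variant racoon-based clients such as Mac OS X used; the others are the
# numbered IETF drafts and the final RFC 3947 string.
NATT_VENDOR_ID_STRINGS = [
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike",
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02\n",   # some stacks hashed a trailing newline
    "draft-ietf-ipsec-nat-t-ike-03",
]


def vendor_id_hash(vid_string):
    """MD5 of the ASCII Vendor ID string, as hex, the way pluto prints it."""
    return hashlib.md5(vid_string.encode("ascii")).hexdigest()


# hex digest -> human-readable NAT-T variant, built at import time
NATT_VENDOR_IDS = {vendor_id_hash(s): s for s in NATT_VENDOR_ID_STRINGS}

# pluto logs unrecognised VIDs as 32 hex digits; known ones (e.g. [KAME/racoon])
# are logged by name and deliberately do not match this pattern.
VID_RE = re.compile(r"Vendor ID payload \[([0-9a-fA-F]{32})\]")


def extract_vendor_ids(log_text):
    """Return every raw (hex) Vendor ID pluto reported in the given log text."""
    return [m.group(1).lower() for m in VID_RE.finditer(log_text)]


def identify_vendor_id(hex_id):
    """Name the NAT-T variant for a hex Vendor ID, or None if it is not NAT-T."""
    return NATT_VENDOR_IDS.get(hex_id.lower())


def classify_log(log_text):
    """Map each raw Vendor ID found in the log to its NAT-T variant (or None)."""
    return {vid: identify_vendor_id(vid) for vid in extract_vendor_ids(log_text)}


# Constructed sample: two lines re-joined from the pluto log quoted in the post.
SAMPLE_LOG = """\
Apr 27 15:26:49 ipcop pluto[26571]: packet from 212.183.131.161:37261: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Apr 27 15:26:50 ipcop pluto[26571]: "RoadWarriorX509"[3] 212.183.131.161:37261 #3: ignoring Vendor ID payload [KAME/racoon]
"""

if __name__ == "__main__":
    for vid, name in classify_log(SAMPLE_LOG).items():
        print(vid, "->", name or "not a known NAT-T vendor ID")
```

Run against the quoted log, the script resolves 4df37928e9fc4fd1b3262170d515c662 to "draft-ietf-ipsec-nat-t-ike", i.e. the non-standard string Jacco mentioned rather than the RFC 3947 one; that is the check to repeat after an Openswan upgrade, where the same line should then appear with the name instead of the hex digits. Feeding it a full `pluto.log` rather than the two sample lines works the same way, since only the `Vendor ID payload [...]` fragment is parsed.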

