[Openswan Users] MacOSX 10.4.2: same problems with NAT-T and X.509

Paul Wouters paul at xelerance.com
Wed Jul 13 18:11:50 CEST 2005

On Wed, 13 Jul 2005, Jacco de Leeuw wrote:

>> Just for those who are curious about the latest MacOSX Tiger update, 10.4.2
>> that just got released. I played with it for a few hours, again without
>> any progress.
>> - NAT-Traversal is still broken. We still have not managed to interop with
>>    their broken implementation of RFC3847/3948 or any of the nat_traversal
>>    drafts.
> Could you determine what exactly goes wrong?

Michael and I tried last night. Instead of using any of the NAT-T drafts or
final RFC, Apple is only sending one VID "draft-ietf-ipsec-nat-t-ike". As far
as we know, no draft or RFC uses that string. We tried to work around this by
forcing this VID to mean we had just received a real NAT-T VID, but regardless
of the draft method used, the Apple refused to actually do NAT-T despite the

> Presumably Apple released the
> source code for their modified racoon, right? Would it be an option to get
> into some kind of dialogue with the Apple engineers? I wouldn't dare to
> speculate why they did this...

Are they using racoon? I thought they used "vpnd"? I'd love to talk to Apple,
but I do not desire to buy a Development Support Contract with them to
investigate their own bugs.

> I have access to a Mac running 10.3.9 but it only supports PSKs. NAT-T did not
> seem to be negotiated when I tried it. Can you confirm this on 10.4.2? NAT-T
> with a PSK isn't particularly useful, but it's all the Panther users got...

Yes, I can confirm this.

>> - I still haven't been able to properly import and use X.509 certificates
>>    for use with L2TP/IPsec VPNs. If anyone knows what magic the certificate
>>    or KeyChainAccess.app needs, please contact me.
> Now this is really strange. This is supposed to work for Tiger clients
> connecting to Tiger server, right? I too looked around on Mac support forums
> but there is little mention of people actually using L2TP/IPsec.

Yes, I wonder if anyone has ever gotten this to work. I doubt it.
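To illustrate the VID mismatch discussed above, here is a small added example (not openswan's code and not from this thread) that walks a chain of IKEv1 Vendor ID payloads and checks each against the NAT-T vendor IDs, which by convention are the MD5 digest of the draft or RFC name. The list of draft versions is deliberately partial, the sample payloads are constructed here, and the Apple string is taken from the post.

```python
import hashlib
import struct

# Known NAT-T vendor ID strings (partial list, assumption: MD5 of the name).
# Apple's "draft-ietf-ipsec-nat-t-ike" (no version suffix) is NOT in this table.
KNOWN_NATT_VID_STRINGS = [
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-01",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02\n",  # draft-02 variant with trailing newline
    "draft-ietf-ipsec-nat-t-ike-03",
    "RFC 3947",
]
APPLE_VID_STRING = "draft-ietf-ipsec-nat-t-ike"  # what the post reports Apple sends
ISAKMP_PAYLOAD_VID = 13  # IKEv1 Vendor ID payload type


def vid_for(name: str) -> bytes:
    """NAT-T vendor IDs are the 16-byte MD5 digest of the draft/RFC name."""
    return hashlib.md5(name.encode("ascii")).digest()


KNOWN_VIDS = {vid_for(s): s for s in KNOWN_NATT_VID_STRINGS}


def classify_vid(body: bytes):
    """Return the draft/RFC name a VID payload body matches, or None."""
    return KNOWN_VIDS.get(body)


def build_payload_chain(bodies):
    """Encode VID bodies as chained ISAKMP generic payloads (constructed input).
    Header: next-payload (1), reserved (1), length (2, big-endian, incl. header)."""
    out = bytearray()
    for i, body in enumerate(bodies):
        nxt = ISAKMP_PAYLOAD_VID if i + 1 < len(bodies) else 0  # 0 = no next payload
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return bytes(out)


def parse_vid_chain(data: bytes):
    """Walk chained VID payloads; return [(hex body, matched name or None), ...]."""
    results, off, current = [], 0, ISAKMP_PAYLOAD_VID
    while current == ISAKMP_PAYLOAD_VID and off + 4 <= len(data):
        nxt, _, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("malformed payload length")
        body = data[off + 4:off + length]
        results.append((body.hex(), classify_vid(body)))
        off, current = off + length, nxt
    return results


def natt_negotiable(data: bytes) -> bool:
    """True only if some VID matches a known NAT-T draft or RFC 3947."""
    return any(name is not None for _, name in parse_vid_chain(data))


# Constructed samples: a standards-conforming peer and an Apple-style peer.
RFC_CHAIN = build_payload_chain([vid_for("RFC 3947"), vid_for("draft-ietf-ipsec-nat-t-ike-02\n")])
APPLE_CHAIN = build_payload_chain([vid_for(APPLE_VID_STRING)])
```

Running natt_negotiable over the two constructed chains shows why a responder that only honours the published VIDs never enables NAT-T for the Apple-style peer, whatever draft method it is configured to use.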

