[Openswan Users] Apple macOSX 10.4.3: no change :(

Jacco de Leeuw jacco2 at dds.nl
Tue Nov 1 21:30:02 CET 2005


Paul Wouters wrote:

> I just installed the apple tiger update (10.4.3).  Although the error message for
> trying to select an X.509 certificate instead of presharedkey has improved from
> "error no valid certificate found" to "no valid certificate found, use keychain
> access to import one", I am still unable to get X.509 certificates to work on
> MacOSX.

Apple has also not changed a thing in racoon since Mac OS X 10.4.0:
http://darwinsource.opendarwin.org/10.4.3/network_cmds-245.1/racoon.tproj/

I.e. still the non-standard NAT-T, still based on an old racoon that has
been discontinued. Sigh.

I don't think there is any source code for the GUI part of the Mac's VPN
client, so we can't investigate what is going on.

>> How are you "using racoon"?
> I am simply trying to use Apple's GUI in Internet Connect's "L2TP/VPN"
> section. What do you use? racoon from Terminal.app?

I have been told that an alternative method is available:

   "OS X creates config-files on the fly, but the main racoon.conf is not
   touched, instead there's a line in racoon.conf that says:
   include "/etc/racoon/remote/*.conf"
   So I changed the racoon.conf just to my needs (Certificates and so on),
   and removed this include-line. With that, you can set the connection up via
   the GUI, and racoon will be called by the GUI with the correct parameters
   and the policies will be set correctly. This might be a problem if you have
   more than 1 network (different certificates) to connect to".

It's not particularly user friendly but it's better than nothing.
See this page for an example /etc/racoon/racoon.conf:
http://www.wogri.com/linux/ipsec/multiple_pages/node29.html

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
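As an added example (not from this thread and not Apple's or racoon's own files), here is the procedure quoted above as a shell script: it drops the include line from a racoon.conf and appends a certificate-based "remote" section. The gateway address, the certificate and key file names, the proposal values and the sample input are assumptions; the keywords are those of standard KAME/ipsec-tools racoon, and Apple's old fork may not accept all of them, so compare the result with the wogri.com example before touching a real /etc/racoon/racoon.conf. The CA certificate is assumed to sit in the "path certificate" directory under its OpenSSL hash name, which is where verify_cert looks for it.

```shell
#!/bin/sh
# Added example (not from the Openswan thread, not Apple's code).
# Converts a racoon.conf from GUI-generated PSK includes to a static
# certificate-based "remote" block. All paths, names and the gateway
# address below are assumptions.
set -e

# Remove the line that pulls in the GUI-generated /etc/racoon/remote/*.conf
# files. $1 = path to racoon.conf. A .bak copy is kept next to it.
drop_remote_include() {
    sed -i.bak '/^[[:space:]]*include[[:space:]]*"\/etc\/racoon\/remote\/\*\.conf"/d' "$1"
}

# Append a certificate-authenticated remote section.
# $1 = path to racoon.conf, $2 = VPN gateway address (assumed value).
append_cert_config() {
    cat >> "$1" <<EOF
# --- added: X.509 configuration, replaces the GUI's pre-shared key setup ---
path certificate "/etc/racoon/certs";

remote $2 {
    exchange_mode main;
    # client.crt / client.key: assumed file names under "path certificate"
    certificate_type x509 "client.crt" "client.key";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Returns 0 when the include line is gone and RSA signature auth is present.
check_config() {
    ! grep -q 'remote/\*\.conf' "$1" && grep -q 'authentication_method rsasig' "$1"
}

# Demonstration on a constructed copy so nothing under /etc is touched.
demo() {
    tmp=$(mktemp)
    # Constructed sample of what the GUI-era file looks like (assumed content).
    printf 'log info;\npath pre_shared_key "/etc/racoon/psk.txt";\ninclude "/etc/racoon/remote/*.conf";\n' > "$tmp"
    drop_remote_include "$tmp"
    append_cert_config "$tmp" 192.0.2.1
    check_config "$tmp"
}

# Real use would be:
#   drop_remote_include /etc/racoon/racoon.conf
#   append_cert_config /etc/racoon/racoon.conf <gateway>
# after which the GUI connection can be started as usual.
```

Keep the .bak copy that sed leaves behind: restoring the include line is the only way to get the GUI's pre-shared key setup back, and, as the quoted mail notes, this static file serves only one gateway and one certificate.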