[Openswan Users] Mac OS X 10.4.3 <-> Openswan
Jacco de Leeuw
jacco2 at dds.nl
Wed Nov 23 14:28:41 CET 2005
aram price wrote:
> I am trying to to connect my mac laptop (running OSX 10.4.3 currently)
> to our VPN (running Linux FC3 currently).
>
> I've attempted to create a certificate for OSX v10.4.3 using the
> suggestion from:
> http://www.jacco2.dds.nl/networking/freeswan-panther.html#Cert_ID
> I was able to import the resulting .p12 file into the correct Keychains:
> Login Keychain:
> me.foo.com cert issued & signed by our (own) CA
> me.foo.com private key
> X509Anchors:
> vpn.foo.com CA issued by us
> however Internet Connect still complains that there is no valid
> "Machine Certificate"
Perhaps I was not clear enough on my webpage but you are confusing a couple
of things. You need:
- a root certificate
- a server certificate with an ID of subjectAltName=DNS:me.foo.com
and corresponding private key
- a client certificate and corresponding private key
(no restrictions on the certificate's ID)
The root cert should be installed in /etc/ipsec.d/cacerts/ on the server
and in X509Anchors keychain on the Mac client.
The server certificate with the subjectAltName ID is installed only on the
Openswan server. The file location is specified with the leftcert= parameter.
The private key is installed in the location specified by the RSA line
in ipsec.secrets.
The client certificate and private key are installed in the System keychain
on the Mac client.
Certificates in the Login keychain cannot be used for IPsec, only for
e-mail, web authentication, EAP-TLS etc. (as you found out).
> The second issue I'm hoping to find information about is NAT Traversal
> while using OSX. From what I can tell openswan still(?) does not
> support the OSX NAT-T implementation.
There is some Mac support in Openswan 2.4.2 - 2.4.4 but it is not there yet.
Peter Van der Beken's second patch is still under consideration by the
Openswan team.
> Is this something which is likely to change?
> Are there any unofficial patches or workarounds about which enable
> openswan to understand the OSX NAT-T implementation?
http://www.jacco2.dds.nl/networking/patches/openswan-OSX-swapNATDhashes.patch
This is Peter's patch without the parts that are already in 2.4.2 - 2.4.4.
Openswan 2.4.2 plus this patch worked for me, but I did not test it for hours
on end. You may have to set rekey=no.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Mosquitos suck
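The three certificates Jacco lists above (root, server with a subjectAltName ID, client exported as PKCS#12), built with the openssl command line as an added example; this is not code from the thread or from Openswan. The names me.foo.com and "Foo CA", the PKCS#12 password and the temporary output directory are placeholders chosen for the example; the server key pair goes to the Openswan side and the .p12 plus ca.crt to the Mac.

```shell
#!/bin/sh
# Added example: generate root CA, server cert (SAN = DNS:me.foo.com) and
# client cert/.p12 the way the reply describes. All names are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"   # constructed output directory (assumption)

make_vpn_certs() {
  cd "$WORK"
  # 1. Root certificate: /etc/ipsec.d/cacerts/ on the server, X509Anchors on the Mac
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Foo CA" -keyout ca.key -out ca.crt 2>/dev/null
  # 2. Server certificate: Openswan matches the subjectAltName, so it must carry
  #    DNS:me.foo.com; the file is what leftcert= points at, the key what ipsec.secrets names
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=me.foo.com" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:me.foo.com\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.crt 2>/dev/null
  # 3. Client certificate: no restriction on its ID; bundled with its key and the
  #    root as PKCS#12 for import into the Mac's System keychain (not Login)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=laptop" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out client.crt 2>/dev/null
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
    -passout pass:changeit -out client.p12 2>/dev/null   # placeholder password
}

# Print the server cert's subjectAltName value (e.g. "DNS:me.foo.com"), empty if absent.
server_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# Print OK when the client cert chains to the root that the Mac will trust, else FAIL.
client_chain_ok() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_vpn_certs
echo "server ID: $(server_san); client chain: $(client_chain_ok); files in $WORK"
```

A missing or wrong SAN is the usual cause of the "no valid Machine Certificate" / no-matching-ID failures, so check server_san before copying anything to the Mac.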