[Openswan Users]
Jacco de Leeuw
jacco2 at dds.nl
Mon Apr 3 14:56:52 CEST 2006
James Chamberlain wrote:
> Has anyone successfully connected a Linux client to a NAT'd OSX server
> running vpnd? The OSX server was just updated to 10.4.5, which should
> resolve some of the interoperability issues that I have seen others
> complain about. Has anyone tried this? Most of the entries in the list
> are about the opposite: connecting OSX clients to Linux servers.
I've put together some info on using Linux as a client:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Client
I've mainly tested it with Windows 2003 but the same procedure
should be valid for Mac OS X as well.
I've just tried to connect with Openswan 2.4.5rc6 to a Mac OS X Server
(probably running 10.4.3) and I don't think it worked with NAT-T:
"L2TP-PSK2" #1: initiating Main Mode
"L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
"L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
"L2TP-PSK2" #1: enabling possible NAT-traversal with method 4
"L2TP-PSK2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2TP-PSK2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
"L2TP-PSK2" #1: I did not send a certificate because I do not have one.
"L2TP-PSK2" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
"L2TP-PSK2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2TP-PSK2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2TP-PSK2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
"L2TP-PSK2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"L2TP-PSK2" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
"L2TP-PSK2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"L2TP-PSK2" #1: received and ignored informational message
"L2TP-PSK2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"L2TP-PSK2" #1: received and ignored informational message
"L2TP-PSK2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"L2TP-PSK2" #1: received and ignored informational message
This version of Mac OS X Server does not support RFC 3947 and the client
did not send the Vendor ID of Apple's NAT-T variant
("draft-ietf-ipsec-nat-t-ike") so the NAT-T negotiation failed.
But then I added this patch:
--- nat_traversal.c.org 2006-01-04 19:57:52.000000000 +0100
+++ nat_traversal.c 2006-04-03 11:12:08.000000000 +0200
@@ -202,6 +202,7 @@
if (r) r = out_vendorid(np, outs, VID_NATT_IETF_03);
if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02);
if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02_N);
+ if (r) r = out_vendorid(np, outs,
VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE);
}
if (nat_traversal_support_non_ike) {
if (r) r = out_vendorid(np, outs, VID_NATT_IETF_00);
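Review bot: the added out_vendorid() call references VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE, which this hunk does not define, so the change only builds if vendor.h/vendor.c already carry that identifier and map it to a NAT-T method (the log's "method set to=110" suggests the receive side already knows it, but the patch should say so or include the definition). As pasted, the hunk also cannot be fed to patch(1): the `+` line is wrapped onto two lines and the context lines have lost their leading space and indentation, so it has to be applied by hand.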
I got a bit further because this time Openswan sent the Apple NAT-T VID:
"L2TP-PSK2" #1: initiating Main Mode
"L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
"L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
"L2TP-PSK2" #1: enabling possible NAT-traversal with method 4
"L2TP-PSK2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2TP-PSK2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
"L2TP-PSK2" #1: I did not send a certificate because I do not have one.
"L2TP-PSK2" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
"L2TP-PSK2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2TP-PSK2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2TP-PSK2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
"L2TP-PSK2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"L2TP-PSK2" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
"L2TP-PSK2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"L2TP-PSK2" #1: received and ignored informational message
"L2TP-PSK2" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"L2TP-PSK2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2TP-PSK2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0d5001c5 <0x560dc080 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
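The vendor-ID mismatch and the two pluto logs above, as an added Python example (not code from the mail or from Openswan): it derives NAT-T vendor IDs the way RFC 3947 specifies them (MD5 of the RFC name; the same derivation is assumed here for the draft names, including the suffix-less "draft-ietf-ipsec-nat-t-ike" variant), and classifies pluto log lines, modelled on the failed and the patched attempt, to report whether NAT-T was aborted or negotiated and whether the SAs came up.

```python
import hashlib
import re

# NAT-T vendor IDs are MD5 digests of the RFC/draft name. RFC 3947 defines its own
# VID as MD5("RFC 3947"); the same rule is assumed for the draft names below.
NATT_VID_NAMES = ["RFC 3947", "draft-ietf-ipsec-nat-t-ike-03",
                  "draft-ietf-ipsec-nat-t-ike-02", "draft-ietf-ipsec-nat-t-ike-02\n",
                  "draft-ietf-ipsec-nat-t-ike"]

def natt_vid(name):
    """Hex vendor ID payload for one NAT-T RFC/draft name."""
    return hashlib.md5(name.encode("ascii")).hexdigest()

LOG_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def summarize_pluto_log(lines):
    """Classify pluto log lines: peer's NAT-T VIDs, NAT-T outcome, SA status."""
    s = {"vids": [], "natt": "none", "isakmp_sa": False, "ipsec_sa": False,
         "no_proposal": 0}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:               # lines without the "conn" #n: prefix carry no state
            continue
        msg = m.group("msg")
        v = re.search(r"received Vendor ID payload \[(.+?)\]", msg)
        if v:
            s["vids"].append(v.group(1))
        if "Aborting NAT-Traversal negotiation" in msg:
            s["natt"] = "aborted"        # peer sent no NAT-D payloads (first attempt)
        elif msg.startswith("NAT-Traversal: Result"):
            s["natt"] = "negotiated"     # NAT-D exchanged (patched attempt)
        s["isakmp_sa"] |= "ISAKMP SA established" in msg
        s["ipsec_sa"] |= "IPsec SA established" in msg
        s["no_proposal"] += "NO_PROPOSAL_CHOSEN" in msg
    return s

# Constructed sample lines modelled on the two attempts quoted in the mail.
FAILED_ATTEMPT = [
    '"L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110',
    '"L2TP-PSK2" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation',
    '"L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established',
    '"L2TP-PSK2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]
PATCHED_ATTEMPT = [
    '"L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110',
    '"L2TP-PSK2" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed',
    '"L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established',
    '"L2TP-PSK2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established',
]
```

Run `summarize_pluto_log()` over the lines of a real `ipsec auto --up` transcript to see at a glance whether the peer's NAT-D payloads arrived or the Phase 1 succeeded without NAT-T and then died in Quick Mode with NO_PROPOSAL_CHOSEN.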