[Openswan Users] Connecting Linux client to OSX server

Jacco de Leeuw jacco2 at dds.nl
Tue Apr 4 21:41:21 CEST 2006


Jacco de Leeuw wrote:

> James Chamberlain wrote:
> 
>> Has anyone successfully connected a Linux client to a NAT'd OSX server 
>> running vpnd?
> 
> I've just tried to connect with Openswan 2.4.5rc6 to a Mac OS X Server
> (probably running 10.4.3) and I don't think it worked with NAT-T:

The Mac server was actually running 10.3.9 but that doesn't matter,
because it doesn't support RFC 3947 either.

> This version of Mac OS X Server does not support RFC 3947 and the client
> did not send the Vendor ID of Apple's NAT-T variant
> ("draft-ietf-ipsec-nat-t-ike") so the NAT-T negotiation failed.
> But then I added this patch:
> 
> --- nat_traversal.c.org     2006-01-04 19:57:52.000000000 +0100
> +++ nat_traversal.c     2006-04-03 11:12:08.000000000 +0200
> @@ -202,6 +202,7 @@
>                 if (r) r = out_vendorid(np, outs, VID_NATT_IETF_03);
>                 if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02);
>                 if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02_N);
> +               if (r) r = out_vendorid(np, outs, 
> VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE);
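Review bot: the added `out_vendorid` call is wrapped across two lines by mail formatting (`if (r) r = out_vendorid(np, outs,` / `VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE);`), and the hunk shows no trailing context lines although the `@@ -202,6 +202,7 @@` header promises them, so the patch will not apply as pasted; resend it with the line unwrapped and the full context. Since, as the reply itself notes, emitting this VID unconditionally changes which variant an Openswan 2.4.5 peer ends up negotiating, consider gating the call on a configuration option instead of always sending it.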

The patch works when connecting to a Mac server without RFC 3947 support
(10.4.3 and lower?) but it has a side effect. When connecting to Openswan
2.4.5 (supports both RFC 3947 and Apple's NAT-T variant) it will negotiate
the Apple variant. That's not good. I assume that this is because the Mac
VID is higher than the RFC VID for some reason (you would expect the
official RFC 3947 variant to always take priority, right?). So the patch
above should probably not be in the standard Openswan distribution, because
Mac servers are less popular than Openswan servers.

The best solution would be to upgrade the Mac server to a more recent
version for RFC 3947 support. But I would also suggest something like
this for Openswan:

--- vendor.h.org        2005-07-26 04:05:10.000000000 +0200
+++ vendor.h    2006-04-04 14:22:41.000000000 +0200
@@ -68,8 +68,8 @@
    VID_NATT_IETF_02_N         =106,
    VID_NATT_IETF_02           =107,
    VID_NATT_IETF_03           =108,
-  VID_NATT_RFC               =109,
-  VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE  =110,
+  VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE  =109,
+  VID_NATT_RFC               =110,
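Review bot: swapping the two enum values only changes negotiation priority if the code that picks the NAT-T variant orders candidates by VID number, and this hunk neither shows nor documents that dependency; at minimum add a comment in vendor.h saying the NAT-T entries are listed in ascending priority order, and preferably change the selection logic itself so RFC 3947 is preferred regardless of the numeric values, which would not depend on anyone keeping the enum sorted. The hunk is also truncated: the `@@ -68,8 +68,8 @@` header counts eight lines but only seven follow, so the last context line is missing and the patch will not apply cleanly.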

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
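The effect described in the message, that the Apple draft VID wins against an Openswan 2.4.5 server under the original numbering and the RFC 3947 VID wins once the two values are swapped, as an added C model that is not Openswan's code and not part of the original mail. It assumes the selection rule the message itself assumes (of the NAT-T VIDs both peers advertise, the highest-numbered wins), assumes an Openswan 2.4.5 peer advertises RFC 3947 plus the IETF drafts and the Apple draft, and models the 10.3.9 Mac server as accepting only the Apple draft VID; the numeric values are those shown in the vendor.h hunk above.

```c
#include <stdio.h>

/* Numeric values of the NAT-T vendor IDs in vendor.h: "orig" is the
   numbering the hunk above removes, "swapped" the one it proposes.
   Only the entries involved in this thread are modelled. */
struct numbering { int ietf02n, ietf02, ietf03, rfc, apple; };
static const struct numbering orig_numbering    = {106, 107, 108, 109, 110};
static const struct numbering swapped_numbering = {106, 107, 108, 110, 109};

enum variant { VARIANT_NONE, VARIANT_DRAFT, VARIANT_RFC, VARIANT_APPLE };

#define MAX_VIDS 8
struct peer { int nvids; int vids[MAX_VIDS]; };

/* Assumed advertisement sets (constructed for illustration, not captured
   traffic): an Openswan 2.4.5 peer sends RFC 3947 plus the IETF drafts,
   and the Apple draft only if the nat_traversal.c patch is applied. */
static struct peer openswan_peer(const struct numbering *n, int with_apple)
{
    struct peer p = {0};
    p.vids[p.nvids++] = n->rfc;
    p.vids[p.nvids++] = n->ietf03;
    p.vids[p.nvids++] = n->ietf02;
    p.vids[p.nvids++] = n->ietf02n;
    if (with_apple) p.vids[p.nvids++] = n->apple;
    return p;
}

/* A Mac OS X Server without RFC 3947 support, modelled (assumption) as
   accepting only Apple's draft-ietf-ipsec-nat-t-ike VID. */
static struct peer mac_peer(const struct numbering *n)
{
    struct peer p = {0};
    p.vids[p.nvids++] = n->apple;
    return p;
}

/* Selection rule the message assumes: among the VIDs both sides
   advertise, the highest-numbered one is used. Returns -1 if none match. */
static int pick_highest_common(const struct peer *a, const struct peer *b)
{
    int best = -1;
    for (int i = 0; i < a->nvids; i++)
        for (int j = 0; j < b->nvids; j++)
            if (a->vids[i] == b->vids[j] && a->vids[i] > best)
                best = a->vids[i];
    return best;
}

static enum variant classify(int vid, const struct numbering *n)
{
    if (vid < 0) return VARIANT_NONE;
    if (vid == n->rfc) return VARIANT_RFC;
    if (vid == n->apple) return VARIANT_APPLE;
    return VARIANT_DRAFT;
}

/* client_patched: the client also sends the Apple VID.
   server_is_mac: the server is the 10.3.9 Mac, else an Openswan 2.4.5 server. */
enum variant negotiate(const struct numbering *n, int client_patched, int server_is_mac)
{
    struct peer client = openswan_peer(n, client_patched);
    struct peer server = server_is_mac ? mac_peer(n) : openswan_peer(n, 1);
    return classify(pick_highest_common(&client, &server), n);
}

static const char *variant_name(enum variant v)
{
    switch (v) {
    case VARIANT_RFC:   return "RFC 3947";
    case VARIANT_APPLE: return "Apple draft";
    case VARIANT_DRAFT: return "IETF draft";
    default:            return "none (NAT-T fails)";
    }
}

int main(void)
{
    printf("orig numbering,    patched client -> Openswan: %s\n",
           variant_name(negotiate(&orig_numbering, 1, 0)));
    printf("swapped numbering, patched client -> Openswan: %s\n",
           variant_name(negotiate(&swapped_numbering, 1, 0)));
    printf("orig numbering,    patched client -> Mac:      %s\n",
           variant_name(negotiate(&orig_numbering, 1, 1)));
    printf("orig numbering,    stock client   -> Mac:      %s\n",
           variant_name(negotiate(&orig_numbering, 0, 1)));
    return 0;
}
```

The model reproduces the two observations in the mail: with the original values the patched client negotiates the Apple variant against an Openswan server, and swapping 109 and 110 makes RFC 3947 win there while the Mac case still succeeds; it also shows that without the Apple VID the Mac server finds no common NAT-T VID at all. Whether Openswan really selects by numeric VID is the message's assumption and is left as one here.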

