[Openswan Users] Connecting to Openswan with OS X Leopard (10.5.1)

Schley Andrew Kutz akutz at lostcreations.com
Mon Dec 10 18:59:31 EST 2007


>  Ok, this Linux pppd probably does not have require-mppe-128 (as  
> double
>  encryption does not make sense for L2TP/IPsec). Andrew writes that  
> things
>  still don't work if he adds require-mppe-128 on the Linux server:
>  the Mac client balks that MPPE is not loaded. But what do the logs  
> look
>  like then?

The server does require MPPE, even when it is not necessary because if  
it does not the OS X client will complain that the server does not  
support MPPE even if the client itself is not loading the module  
properly. Jacco makes a good point, as I myself make in my blog, that  
MPPE is not necessary for the L2TP initiated PPP connection since the  
connection is already encrypted via IPSec. The server PPP logs say  
that the peer does not support MPPE and the OS X PPP logs say that the  
Kernel (the OS X Kernel) does not support PPP.

> - You can force loading of the MPPE module by connecting with PPTP  
> first.
>  Not everyone will be running a PPTP server in parallel with an
>  L2TP/IPsec server. Is there a way to load the MPPE module manually
>  on the Mac?

Not that I have found. I tried initiating a PPP connection manually  
from the Terminal with -require-mppe-128 but even that does not seem  
to load the "module." I use the term module loosely since the Mach  
Kernel OS X uses is monolithic and does not actually load modules in  
the way we think of when it comes to Linux.

> - How exactly does one edit the preferences plist file so that L2TP/ 
> IPsec
>  will not ask for MPPE?

Easily. Open a Terminal and type "sudo vi /Library/Preferences/ 
SystemConfiguration/preferences.plist". If you have no other VPN  
connections simply search for the text "CCPMPPE128Enabled" and change  
its value from "1" to "0". This option is not available in the GUI for  
L2TP VPN connections, only PPTP connections :(

> - Does 10.5 work? I.e. was the problem introduced in 10.5.1?

I am not sure. I do not have access to a 10.5.0 system.

> - The Apple Mac OS 10.5 Server log posted on the Apple list seems to
>  suggest that it does not work with Leopard Server either, but for
>  another reason: it rejects CCP, which is required for MPPE.


I cannot comment on this.

-- 
-a


On Dec 10, 2007, at 4:03 PM, Jacco de Leeuw wrote:

>
> Schley Andrew Kutz wrote:
>
>> http://www.lostcreations.com/blog/20071209-9
>> Leopard (10.5.1) requires MPPE-128 when negotiating L2TP/IPsec  
>> connections
>
> There have been reports on this mailinglist (in particular by Paul/ 
> Ken,
> Pepijn Oomen and Alan Whinery) but they did not mention this problem.
> But I found a thread on the Apple mailinglist which confirms the  
> problem:
> http://discussions.apple.com/thread.jspa?threadID=1224077
>
> Some questions and observations:
>
> - A Linux pppd log has not yet been posted here but there is one on
>  the Apple mailinglist. The important bit is this:
>   pppd7541: rcvd CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>
>   pppd7541: sent CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>
>   pppd7541: rcvd LCP TermReq id=0x2 \"MPPE required but peer  
> negotiation
>                                       failed\"
>  Ok, this Linux pppd probably does not have require-mppe-128 (as  
> double
>  encryption does not make sense for L2TP/IPsec). Andrew writes that  
> things
>  still don't work if he adds require-mppe-128 on the Linux server:
>  the Mac client balks that MPPE is not loaded. But what do the logs  
> look
>  like then?
>
> - You can force loading of the MPPE module by connecting with PPTP  
> first.
>  Not everyone will be running a PPTP server in parallel with an
>  L2TP/IPsec server. Is there a way to load the MPPE module manually
>  on the Mac?
>
> - How exactly does one edit the preferences plist file so that L2TP/ 
> IPsec
>  will not ask for MPPE?
>
> - Does 10.5 work? I.e. was the problem introduced in 10.5.1?
>
> - The Apple Mac OS 10.5 Server log posted on the Apple list seems to
>  suggest that it does not work with Leopard Server either, but for
>  another reason: it rejects CCP, which is required for MPPE.
>
> Jacco
> -- 
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2128 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20071210/f44b172e/attachment-0001.bin 


More information about the Users mailing list