[Openswan Users] Apple iPhone to support L2TP/IPsec

Christian Horn chorn at fluxcoil.net
Wed Jun 27 08:34:58 EDT 2007


On Wed, Jun 27, 2007 at 02:10:05PM +0200, Jacco de Leeuw wrote:
> Christian Horn wrote:
> 
> > and the source is closed?
> Only the GUI part. You can download the source code for Apple's racoon
> version (which hasn't seen changes since Feb 2006) from:
> http://www.opensource.apple.com/darwinsource/10.4.9.ppc/network_cmds-245.16/racoon.tproj/
Great, thanks!


> > Patching OpenSwan or StrongSwan (preventing checks of the opposite ipsec-
> > peer, workarounds for a not RFC-compliant ipsec-setup) was the only way to
> > get a working ipsec-client at my workplace.
> I don't know what you mean. Mac OS X and Openswan have been interoperating
> for a while now. Are you using an old version?
The problem isn't my side but the peer: a Checkpoint FW-1. The cert it provides
doesn't have the connection to the ID the peer provides that is written down in
the ipsec-RFC.
It's just patching checks out to make *swan work in the non-rfc-compliant
environment here.


> > Smartcards needed for authentication can also be added to mac osx infra-
> > structure,
> Haven't looked at that yet. I will have to check if my smartcard is supported
> on Mac OS X. I suppose it hooks into Keychain.App which (I hope) means that
> the VPN client can use it.
OS X comes with an ancient version of pcscd which can connect to quite some
cardreaders, and the opensc is nice for the tools to access keys etc. as
I do it under linux.
Haven't looked in depth, as my current cardreader isn't a ccid-one and not supported
under mac osx. Listed as supported for macosx, but the ppc-binary doesn't work
well on my macbook ;)


> > but changing the ipsec-code is not possible since the code is
> > closed.
> I don't think that would be the right place to add support for smartcards.
> Let's see if it works with Keychain.App first.
I think the smartcard-support isn't the problem here, connecting the reader
to pcscd and installing opensc should do that - my problem is to
'ill-patch' the ipsec-client till it works in our environment.
With the sources around it at least can be done if I manage to set up the
appropriate environment, compiler, and patch the source.


> > Has someone seen other ipsec-clients for the mac?
> http://www.jacco2.dds.nl/networking/openswan-macosx.html#VPN_alternatives
Thanks.

Christian

