[Openswan Users] Leopard IPsec initial test - failed

Pepijn Oomen oomen at piprograms.com
Tue Oct 30 19:00:32 EDT 2007

Paul Wouters wrote:

> Teh good news is that certifiacte imports are much much better, and actually work.
> No more messing with Keychain. The bad news is, the IPsec is broken:

Not sure what you did different from me, but I just succeeded 
establishing an IPsec connection from a fresh Leopard install :)

I did have some problems getting the certificate to be selectable, but 
it seems there are two ways to get it working:

1. drag & drop .p12 file onto System keychain, you will be asked for 
Administrator access
2. use sudo on Keychain Access.app

After the CA, private key and certificate are available in the system 
keychain, you *must* create a new configuration (and not just modify the 
default) to actually get it to select the certificate. I started out 
modifying the default, and while I could select the certificate, it 
never stuck.

After this, I just pressed 'Connect' and off it went.

But the connection is still not properly taken down. And it does not 
look like DPD is enabled out-of-the-box:

Oct 30 23:51:11 pandora pluto[16527]: "l2tp"[21] #84: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Oct 30 23:51:13 pandora pluto[16527]: "l2tp"[22] #85: 
STATE_QUICK_R2: IPsec SA established {ESP=>0x04d6b7bc <0x13df2b08 
xfrm=AES_128-HMAC_SHA1 NATD= DPD=none}

Pepijn Oomen.

More information about the Users mailing list