L2TP over IPSec and NAT-T

hmolina

Hi,

We want to upgrade to Tiger, but before we do it, we would like to know several things about the VPN implementation:

Is the IPSec implementation in Tiger NAT-T compliant? And with which of the NAT-T proposals does it comply?

Is it now possible to configure VPNs using L2TP over IPSec and X509 certificates using the graphical interface?

Thanks in advance for your comments.
 
After spending a few days on this I found out that:

- When using X509 certs in "user authentication", Tiger will do PSK instead of RSA
- I cannot find a way to import a valid certificate (in pkcs11/pkcs7/pem.crt format) so that the certificate becomes available for "machine authentication" and "Certificate". In Keychain the cert and the CA cert show up as valid. I tried importing into login, system, and X509Certificates. The root CA is in X509Anchors.

So as far as I can see, Tiger adds a few buttons to the VPN section, but they're broken, or require special X509 options that no one including google knows about.

Paul
 
Okay, it's been a while, and I cannot find if Apple has dealt with the RFC 3947 NAT traversal draft 8 thingee yet. My more or less up-to-date Tiger machines (fully patched as of the first of the year) *still* send "draft-ietf-ipsec-nat-t-ike" as the vendor ID string, rather than the ratified RFC 3947 string.

Does anyone know if Apple is ever going to fix this? I should very much like to get my PowerBook users off their ssh tunnels and onto the VPN, so the XP users would get off their backs ;)
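The interop problem described above comes down to which NAT-T vendor ID the client announces in IKE phase 1. The following Python is an added example, not code from this thread or from Apple's racoon: it derives the NAT-T vendor IDs from their defining strings (RFC 3947 and the draft-ietf-ipsec-nat-t-ike series specify the vendor ID as the MD5 of the string), walks the payload chain of a captured IKEv1 message and reports which NAT-T variants the peer offered. The sample message is constructed, and the trailing-newline draft-02 variant is included because several implementations shipped it that way.

```python
import hashlib
import struct

# Defining strings for the NAT-T vendor IDs (RFC 3947 section 3 and the
# draft-ietf-ipsec-nat-t-ike-NN drafts). On the wire, vendor ID = MD5(string).
NAT_T_VENDOR_STRINGS = {"RFC 3947": "RFC 3947"}
for rev in range(9):
    NAT_T_VENDOR_STRINGS[f"draft-{rev:02d}"] = f"draft-ietf-ipsec-nat-t-ike-{rev:02d}"
# Widely deployed variant of the -02 draft with a trailing newline in the string.
NAT_T_VENDOR_STRINGS["draft-02 (newline variant)"] = "draft-ietf-ipsec-nat-t-ike-02\n"

NAT_T_VENDOR_IDS = {hashlib.md5(s.encode()).digest(): label
                    for label, s in NAT_T_VENDOR_STRINGS.items()}

ISAKMP_HDR_LEN = 28        # fixed ISAKMP header, RFC 2408 section 3.1
PAYLOAD_VENDOR_ID = 13     # Vendor ID payload type, RFC 2408 section 3.1


def vendor_id_payloads(message: bytes):
    """Yield the body of every Vendor ID payload in an ISAKMP message."""
    next_type = message[16]            # "Next Payload" byte of the header
    offset = ISAKMP_HDR_LEN
    while next_type != 0 and offset + 4 <= len(message):
        following, _reserved, length = struct.unpack("!BBH", message[offset:offset + 4])
        if length < 4 or offset + length > len(message):
            raise ValueError("malformed ISAKMP payload length")
        if next_type == PAYLOAD_VENDOR_ID:
            yield message[offset + 4:offset + length]
        next_type, offset = following, offset + length


def nat_t_support(message: bytes):
    """Return the labels of the NAT-T vendor IDs the peer announced, in order."""
    return [NAT_T_VENDOR_IDS[v] for v in vendor_id_payloads(message) if v in NAT_T_VENDOR_IDS]


def build_message(vendor_ids):
    """Constructed IKEv1 Main Mode message carrying only Vendor ID payloads (test data)."""
    body = b""
    for i, vid in enumerate(vendor_ids):
        following = PAYLOAD_VENDOR_ID if i + 1 < len(vendor_ids) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(vid)) + vid
    first = PAYLOAD_VENDOR_ID if vendor_ids else 0
    # initiator cookie, responder cookie, next payload, version 1.0, exchange 2 (Main Mode), flags, msg id, length
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                         ISAKMP_HDR_LEN + len(body))
    return header + body


if __name__ == "__main__":
    # A peer that only offers the draft string, as the post above describes.
    draft_only = build_message([hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-08").digest()])
    print(nat_t_support(draft_only))
```

Feed `vendor_id_payloads` the UDP payload of the first phase-1 packet from a capture (port 500, before NAT-T float to 4500) to see what a real client sends.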
 
hmolina said:
Hi,
Is the IPSec implementation in Tiger NAT-T compliant? And with which of the NAT-T proposals does it comply?

Apparently, from what I've been able to gather, it's *NOT* compliant with anything other than itself. Meaning, if you are connecting your VPN to an OS-X Server, you'll be okay. If you are trying to connect to something else, you'll be wasting your time.
hmolina said:
Is it now possible to configure VPNs using L2TP over IPSec and X509 certificates using the graphical interface?

Thanks in advance for your comments.

Again, if you are staying all OS-X, probably. Otherwise, you will have major trouble.

It would be really nice if Apple would address this.
Perhaps they have, but I can't find it. There is a patch for OpenSWAN to work around the borked Apple NAT-T implementation. I don't think it'll behave with X.509 though. PSK might work.

I am using a VPN server based on the OpenSWAN project. Apple's racoon implementation seems to be based on the now-obsolete KAME project. Now that the racoon code base is being handled by the ipsec-tools project, perhaps they will update.

BTW, I don't have any trouble with all other germane VPN clients, including the one from Redmond.

Since I have no idea what VPN server you are using, I can't really say much. However, *if* you are using OpenSWAN, then there is hope. The ipsec2.4.5rc incorporates Peter Van der Beken's patch to allow NAT-T connections from Apple's borked client.

Since I am running stable, I have to wait. Maybe when 2.4.5 ships stable, this might all resolve out. But the better answer would be for Apple to ship a client that is RFC compliant, not draft compliant.
 