Flying Racoons: Clients? We don’t need no stinking clients 
9 October 2002—updated 30 October 2002
Part Three: Connecting a Mac OS X 10.2 machine to a third-party firewall
If you’ve had enough fun running IPSec from one machine to another then it is time to start connecting to firewalls and traversing NAT networks behind them. In our example here we are going to be connecting to a SonicWall Tele2, which is an affordable home/small network firewall solution. The methods we are going to use should work for all SonicWall devices and the ideas should apply to any IPSec-compliant firewall. It’s incredibly cool that we can do this without needing a proprietary VPN client, especially since SonicWall doesn’t make one for the Mac.
Here’s our setup. I’m using my laptop at my house. I connect to the Internet through a cable modem and a Snow AirPort base station running the latest version of the firmware. The IP address of my laptop is 10.0.1.2. The IP address of my AirPort’s WAN interface is irrelevant.
I’m connecting to the office SonicWall which is at 17.254.0.91. (It isn’t really at that IP address. 17.254.0.91 happens to be the address of www.apple.com, so you can try connecting to it, but it probably won’t work.) The SonicWall is running NAT and has the 192.168.0.0/24 network behind it.
The first thing you want to do is to tighten the security on your SonicWall. By default, the Group VPN uses DES for encryption and MD5 for authentication. The default racoon configuration file on Mac OS X 10.2 proposes 3DES and SHA1, which are stronger, and the two ends have to agree, so log into your SonicWall, go to the VPN configuration pane and change the algorithms to match. Also, you'll want to set up a shared secret (the IKE pre-shared key). It is the only thing that authenticates your laptop to the firewall, so make it long and random rather than a dictionary word. Take a look at the screenshot for an example of this setup.
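To show what the two ends have to agree on, here is the corresponding racoon side in racoon.conf syntax. This is an added illustration written for this article; it is not the stock Mac OS X 10.2 /etc/racoon/racoon.conf and not anything the SonicWall produces. The peer address and subnets are the example values from this article; dh_group 2 and the phase 2 settings are assumptions.

```conf
# Added example (not the stock 10.2 racoon.conf): phase 1 and phase 2 settings
# that line up with a SonicWall reconfigured for 3DES/SHA1 and a pre-shared key.
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) with the SonicWall at 17.254.0.91 (the article's example address).
remote 17.254.0.91 {
        exchange_mode main;

        # What the SonicWall Group VPN offers out of the box: single DES and MD5.
        # Left here, commented out, only to show the weak set beside the stronger one.
        # proposal {
        #         encryption_algorithm des;
        #         hash_algorithm md5;
        #         authentication_method pre_shared_key;
        #         dh_group 2;      # assumption: SonicWall's default DH group
        # }

        # What racoon on 10.2 proposes, and what the firewall is changed to match.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;              # assumption, must equal the firewall's group
        }
}

# Phase 2 (the ESP tunnel itself) between this laptop and the office subnet.
sainfo address 10.0.1.2/32 any address 192.168.0.0/24 any {
        pfs_group 2;                     # assumption: PFS enabled on the SonicWall too
        lifetime time 28800 sec;         # assumption: 8 hours, a common firewall default
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

If either proposal differs from what the firewall is configured to accept, phase 1 fails and no tunnel ever comes up, so the firewall's VPN pane and this stanza need to be checked together.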
You’re done with the SonicWall so move back to the client machine. Here we’re going to use the same techniques that we talked about in Part 2 of this series. The trick here is the crafting of the security policy syntax. Also, instead of entering all of the information on the command line we’ll put it into a text file to make it easier.
In TextEdit make a plain text file that looks like this, swapping out your own information for ours.
# Start from a clean slate: drop any existing SAs and policies.
flush;
spdflush;
# Inbound: packets from the office network arrive tunnelled from the SonicWall to this laptop.
spdadd 192.168.0.0/24 10.0.1.2/32 any -P in ipsec esp/tunnel/17.254.0.91-10.0.1.2/require;
# Outbound: packets to the office network must be tunnelled from this laptop to the SonicWall.
spdadd 10.0.1.2/32 192.168.0.0/24 any -P out ipsec esp/tunnel/10.0.1.2-17.254.0.91/require;
Save this file somewhere accessible on your machine. For instance, /Shared Items/vpnsetup.txt.
Now you’ll need to add your shared secret into the /etc/racoon/psk.txt file. You’ll need to do this as root. Just add a line matching up the SonicWall’s IP address with the password.
17.254.0.91 supersecretpassword
Everything should be ready. We'll just start things running on the client machine: load the policy first, then start racoon, which negotiates the tunnel as soon as traffic matches that policy.
sudo setkey -f /Shared\ Items/vpnsetup.txt
sudo racoon -f /etc/racoon/racoon.conf
If all goes well you can now go into the Finder and connect to any of your machines on the remote network just by entering an IP address. The first packet to the office network is what triggers the IKE negotiation, so the first connection can take a few seconds longer than later ones. Since the shared secret is kept in a config file you will never be asked for it.
Finally, once you have everything going you can wrap these two commands in a StartupItem (a folder under /Library/StartupItems holding a script and a StartupParameters.plist) so they run whenever the machine starts up.
A couple of things to keep in mind: you need to use the actual IP addresses in the configuration files. Using DNS names will cause problems. Also, your remote network has to be a different network than the one you are currently on, because the policy selects traffic purely by destination address. So, if my laptop is 10.0.1.2 I can't create an IPSec connection to a 10.0.1.x network behind a firewall: packets for my own LAN, the AirPort included, would be forced into the tunnel.
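Putting the whole client-side procedure together, here is a StartupItem-style script written for this article as an added example; it is not the article's own script and not anything Apple ships. It generates the setkey policy file from three addresses instead of hand-editing it, refuses the overlapping-network case described above, checks psk.txt for the peer's key and for clear-text-safe permissions, and then starts or stops setkey and racoon. The default addresses are the article's example values; the file paths, the RunService dispatch from /etc/rc.common, and the /var/run/racoon.pid location are assumptions.

```sh
#!/bin/sh
# Added example, not the article's own script: a Mac OS X 10.2 StartupItem that
# builds the setkey policy file the article writes by hand, refuses the overlapping
# network case, checks psk.txt before starting, and starts/stops setkey and racoon.
# Assumptions (not from the article): the file paths below, that /etc/rc.common
# supplies RunService, and that racoon records its pid in /var/run/racoon.pid.

LOCAL_IP=${LOCAL_IP:-10.0.1.2}            # this laptop (the article's example address)
REMOTE_NET=${REMOTE_NET:-192.168.0.0/24}  # the network behind the SonicWall
FW_IP=${FW_IP:-17.254.0.91}               # the SonicWall's public address
POLICY_FILE=${POLICY_FILE:-/Users/Shared/vpnsetup.txt}
PSK_FILE=${PSK_FILE:-/etc/racoon/psk.txt}
RACOON_CONF=${RACOON_CONF:-/etc/racoon/racoon.conf}

# Dotted quad -> 32-bit integer, in plain shell arithmetic (no ipcalc on a 2002 Mac).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_network ADDR PREFIX: succeeds when ADDR lies inside PREFIX (a.b.c.d/n; bare address = /32).
in_network() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# spd_policy LOCAL_IP REMOTE_NET FW_IP: the article's policy file, generalised to any three addresses.
spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd $2 $1/32 any -P in ipsec esp/tunnel/$3-$1/require;
spdadd $1/32 $2 any -P out ipsec esp/tunnel/$1-$3/require;
EOF
}

# psk_ok FILE PEER: the key file must hold a line for PEER and must not be readable
# by group or others, since it stores the secret in clear text.
psk_ok() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    case $(ls -l "$1" | cut -c5-10) in
        ------) ;;
        *) echo "$1: readable by group/others, chmod 600 it" >&2; return 1 ;;
    esac
    awk -v peer="$2" '$1 == peer { found = 1 } END { exit !found }' "$1" ||
        { echo "$1: no key for $2" >&2; return 1; }
}

# vpn_config_ok: everything the article says must hold before setkey/racoon are started.
vpn_config_ok() {
    if in_network "$LOCAL_IP" "$REMOTE_NET"; then
        echo "$LOCAL_IP is inside $REMOTE_NET; the remote network must differ from the local one" >&2
        return 1
    fi
    psk_ok "$PSK_FILE" "$FW_IP"
}

StartService() {
    vpn_config_ok || return 1
    spd_policy "$LOCAL_IP" "$REMOTE_NET" "$FW_IP" > "$POLICY_FILE"
    setkey -f "$POLICY_FILE"        # load the policy first, so racoon has something to negotiate for
    racoon -f "$RACOON_CONF"        # backgrounds itself; IKE runs when matching traffic appears
}

StopService() {
    [ -f /var/run/racoon.pid ] && kill "$(cat /var/run/racoon.pid)"   # assumed pid file location
    setkey -F                        # flush SAs
    setkey -FP                       # flush policies
}

RestartService() { StopService; StartService; }

# Under /Library/StartupItems the system runs this with "start" or "stop";
# /etc/rc.common supplies RunService, which dispatches to the functions above.
if [ $# -gt 0 ] && [ -r /etc/rc.common ]; then
    . /etc/rc.common
    RunService "$1"
fi
```

Save it as /Library/StartupItems/IPSecVPN/IPSecVPN alongside a StartupParameters.plist that lists Provides = ("IPSecVPN") and Requires = ("Network"), so it runs after the network is up. The overlap check is what turns the article's last caveat into a hard stop instead of a silently broken LAN.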