The Great Big VaporSec FAQ

Last updated: 2 May 2004.

What does VaporSec do?

It creates IPSec policies that will allow you to connect to other IPSec devices. This may be another Mac OS X 10.2 machine or a third-party firewall, VPN or other IPSec device.

Fair enough; so what is IPSec?

A question that needs more than a humble FAQ to answer, but this answer will prevent you from being embarrassed at the next UNIX cocktail party you attend. IPSec is a method of encrypting the IP packet from the sender to the receiver so that nefarious types can’t read your information or pretend to be one of the parties in the conversation. In the industry this is called protection of authenticity and confidentiality. It is based on the IPv6 standard and has gained a large amount of popularity as of late. In the coming years the hope is that IPSec will become one of the prevalent methods of communicating across the net, eliminating much of the need for https, ssh and other secure protocols. However, that day is still a long way away. For a more technical look at IPSec, check out our series “Flying Racoons” in our articles section. Also, the freebsd.org and netbsd.org Web sites have good IPSec information in their on-line handbooks.

Great, but what does this mean for me?

Glad you asked. IPSec will allow you to access corporate firewalls so you can watch over all of your filthy lucre without others seeing. Unlike just a simple secure connection like ssh or ssl, IPSec will allow you to securely browse, or traverse, your network behind the VPN device. I personally use this to remotely manage a number of different client sites, plus gain access to my home network. A fancy colorful graphic will be forthcoming to better illustrate this, but let me give you this real-world example: Imagine, if you will, that I connect to the Internet from home on a DSL line. Since I am cool I have a number of machines at my house; all connect to the Internet over DSL. I have an incredibly nice ISP who doesn’t care that I do this. However, my ISP does charge more for extra IP addresses. I’ve read AFP548.com’s articles on Flying Racoons, though, so I know I only need one IP address to serve all of my needs. Since I only have one public address I need to set up an internal NAT (network address translation) network to allow all of my machines to connect. To make life easy I spend $120 online to buy a Linksys BEFVP41 which acts as a basic firewall, NAT router, and most importantly an IPSec VPN device. The next day as I lounge at the neighborhood bar, which happens to have a free wireless network, I am asked to settle a bet between two patrons on whether or not the chainsaw momentarily appears on Ash’s wrong hand in Evil Dead II. I happen to have that DVD in my desktop machine at home. Now being a smart user I have blocked all incoming access on my firewall to my network, plus I am worried that certain execrables at the bar might try to listen in on my wireless connection. Without fear though, I use VaporSec to create a secure IPSec connection to my Linksys firewall. I then connect to my desktop machine on the NAT’d address of 192.168.234.23 using Apple Remote Desktop. I fast forward through the slow parts and get to where Ash takes the chainsaw into the cellar and prove that yes, it did change hands. I’m now the hero of the bar and all my drinks for the rest of the morning, er... afternoon are on the house. All this because of VaporSec and IPSec.

Will VaporSec connect to my <insert your firewall or other IPSec device here>?

Maybe. IPSec is an incredibly complicated thing. Much of it has been standardized, but many vendors pick and choose what parts of the standard they want to follow. This is more true of the more expensive implementations, since those vendors feel the need to differentiate themselves from the rest of the pack. On the whole the IPSec stack in Mac OS X 10.2, the KAME stack, is very robust and is frequently used as a reference implementation of IPSec. So you have a good shot, but it isn’t guaranteed. A good rule of thumb here is that if a FreeBSD machine can connect to the device, then VaporSec should be able to also. Google really comes in handy in figuring this out, too. I’m keeping a listing of all of the devices that VaporSec has successfully worked with in the VaporSec forum in the eBBS. Check there for more information. I personally use it daily with SonicWalls and the aforementioned Linksys.

What can’t I do with VaporSec?

You won’t be able to connect to any device that needs a username. The method used to pass a username onto an IPSec device is called “xauth” and the KAME IPSec stack in Mac OS X does not support that. This rules out connectivity with some popular large-scale VPN solutions, which bites.

How can I get around this?

Talk to your VPN administrator or IPSec device vendor. Many devices have what’s called a “group” or “any” VPN setting that does not require a username to connect. You could also learn Project Builder and write a new kernel extension that does this. Plus you may be able to use certificates. Some IPSec devices use them to provide authentication. This capability will hopefully be in the official release of VaporSec.

Alright, I think I have it working, but how do I tell?

This is actually tougher to find out than you might think. When working correctly IPSec is pretty transparent to the user and to the applications that are communicating over the net. This is one of the real beauties of IPSec. The only difference that you should see when connecting over IPSec is that the first connection to the remote host or network might take 5 to 10 seconds longer to go through. This is the time needed for racoon, the key exchange program, to do its thing and make the secure connection.

I can dig that, but I want to be sure I’m connected over IPSec.

If you are connecting to an IPSec gateway, this should be easy to tell: just ping an IP address on the inside of the gateway. If you get a response you have a working IPSec connection. If you don’t, you probably don’t have a connection. It’s a little harder when connecting to another host, since things should be pretty much as they were before IPSec came along. In this case run “netstat -sn” and look for the “ipsec” section. This will list a running total of all of your IPSec traffic. Obviously if these numbers are going up you have an IPSec connection. Finally, to be really sure, you can use “tcpdump” to see for yourself what packets are being protected.
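
The “ping, then watch the ipsec counters” check above can be scripted. The following shell script is an added example, not part of the FAQ or of VaporSec itself; it assumes a BSD-style netstat whose “ipsec:” section prints lines of the form “N inbound packets processed successfully”, and the netstat text embedded in it is a constructed sample (not captured from a real machine) so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the VaporSec FAQ or project): sample the "ipsec"
# counters from `netstat -sn` before and after probing an inside address.
# If the counters move, the probe traffic was processed by IPSec; if they
# stay flat, the packets went out in the clear (or never went out at all).

# Sum the "<dir> packets processed successfully" counters from netstat -s
# text on stdin.  Usage: ipsec_counter inbound|outbound < text
ipsec_counter() {
    awk -v dir="$1" '
        /^ipsec:/           { in_sec = 1; next }   # enter the ipsec: section
        in_sec && /^[^ \t]/ { in_sec = 0 }         # next unindented line ends it
        in_sec && $2 == dir && /processed successfully/ { total += $1 }
        END { print total + 0 }
    '
}

# Compare two samples: "protected" if the counter grew, "clear" otherwise.
ipsec_verdict() {
    before=$1; after=$2
    if [ "$after" -gt "$before" ]; then
        echo protected
    else
        echo clear
    fi
}

# Constructed sample of netstat -sn output (assumed format, not real data),
# taken "before" and "after" a 4-packet probe.
SAMPLE_BEFORE='tcp:
	120 packets sent
ipsec:
	2 inbound packets processed successfully
	0 inbound packets violated process security policy
	5 outbound packets processed successfully
	1 outbound packet violated process security policy
udp:
	44 datagrams received'

SAMPLE_AFTER='ipsec:
	6 inbound packets processed successfully
	0 inbound packets violated process security policy
	9 outbound packets processed successfully
	1 outbound packet violated process security policy'

# Live check against a real host:  sh ipsec_check.sh --live 192.168.234.23
# (use an address on the inside of your gateway).  Not run when the script
# is merely sourced or executed without arguments.
if [ "${1-}" = "--live" ]; then
    target=${2:?usage: $0 --live <inside-address>}
    b=$(netstat -sn | ipsec_counter outbound)
    ping -c 3 "$target" >/dev/null 2>&1 || echo "no ping reply from $target"
    a=$(netstat -sn | ipsec_counter outbound)
    echo "outbound IPSec packets: $b -> $a ($(ipsec_verdict "$b" "$a"))"
fi
```

A reply to the ping on its own only proves the inside host is reachable; pairing it with a rising “processed successfully” counter is what shows the packets were actually wrapped by IPSec rather than routed in the clear, which is also the reason the FAQ points at the counters for host-to-host setups where nothing else looks different.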

It isn’t working. How can I troubleshoot VaporSec?

First you need to find out where things are going wrong. The best way to do this is to look at the logs. Run “tail -n 500 /var/log/system.log | grep racoon” from the command line. This will look through the last 500 lines of your system log and return the lines that racoon, one of the IPSec programs, uses. While this will be rather “geeky”, everything that you need to know is in here. See where the errors are coming from and try troubleshooting from there. If you are still stumped, post the error lines to the VaporSec forum and we can try helping you from there.
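
Five hundred lines of racoon chatter are easier to read once the errors are pulled out. The script below is an added example, not part of the FAQ or of VaporSec; it feeds the same “tail | grep racoon” output into a small awk summary that counts established ISAKMP SAs and ERROR lines and shows the first error. The log lines embedded in it are constructed to look like racoon syslog output (the “ERROR:” and “ISAKMP-SA established” wording is assumed; check your own system.log for the exact phrasing).

```shell
#!/bin/sh
# Added example (not from the VaporSec FAQ or project): summarise the racoon
# lines of system.log so the first failure stands out before you read the
# full output or post it to the forum.

# Read syslog lines on stdin, keep only racoon's, and print:
#   established=<n> errors=<n>
#   first error: <text after "ERROR: ">   (only when there were errors)
racoon_summary() {
    grep 'racoon' | awk '
        /ISAKMP-SA established/ { established++ }   # phase 1 completed
        /ERROR:/ {
            errors++
            if (first == "") { sub(/^.*ERROR: */, ""); first = $0 }
        }
        END {
            printf "established=%d errors=%d\n", established, errors
            if (errors) printf "first error: %s\n", first
        }
    '
}

# Constructed sample log (assumed racoon wording, documentation addresses,
# made-up hostname and SPI), not a capture from a real machine.
SAMPLE_LOG='May  2 10:14:58 pbook racoon: INFO: IPsec-SA request for 203.0.113.5 queued due to no phase1 found.
May  2 10:14:58 pbook racoon: INFO: initiate new phase 1 negotiation: 198.51.100.7[500]<=>203.0.113.5[500]
May  2 10:15:29 pbook racoon: ERROR: phase1 negotiation failed due to time up. 198.51.100.7[500]<=>203.0.113.5[500]
May  2 10:15:30 pbook configd[91]: network changed
May  2 10:16:02 pbook racoon: INFO: ISAKMP-SA established 198.51.100.7[500]-203.0.113.5[500] spi:CONSTRUCTEDSPI
May  2 10:16:03 pbook racoon: ERROR: no configuration found for 203.0.113.5.'

# On a real system, exactly the FAQ's command piped into the summary:
#   tail -n 500 /var/log/system.log | racoon_summary
```

A “phase1 negotiation failed due to time up” as the first error usually means the gateway never answered on UDP 500 (wrong peer address, or the traffic being blocked), while errors that appear only after “ISAKMP-SA established” point at the phase 2 proposal or policy instead; knowing which half failed is what decides where to start editing racoon.conf.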

Where does VaporSec store its goodies?

All of VaporSec’s preferences and data files are stored in /Library/Application Support/VaporSec. The “connections.db” file contains all of the connections that you have defined in VaporSec. The “racoon.conf” file is the configuration file used by VaporSec. Feel free to edit it, which is actually the first step in troubleshooting a bum connection. In a future release of VaporSec you will be able to do the edits from the application itself. The shared secrets are kept in /etc/racoon/psk.txt.

How did you get it to rebuild the connections when I change networks?

I hacked the restart-NetInfo script that the kicker bundle runs when your network settings change. The next to last line will run the VaporSec startup item that will recreate your IPSec tunnels with your new IP address. This is rather ugly, but I have been running with this hack for a while with no observed problems. VaporSec politely backs up your old restart-NetInfo script in /Library/Application Support/VaporSec and will return it to its original place if you turn off this behavior in the preferences. If anyone has any ideas about a better way of doing this, I’d be happy to listen.

You guys are so cool, what can I do to help?

If you are interested in some programming ideas, let us know. We have a few projects on the back burner that someone could take and run with. Most notably I keep toying with writing a controller application and queue manager for Exim. You can write an article about something cool you have done with Mac OS X Server, UNIX, or what have you. We’ll post it with our other informative pieces at http://www.afp548.com/Articles. If you don’t program, please participate in our forums and help someone else out like VaporSec has helped you. Finally, we accept tips over PayPal. Our account is “mactroll@afp548.com”.