VaporSec on Panther talks to OpenBSD 3.4!
Now this was a headache! My setup:
LAN at office (192.168.1.0/24) behind OpenBSD 3.4, connected to the internet via cable modem, receiving an official IP via DHCP (DynDNS helps out)
At home: OS X 10.3.2 on a 17" PowerBook, DHCP from a cable modem as well
Aim: be part of the office LAN while at home...
I do get AppleScript error 2706 when starting VaporSec up, but I can click it away and don't bother.
After a lot of trying, I got this far: I could narrow my problems down to the "setkey" part of the whole process. I could even narrow it down further to the part in the script ipsec.sh where it tries to find out the IP of the machine it is running on, in this part:
################################################################################
#
# setup tunnels
# this will iterate through all the interfaces and make tunnels with that IP
#
################################################################################
setup_tunnels () {
    # Parse "ifconfig -a": remember the current interface name on lines that
    # start with "en", print every inet address except loopback, and call
    # make_tunnel (defined elsewhere in ipsec.sh, using $IP) once per address.
    awk 'BEGIN {while ("ifconfig -a" | getline) {
        if ( /^en/ ) {
            sub( /:/, "")
            interface = $1
        }
        if ($1 == "inet" && $2 != "127.0.0.1") {
            print $2
        }
    }
    }
    ' | while read IP
    do
        make_tunnel
    done
}
The "setkey -DP" result just didn't make sense. BUT everything went fine when I changed
    ifconfig -a
to
    ifconfig -L en1
en1 being my wireless LAN interface, in use now.
Of course the script isn't as flexible this way, but at least I got my IPsec tunnel running...
It looks to me as if there is a bug somewhere in the way the script searches for and uses the IPs it finds. With the -a it ran "make_tunnel" 2 times; with the "-L en1" the subroutine "make_tunnel" ran only once and did the setup correctly.
Maybe of interest: my OpenBSD configs. I did a lot of trying until I found a working example that played along with VaporSec. As I am no expert, these settings might not be optimal, but for the moment they work for me. The VaporSec settings I describe further down.
OpenBSD:
/etc/isakmpd/isakmpd.policy
Keynote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
OpenBSD:
/etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Policy-File= /etc/isakmpd/isakmpd.policy
[Phase 1]
Default= ISAKMP-clients
[Phase 2]
Passive-Connections= IPsec-clients
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-BLF-SHA-SUITE
# Phase 1 peer sections
#######################
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= PGP-main-mode
Authentication= thisisthesharedsecret
# Phase 2 sections
##################
[IPsec-clients]
Phase= 2
Configuration= PGP-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote
# Client ID sections
####################
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
# Transform descriptions
########################
# Some predefined section names are recognized by the daemon, voiding the
# need to fully specify the Main Mode transforms and Quick Mode suites,
# protocols and transforms.
#
# For Main Mode:
# {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
#
# For Quick Mode:
# QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE
[PGP-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= CAST-SHA,3DES-SHA
[PGP-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE,QM-ESP-BLF-SHA-SUITE
[PGP-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= CAST-SHA,3DES-MD5
# Main mode transforms
######################
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY
[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY
# Lifetimes
###########
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
---------VaporSec settings for this:
MAIN:
Mode: main
Proposal Check: claim
Nonce size: 16
PHASE 1
Lifetime 5 minutes
DH Group 2
Encryption 3des
Authentication sha1
PHASE 2
Lifetime 8 hours
PFS Group 2
Encryption 3des
Authentication hmac_sha1
ID
Local (no entry)
Remote (no entry)