Anonymous
Participant
[quote="dima"]Hi,
Has anybody got IPSec working with X509 certificates? In particular
I am trying to connect to a Linux FreeSwan server and the client is
running MacOSX 10.2.2.
[/quote]
Sorry, no answer for you, but I need to do exactly the same thing, so if you find out anything about this, could you keep me updated please?
talklists AT index-s DOT de
Thanks!
Anonymous
Participant
[quote="patricklang"]We have everything we need built in. I haven't successfully created a connection yet though.[/quote]
Sounds like you have the beginnings of a recipe. Any luck creating a connection yet?
And for the VaporSec developers, do you have any comments on how to do this?
Best regards,
acronce
Anonymous
Participant
We have everything we need built in. I haven't successfully created a connection yet though.
Here's some details:
openssl does any certificate operations you need; in my case I needed to extract my keys from PKCS#12 format files.
racoon handles the ISAKMP and key negotiation stuff. It needs to be aware of your certificate(s). I use a self-signed certificate, so the CA's cert needs to be known by racoon in addition to my personal certificate for the VPN. I have these certs, haven't figured out where they need to be yet though.
The gif interface is needed for the tunnel; you need to configure it w/ ifconfig and the endpoints on the internet.
setkey is used to set up the ESP stuff needed to establish the tunnel between the private nets.
I'll post more info when I get it. These are all the tools, I just need to read some more docs.
http://www.daemonnews.org/200101/ipsec-howto.html seems relevant.
This is all based off KAME, the same implementation used by NetBSD and FreeBSD if I remember correctly. I'm taking a crash course in KAME tonight; I'm getting a clue pretty quickly.
Please email me if you want more info as I get it (including you VaporSec developers ;), my email is my username @mail.utexas.edu
Anonymous
Participant
If you are using a Mac text editor, such as BBEdit, setkey will not like the linefeeds used by default. Make sure that whatever editor you are using is set to use Unix linefeeds.
Anonymous
Participant
Well, I couldn't find anyplace to select a certificate or even import one.
I'm checking to see if it's available in 10.2's IPsec implementation.
I use Smoothwall Corporate w/ SmoothTunnel for the VPN/firewall, and use certificate authentication for all the road warriors.
Anonymous
Participant
I wanted to know if I could do this just by adding a machine that I already have and is collecting dust. Right now the ABS does everything for my parents with IPSec passthru. What I wanted to know is if it were possible to use port mapping to IPsec to the tunnel server (the current dust collector) sitting on their LAN. I was trying to model this sort of like the way AppleTalk Remote Access used to work. Is that even possible?
November 25, 2002 at 8:53 am in reply to: Group folders write-protected on client — but not on server #354803
Anonymous
Participant
[quote="MacTroll"]You are getting to the heart of this issue in the last post.[/quote]
Yes, it always helps to ask the right question, doesn't it? And thanks to waterman for showing me that I was asking the wrong one! I just love the way helping each other even works by asking and not only answering... 😉
[quote="MacTroll"]So the moral of all this is if you want a read/write space for a group, don't define it yourself but let the server do the work. Otherwise use the automounting sharepoints for read only things, like fonts, or for items that everyone should be able to read/write just set the permissions accordingly.[/quote]
In anticipation of some such answer 😉 I wisely set up a 'Test Group' / testgrp yesterday before posting my question to see whether the server will do some 'overnight creation magic', and lo and behold, look what happened while I was sleeping:
[code]
[Highflyer:/Volumes/Copper/Groups] admin% ll
total 16
drwxrwxrwx 14 grafik grafik 476 Nov 25 02:02 grafik
drwxrwxrwx 22 0x0A 0x5 redaktio 748 Nov 24 23:13 redaktion
drwxr-xr-x 5 tomholio testgrp 170 Nov 25 03:15 testgrp
[Highflyer:/Volumes/Copper/Groups] admin% ll testgrp/
total 0
drwxr-xr-x 5 tomholio testgrp 170 Nov 25 03:15 .
drwxrwxr-x 10 root staff 340 Nov 25 03:15 ..
drwxr-x--- 2 tomholio testgrp 68 Nov 25 03:15 Documents
drwxr-x--- 2 tomholio testgrp 68 Nov 25 03:15 Library
drwxrwxr-x 3 tomholio testgrp 102 Nov 25 03:15 Public
[Highflyer:/Volumes/Copper/Groups] admin%
[/code]
Of course, when I log in from a client, I'm still just a guest. But I'll try turning off automount and/or guest access on the /Groups folder.
But for now, i.e. today when the editors are coming in for work (yes, this is a production system...), I'll set the folders in question to world-writeable; then they (as guests) should be able to edit their files, I hope...
[quote="MacTroll"]Again, I believe that the wonderful engineers at Apple are currently discussing this issue and coming up with a comprehensive solution. Much like the default umask and the lack of configuration options, but that is another story.[/quote]
I personally can't help but think that something so basic as user and group rights should have been thought through to the end before launching a commercial product — this is 10.2 fcol! Oh, well: love it or leave it (and no, I won't leave it...) *eg*
Oh, but do tell me more about that 'default umask'!!! So far I've found out ('man umask'...) that it does what I want (i.e. umask 002 gives me the desired effect) but not where, i.e. a) only in the Terminal and b) only for the currently logged in user.
Got any wisdom on that?
Thanks for your great post and the time you took to write it!
tom
Anonymous
Participant
I was thinking more along the lines of what type of hardware setup others were using; or are we just all waiting for that massive 3U disk monster from Apple to be released?
Cheers.
[quote="Cabbage"]Dantz Retrospect Server
Set it up, set up the scripts. Never have to worry about it again[/quote]
November 16, 2002 at 9:50 am in reply to: Export AppleMailServer database to standard format #354775
Anonymous
Participant
Hey!
I think Emailchemy
[quote]
About Emailchemy
Emailchemy is a utility that helps you regain ownership of your email. Emailchemy reads email from the proprietary formats of the most popular (and many of yesterday's forgotten) email applications and converts it to a standard, portable format that any application can use.
[/quote]
[url=http://www.weirdkid.com/products/emailchemy/]Weird Kid Soft[/url]
Hope this helps
Vickey
November 14, 2002 at 6:33 pm in reply to: Can't activate journaling on OS X Server 10.2.2 - DiskArb #354771
Anonymous
Participant
I got this same message when I tried to use diskutil to enable journaling on the file system (I was in single user mode at the time). I have no answers for you, but perhaps journaling is the issue?
Anonymous
Participant
Oh, I forgot: I'm running 10.2.2 on a PPPoE DSL connection. And my vpnsetup.txt looks like this:
[code]
flush;
spdflush;
spdadd 192.168.1.0/24 xxx.xxx.117.114/32 any -P in ipsec esp/tunnel/xxx.xxx.29.199-xxx.xxx.117.114/require;
spdadd xxx.xxx.117.114/32 192.168.1.0/24 any -P out ipsec esp/tunnel/xxx.xxx.117.114-xxx.xxx.29.199/require;
[/code]
which could be understood as:
[code]
flush;
spdflush;
spdadd R9100-LAN/24 PPPoE-IP/32 any -P in ipsec esp/tunnel/R9100PublicIP-PPPoE-IP/require;
spdadd PPPoE-IP/32 R9100-LAN/24 any -P out ipsec esp/tunnel/PPPoE-IP-R9100PublicIP/require;
[/code]
As you have understood, the LAN behind the R9100 is on 192.168.1.x/255.255.255.0.
The R9100 gets on the Net using PPTP and has a static IP.
My psk.txt file only has one line:
[code]
R9100-IP sharedsecretkey
[/code]
Could it be something wrong with my PPPoE dynamic connection?
Is there any way to not modify the vpnsetup.txt file each time I get connected (could 0.0.0.0/32 work for any IP)?
I've read some forums about IPSec on BSD 4.4; they talk about ifconfig, gifconfig, and gif0 building a tunnel before doing anything. Do we also have to do this on OS X?
The R9100 asks for special settings in its IKE setup; the screen looks like this:
[quote]
Negotiation: Normal
SA Use Policy: Newest SAs Immediately
Allow Dangling Phase 2 SAs: Yes
Phase 1 SA Lifetime (seconds): 28800
Phase 1 SA Lifetime (Kbytes): 0
Send Initial Contact Message: Yes
Include Vendor ID Payload: Yes
Independent Phase 2 Re-keys: Yes
Strict Port Policy: No
[/quote]
Perhaps this could help you give me some advice...
Thanks for your help
Regards
Vickey
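The tool list in the earlier KAME post and the vpnsetup.txt above share one practical problem: a road-warrior on PPPoE gets a new address on every connect, and setkey has no wildcard for it. `0.0.0.0/32` in an spdadd selector matches only packets literally addressed to 0.0.0.0, and the `esp/tunnel/A-B` part names the SA endpoints that racoon will negotiate, so both have to be real addresses. The usual fix is to regenerate and reload the policy file whenever the link comes up. The script below is an added example written for this thread, not code posted by anyone in it and not part of racoon or KAME. It assumes the policy file lives at /etc/racoon/vpnsetup.txt and the PPPoE interface is ppp0; the sample ifconfig output and the RFC 5737 addresses in it are constructed for the example. It writes the file with plain LF line endings, which avoids the BBEdit problem mentioned earlier in the thread. One caveat on the gif0 question: with `esp/tunnel/...` policies the kernel builds the tunnel from the SPD entries themselves; the gif0 interface in the daemonnews howto belongs to the other approach (an IP-in-IP gif tunnel protected by transport-mode ESP), so you do not need both.

```python
"""Regenerate a setkey(8) policy file for a client whose own address changes.

Added example for this thread; not code from any post, from racoon or from KAME.
Assumed: policy file at /etc/racoon/vpnsetup.txt, PPPoE interface ppp0.
"""
import ipaddress
import re
import subprocess
import sys

POLICY_PATH = "/etc/racoon/vpnsetup.txt"   # assumed location of the file from the post

# Constructed sample of `ifconfig ppp0` on a BSD-derived system; the addresses are
# RFC 5737 documentation addresses, not anything from the thread.
SAMPLE_IFCONFIG_PPP0 = (
    "ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492\n"
    "\tinet 203.0.113.17 --> 203.0.113.1 netmask 0xffffffff\n"
)

# "inet A.B.C.D", optionally followed by "--> peer" on point-to-point links.
# "inet6" lines never match because a digit must follow "inet ".
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)(?: --> (\d+\.\d+\.\d+\.\d+))?", re.M)


def inet_from_ifconfig(text):
    """Return (address, peer_or_None) from ifconfig output; ValueError if the link is down."""
    m = INET_RE.search(text)
    if not m:
        raise ValueError("no IPv4 address on that interface (PPPoE not up?)")
    return m.group(1), m.group(2)


def render_spd(local_pub, remote_pub, remote_lan, local_lan=None, level="require"):
    """Build the setkey script: flush both databases, then one inbound and one
    outbound tunnel-mode ESP policy between this host (or local_lan) and remote_lan.

    Refuses inputs that setkey would accept but that can never match traffic:
    an unspecified address (0.0.0.0 is not a wildcard, neither in a selector nor
    as a tunnel endpoint) and a remote LAN written with host bits set.
    """
    lp = ipaddress.ip_address(local_pub)
    rp = ipaddress.ip_address(remote_pub)
    if lp.is_unspecified or rp.is_unspecified:
        raise ValueError("0.0.0.0 is not a wildcard; use the real tunnel endpoint")
    rlan = ipaddress.ip_network(remote_lan, strict=True)            # e.g. 192.168.1.0/24
    llan = ipaddress.ip_network(local_lan or str(lp), strict=True)  # defaults to this host /32
    lines = [
        "flush;",
        "spdflush;",
        f"spdadd {rlan} {llan} any -P in ipsec esp/tunnel/{rp}-{lp}/{level};",
        f"spdadd {llan} {rlan} any -P out ipsec esp/tunnel/{lp}-{rp}/{level};",
    ]
    return "\n".join(lines) + "\n"


def write_policy(path, text):
    """Write with LF line endings on every platform; setkey does not accept
    the classic Mac CR endings that BBEdit produces by default."""
    with open(path, "w", newline="\n") as fh:
        fh.write(text)


def main(argv):
    # usage: regen_spd.py <gateway-public-ip> <remote-lan/prefix> [interface]
    gateway, remote_lan = argv[1], argv[2]
    ifname = argv[3] if len(argv) > 3 else "ppp0"
    out = subprocess.run(["ifconfig", ifname], capture_output=True, text=True, check=True).stdout
    me, _peer = inet_from_ifconfig(out)
    write_policy(POLICY_PATH, render_spd(me, gateway, remote_lan))
    subprocess.run(["setkey", "-f", POLICY_PATH], check=True)   # needs root
    print(f"installed tunnel policy {me} <-> {gateway} for {remote_lan}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from whatever hook fires when the PPPoE link comes up, with the gateway address and the remote LAN as arguments; racoon reads the tunnel endpoints from the installed policy when the first packet triggers an SA acquire, so it does not need restarting.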
Anonymous
Participant
Thanks for the help, that was certainly the case, but as I've rebooted since my first attempt I have a new error message:
[code]
INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
[/code]
and a few lines after:
[code]
isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 195.154.xxx.xxx->213.203.xxx.xxx
[/code]
These messages appear if I try to make an AFP connection from the Finder to 192.168.1.11, which is a file server on the LAN behind the R9100.
Is there any way to verify that the R9100 answers on the right ports, like making a
#telnet R9100-IP 500 ?
It seems that the R9100 is not answering anything to the Jaguar box...
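telnet cannot answer that question: it opens a TCP connection, while ISAKMP listens on UDP port 500, so a closed, filtered or perfectly healthy IKE port all look the same to it. What does work is sending the first main-mode message (HDR, SA) and seeing whether anything comes back. Any ISAKMP reply at all, including an informational NOTIFY such as NO-PROPOSAL-CHOSEN rejecting the proposal, proves the gateway is reachable on UDP/500 and willing to talk to this address; a timeout points at a firewall, a wrong address, or a gateway that ignores unknown peers. The script below is an added example written for this thread, not code from any post or from racoon. It offers a single 3DES/SHA/PSK/group-2 proposal with the 28800-second lifetime from the R9100 screen, which is an assumption about what that gateway accepts, and it decodes the reply header and payload chain. The `build_notify` helper exists only to construct a sample reply so the parser can be exercised offline. Some gateways answer only when the source port is also 500; `probe(host, bind_port=500)` does that, and the bind fails with "address already in use" when racoon, or whatever in Classic is holding port 500 in the reply further down, already owns it, which is itself a useful diagnostic. Stop racoon first, and only point this at a gateway you operate.

```python
"""Minimal ISAKMP (IKEv1) main-mode probe: is anything answering on UDP/500?

Added example for this thread; not code from any post or from racoon.
Wire formats follow RFC 2408 (ISAKMP) and RFC 2409 (IKE).
"""
import os
import socket
import struct
import sys

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1: 28 bytes
PAYLOAD_HDR = struct.Struct("!BBH")         # generic payload header: next, reserved, length

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {1: "base", 2: "identity-protection", 3: "auth-only",
                  4: "aggressive", 5: "informational", 32: "quick-mode"}
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                24: "AUTHENTICATION-FAILED", 29: "UNSUPPORTED-EXCHANGE-TYPE"}


def build_main_mode_sa(icookie=None):
    """HDR, SA: the initiator's first main-mode message, one proposal, one transform."""
    icookie = icookie or os.urandom(8)
    # Basic (16-bit) attributes: type with the high bit set, then the value.
    attrs = struct.pack("!12H",
                        0x8001, 5,       # ENCRYPTION_ALGORITHM = 3DES-CBC (assumed acceptable)
                        0x8002, 2,       # HASH_ALGORITHM = SHA
                        0x8003, 1,       # AUTHENTICATION_METHOD = pre-shared key
                        0x8004, 2,       # GROUP_DESCRIPTION = 1024-bit MODP (group 2)
                        0x800B, 1,       # LIFE_TYPE = seconds
                        0x800C, 28800)   # LIFE_DURATION = 28800 s, as on the R9100 screen
    # Transform #1, Transform-Id KEY_IKE, reserved2; then proposal #1 for PROTO_ISAKMP,
    # SPI size 0, one transform; then the SA payload with DOI=IPSEC, SIT_IDENTITY_ONLY.
    transform = PAYLOAD_HDR.pack(0, 0, 8 + len(attrs)) + struct.pack("!BBH", 1, 1, 0) + attrs
    proposal = PAYLOAD_HDR.pack(0, 0, 8 + len(transform)) + struct.pack("!BBBB", 1, 1, 0, 1) + transform
    sa = PAYLOAD_HDR.pack(0, 0, 12 + len(proposal)) + struct.pack("!II", 1, 1) + proposal
    hdr = ISAKMP_HDR.pack(icookie, b"\0" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa


def build_notify(icookie, rcookie, ntype):
    """Constructed informational reply (HDR, N) of the kind a gateway sends to reject
    a proposal; used here only to give the parser something to chew on offline."""
    body = struct.pack("!IBBH", 1, 1, 0, ntype)   # DOI, PROTO_ISAKMP, no SPI, notify type
    n = PAYLOAD_HDR.pack(0, 0, PAYLOAD_HDR.size + len(body)) + body
    return ISAKMP_HDR.pack(icookie, rcookie, 11, 0x10, 5, 0, 0, ISAKMP_HDR.size + len(n)) + n


def parse_isakmp(data):
    """Decode the ISAKMP header and walk the payload chain, bounds-checking every
    length field so a hostile or truncated datagram raises instead of misparsing."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length > len(data):
        raise ValueError("ISAKMP length %d exceeds datagram %d" % (length, len(data)))
    msg = {"icookie": ic.hex(), "rcookie": rc.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)), "message_id": msgid,
           "encrypted": bool(flags & 1), "payloads": [], "notify": None}
    off = ISAKMP_HDR.size
    while nxt != 0 and not msg["encrypted"]:     # encrypted payloads are opaque here
        if off + PAYLOAD_HDR.size > length:
            raise ValueError("truncated payload chain")
        pnext, _, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > length:
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        msg["payloads"].append(PAYLOAD_NAMES.get(nxt, str(nxt)))
        if nxt == 11 and plen >= 12:             # Notification: DOI(4) proto(1) spisz(1) type(2)
            ntype = struct.unpack_from("!H", data, off + 10)[0]
            msg["notify"] = NOTIFY_NAMES.get(ntype, str(ntype))
        nxt, off = pnext, off + plen
    return msg


def probe(host, port=500, timeout=3.0, bind_port=None):
    """Send HDR,SA to host and return the parsed reply, or None on timeout.
    bind_port=500 sources from port 500 for gateways that insist on it; the bind
    raises OSError (address in use) if racoon or anything else already holds it."""
    msg = build_main_mode_sa()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_port is not None:
            s.bind(("", bind_port))
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        data, peer = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    reply = parse_isakmp(data)
    reply["from"] = peer[0]
    reply["cookie_match"] = reply["icookie"] == msg[:8].hex()   # reply is for our request
    return reply


if __name__ == "__main__":
    result = probe(sys.argv[1], bind_port=500 if "--port500" in sys.argv else None)
    print(result or "no ISAKMP reply within timeout: filtered, wrong address, or silent gateway")
```

A reply whose `rcookie` is non-zero and whose `payloads` start with `SA` means the gateway accepted the proposal and is waiting for message 3, so the problem in the racoon log above is on the racoon side (or its proposal differs from this one); a `notify` of NO-PROPOSAL-CHOSEN means the gateway is alive but wants different phase 1 parameters.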
Anonymous
Participant
Figured out what it was in Classic that was causing the problem: the PGPNet extension! (Pretty obvious really, but I'd forgotten I had tested it out about a year ago.) Thanks for the articles and the help!
Anonymous
Participant
I have followed the instructions to set up the VPND, but when I try to connect using a PPTP client I get the following message in the vpnd.log:
[code]
2002-11-07 04:56:02 EST PPTP connection accepted <my IP Address>; leased IP 10.0.1.156 to child 22284
2002-11-07 04:56:02 EST Child process 22284 quit with exit status 2.
[/code]
Any ideas?
Anonymous
Participant
I've now figured out (partly) what was causing the problem. Something in Classic had grabbed port 500, stopping the racoon process from working properly. I found out by running racoon in debug mode:
[code]
racoon -f /etc/racoon/racoon.conf -d -d -d -F -v
[/code]
Once I shut down Classic I could connect between my two Macs no problem.
So far I haven't been able to figure out what it is in Classic that is using port 500 though. 🙁