Forum Replies Created
pat (Participant):
Actually I haven't (completely) secured the wireless part of my Internet access. Whenever I do anything other than pinging the LAN "over there", I do it insecurely. All I do have is a secured tunnel from my official IP, "as private IP", to the official IP of the "LAN over there", to the private IP of its internal interface and the private range network "over there". But anyhow. I don't have a foolproof concept, just an idea.
(First: there may be many places where something can go wrong or be set so that the Mac and the OpenBSD box don't understand each other, but the XP machine does. I am thinking of the settings of VaporSec on the Mac or /etc/isakmpd/isakmpd.conf and isakmpd.policy on the OpenBSD box. In my experience these are subtle things and almost everything matters 😉 As you can see here http://www.allard.nu/openbsd/openbsd/index.html, SSH Sentinel has a specific isakmpd.conf. If your isakmpd.conf works with the XP client, I guess you would have to reproduce its settings exactly with VaporSec on the Mac, or you will fail for sure. But how you do this, I don't know, as I don't use SSH Sentinel. And: do you have "pf" running and /etc/pf.conf set up accordingly? Well, as you can surf with the XP, I guess you do.
It helped me a lot to keep several terminal windows open on the Mac, each showing one output:
– terminal window 1 on the Mac: tail -f /var/log/system.log (shows you every addition to this log file as it happens)
– terminal window 2 on the Mac, but logged in on the OpenBSD box, running isakmpd in non-daemon mode with "isakmpd -d -DA=70" (shows you a lot of rather cryptic output; important insofar as you at least see whether anything happens at all...)
– terminal window 3 on the Mac: ping the system I want to reach... (test for success)
With this you can see what the Mac internals do when you tell VaporSec to "Vaporize", and if and how the OpenBSD box responds. So that's a "first level control".
But let's assume the problem is NOT there...). So basically you need a tunnel from the PowerBook to the OpenBSD box. If you know German, maybe this would be exactly what you need:
http://www.openbsd.de/ipsec/html/index.html
automatically translated here:
Maybe this helps. A more speculative, untried, only guessed way might be this:
Now you want to surf with the PowerBook, having assigned it a private range IP, PowerBook and OpenBSD box being on the same private range subnet (192.168.1.0/24). This doesn't work, you write. How about simulating "my" setup? Meaning: separate the "real" IP of the PowerBook from the "simulated" one. This way:
a) In the Network Control Panel you assign your PowerBook the private IP 192.168.3.1, set the netmask to 255.255.0.0 and the gateway to 192.168.2.1 (I assume that's the gateway to the Internet for all your machines on the local private range network, isn't it?)
b) In VaporSec, in the "Main settings", you set "Local IP" to 192.168.2.2, and in the same pane, a little further up, you set the "Remote Network" to 192.168.2.0/24 (or maybe 192.168.2.0/16, I'm not sure)
c) Set the netmask of interface dc0 to 255.255.0.0 (so the XP machine (192.168.2.14) and the PowerBook (192.168.3.1) are reachable for it at all)
d) Assign interface fx1 the completely different private range IP 10.0.0.1 with the subnet 255.255.255.0. Yes, this requires IP changes on the printer and other computers as well and/or maybe even in the DHCP setup if you use OpenBSD as a server on that interface
e) Check /etc/isakmpd/isakmpd.conf for any setting of a subnetwork; make sure it is something like 192.168.0.0 with netmask 255.255.0.0
What this may may may bring:
– "isolate" the PowerBook's "main" IP 192.168.3.1
– set up the tunnel between the PowerBook "local IP" 192.168.2.2 and the OpenBSD interface at 192.168.2.1
– make 3.1 still reachable for 2.1 and vice versa
This is very speculative and rather likely not to work either... :-) But maybe it does. I guess it would take about half an hour to try it. Caution: if you mess around, first write down the original settings somehow, so you can easily reconstruct them... I wouldn't like to take the blame for having sent you into blowing up your at least partially working setup...
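The addressing plan in the lettered steps above rests on a handful of subnet facts that are easy to get wrong by hand: whether the PowerBook's main IP and the OpenBSD gateway are actually on-link under the old and the new netmask, whether "192.168.2.0/16" is even a well-formed prefix (it has host bits set, so a tunnel front end may reject it or silently widen it), whether the VaporSec local IP falls inside its own remote-network selector, and whether the re-addressed 10.0.0.0/24 interface collides with anything the tunnel or isakmpd.conf is told about. The following is an added example, not code from either poster or from VaporSec/isakmpd; it only checks the addresses and masks quoted in the post with Python's standard ipaddress module. The function and key names are my own choice.

```python
import ipaddress
from typing import Dict, Tuple

# Addresses and masks as given in the post's plan (constructed from the text above).
POWERBOOK_MAIN = "192.168.3.1"          # PowerBook's "real" IP, step a)
POWERBOOK_TUNNEL_LOCAL = "192.168.2.2"  # VaporSec "Local IP", step b)
REMOTE_NET_A = "192.168.2.0/24"         # VaporSec "Remote Network", first guess
REMOTE_NET_B = "192.168.2.0/16"         # the poster's alternative guess
OPENBSD_GATEWAY = "192.168.2.1"         # OpenBSD dc0 address / default gateway
XP_CLIENT = "192.168.2.14"              # the XP client that already works, step c)
INNER_IF_NEW = "10.0.0.1/24"            # re-addressed inner interface, step d)
ISAKMPD_SUBNET = "192.168.0.0/16"       # subnet suggested for isakmpd.conf, step e)
MASK_OLD = "255.255.255.0"
MASK_NEW = "255.255.0.0"


def same_link(addr_a: str, addr_b: str, netmask: str) -> bool:
    """True when two hosts using `netmask` consider each other directly reachable
    (same on-link prefix, so traffic is ARPed rather than sent to the gateway)."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{netmask}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{netmask}").network
    return net_a == net_b


def normalize_prefix(cidr: str) -> Tuple[bool, str]:
    """Return (well_formed, canonical_prefix).

    A selector such as 192.168.2.0/16 has host bits set inside the mask. Some
    IPsec front ends reject it, others silently widen it to 192.168.0.0/16;
    either way the operator should know which prefix is really negotiated.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True, cidr
    except ValueError:
        return False, str(ipaddress.ip_network(cidr, strict=False))


def prefixes_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True when two prefixes share addresses (ambiguous route or tunnel selector)."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def address_in(addr: str, cidr: str) -> bool:
    """True when a host address falls inside a prefix (prefix normalized first)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def check_plan() -> Dict[str, object]:
    """Evaluate the addressing facts the plan relies on and return them by name."""
    ok16, canon16 = normalize_prefix(REMOTE_NET_B)
    return {
        # Steps a)/c): under the old /24 the PowerBook and the gateway are not
        # on-link; under the proposed /16 they are, and so is the XP client.
        "pb_gw_onlink_old_mask": same_link(POWERBOOK_MAIN, OPENBSD_GATEWAY, MASK_OLD),
        "pb_gw_onlink_new_mask": same_link(POWERBOOK_MAIN, OPENBSD_GATEWAY, MASK_NEW),
        "pb_xp_onlink_new_mask": same_link(POWERBOOK_MAIN, XP_CLIENT, MASK_NEW),
        # Step b): is "192.168.2.0/16" a real prefix, and what does it widen to?
        "remote_net_b_well_formed": ok16,
        "remote_net_b_canonical": canon16,
        # Step b): does the VaporSec local IP sit inside its own remote selector?
        "tunnel_local_inside_remote_a": address_in(POWERBOOK_TUNNEL_LOCAL, REMOTE_NET_A),
        # Steps d)/e): the re-addressed inner LAN must not collide with the
        # tunnel's remote network or with the isakmpd.conf subnet.
        "inner_overlaps_remote_a": prefixes_overlap(INNER_IF_NEW, REMOTE_NET_A),
        "inner_overlaps_isakmpd_subnet": prefixes_overlap(INNER_IF_NEW, ISAKMPD_SUBNET),
        # The isakmpd.conf subnet must cover both tunnel endpoints and the PowerBook.
        "isakmpd_covers_endpoints": all(
            address_in(a, ISAKMPD_SUBNET)
            for a in (POWERBOOK_MAIN, POWERBOOK_TUNNEL_LOCAL, OPENBSD_GATEWAY)),
    }


if __name__ == "__main__":
    for name, value in check_plan().items():
        print(f"{name:32} {value}")
```

Running it before touching any interface shows, among other things, that 192.168.2.0/16 is not a canonical prefix and that the proposed local IP 192.168.2.2 lies inside the 192.168.2.0/24 remote network; both are worth knowing before spending the "half an hour" the post estimates.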
pat (Participant):
bryancn wrote:
Thanks Joel – a typo of course, allowing progress to the next problem (opportunity?).
(...)
You (Pat) say you configured your client inside the router. Did you have to cope with this?
Did I? Not exactly inside the router. I connect a Netgear MA 102 AP to my cable modem. The AP is on a switch to which the cable modem is connected. Why? Downstairs a friend uses the same cable modem to get his IP from the same provider, and he connects to the switch too. Me upstairs, I connect wirelessly.
Well, no, this way I didn't have to cope with NAT traversal. I guess I can't help you with that. As I connect my PowerBook directly (although via access point), getting an official IP from my provider http://www.hispeed.ch, and rely on Panther's firewall... By the way, I put a little more verbose record of what I did here: http://homepage.mac.com/tsup/vpn/