Slashdot Mirror
IPsec on Mac OS X Panther?
ItsMr.Data wants to take a bite out of this issue: "I just got a new PowerBook with Airport. I wish to use it in the wireless network at the university I attend. The problem is that the university uses BlueSocket to secure the WIFI connections. The BlueSocket gateway is configured for IPsec tunnels. The client tool that BlueSocket provides does not work properly under Panther. I was told by the network department that it would be up to me to find a solution until BlueSocket comes out with an updated client. Being a poor college student, I would like to find a cheap or free solution. I have never worked with VPNs or IPsec. Do any Slashdot readers have any good ideas?"
Can't you use the Internet Connect application that ships with OS X to make an IPSec connection to their VPN? That's how I connect to my school's.
First post?
Vonal Declosion
A new Powerbook? I wish I was a poor college student.
This space intentionally left blank.
The IPSec facilities in Panther should be more than sufficient for what you need. In my experience (in very nearly the exact same situation, as well as similar ones at corporation), the hardest part is wrangling the proper information out of your support staff. First you have to find someone who know WTF you're talking about. then they have to find the information. then they (may) have to get approval to give it to you. that generally involves convincing some clueless administrative type that you're not an 3vi1 h4xx0r. and then they have to actually give it to you. and the odds of getting the info right on the first try is not so good.
my biggest bit of advice is find some friendly, knowledgeable admin, find out what she likes to drink, and buy her lots of it.
i speak for myself and those who like what i say.
When I was an organizer with NJPIRG at Rutgers, I used Bluesocket's IPSEC utility with early Developer's builds of Panther and it worked fine. YMMV.
wow. where are my mod points when i need them.
for the record, i wasn't suggesting getting anyone drunk; rather, give it as a gift. given we're talking about techies, maybe a large DIMM or ThinkGeek gift certificate would've been better, but alcohol's always worked well when we needed to grease the wheels with the landlord, or utility guy, or trash collectors, and so on.
i speak for myself and those who like what i say.
LEAP is proprietary as well. A more open standard is PEAP.
...
Yeah, the first post has a good idea. Use the Internet connection utility. It allows you to create a IPSec connection and is integrated very well with Panther.
Would that be Microsoft PEAP (PEAP-EAP-MSCHAPv2) or Cisco PEAP (PEAP-EAP-GTC)?
:-p
The lovely thing about open standards is that there can be some many ways to implement them
Windows ships with a client that supports MS PEAP. The Cisco aironet client supports Cisco PEAP. They are not really compatible. The MS PEAP client works great when authenticating against and NT Domain or an AD. The Cisco version works with more third party radius backends to authenticate clients. Designing a wireless security and authentication infrastructure can be interesting. Particularly if you want to avoid storing cleartext passwords anywhere.
The Apple Panther client supports L2TP over IPsec. I am not sure what bluesockets is doing with IPsec, but that would be a good thing for them to support.
LEAP can be configured to work with Airport (I think it works out of the box but not sure). I do know my university uses Cisco LEAP and my iBook works where I can find wireless coverage...
For reference, I have an iBook G3 with 10.2.8 and the newest Aiport drivers.
I don't know if I'd say Cisco stuff is proprietary since they're basically THE networking company. Bluesocket stuff is a niche market proprietary thing, but Cisco shit is pretty much standard. I mean for crying out loud, you're not putting netgear access points out there are you?
The IPSec VPN software that is built into panther is missing a lot of features that would make it actually useful. It does not support NAT Traversal, so you can't use it from behind a firewall or NAT device. It does not support XAUTH, which I assume is what your school is using to authenticate you.
.pcf files that describe the connection manually. Cisco has docs on their site of what each line does. I use the Cisco client under OSX to connect to my Netscreen box at home, and I use it for work too. Although, the Netscreen required messing with the .pcf file.
You may be able to use the Cisco VPN client though. The GUI for OSX is fairly unconfigurable, but you can edit the
Need Free Juniper/NetScreen Support? JuniperForum
You are right, but that would be a GOOD thing, I'd think.
...
I've tried to connect to my school's network, too, with little success. We use Cisco's VPN, and it's the same deal: no Panther-compatible client.
1 11911433687&query=cisco+vpn
Best I can do for you is this hint at macosxhints:
http://www.macosxhints.com/article.php?story=2003
I tried it, and it didn't work, but who knows...maybe the settings files for your VPN client are similar. Stab in the dark...it's all I got.
Better School
I cant try to connect with the crappy checkpoint firewall in use at the school i work at. I run panther and have tried everything. Apple needs to either update their IPsec implementation. checkpoint is so wack! Anybody have any luck with connecting to a checkpoint firewall vpn?
Hello,
I'm the software engineer responsible for the Mac client for Bluesocket. The client software *should* work with Panther. The client software isn't really client software, however, its just a frontend to the built-in IPSec support that was first made available in 10.2.
If you're having trouble, you can try emailing support@bluesocket.com. Because it is just a frontend to the built-in support, you can try this on the command line to see if you're logged in:
$ sudo setkey -D
Which will print out your tunnel status. If it comes back empty, you're not connected. If you see two tunnels, you're good to go. (the GUI will reflect this as well)
I just tested it again on my Panther box, and it works OK. As an aside, you can also ask your network admin if they support PPTP. The bluesocket box has PPTP support, and is compatible with Jaguar and Panther's PPTP client.
Thanks!
I don't have experiece with the other IPSec frontends...
But I can tell you that Vaporsec works well (http://afp548.com) -- oh and don't download the Jaguar version on the site, download the version in the forums (The major difference between the two are a few applescript bugs of no consequence, but it's nice to have a bug-free system.
And I suggest you ask your admins for the PRECISE configuration, it's not really easy to implement.
Mike
Back in my day we didn't have all these fancy wireless type connections. We were happy with the new 2400 baud modem pool and ignored the 1200 baud pool. Inside the campus ISN (predates ISDN) was the communication method preferred (with WIRES).
... we WROTE IT ourselves.
The problems over the years really haven't changed all that much. My ISN port was @ 9600 baud and I wanted the full 38,400 baud available. Hack in.
Fortunately the modem pool tied in via ISN -- need a modem? Reset a few ports and take control. Server on campus too busy? Knock 'em all offline. I can even think of a few locks on doors that didn't slow us down. Oh, and when we needed software
Hack on.
at www.equinux.com. relatively cheap considering ease of use - and they might have a student discount, if you ask (beg).
I use IPsecuritas v 1.0.3 http://www.lobotomo.com It works with Panther's built in IPSec "racoon" which is a command line tool. man racoon for more info. IPSecuritas works great and its FREE
[sarcasm]I don't know if I'd say Microsoft stuff is proprietary since they're basically THE software company.[/sarcasm]
Bluesocket is based on open industry standards. Many cisco products also support open standards, but they have been known to work in the odd bit of proprietary crap here and there. Cisco more often just do standards a bit early, before they're widely agreed upon, then bring their system in line with the ratified versions of the standards.
I suspect IHBT...
.sig: file not found
Personally, I am trying to figure out how to get internet connect and CheckPoint to play nice together (L2TP over IPSec). Does anyone know what exactly you have to set up on CP to make this happen? (Or a good resource for this information?)
Counting the months until we put in a PIX...
When did the future switch from being a promise to a threat? -C. Palahniuk
I use it for connecting to several networks and it is very good. Works with SonicWalls too, which is nice. It can be a little difficult to setup, mainly because you have to interpret the settings from whatever system they are using to select the right options in VaporSec. Took me awhile to figure out how the settings all mapped across.
The built-in IPSec client only works for very simple, very standard IPSec connections (although in the IPSec world, there's no such thing as "very standard"). I've never gotten it to work connecting to any IPSec network, but my clients don't always use the most open solutions, either.
If you want a free solution that's actually as configurable as VPN Tracker, check out IPSecuritas (http://www.lobotomo.com). It can be tricky to configure, but we got it to work with our company's Checkpoint VPN without altering anything on the firewall side. It even does DNS settings replacement. Not perfect, but better than anything else I"ve run across.
I've been using Internet Connect to connect to our school network. If that doesn't work you can use freeware VaporSec (URL: http://www.versiontracker.com/dyn/moreinfo/macosx/ 17212) which is graphical configuration of 'racoon' which is the built-in VPN in Mac OS X. You will need a alot of information from the school's network people to configure this properly.
Saying that PEAP is a more open standard than LEAP isn't going to help anybody connect to a VPN. WPA, 802.1x authentication and even WEP don't really have anything to do with PPTP or IPSEC VPN's, other than they both use encryption and some of them authenticate by username/password. If this guy's school is using Bluesocket VPN I don't think they're worried about using open standards, they've already dished out the money for this VPN solution and I'm willing to bet they'll stick with it. All that aside, I suppose you are right, LEAP is less proprietary than PEAP, I just don't think it's relevant to this situation.
It's really not that hard once you understand what ipsec is doing. Go to kame.org
Only 'flamers' flame!
Does slashdot hate my posts?
Check out IPsecuritas:s x/networking_s ecurity/ipsecuritas.html
http://www.apple.com/downloads/maco
It has connected to every VPN endpoint/router that I have tried to connect to, with the exception of point to multipoint access. VPN Tracker had to release a new racoon binary to get point to multipoint to work. (This is only an issue if you must connect from a fixed IP address and almost no one does this anymore.)
The racoon IPSec stack in OSX is based on the kame (kame.org) project. See afp548.com for a writeup on how to get the whole thing working via the command line.
Remember, IPSecuritas is just a GUI for something already built in to OSX.
This "Ask /." is one of the examples of what's great about /.: The author of the relevant software responded.
And he's at (Score:+5, Informative), you kidder.
There are no trails. There are no trees out here.
Stop doing this! Stop putting in measures that limit your students to whatever resource you are most comfortable supporting. It's just plain lazy and uncaring.
The [Australian] University of Wollongong's ITS department is in the process of doing something similar; installing a wireless system that will lock out Mac users (until someone figures out a way around it). In a school! So anyone who chooses to use a Mac gets callously dismissed with a 'Too bad. Sorry. Go buy a Windows machine.' and that's it. They can't be bothered to support you because they don't care to try.
It's unconscionable and just plain lazy.
http://www.uow.edu.au/
- I am made of meat.
Here: http://127.0.0.1
You're just jealous because the voices only talk to me.
http://www.netbsd.org/Documentation/network/ipsec/
I'm starting to think that slashdot is just another place for people to bitch and moan and attack other people for having a difference in opinion.
slashdot: news for angry elitist hackers. stuff that might otherwise matter.
You would be surprised at how responsive they can be. They typically don't know anything about technology (that's why they hire other people to do that stuff)
Explain to them that while their solution is good, it falls short on what the university should strive to provide. Tell them that universaly WiFi access helps their current students and increases their attractivness to potential students.
If you want the feature set of the Cisco client, but are afraid of setting it up, go here:/ 17119
http://www.versiontracker.com/dyn/moreinfo/macosx
It's called CiscoVPN Frontend and is supposedly a cocoa frontend for the cisco client. Never used it, but maybe it provides the compatibility you need in a candy coated GUI. Good Luck
I have tested this with a Cisco 3000 server and OS X 10.3. Works fine.
sulli
RTFJ.
This is just great. Thanks to the moderators making this tiny, itty bitty nugget of knowledge "informative", regardless of the fact that it has nothing to do with the topic of this thread, Google has now put this as the second result for "PEAP Panther" even though this thread gives no information about PEAP other than the fact that it is a standard. This is an example of why staying on topic is necessary, and moderating on topic is even more important. We all can make the web better, and staying on topic helps us do that.
I just picked up a new 15" Powerbook (what a great machine), and went through the process of getting it connected to my VPN.. Here are some things I learned along the way:
- The VPN configurable via the network settings GUI is L2TP over IPSec.. This is the same thing that Windows 2K/XP clients support. But, most security devices (Check Point VPN-1, Netscreen) use straight IPSec. It sounds like Bluesocket wants IPSec.
- MacOS X comes with IPSec from the KAME (Kah-May, Japanese for 'turtle') project. KAME is very common in *BSD platforms, and I believe it is integrated into Linux kernel 2.6. There is a ton of config/compatibility information available for KAME.
- Several GUI tools are available to help with VPN setup/usage. VPNTracker, VaporSec, and IPSecuritas. Some VPN vendors, like Cisco and Check Point also have MacOS VPN clients (which are probably expensive)
- I ended up using a set of Perl scripts I found here. This allows me to see exactly what is going on, and tweak as necessary. (I also posted a few more tips about IPSec setup at that forum)
- I found the debugging of IPSec sessions to be rather difficult. Without help from the VPN administrator, it can be very difficult to determine what is failing..
- I was able to get the VPN working when using a "shared secret" configuration for the user. Note that this is NOT the same thing as passwords. Using passwords, SecurID tokens, or other one-way authentication systems require XAUTH or other proprietary mechanisms (like Check Point's Hybrid mode). KAME does not support this. A better option, which will be more secure, is to use certificates for authentication. I haven't gotten around to trying this yet, but I have seen other reports of success.
- The VPN device had to be configured to enable "Aggressive Mode" in the IKE negotiations.
- Some NAT gateways will not pass IPSec packets. IPSec uses a different IP protocol, not TCP/UDP. So, many gateways don't know how to NAT it. KAME does not support NAT Traversal (encapsulation of the IPSec packet in a UDP packet), so when setting this up make sure you're not behind a NAT gateway.
- KAME's configuration requires you to enter your IP address. So, as you move to a new LAN or Wireless Access Point, you must reconfigure and restart the VPN. (This is one reason I used the Perl script I linked above. It determines your current IP address automatically.)