IPsec on Mac OS X Panther?
ItsMr.Data wants to take a bite out of this issue: "I just got a new PowerBook with Airport. I wish to use it in the wireless network at the university I attend. The problem is that the university uses BlueSocket to secure the WIFI connections. The BlueSocket gateway is configured for IPsec tunnels. The client tool that BlueSocket provides does not work properly under Panther. I was told by the network department that it would be up to me to find a solution until BlueSocket comes out with an updated client. Being a poor college student, I would like to find a cheap or free solution. I have never worked with VPNs or IPsec. Do any Slashdot readers have any good ideas?"
Can't you use the Internet Connect application that ships with OS X to make an IPSec connection to their VPN? That's how I connect to my school's.
First post?
Vonal Declosion
A new Powerbook? I wish I was a poor college student.
This space intentionally left blank.
The IPSec facilities in Panther should be more than sufficient for what you need. In my experience (in very nearly the exact same situation, as well as similar ones at corporations), the hardest part is wrangling the proper information out of your support staff. First you have to find someone who knows WTF you're talking about. Then they have to find the information. Then they (may) have to get approval to give it to you. That generally involves convincing some clueless administrative type that you're not an 3vi1 h4xx0r. And then they have to actually give it to you. And the odds of getting the info right on the first try are not so good.
my biggest bit of advice is find some friendly, knowledgeable admin, find out what she likes to drink, and buy her lots of it.
i speak for myself and those who like what i say.
When I was an organizer with NJPIRG at Rutgers, I used Bluesocket's IPSEC utility with early Developer's builds of Panther and it worked fine. YMMV.
LEAP is proprietary as well. A more open standard is PEAP.
...
Yeah, the first post has a good idea. Use the Internet Connect utility. It allows you to create an IPSec connection and is integrated very well with Panther.
Would that be Microsoft PEAP (PEAP-EAP-MSCHAPv2) or Cisco PEAP (PEAP-EAP-GTC)?
:-p
The lovely thing about open standards is that there can be so many ways to implement them.
Windows ships with a client that supports MS PEAP. The Cisco Aironet client supports Cisco PEAP. They are not really compatible. The MS PEAP client works great when authenticating against an NT Domain or an AD. The Cisco version works with more third-party RADIUS backends to authenticate clients. Designing a wireless security and authentication infrastructure can be interesting. Particularly if you want to avoid storing cleartext passwords anywhere.
The Apple Panther client supports L2TP over IPsec. I am not sure what bluesockets is doing with IPsec, but that would be a good thing for them to support.
The IPSec VPN software that is built into panther is missing a lot of features that would make it actually useful. It does not support NAT Traversal, so you can't use it from behind a firewall or NAT device. It does not support XAUTH, which I assume is what your school is using to authenticate you.
You may be able to use the Cisco VPN client though. The GUI for OSX is fairly unconfigurable, but you can edit the .pcf files that describe the connection manually. Cisco has docs on their site of what each line does. I use the Cisco client under OSX to connect to my Netscreen box at home, and I use it for work too. Although, the Netscreen required messing with the .pcf file.
Need Free Juniper/NetScreen Support? JuniperForum
I've tried to connect to my school's network, too, with little success. We use Cisco's VPN, and it's the same deal: no Panther-compatible client.
Best I can do for you is this hint at macosxhints:
http://www.macosxhints.com/article.php?story=2003111911433687&query=cisco+vpn
I tried it, and it didn't work, but who knows...maybe the settings files for your VPN client are similar. Stab in the dark...it's all I got.
Hello,
I'm the software engineer responsible for the Mac client for Bluesocket. The client software *should* work with Panther. The client software isn't really client software, however; it's just a frontend to the built-in IPSec support that was first made available in 10.2.
If you're having trouble, you can try emailing support@bluesocket.com. Because it is just a frontend to the built-in support, you can try this on the command line to see if you're logged in:
$ sudo setkey -D
Which will print out your tunnel status. If it comes back empty, you're not connected. If you see two tunnels, you're good to go. (the GUI will reflect this as well)
I just tested it again on my Panther box, and it works OK. As an aside, you can also ask your network admin if they support PPTP. The bluesocket box has PPTP support, and is compatible with Jaguar and Panther's PPTP client.
Thanks!
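To make the `sudo setkey -D` check above something you can script, here is an added example (not from the thread and not Bluesocket's code) that reads KAME-style setkey output, as Panther's built-in IPsec stack prints it, and reports whether both tunnel-mode ESP security associations (one per direction) are established. The sample setkey output embedded below is constructed, using documentation addresses and shortened keys.

```shell
#!/bin/sh
# Added example, not from the thread or from Bluesocket: reads `setkey -D`
# output (KAME format, as on Panther) and reports whether the two ESP tunnel
# SAs, one per direction, are established. The sample output is constructed.

# Count ESP tunnel-mode SAs whose state is "mature"; reads setkey -D on stdin.
count_mature_esp_tunnels() {
    awk '
        /^[ \t]+esp mode=tunnel/         { in_sa = 1; next }
        /^[ \t]+(ah|esp|ipcomp) mode=/   { in_sa = 0; next }
        in_sa && /state=mature/          { n++; in_sa = 0 }
        END                              { print n + 0 }
    '
}

# Turn the count into the check the engineer describes: empty output means
# not connected, two tunnels means good to go.
tunnel_status() {
    case "$1" in
        0) echo "not connected" ;;
        1) echo "half-open: only one direction has a mature SA" ;;
        *) echo "connected ($1 tunnel SAs)" ;;
    esac
}

# Constructed sample of `sudo setkey -D` with both directions up.
SAMPLE_CONNECTED='192.0.2.10 198.51.100.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	E: 3des-cbc  0123456789abcdef
	A: hmac-sha1  0123456789abcdef
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.10
	esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
	E: 3des-cbc  fedcba9876543210
	A: hmac-sha1  fedcba9876543210
	seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Constructed sample where the return direction is still negotiating (larval).
SAMPLE_HALF='192.0.2.10 198.51.100.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.10
	esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=larval'

# On a real box, replace the sample with: sudo setkey -D | count_mature_esp_tunnels
n=$(printf '%s\n' "$SAMPLE_CONNECTED" | count_mature_esp_tunnels)
tunnel_status "$n"
```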
I find Slurpees(Squishees? whatever) and donuts work best. I somehow manage to get a PC upgrade every cycle... my co-workers are mystified ;)
Sig goes here.
I don't have experience with the other IPSec frontends...
But I can tell you that Vaporsec works well (http://afp548.com) -- oh, and don't download the Jaguar version on the site, download the version in the forums (the major difference between the two is a few AppleScript bugs of no consequence, but it's nice to have a bug-free system).
And I suggest you ask your admins for the PRECISE configuration, it's not really easy to implement.
Mike
Back in my day we didn't have all these fancy wireless type connections. We were happy with the new 2400 baud modem pool and ignored the 1200 baud pool. Inside the campus ISN (predates ISDN) was the communication method preferred (with WIRES).
The problems over the years really haven't changed all that much. My ISN port was @ 9600 baud and I wanted the full 38,400 baud available. Hack in.
Fortunately the modem pool tied in via ISN -- need a modem? Reset a few ports and take control. Server on campus too busy? Knock 'em all offline. I can even think of a few locks on doors that didn't slow us down. Oh, and when we needed software
... we WROTE IT ourselves.
Hack on.
at www.equinux.com. Relatively cheap considering ease of use - and they might have a student discount, if you ask (beg).
I use IPSecuritas v 1.0.3 (http://www.lobotomo.com). It works with Panther's built-in IPSec "racoon", which is a command line tool. man racoon for more info. IPSecuritas works great and it's FREE.
[sarcasm]I don't know if I'd say Microsoft stuff is proprietary since they're basically THE software company.[/sarcasm]
Bluesocket is based on open industry standards. Many cisco products also support open standards, but they have been known to work in the odd bit of proprietary crap here and there. Cisco more often just do standards a bit early, before they're widely agreed upon, then bring their system in line with the ratified versions of the standards.
I suspect IHBT...
.sig: file not found
If you want a free solution that's actually as configurable as VPN Tracker, check out IPSecuritas (http://www.lobotomo.com). It can be tricky to configure, but we got it to work with our company's Checkpoint VPN without altering anything on the firewall side. It even does DNS settings replacement. Not perfect, but better than anything else I've run across.
I've been using Internet Connect to connect to our school network. If that doesn't work you can use the freeware VaporSec (URL: http://www.versiontracker.com/dyn/moreinfo/macosx/17212), which is a graphical configuration of 'racoon', the built-in VPN in Mac OS X. You will need a lot of information from the school's network people to configure this properly.
Saying that PEAP is a more open standard than LEAP isn't going to help anybody connect to a VPN. WPA, 802.1x authentication and even WEP don't really have anything to do with PPTP or IPSEC VPN's, other than they both use encryption and some of them authenticate by username/password. If this guy's school is using Bluesocket VPN I don't think they're worried about using open standards, they've already dished out the money for this VPN solution and I'm willing to bet they'll stick with it. All that aside, I suppose you are right, LEAP is less proprietary than PEAP, I just don't think it's relevant to this situation.
Check out IPsecuritas: http://www.apple.com/downloads/macosx/networking_security/ipsecuritas.html
It has connected to every VPN endpoint/router that I have tried to connect to, with the exception of point to multipoint access. VPN Tracker had to release a new racoon binary to get point to multipoint to work. (This is only an issue if you must connect from a fixed IP address and almost no one does this anymore.)
The racoon IPSec stack in OSX is based on the kame (kame.org) project. See afp548.com for a writeup on how to get the whole thing working via the command line.
Remember, IPSecuritas is just a GUI for something already built in to OSX.
This "Ask /." is one of the examples of what's great about /.: The author of the relevant software responded.
And he's at (Score:+5, Informative), you kidder.
There are no trails. There are no trees out here.
Stop doing this! Stop putting in measures that limit your students to whatever resource you are most comfortable supporting. It's just plain lazy and uncaring.
The [Australian] University of Wollongong's ITS department is in the process of doing something similar; installing a wireless system that will lock out Mac users (until someone figures out a way around it). In a school! So anyone who chooses to use a Mac gets callously dismissed with a 'Too bad. Sorry. Go buy a Windows machine.' and that's it. They can't be bothered to support you because they don't care to try.
It's unconscionable and just plain lazy.
http://www.uow.edu.au/
- I am made of meat.
Not everybody has the time or interest to learn about what ipsec is. A GUI with an IP, username and password should be ALL that's needed to set up an ipsec tunnel. VaporSec, Cisco clients both give you this. If the sysadmin gives you the right info, should take all of 5 minutes to get connected. Less time than reading the first two pages of kame.org. And then on with your real work.
Hence the OP.
You're just jealous because the voices only talk to me.
You would be surprised at how responsive they can be. They typically don't know anything about technology (that's why they hire other people to do that stuff)
Explain to them that while their solution is good, it falls short of what the university should strive to provide. Tell them that universal WiFi access helps their current students and increases their attractiveness to potential students.
And with me typing this reply, it will now probably be the only response when somebody types in "PEAP Panther Chocolate Ovaltine"
...