Mac OS X

On the Mac, IPsec is based on config and log files, racoon, and a GUI wrapper, which makes configuration very easy.

Set up a VPN (L2TP) connection:

The next step is to tweak /etc/racoon/racoon.conf, because by default, when you connect to an L2TP/IPsec host on the Mac, the config file is generated on the fly and racoon is started. As special parameters are needed, my racoon.conf looks like the following for a racoon VPN server (this configuration ignores the on-the-fly config files):

path include "/etc/racoon" ;

# racoon will look for certificate file in the directory,

# if the certificate/certificate request payload is received.

# NOTE(review): the private key named by certificate_type below is placed in this
# directory as well; keep the directory and the key file readable by root only.
path certificate "/etc/racoon/certs" ;

# "padding" defines some parameter of padding.  You should not touch these.

padding

{

         maximum_length 20;      # maximum padding length.

         randomize off;          # enable randomize length.

         strict_check off;       # enable strict check.

         exclusive_tail off;     # extract last one octet.

}

# No isakmp address is given, so racoon falls back to its default listening
# behaviour; add "isakmp <address>;" here to restrict which interface answers IKE.
listen

{

   

}

timer

{

         # These value can be changed per remote node.

         counter 10;             # maximum trying count to send.

         interval 3 sec; # interval to resend (retransmit)

         persend 1;              # the number of packets per a send.

         # timer for waiting to complete each phase.

         phase1 30 sec;

         phase2 30 sec;

}

# Applies only to ICMPv6 traffic between ::1 and ::1 (localhost). The algorithm
# list still offers single "des" and pfs_group 1; both are weak by current
# standards, but this entry is never reached for tunnel traffic.
sainfo address ::1 icmp6 address ::1 icmp6

{

         pfs_group 1;

         lifetime time 60 sec;

         encryption_algorithm 3des, cast128, blowfish 448, des ;

         authentication_algorithm hmac_sha1, hmac_md5 ;

         compression_algorithm deflate ;

}

# "anonymous" matches any peer address; the peer is identified only by the
# rsasig authentication configured in the proposal below.
remote anonymous {

         exchange_mode main;     # main mode only: identities travel encrypted.

         doi ipsec_doi;

         situation identity_only;

         # SPD policy is installed from the peer's proposal. With "anonymous" this
         # applies to every authenticated peer; review whether fixed policies are preferable.
         generate_policy on;

         my_identifier asn1dn;

         peers_identifier asn1dn;

         verify_identifier on;   # peer's ID payload must match peers_identifier.

         # "mycert"/"mypriv" are looked up under "path certificate" above.
         certificate_type x509 "mycert" "mypriv";

         # SECURITY: the peer's certificate is not validated against a trusted CA.
         # rsasig then only proves the peer holds the key for whatever certificate it
         # presents, so this does not bind the peer to a known identity. Set to "on"
         # once the CA certificate is available under "path certificate".
         verify_cert off;

         proposal {

                  encryption_algorithm 3des;     # legacy; aes is available (see the Openswan sainfo).

                  hash_algorithm sha1;

                  authentication_method rsasig;

                  dh_group modp1024;             # small by current standards; modp2048 or larger is preferable.

         }

}

sainfo anonymous {

         lifetime time 28800 sec;

         encryption_algorithm 3des ;

         authentication_algorithm hmac_md5;     # deprecated; hmac_sha1 (used above) is available.

         compression_algorithm deflate ;

}

For Openswan my racoon.conf looks like this:

# NOTE(review): the private key named by certificate_type below is placed in this
# directory as well; keep the directory and the key file readable by root only.
path certificate "/etc/racoon/certs";  

padding{

     maximum_length 20;     # maximum padding length.

     randomize off;          # enable randomize length.

     strict_check off;       # enable strict check.

     exclusive_tail off;     # extract last one octet.

}   

# Specification of default various timer.

timer{     # These value can be changed per remote node.

   counter 5;              # maximum trying count to send.

   interval 20 sec;        # maximum interval to resend.

   persend 1;              # the number of packets per a send.

     # timer for waiting to complete each phase.    

   phase1 30 sec;

   phase2 30 sec;

}

# "anonymous" matches any peer address; the peer is identified only by the
# rsasig authentication configured in the proposal below.
remote anonymous {

   # Aggressive mode is accepted as well as main mode. Aggressive mode sends the
   # identities unencrypted; prefer "main" alone if the Openswan side supports it.
   exchange_mode main, aggressive;

   doi ipsec_doi;

   situation identity_only;

   # "mycert"/"mypriv" are looked up under "path certificate" above.
   certificate_type x509 "mycert" "mypriv";

   # SECURITY: the peer's certificate is not validated against a trusted CA.
   # rsasig then only proves the peer holds the key for whatever certificate it
   # presents. Set to "on" once the CA certificate is available under "path certificate".
   verify_cert off;

   my_identifier asn1dn;

   peers_identifier asn1dn;

   # The peer's asserted identity is not compared with peers_identifier. Together
   # with verify_cert off, a peer presenting any self-made certificate would
   # effectively pass authentication.
   verify_identifier off;

   lifetime time 28800 seconds;

   initial_contact on;

   passive off;

   proposal_check obey;    # accept the peer's proposed lifetime rather than enforcing ours.

   support_mip6 on;

   generate_policy off;    # no SPD policy is derived from the peer's proposal.

   nonce_size 16;

   proposal {

      encryption_algorithm 3des;     # legacy; aes is available (see sainfo below).

      hash_algorithm md5;            # deprecated; sha1 is used in the Mac-to-racoon config above.

      authentication_method rsasig;

      dh_group modp1024;             # small by current standards; modp2048 or larger is preferable.

   }

}

sainfo anonymous {

   lifetime time 28800 seconds;

   encryption_algorithm 3des, aes 128;

   authentication_algorithm hmac_md5;     # deprecated; hmac_sha1 is available.

   compression_algorithm deflate;

}

# No isakmp address is given, so racoon falls back to its default listening
# behaviour; add "isakmp <address>;" here to restrict which interface answers IKE.
listen { 

 

}

# Debug logging is very verbose; once the tunnel works, remove this line to return
# to the default level so the logs stay readable.
log debug;

Finally you copy your certificate pair (pem file and stripped rsa-key-file) to /etc/racoon/certs.

A wonderful way to create config files is a free tool called IPSecuritas, which uses Mac OS X's built-in racoon but adds a GUI. With it you can experiment and tweak, and finally use the resulting config file (it is quietly placed in /tmp/ while an IPsec connection is running and racoon is up).

Wolfgang Hennerbichler 2004-12-21