EquinuxVPNTracker
Last modified: August 11, 2006, at 01:01 PM

Equinux VPN Tracker allows Mac OS X systems to connect to Openswan VPN gateways. Configuration can be a bit tricky.

The interop instructions linked from Equinux's site (http://www.equinux.com/us/products/vpntracker/files/HowTo_FreeSWAN_Rev_2.0.pdf) have you create certificates on the Mac side and then export them as leftrsasigkey= and rightrsasigkey= lines, which you paste into /etc/ipsec.conf. This worked fine with FreeS/WAN.

AFAICT, that method does not work with Openswan 2.1.2: when you try to bring the connection up, the Mac side reports "No peer's CERT payload found".

The interop instructions also describe creating a connection with x509 certificates. That method doesn't seem to work with Openswan 2.1.2 either.

Here is what did work:

Create a CA on the Mac and use a good password.
Create and sign a certificate on the Mac for the VPN gateway.
Create and sign a certificate on the Mac for the Mac client.
Export the Mac CA as a PEM certificate.
Export the Mac client certificate as a PEM.
Export the VPN gateway certificate as a PEM and export its private key.
Copy these to your Openswan gateway machine.
Put the Mac CA cert in /etc/ipsec.d/cacerts.
Put the VPN gateway certificate in /etc/ipsec.d/certs.
Put the Mac certificate in /etc/ipsec.d/certs.
Put the VPN gateway private key in /etc/ipsec.d/private.
Edit /etc/ipsec.secrets and add the gateway key's passphrase (it matches the CA password), e.g.:

: RSA gateway.key.pem "big long password string"
Create a connection in /etc/ipsec.conf:
conn example
	#openswan gateway side
	left=192.168.0.2
	leftnexthop=192.168.0.1
	leftsubnet=10.0.0.0/8
	leftcert=gateway.cert.pem
	leftsendcert=always
	# mac client side below
	rightcert=macclient.cert.pem
	right=%any
	auto=add
	pfs=yes
	keyexchange=ike

Restart ipsec on the Openswan gateway.

Add a connection in VPN Tracker on the Mac, type Free/Swan x509. Set the certificates to own = 'the Mac certificate you created' and remote = 'verify with CA', and take the local and remote identifiers from the certificates.

Save changes, cross fingers, and bring up the connection. This was tested on OSX 10.3 using VPN Tracker 2.2.7.
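Most failures with this procedure come down to a certificate or key sitting in the wrong directory under /etc/ipsec.d, or the gateway not being told to send its certificate. The script below is an added example, not part of this page or of Openswan: it parses a conn block in ipsec.conf syntax and the `: RSA <keyfile> "<passphrase>"` line from ipsec.secrets, then checks that every referenced file sits where the steps above put it (CA cert in cacerts/, end-entity certs in certs/, private key in private/ and not group/world-readable) and that leftsendcert is set so the client receives the gateway certificate. The sample config and secrets are constructed from the values on this page; the ipsec.d tree it builds contains placeholder text files, not real certificates, so the example runs offline without a gateway.

```python
"""Sanity-check an Openswan x509 layout: conn block, ipsec.secrets and the
files under ipsec.d.  Stand-alone example with constructed input."""
import os
import shlex
import tempfile

# Constructed sample input, modelled on the conn block on this page.
SAMPLE_CONF = """\
config setup
\tinterfaces=%defaultroute

conn example
\t#openswan gateway side
\tleft=192.168.0.2
\tleftnexthop=192.168.0.1
\tleftsubnet=10.0.0.0/8
\tleftcert=gateway.cert.pem
\tleftsendcert=always
\t# mac client side below
\trightcert=macclient.cert.pem
\tright=%any
\tauto=add
\tpfs=yes
\tkeyexchange=ike
"""

# Constructed ipsec.secrets line (passphrase is a placeholder).
SAMPLE_SECRETS = ': RSA gateway.key.pem "big long password string"\n'


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    A header ('conn NAME' or 'config setup') starts at column 0; indented
    key=value lines belong to the current section; '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(' ')
            if kind not in ('conn', 'config'):
                raise ValueError('unexpected section header: %r' % raw)
            current = name.strip() or kind
            sections[current] = {}
            continue
        if current is None:
            raise ValueError('parameter before any section: %r' % raw)
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError('malformed parameter: %r' % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Parse 'SELECTOR : KIND KEYFILE "PASSPHRASE"' lines into tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        selector, sep, rest = line.partition(':')
        if not sep:
            raise ValueError('missing ":" separator: %r' % raw)
        parts = shlex.split(rest)          # honours the quoted passphrase
        if len(parts) < 2:
            raise ValueError('incomplete secret: %r' % raw)
        passphrase = parts[2] if len(parts) > 2 else None
        entries.append((selector.strip(), parts[0], parts[1], passphrase))
    return entries


def check_layout(sections, secrets, ipsec_d):
    """Return a list of problems with the files the config refers to."""
    problems = []
    cacerts = os.path.join(ipsec_d, 'cacerts')
    if not (os.path.isdir(cacerts) and os.listdir(cacerts)):
        problems.append('no CA certificate in cacerts/; peer cert cannot be verified')
    for name, params in sections.items():
        if name == 'setup':
            continue
        for side in ('leftcert', 'rightcert'):
            cert = params.get(side)
            if cert and not os.path.isfile(os.path.join(ipsec_d, 'certs', cert)):
                problems.append('%s: %s=%s not found in certs/' % (name, side, cert))
        # Openswan accepts always/yes, ifasked, never/no; the client needs the cert sent.
        if params.get('leftcert') and params.get('leftsendcert') not in ('always', 'yes'):
            problems.append('%s: set leftsendcert=always so the client receives the gateway cert' % name)
    for _selector, kind, keyfile, _passphrase in secrets:
        if kind != 'RSA':
            continue
        path = os.path.join(ipsec_d, 'private', keyfile)
        if not os.path.isfile(path):
            problems.append('secrets: %s not found in private/' % keyfile)
        elif os.name == 'posix' and os.stat(path).st_mode & 0o077:
            problems.append('secrets: %s is readable by group/others' % keyfile)
    return problems


def build_demo_layout(misplace_client_cert=False):
    """Create a throwaway ipsec.d tree of placeholder files (not real certificates)."""
    base = tempfile.mkdtemp(prefix='ipsec.d-')
    for sub in ('cacerts', 'certs', 'private'):
        os.mkdir(os.path.join(base, sub))
    files = {'cacerts/macCA.pem': 'PLACEHOLDER CA CERT',
             'certs/gateway.cert.pem': 'PLACEHOLDER GATEWAY CERT',
             'private/gateway.key.pem': 'PLACEHOLDER ENCRYPTED KEY'}
    # Simulate the common mistake of dropping the client cert into cacerts/.
    client = 'cacerts/macclient.cert.pem' if misplace_client_cert else 'certs/macclient.cert.pem'
    files[client] = 'PLACEHOLDER CLIENT CERT'
    for rel, body in files.items():
        with open(os.path.join(base, rel), 'w') as fh:
            fh.write(body + '\n')
    os.chmod(os.path.join(base, 'private', 'gateway.key.pem'), 0o600)
    return base


def run_checks(misplace_client_cert=False):
    base = build_demo_layout(misplace_client_cert)
    return check_layout(parse_ipsec_conf(SAMPLE_CONF), parse_ipsec_secrets(SAMPLE_SECRETS), base)


if __name__ == '__main__':
    print('correct layout:', run_checks() or 'OK')
    print('misplaced client cert:', run_checks(misplace_client_cert=True))
```

Against a real gateway, point check_layout at /etc/ipsec.d and feed it the contents of /etc/ipsec.conf and /etc/ipsec.secrets; an empty result means the files are at least where Openswan will look for them, which is the first thing to rule out before suspecting the certificates themselves.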
