IPsec on Mac OS X Panther?

ItsMr.Data wants to take a bite out of this issue: "I just got a new PowerBook with Airport. I wish to use it in the wireless network at the university I attend. The problem is that the university uses BlueSocket to secure the WIFI connections. The BlueSocket gateway is configured for IPsec tunnels. The client tool that BlueSocket provides does not work properly under Panther. I was told by the network department that it would be up to me to find a solution until BlueSocket comes out with an updated client. Being a poor college student, I would like to find a cheap or free solution. I have never worked with VPNs or IPsec. Do any Slashdot readers have any good ideas?"

Internet Connect

[CptChipJew]

Can't you use the Internet Connect application that ships with OS X to make an IPSec connection to their VPN? That's how I connect to my school's.

First post?

Re:Internet Connect

[Anonymous Coward]

My Universety use IPsec and VPN, I use cisco VPN client for OS X.

Re:Internet Connect

[Anonymous Coward]

cisco makes one, my university uses it...try that out. I dunno how to obtain it if not from your university, but it's ipsec and works under panther

Poor?

[avalys]

A new Powerbook? I wish I was a poor college student.

Re:Poor?

[Mariani]

Poor after buying a Powerbook.

IPSec should work fine; need config info

[anothy]

The IPSec facilities in Panther should be more than sufficient for what you need. In my experience (in very nearly the exact same situation, as well as similar ones at corporation), the hardest part is wrangling the proper information out of your support staff. First you have to find someone who know WTF you're talking about. then they have to find the information. then they (may) have to get approval to give it to you. that generally involves convincing some clueless administrative type that you're not an 3vi1 h4xx0r. and then they have to actually give it to you. and the odds of getting the info right on the first try is not so good.
my biggest bit of advice is find some friendly, knowledgeable admin, find out what she likes to drink, and buy her lots of it.

Re:IPSec should work fine; need config info

[kerry-buckley]

my biggest bit of advice is find some friendly, knowledgeable admin, find out what she likes to drink, and buy her lots of it.

And hope she doesn't hit you when you admit that you only got her drunk "because you wanted to find out how her tunnel was configured".

+1, Funny

[anothy]

wow. where are my mod points when i need them.

for the record, i wasn't suggesting getting anyone drunk; rather, give it as a gift. given we're talking about techies, maybe a large DIMM or ThinkGeek gift certificate would've been better, but alcohol's always worked well when we needed to grease the wheels with the landlord, or utility guy, or trash collectors, and so on.

Re:+1, Funny

[alaeth]

I find Slurpees(Squishees? whatever) and donuts work best. I somehow manage to get a PC upgrade every cycle... my co-workers are mystified ;)

Re:IPSec should work fine; need config info

[CuriousGeorge113]

OK, so you've established the need to get reliable & useful from the support staff, but gave no insight as to what that reliable & useful information would be?

How about a clue here, where would we begin, what information do we really need to qrangle here, and why is it so sensitive that the staff would be reluctant to give it up?

Re:IPSec should work fine; need config info

[somethinghollow]

but gave no insight as to what that reliable & useful information would be.

If Sys Admins at other colleges are anything like the ones at mine, he doesn't need to list what valuable information they could give you. He doesn't have to because they don't HAVE any reliable or useful information to give. At my university, we had other people [slashdot.org] that would tell us what we needed to know. Of course, folks in my dorm/honors program were ad hoc administrators of several servers around campus, since the Sys Ad

At Rutgers...

[Fuzzle]

When I was an organizer with NJPIRG at Rutgers, I used Bluesocket's IPSEC utility with early Developer's builds of Panther and it worked fine. YMMV.

Re:At Rutgers...

[Anonymous Coward]

That's the thing though. His mileage has varied.

5, informative?

Re:Cisco..

[sinergy]

LEAP is proprietary as well. A more open standard is PEAP.

Re:Cisco..

[peterjhill2002]

Would that be Microsoft PEAP (PEAP-EAP-MSCHAPv2) or Cisco PEAP (PEAP-EAP-GTC)?

The lovely thing about open standards is that there can be some many ways to implement them :-p

Windows ships with a client that supports MS PEAP. The Cisco aironet client supports Cisco PEAP. They are not really compatible. The MS PEAP client works great when authenticating against and NT Domain or an AD. The Cisco version works with more third party radius backends to authenticate clients. Designing a wireless security and auth

Re:Cisco..

[sinergy]

You are right, but that would be a GOOD thing, I'd think.

Re:Cisco..

[grocer]

LEAP can be configured to work with Airport (I think it works out of the box but not sure). I do know my university uses Cisco LEAP and my iBook works where I can find wireless coverage...

For reference, I have an iBook G3 with 10.2.8 and the newest Aiport drivers.

Re:Cisco..

[petard]

[sarcasm]I don't know if I'd say Microsoft stuff is proprietary since they're basically THE software company.[/sarcasm]

Bluesocket is based on open industry standards. Many cisco products also support open standards, but they have been known to work in the odd bit of proprietary crap here and there. Cisco more often just do standards a bit early, before they're widely agreed upon, then bring their system in line with the ratified versions of the standards.

I suspect IHBT...

Re:Cisco.. (P|L)EAP?

[lullabud]

Saying that PEAP is a more open standard than LEAP isn't going to help anybody connect to a VPN. WPA, 802.1x authentication and even WEP don't really have anything to do with PPTP or IPSEC VPN's, other than they both use encryption and some of them authenticate by username/password. If this guy's school is using Bluesocket VPN I don't think they're worried about using open standards, they've already dished out the money for this VPN solution and I'm willing to bet they'll stick with it. All that aside, I

The wonders of bad moderation

[lullabud]

This is just great. Thanks to the moderators making this tiny, itty bitty nugget of knowledge "informative", regardless of the fact that it has nothing to do with the topic of this thread, Google has now put this as the second result for "PEAP Panther" even though this thread gives no information about PEAP other than the fact that it is a standard. This is an example of why staying on topic is necessary, and moderating on topic is even more important. We all can make the web better, and staying on topi

Re:The wonders of bad moderation

[sinergy]

And with me typing this reply, it will now probably be the only response when somebody types in "PEAP Panther Chocolate Ovaltine"

Re:The wonders of bad moderation

[lullabud]

actually, i doubt you're right, because the specific link for your comments isn't going to have all of the key phrases and links to get a high page rank, but since the post i was complaining about was moderated up enough to have it's text included on the page of the root message which does have all that info, and does have a high page rank, it shows up as #2 in the search.

Re:+5, Funny

[Anonymous Coward]

Yeah, the first post has a good idea. Use the Internet connection utility. It allows you to create a IPSec connection and is integrated very well with Panther.

Re:+5, Funny

[Elwood P Dowd]

This "Ask /." is one of the examples of what's great about /.: The author of the relevant software responded [slashdot.org].

And he's at (Score:+5, Informative), you kidder.

Corrected Link Here

[BoomerSooner]

Better School [ou.edu]

Re:Corrected Link Here

[mgs1000]

You mean there is a college at Zero-U?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:unfortunately

[azpcox]

Although the IPSec VPN client doesn't support NAT traversal, if you have a Linksys or something similar, they have an item called IPSec pass through which will do the NAT (technically there is no port associated with ESP traffic) for you to a single device. The UDP/500 traffic has no problem, just the ESP/AH traffic in certain instances.

Re:unfortunately

[MarcQuadra]

How'd you get the Cisco VPN client working under 10.3? I've had to halt 10.3 rollout at my work because it doesn't work.

Cisco client GUI wraparound

[uncle_s]

If you want the feature set of the Cisco client, but are afraid of setting it up, go here:
http://www.versiontracker.com/dyn/moreinfo/macosx/ 17119
It's called CiscoVPN Frontend and is supposedly a cocoa frontend for the cisco client. Never used it, but maybe it provides the compatibility you need in a candy coated GUI. Good Luck

Good luck

[cbiagini]

I've tried to connect to my school's network, too, with little success. We use Cisco's VPN, and it's the same deal: no Panther-compatible client.

Best I can do for you is this hint at macosxhints:
http://www.macosxhints.com/article.php?story=20031 11911433687&query=cisco+vpn

I tried it, and it didn't work, but who knows...maybe the settings files for your VPN client are similar. Stab in the dark...it's all I got.

Re:Good luck

[caseih]

Cisco's VPN client is very much panther compatible. I use it every day. Just make sure you have the lastest version (version 4.something I believe).

Re:Good luck

[cbiagini]

Sorry for the misinformation, then! I'll give it a shot next time I'm on campus...but I can't seem to find a place that lets you download the 4.0.3 version without being on their network.

Re:Good luck

[good soldier svejk]

I also have no problems with version 3.6 under Panther, connecting to a VPN3005 (IIRC). I use Mathey Wieseck's VPNConnect 1.0.4 GUI.

Re:Good luck

[thehe]

I found the, seemingly, same Cisco VPN Client for OS X that my university provides (v. 4.0.1) freely available on several web pages, of which this is one that seemed to work fine:
http://portnetworks.com/download.html

I use the 4.0.1 quite happily on a daily basis, with my university (NTNU in Trondheim, Norway) running IPSec, UDP style.

Re:Good luck

[Glial]

4.0.2 And yes, I agree, it is very much Panther compatible.

Re:Good luck

[billatq]

I agree too. However, because it's not "panther compatible", we get to use PPTP which is nicely supported by internet connect.

Re:Good luck

[cbiagini]

Haha, okay, well then I'm a retard. There's what, five replies so far telling me that I'm wrong?

I guess I'll have to wait until my university updates the client. As of now, I can still only download the older version.

Re:IPSec VPN and CheckPoint

[pillar]

Several years ago I did work on checkpoint fw-1 and vpn-1, it was alwaya a nightmare. I could never get the vpn-1 stuff to work the way I needed it to......suppsedly it's been improved, however, I have since ditched all ties to checkpoint (thank god).

Re:IPSec VPN and CheckPoint

[-tji]

Panther does work with VPN-1.. I am using it.
But, some of the default configurations might be getting in the way.

- You must use either Certificates, or "Shared Secret" authentication. (Shared Secret is not the common way to configure users.)

- If you use Shared Secrets, gateway must be set up to support "Aggressive Mode" IKE negotiations.

See this page [macosxhints.com] for more information on Check Point and Panther.

Panther Compatibility for Bluesocket IPSec tool

[Anonymous Coward]

Hello,

I'm the software engineer responsible for the Mac client for Bluesocket. The client software *should* work with Panther. The client software isn't really client software, however, its just a frontend to the built-in IPSec support that was first made available in 10.2.

If you're having trouble, you can try emailing support@bluesocket.com. Because it is just a frontend to the built-in support, you can try this on the command line to see if you're logged in:

$ sudo setkey -D

Which will print out your tunnel status. If it comes back empty, you're not connected. If you see two tunnels, you're good to go. (the GUI will reflect this as well)

I just tested it again on my Panther box, and it works OK. As an aside, you can also ask your network admin if they support PPTP. The bluesocket box has PPTP support, and is compatible with Jaguar and Panther's PPTP client.

Thanks!

VaporSec

[cpct0]

I don't have experiece with the other IPSec frontends...

But I can tell you that Vaporsec works well (http://afp548.com) -- oh and don't download the Jaguar version on the site, download the version in the forums (The major difference between the two are a few applescript bugs of no consequence, but it's nice to have a bug-free system.

And I suggest you ask your admins for the PRECISE configuration, it's not really easy to implement.

Mike

VaporSec is excellent and free

[Rufosx]

I use it for connecting to several networks and it is very good. Works with SonicWalls too, which is nice. It can be a little difficult to setup, mainly because you have to interpret the settings from whatever system they are using to select the right options in VaporSec. Took me awhile to figure out how the settings all mapped across.

About built-in client

[Rufosx]

The built-in IPSec client only works for very simple, very standard IPSec connections (although in the IPSec world, there's no such thing as "very standard"). I've never gotten it to work connecting to any IPSec network, but my clients don't always use the most open solutions, either.

Silly Freshman

[krray]

Back in my day we didn't have all these fancy wireless type connections. We were happy with the new 2400 baud modem pool and ignored the 1200 baud pool. Inside the campus ISN (predates ISDN) was the communication method preferred (with WIRES).

The problems over the years really haven't changed all that much. My ISN port was @ 9600 baud and I wanted the full 38,400 baud available. Hack in.

Fortunately the modem pool tied in via ISN -- need a modem? Reset a few ports and take control. Server on campus too bus

Re:Silly Freshman

[lullabud]

Oh yeah? Well back in the cave man days we didn't even know what wires were, so we HAD to communicate wirelessly. I remember slaving away in front of that fire with that blanket, crafting SSP (smoke signal protocol) packets by hand. Sometimes it would take more than 10 minutes to get an initial ping back because they other side hadn't started their fire yet. Even if they had, it took over a minute just to get an intro line of chat finished. Rain storm? Night time? Don't even bother, your network was

Re:Silly Freshman

[BorgCopyeditor]

Oh yeah? Well, before the Lord God sorted the primordial muck into water and earth and established the firmament of the heavens to separate the waters above from the waters below, I used to have to ...

Oh, never mind.

Re:Silly Freshman

[MalleusEBHC]

We were happy with the new 2400 baud modem pool and ignored the 1200 baud pool. Inside the campus ISN (predates ISDN) was the communication method preferred (with WIRES).

Be honest, who else just asked themselves what WIRES was an acronym for?

Bah, I hope I'm not the only moron who has been up till 5 AM coding all week.

try VPN Tracker

[garment]

at www.equinux.com. relatively cheap considering ease of use - and they might have a student discount, if you ask (beg).

IPSecuritas

[wangooroo]

I use IPsecuritas v 1.0.3 http://www.lobotomo.com It works with Panther's built in IPSec "racoon" which is a command line tool. man racoon for more info. IPSecuritas works great and its FREE

Re:try VPN Tracker

[hankster164]

I tried VPN tracker. No go with checkkpoint firewall. even thought their site explains it in plain english. You would have to have shell access to firewall in order to get the firewalls security cert. then you could do VPN.

Checkpoint VPN help, anyone?

[tholomyes]

Personally, I am trying to figure out how to get internet connect and CheckPoint to play nice together (L2TP over IPSec). Does anyone know what exactly you have to set up on CP to make this happen? (Or a good resource for this information?)

Counting the months until we put in a PIX...

Re:Checkpoint VPN help, anyone?

[libra-dragon]

That's funny, I was counting the months until we get rid of our PIXes...

Re:Checkpoint VPN help, anyone?

[-tji]

I don't know if the L2TP config will work.. I briefly tried it, but moved on to straight IPSec since that's what most security products use (L2TP/IPSec is more of a Microsoft thing).

Check Point and Panther do work together, but there are some caveats which may require cooperation from the VPN admin to work out.

See this page [macosxhints.com] for more information.

IPSecuritas

[Anonymous Coward]

If you want a free solution that's actually as configurable as VPN Tracker, check out IPSecuritas (http://www.lobotomo.com). It can be tricky to configure, but we got it to work with our company's Checkpoint VPN without altering anything on the firewall side. It even does DNS settings replacement. Not perfect, but better than anything else I"ve run across.

VPN and IPSec

[baddawg65]

I've been using Internet Connect to connect to our school network. If that doesn't work you can use freeware VaporSec (URL: http://www.versiontracker.com/dyn/moreinfo/macosx/ 17212) which is graphical configuration of 'racoon' which is the built-in VPN in Mac OS X. You will need a alot of information from the school's network people to configure this properly.

wow.. all these people need a gui??

[josepha48]

I configured ipsec using spdadd and scripts ... Mac uses racoon, and there is a pretty simple configuration file. I'd think that they would tell you what the config file needed to be and say use this config file and change IP addresses.

It's really not that hard once you understand what ipsec is doing. Go to kame.org

Re:wow.. all these people need a gui??

[sld126]

Not everybody has the time or interest to learn about what ipsec is. A GUI with an IP, username and password should be ALL that's needed to set up an ipsec tunnel. VaporSec, Cisco clients both give you this. If the sysadmin gives you the right info, should take all of 5 minutes to get connected. Less time than reading the first two pages of kame.org. And then on with your real work.

Hence the OP.

IPSecuritas

[mikeoreilly]

Check out IPsecuritas:
http://www.apple.com/downloads/macos x/networking_s ecurity/ipsecuritas.html

It has connected to every VPN endpoint/router that I have tried to connect to, with the exception of point to multipoint access. VPN Tracker had to release a new racoon binary to get point to multipoint to work. (This is only an issue if you must connect from a fixed IP address and almost no one does this anymore.)

The racoon IPSec stack in OSX is based on the kame (kame.org) project. See afp548.com for a writeup on how to get the whole thing working via the command line.

Remember, IPSecuritas is just a GUI for something already built in to OSX.

Dear lazy school IT managers

[BiOFH]

Stop doing this! Stop putting in measures that limit your students to whatever resource you are most comfortable supporting. It's just plain lazy and uncaring.

The [Australian] University of Wollongong's ITS department is in the process of doing something similar; installing a wireless system that will lock out Mac users (until someone figures out a way around it). In a school! So anyone who chooses to use a Mac gets callously dismissed with a 'Too bad. Sorry. Go buy a Windows machine.' and that's it. They can't be bothered to support you because they don't care to try.

It's unconscionable and just plain lazy.

http://www.uow.edu.au/

Re:Dear lazy school IT managers

[zbaron]

I work for a University [griffith.edu.au] further north in Australia and we are installing a wireless network that supports Macs as first class citizens ... it helps a lot that I do all the design work and I have a Powerbook. We are using a Cisco VPN solution as they have an excellent client that supports Mac even if its not pretty and Linux as well.

Talk to the Dean?

[MacFury]

Have you considering meeting with the heads of the school to tell them just how much of a problem this is?

You would be surprised at how responsive they can be. They typically don't know anything about technology (that's why they hire other people to do that stuff)

Explain to them that while their solution is good, it falls short on what the university should strive to provide. Tell them that universaly WiFi access helps their current students and increases their attractivness to potential students.

Re:Talk to the Dean?

[BiOFH]

They're quite aware of it. Their response to one unit that recently invested in iBooks and the like was along the lines of 'too bad, this is how it is, buy a PC next time'.

FWIW, I should note that I don't work there any longer.

Cisco IPSec VPN client

[sulli]

I have tested this with a Cisco 3000 server and OS X 10.3. Works fine.

I just went through the same thing...

[-tji]

I just picked up a new 15" Powerbook (what a great machine), and went through the process of getting it connected to my VPN.. Here are some things I learned along the way:

- The VPN configurable via the network settings GUI is L2TP over IPSec.. This is the same thing that Windows 2K/XP clients support. But, most security devices (Check Point VPN-1, Netscreen) use straight IPSec. It sounds like Bluesocket wants IPSec.

- MacOS X comes with IPSec from the KAME (Kah-May, Japanese for 'turtle') project. KAM