Joined: 09 Oct 2002
Location: Lausanne, Switzerland
|Posted: Fri Mar 10, 06 14:30 Post subject: How do I use the IPSec client of MacOSX?
|Configuring the MacOSX 10.2-10.4 IPSec client to connect to a secured network requires a detailed configuration. Fortunately there is a free software called IPSecuritas at http://www.lobotomo.com/ that makes it extremely simple to build the IPSec policy. Simply follow the instructions at the site except use a preshared key instead of a PKI certificate (a PKI certificate should also work but it has not been tested yet.)
- download and install the IPSecuritas program
- start the IPSecuritas program and click New
- give a name to this new connection (for example My VPN)
- enter the remote IP address or domain name of the remote IPSec gateway (for example ipsecgateway.example.com)
- enter the IP subnet of the remote protected network (for example 220.127.116.11/8)
- select Phase 1 and change the encryption to AES 128 (at least 3DES) or higher
- select Phase 2 and set PFS Group to None (it is possible to use but in this example it is turned off.)
- also on the Phase 2 page, set encryption to AES (or optionally 3DES, Blowfish, Cast 128)
- select ID/Auth and set the Preshared Secret to "firewall"
- select Options and activate Autostart
- click okay to save the connection
- select the new My VPN connection and click the Start IPSec button
- try to ping something on the remote network (for example 18.104.22.168), or visit a web page on the remote network
- Optionally close the connection by selecting the new My VPN connection clicking on the Stop IPSec button
Additional preferences are available in the IPSecuritas preferences screen. By default NAT-Traversal is already supported so you should be able to make a connection through a NAT firewall.
Screenshots of the MultiCom Configuration are available below.
- IPSec Global Panel Create the new connection, enter in the IP parameters of the local side of the network with the Remote Address is 0.0.0.0/0 and Remote Gateway is 0.0.0.0, and activate Allow Subnet. This allow any IP address to try and connect and as many connections as the purchased IPSec license allows. Be sure that both IPSec and the connection are enabled.
- IPSec Keys Panel Add the Preshared key, in this example "firewall" without any local/ remote IDs.
- IPSec IKE Panel Choose the Preshared Key and for simplicity deactivate Perfect Forward Security (PFS) and Dead Peer Detection (DPD).
- IPSec Options Panel Enable NAT-Traversal.
- NAT Interface Panel If the Securewall is active then be sure to redirect UDP 500, UDP 4500 & ESP traffic to internal. Otherwise this traffic will not be allowed to the Firewall.
- Monitor IPSec Details Panel After a connection is made the Monitor can show the status.
- Monitor IPSec Summary Panel If more than one IPSec connection is active all of them can be shown in the Summary Panel.
- Monitor Routes Panel For each successfully connected IPSec client there will be a new routing entry in the routing table to tell the Firewall to send that traffic to the IPSec service for encryption and delivery.