Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

In the Phase 1 tab, make sure you use at least Mod1024 (2) and 3DES for encryption, and in the Phase 2 tab, select Mod1024 (2) for PFS Group, and 3DES or AES for Encryption.

In the id/Auth tab, choose Certificate for Local and Remote identifier. You should not specify or type the DN information. Select Certificates for Authentication and select your imported certificates. Use the CA certificate you imported as Remote. This is a little counterintuitive, because the remote has another certificate itself (in our case with CN=west.xelerance.com).

You should not need to change anything in the Options tab. You can select the Preferences option of IPSecuritas to enable Verbose Debug information. The log and configuration files will all appear in /tmp. You can also use different DNS servers when the IPsec tunnel is active to assist in resolving host names that are only available in the internal DNS system of the remote network.

VPNtracker

VPNtracker is another popular VPN product for Mac OS X. It is straightforward in use, and supports PSK, X.509, and even SecureID cards. We will first show how to configure PSK and then how to configure VPNtracker for X.509. VPNtracker comes with default settings for a wide range of vendors. Click the New button to open the configuration screen.

Select Linux in the Vendor dropdown. Two entries will appear, Linux FreeS/WAN and Linux FreeS/WAN (X.509). For PSK, select the non-X.509 FreeS/WAN entry. Make sure to deselect Client Provisioning (Mode-Config), unless you are configuring for XAUTH.


Interoperating with Microsoft Windows and Apple Mac OS X

Double-click the Linux FreeS/WAN entry. Here you can edit the general Phase 1 options. The defaults should all be fine. Click Phase 1 Proposal.

By default, AES is not checked; you may want to enable it. In the Hash Algorithm box, you might want to replace MD5 with SHA1, or at least add SHA1 alongside MD5. SHA1 is considered to be slightly more secure than MD5. You could also add Group 5 to the Diffie-Hellman Groups.


Click the Phase 2 button. Here VPNtracker strangely only has DES selected. Unselect DES, and select 3DES and optionally the AES choices. You can change the PFS group to Group 5 if you wish to have some extra crypto strength. Select OK and then open the Network tab.

Select Host to Network in the Topology dropdown. Fill in the remote VPN gateway, the remote subnet, and the remote subnet's netmask.

Select the Authentication tab. Click on Edit... next to the selected Pre-shared Key option. Fill in the PSK and click OK. Now we can move to the Identifiers tab.

If you are just using IP addresses, you can select the two endpoint IP address options. If you are using leftid= and rightid= in the connection on the Openswan side, then select the custom box where you can fill in the IDs. If you also want to set internal DNS servers, you can configure them in the DNS tab.

Click OK when done, and you can now click on Start VPN to bring up the tunnel.
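For reference, this is the Openswan side that the VPNtracker PSK connection above would talk to. It is an added example, not taken from the book: the gateway address, internal subnet, the @mac identifier and the PSK value are assumed placeholders, and the ike=, esp= and pfsgroup= lines mirror the Phase 1, Phase 2 and PFS choices made in the VPNtracker dialogs.

```ini
# /etc/ipsec.conf (added example; addresses and IDs are assumed)
config setup
        interfaces=%defaultroute
        # Mac laptops are frequently behind NAT; allow NAT-T
        nat_traversal=yes

conn mac-psk
        # Openswan gateway ("left") and the network behind it
        left=192.0.2.1              # assumed gateway address (RFC 5737 range)
        leftsubnet=192.168.1.0/24   # assumed internal subnet
        # Must match the remote identifier entered in VPNtracker's Identifiers tab
        leftid=@west.xelerance.com
        # The Mac client ("right") may connect from any address
        right=%any
        # Must match the local identifier entered in VPNtracker (assumed value)
        rightid=@mac
        authby=secret
        # Phase 1 proposals offered in the GUI: 3DES or AES, SHA1, DH group 2 or 5
        ike=3des-sha1-modp1024,aes-sha1-modp1024,3des-sha1-modp1536,aes-sha1-modp1536
        # Phase 2: DES unselected, 3DES or AES with SHA1
        esp=3des-sha1,aes-sha1
        # PFS with Group 5 (modp1536), as chosen in the Phase 2 dialog
        pfs=yes
        pfsgroup=modp1536
        # Load the conn and wait for the Mac to initiate
        auto=add

# /etc/ipsec.secrets (added example; replace the PSK with your own value)
# @west.xelerance.com @mac : PSK "replace-with-your-psk"
```

Run `ipsec auto --add mac-psk` after editing and watch `/var/log/auth.log` (or wherever pluto logs) while clicking Start VPN; a mismatch between the IDs or the proposal lists shows up there as a rejected Phase 1 or Phase 2 proposal.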


When using X.509 instead of PSK, things are a little more complicated because we need to import the certificates. The easiest way is to have three separate files, the X.509 certificate, the private key, and the CA certificate. Again, select New to create a new connection.

This time, double-click the Linux FreeS/WAN (X509) entry. Just as for the PSK-based connections, you can leave the Phase 1 General defaults, but make sure to unselect DES and select 3DES and optionally AES in the tabs for Phase 1 Proposal and Phase 2. Click OK and then select the Network tab.

These options are the same as for PSK. Select a topology of Host to Network, fill in the remote VPN gateway, the remote subnet, and the remote subnet's netmask. Select the Authentication tab.

Select Certificates, and click on the Edit... button. Since you have not imported anything yet, click on the Edit Certificates... button to start the Certificate Manager.

Click Import..., and use the Browse... buttons to point to your public certificate and private key files, then click Import.
