NetBSD-Users archive


Re: Problems with pf, ipsec nat-t, l2tp



On Sat, Sep 05, 2009 at 01:18:25PM +0100, Matthias Scheler wrote:
> On Fri, Sep 04, 2009 at 03:18:12PM -0700, Alex Barclay wrote:
> > I'm having some difficulty configuring IPSec NAT-T l2tp from a Mac
> > (client) to NetBSD (server).
> 
> If I remember correctly NetBSD does not support L2TP at the moment.
> And I don't think you need L2TP anyway. Windows 2000 and XP (and newer
> versions?) use L2TP over IPSec transport mode by default to support
> some of Microsoft's weird legacy protocol and to allow network browsing.
> In most cases IP routing should be good enough and you don't need L2TP.

You need L2TP if you want to use Apple's canned "VPN connection"
configuration tool (part of the Network preferences pane and also
one of the menu options in "Internet Connect" in any modern OS X).  If
you tell it to use IPsec, it uses L2TP to be more compatible with VPN
headend boxes configured for Windows XP clients.

I believe Microsoft can now use normal tunnel-mode IPsec with hybrid
authentication, to do most of what they wanted L2TP for.  But OS X can't.

The best thing to do is to use IPSecuritas as your configuration interface
for the OS X IPsec.  Then you don't have to cobble together a bunch of
shell scripts to sense the network state and adjust the configuration
files for ipsec, racoon, etc. automatically -- the IPSecuritas guys have
done that for you already -- but you also can use standard IPsec using
the built-in OS X implementation without having to use L2TP on the other
end.

Thor

