
How to set up IPSec VPN access on Mac OS X

2008-06-18 08:42:15

Most firewalls now support IPSec tunnels for VPN access. My experience has been that you need to buy some client that matches the firewall, and of course that means it has to support the OS you are running. That means that Mac support is hard to come by on the vast majority of firewalls. Cisco supports the Mac with its client, but there are two problems with that: Cisco is darn expensive, and its software is ugly.

A little bit of research turned up some interesting stuff. First, OS X has IPSec support (via KAME/racoon) built in. Unfortunately, there's no GUI or wizard, so configuring it requires networking knowledge that is out of reach for most non-network-programming geeks, and an inconvenient learning curve even for the geeks. Second, there are at least two solutions available for configuring IPSec on the Mac, each with documentation for various firewalls.

One is VPN Tracker, a commercial product that costs between $150 and $250. It appears to have a very good UI, a great web site, lots of documentation and a responsive support staff. The documentation and support are important because there are hundreds of firewalls out there, and they all have their own specific ways of setting up IPSec tunnels. VPN Tracker seems to have pretty good coverage: every VPN-capable firewall I've seen is on the list. I was not able to get the trial version working with either our FortiGate-60 or our NetScreen-50 here at work, but I might be able to; their support staff has contacted me with some questions. I'm pretty confident I could get it to work.

The other solution I found is IPSecuritas. It's totally free, which is kind of mind-blowing, as the software and website are maybe 95% as nice/slick as VPN Tracker. There seems to be a lot less documentation on various firewalls, but there's a community-driven mechanism where people can post their solutions. I was able to get IPSecuritas working through our NetScreen-50 with the help of this web page. (And I think I'd be able to go back and get VPN Tracker working as well. The documentation for VPN Tracker didn't include policy changes, which I thought was odd at the time. Turns out it was odd: you need to add policies to allow the tunnel from the internet to your LAN.)

One disappointment is that the IPSecuritas software promises "split DNS." The idea is that for hostnames internal to your LAN, it will send requests to the LAN DNS server, and for all others, it will use the DNS server of wherever you happen to be. It doesn't work for me. This seems to be part of a larger problem I have with DNS on Leopard: it is exceedingly difficult to override a DNS server that comes with a DHCP address. I'm trying to figure out the story behind that.
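To make the split-DNS idea concrete, here is an added example (not IPSecuritas's code or configuration format) of the routing decision it promises: internal suffixes go to the LAN resolver, everything else to the DHCP-supplied one, and a check that reports which internal names ended up at the wrong resolver when the feature fails the way described above. The server addresses and the internal domain suffixes are hypothetical.

```python
"""Split-DNS resolver selection, with a check for leaked internal queries."""

# Constructed sample configuration; the addresses and suffixes are hypothetical.
LAN_DNS = "10.1.1.53"        # resolver reachable only through the IPSec tunnel
DHCP_DNS = "192.168.0.1"     # resolver handed out by whatever network you are on
INTERNAL_DOMAINS = ("corp.example", "lab.example")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_internal(hostname, domains=INTERNAL_DOMAINS):
    """True if hostname equals, or is a subdomain of, an internal suffix.

    Matching is done on label boundaries, so "notcorp.example" is not treated
    as part of "corp.example".
    """
    host = normalize(hostname)
    for suffix in domains:
        suffix = normalize(suffix)
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def pick_resolver(hostname):
    """Send internal names into the tunnel, everything else to the local resolver."""
    return LAN_DNS if is_internal(hostname) else DHCP_DNS


def route_queries(hostnames):
    """Map each queried name to the resolver split DNS should use for it."""
    return {name: pick_resolver(name) for name in hostnames}


def leaked_queries(hostnames, resolver_actually_used):
    """Internal names that were sent somewhere other than the LAN resolver.

    resolver_actually_used maps hostname -> resolver address as observed on the
    wire; a non-empty result is what "split DNS doesn't work" looks like, and it
    also means internal hostnames were disclosed to an outside resolver.
    """
    return [name for name in hostnames
            if is_internal(name) and resolver_actually_used.get(name) != LAN_DNS]


if __name__ == "__main__":
    sample = ["wiki.corp.example", "www.apple.com", "build.lab.example."]
    print(route_queries(sample))
```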