Vaporsec 1.0 on mac os 10.3.2 <-> OpenBSD 3.4

Maybe someone out there can use my experience. Here is how I made my Mac OS 10.3.2 17" PowerBook, running VaporSec 1.0 (as of today, the 1.0 on the afp548.com website is designed for OS 10.2, not yet 10.3), with an official IP received from my cable internet provider via DHCP (so no NAT traversal here, sorry) and connected wirelessly via an access point, talk over IPsec to an OpenBSD 3.4 gateway that also gets its official IP on one interface from DHCP (DynDNS helps out). The result: my PowerBook got access to, and became part of, the private-IP-range LAN (192.168.1.0/24) behind the gateway's second interface, which is hidden behind NAT.
First published on Dec. 26 2003, last updated 3 January 2004. Who am I anyway? See the bottom of this page if you really care...
You need:
On the OpenBSD side
On your Mac
Warning: My configuration uses "shared secrets". As far as I understand, this means that anyone who knows this "secret" and gets the other settings right can enter the VPN gateway. No certificates or keys are exchanged manually, nor any other method that would give stronger security. Why not? I haven't had the patience yet to try that out... Maybe you have?

Places that were and are helpful:
For comments you can reach me at my SourceForge address or participate in the discussion about my suggestions on afp548.com's bulletin board.
Here comes the OpenBSD side first:
That's what my /etc/pf.conf looks like, based on http://www.openbsd.org/faq/pf/example1.html, plus the VPN part.
# macros
int_if = "de0"
ext_if = "de1"
vpn_if = "enc0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#for outgoing ftp-connections:
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all
#
#
#
#
# vpn part : watch out for redundancy or a door too open. I did a lot of 
# "copy-paste" and am no absolute master of "pf"
# vpn part start------------- 
#
pass in quick on $ext_if inet proto udp from any to ($ext_if) port isakmp keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port isakmp keep state
# esp traffic

pass in quick on $ext_if inet proto esp from any to ($ext_if)
pass out quick on $ext_if inet proto esp from ($ext_if) to any

pass in quick on $vpn_if proto ipencap all

pass out quick on $vpn_if all
pass in  quick on $vpn_if all
#
#
#end of vpn part-----------
#
pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state

pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

And here come two other very important parts that gave me big headaches until I found working examples...
/etc/isakmpd/isakmpd.policy 

Keynote-Version: 2 
Authorizer: "POLICY" 
Conditions: app_domain == "IPsec policy" && 
esp_present == "yes" && 
esp_enc_alg != "null" -> "true"; 
Now for isakmpd.conf, there may be better settings possible. That's what works for me; I didn't have the nerve for still more trial and error once things worked... Maybe you know better, which is rather likely, as I am really no expert!
/etc/isakmpd/isakmpd.conf 

[General] 
Default-phase-1-lifetime= 120,60:3600 
Default-phase-2-lifetime= 120,60:3600 
Retransmits= 5 
Check-interval= 5 
Exchange-max-time= 120 
Policy-File= /etc/isakmpd/isakmpd.policy 

[Phase 1] 
Default= ISAKMP-clients 

[Phase 2] 
Passive-Connections= IPsec-clients 



[Default-main-mode] 
DOI= IPSEC 
EXCHANGE_TYPE= ID_PROT 
Transforms= 3DES-SHA 

[Default-quick-mode] 
DOI= IPSEC 
EXCHANGE_TYPE= QUICK_MODE 
Suites= QM-ESP-BLF-SHA-SUITE 

# Phase 1 peer sections 
####################### 

[ISAKMP-clients] 
Phase= 1 
Transport= udp 
Configuration= PGP-main-mode 
Authentication= thisisthesharedsecret 

# Phase 2 sections 
################## 

[IPsec-clients] 
Phase= 2 
Configuration= PGP-quick-mode 
Local-ID= default-route 
Remote-ID= dummy-remote 

# Client ID sections 
#################### 
[default-route] 
ID-type= IPV4_ADDR_SUBNET 
Network= 0.0.0.0 
Netmask= 0.0.0.0 

[dummy-remote] 
ID-type= IPV4_ADDR 
Address= 0.0.0.0 


# Transform descriptions 
######################## 
# Some predefined section names are recognized by the daemon, voiding the 
# need to fully specify the Main Mode transforms and Quick Mode suites, 
# protocols and transforms. 
# 
# For Main Mode: 
# {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}] 
# 
# For Quick Mode: 
# QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE 

[PGP-main-mode] 
DOI= IPSEC 
EXCHANGE_TYPE= ID_PROT 
Transforms= CAST-SHA,3DES-SHA 

[PGP-quick-mode] 
DOI= IPSEC 
EXCHANGE_TYPE= QUICK_MODE 
Suites= QM-ESP-3DES-MD5-SUITE,QM-ESP-BLF-SHA-SUITE 

[PGP-aggressive-mode] 
DOI= IPSEC 
EXCHANGE_TYPE= AGGRESSIVE 
Transforms= CAST-SHA,3DES-MD5 

# Main mode transforms 
###################### 

[3DES-MD5] 
ENCRYPTION_ALGORITHM= 3DES_CBC 
HASH_ALGORITHM= MD5 
AUTHENTICATION_METHOD= PRE_SHARED 
GROUP_DESCRIPTION= MODP_1024 
Life= LIFE_1_DAY 

[CAST-SHA] 
ENCRYPTION_ALGORITHM= CAST_CBC 
HASH_ALGORITHM= SHA 
AUTHENTICATION_METHOD= PRE_SHARED 
GROUP_DESCRIPTION= MODP_1536 
Life= LIFE_1_DAY 

# Lifetimes 
########### 

[LIFE_1_DAY] 
LIFE_TYPE= SECONDS 
LIFE_DURATION= 86400,79200:93600
With all this in place, just enter "isakmpd" at the login prompt, or "isakmpd -d -DA=70" if you want to see what's going on.
And now for the VaporSec part:
Download it and first try to set up your connection according to my data further down under "The setup of VaporSec according to the config-files on OpenBSD".
Remember, as I mentioned in the beginning: if you have only one "en" Ethernet interface, it is possible that you don't have to change anything and your connection will work right out of the box. If not, for instance if you use a Mac laptop with an AirPort card, you will have two "en" Ethernet interfaces: one for the wired port and one for the AirPort card. Then it is very likely that you have to make the following change: find the VaporSec application and "enter" it via right-click or ctrl-left-click and select "Show Package Contents" (or similar... in German it says "Paketinhalt anzeigen"), then look for the shell script ipsec.sh:

Drag it to your favorite texteditor.
Look for the lines that say:
################################################################################
#
# setup tunnels
# this will iterate through all the interfaces and make tunnels with that IP 
#
################################################################################

setup_tunnels () {
awk 'BEGIN {while ("ifconfig -a" | getline) 	{
	if ( /^en/ || /^ppp/ ) {
		sub( /:/, "")
		interface = $1
		}
	if ($1 == "inet" && $2 != "127.0.0.1") {
		print $2
		}
}
}
' | while read IP
do
make_tunnel
done
}

Now we have to change one small bit according to your personal setup, instead of using this script in its original version, in which it is supposed to find the IP address of your machine by itself. With me, it didn't. As I have two "en" interfaces but only one with an assigned IP, "setup_tunnels" calls "make_tunnel" twice, one of those times without a sensible IP. As a consequence, it ran "setkey" the wrong way, which kept my connection from working. BUT with this little twist things turned out well:
Find the name of the interface you are using by entering "ifconfig -a" in a Terminal window, which is likely to give you something similar to this:
ifconfig -a
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=8863 mtu 1500
        inet6 fe80::203:93ff:feec:48da prefixlen 64 scopeid 0x4 
        inet 123.456.789.169 netmask 0xfffff800 broadcast 123.456.789.255
        ether 00:03:93:ec:48:da 
        media: autoselect status: active
        supported media: autoselect
en0: flags=8822 mtu 1500
        tunnel inet  --> 
        ether 00:0a:95:a0:11:5c 
fw0: flags=8822 mtu 4078
        tunnel inet  --> 
        lladdr 00:0a:95:ff:fe:a0:11:5c 
        media: autoselect  status: inactive
        supported media: autoselect 
This told me I am using interface en1, the wireless LAN card inside my PowerBook. So I changed the following line of the above script:
awk 'BEGIN {while ("ifconfig -a" | getline) 	{

to
awk 'BEGIN {while ("ifconfig -L en1" | getline) 	{

and saved ipsec.sh where it was: inside the application bundle of VaporSec. Now what does this change inside ipsec.sh do? It reduces the output of ifconfig to that of interface en1, similar to this:
ifconfig -L en1
en1: flags=8863 mtu 1500
        inet6 fe80::203:93ff:feec:48da prefixlen 64 scopeid 0x4 
        inet 123.456.789.123 netmask 0xfffff800 broadcast 123.456.789.255
        ether 00:03:93:ec:48:da 
        media: autoselect status: active
        supported media: autoselect
Following that, the subroutine "make_tunnel" is called only once, with the IP of en1. YOU have to take the name of the interface YOU are using; I guess en0 would be the wired Ethernet interface. Then save ipsec.sh with the change made according to your setup.
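A more general version of that fix, added here as an example (this is not code from VaporSec's ipsec.sh): instead of hard-coding en1, keep only the en*/ppp* interfaces that actually carry an inet address, so make_tunnel is never called with an empty IP. The sample ifconfig output, the interface names in it and the address 192.0.2.10 are constructed; the helper names are mine.

```shell
#!/bin/sh
# Added example, not part of VaporSec: a stricter interface scan for
# setup_tunnels. It reads ifconfig-style output from stdin and prints
# "<interface> <ip>" only for en*/ppp* interfaces that really have an IPv4
# address. An interface without "inet" (like the unused en0 on the page)
# therefore produces no line and no bogus make_tunnel/setkey call.
select_tunnel_ips() {
    awk '
        # Interface header, e.g. "en1: flags=8863 mtu 1500"
        /^(en|ppp)[0-9]*:/ {
            sub(/:/, "", $1)
            iface = $1
            next
        }
        # Any other header (lo0, gif0, fw0, ...) ends the current block
        /^[a-z]/ { iface = ""; next }
        # Only indented "inet" lines inside an en*/ppp* block count;
        # "tunnel inet  -->" and "inet6" lines are not matched
        iface != "" && $1 == "inet" && $2 != "127.0.0.1" {
            print iface, $2
        }
    '
}

# Constructed sample modelled on the page: en0 has no address, en1 has one.
SAMPLE_IFCONFIG='lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en1: flags=8863 mtu 1500
        inet6 fe80::1 prefixlen 64 scopeid 0x4
        inet 192.0.2.10 netmask 0xfffff800 broadcast 192.0.2.255
en0: flags=8822 mtu 1500
        tunnel inet  -->
        ether 00:00:00:00:00:00
fw0: flags=8822 mtu 4078
        tunnel inet  -->'

# Same shape as the original loop; every IP handed on is non-empty.
# On a real Mac you would pipe "ifconfig -a" in instead of the sample.
setup_tunnels_checked() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | select_tunnel_ips | while read -r IFACE IP; do
        echo "would call make_tunnel for $IFACE with IP=$IP"
    done
}
```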

The setup of VaporSec according to the config-files on OpenBSD

Then start VaporSec. In its current version it will first claim that an AppleScript error 2706 occurred. Just click OK and don't worry. Then authenticate with your admin password. When you click "Add", you can add a new tunnel. What parameters to use? Well, this is what worked for me on the Mac side with OpenBSD 3.4 on the other side, using isakmpd.policy and isakmpd.conf as shown above. The "Shared Secret" must be the same as what you enter on the OpenBSD side in /etc/isakmpd/isakmpd.conf at this place as "Authentication":
# Phase 1 peer sections
#######################

[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          PGP-main-mode
Authentication= thisisthesharedsecret

Main settings:

Settings for Phase 1:

Settings for Phase 2:

"Local" and "Remote" I leave empty:



Now with all that in place and ipsec on my machine
[123.MY.OFFICIAL_IP.234:~] patrikts% uname -a
Darwin 123.MY.OFFICIAL_IP.234.dclient.hispeed.ch 7.2.0 Darwin Kernel Version 7.2.0: Thu Dec 11 16:20:23 PST 2003; root:xnu/xnu-517.3.7.obj~1/RELEASE_PPC  Power Macintosh powerpc
running, I have these interfaces:
[123.MY.OFFICIAL_IP.234:~] patrikts% ifconfig -a
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128 
        inet6 fe80::1 prefixlen 64 scopeid 0x1 
        inet 127.0.0.1 netmask 0xff000000 
gif0: flags=8051 mtu 1280
        tunnel inet 192.168.1.222 --> 127.0.0.1
        inet 192.168.1.222 --> 192.168.1.0 netmask 0xffffffff 
stf0: flags=0<> mtu 1280
en1: flags=8863 mtu 1500
        inet6 fe80::203:93ff:feec:48da prefixlen 64 scopeid 0x4 
        inet 123.MY.OFFICIAL_IP.234 netmask 0xfffff800 broadcast 123.MY.OFFICIAL_IP.255
        ether 00:03:93:ec:48:da 
        media: autoselect status: active
        supported media: autoselect
en0: flags=8822 mtu 1500
        tunnel inet  --> 
        ether 00:0a:95:a0:11:5c 
fw0: flags=8822 mtu 4078
        tunnel inet  --> 
        lladdr 00:0a:95:ff:fe:a0:11:5c 
        media: autoselect  status: inactive
        supported media: autoselect 
gif1: flags=8010 mtu 1280
[123.MY.OFFICIAL_IP.234:~] patrikts% 
and that's what setkey tells me:
[123.MY.OFFICIAL_IP.234:~] patrikts% sudo setkey -DP
Password:
192.168.1.0/24[any] 192.168.1.222[any] any
        in ipsec
        esp/tunnel/123.OPENBSD.OFF_IP.234-123.MY.OFFICIAL_IP.234/require
        spid=33 seq=1 pid=9549
        refcnt=1
192.168.1.222[any] 192.168.1.0/24[any] any
        out ipsec
        esp/tunnel/123.MY.OFFICIAL_IP.234-123.OPENBSD.OFF_IP.234/require
        spid=32 seq=0 pid=9549
        refcnt=1
[123.MY.OFFICIAL_IP.234:~] patrikts% 
and now, although 123.MY.OFFICIAL_IP.234 is an official IP, I can ping that private-range IP "over there":
[123.MY.OFFICIAL_IP.234:~] patrikts% ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=53.48 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=89.208 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=84.082 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=38.343 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=100.766 ms
^C
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 38.343/73.175/100.766 ms
[123.MY.OFFICIAL_IP.234:~] patrikts% 
QED, quod erat demonstrandum, as the ol' Romans said in such a case...
P.S. This mainly proves that I can ping the internal interface of the OpenBSD firewall... What remains to be seen: how much I really became a part of the LAN "over there", meaning how far I have the same possibilities as if I were there with my PowerBook, connected directly. Will my machine see the shared printers, appear in and see others via Rendezvous etc. pp.? This I couldn't test yet, as the office is deserted these days and no other Macs or printers are running there at the moment. This will change after January 5.