I was reading the comp.sys.mac.comm Usenet forum when I spotted this message supposedly from SonicWall tech support. I thought you guys who have Macintoshes using MacPGP/PGPNet would be interested to know why your MacPGP/PGPNet IPSec VPN Clients suddenly stopped working with SonicWall's firmware 6.2.0.0. Now that NAI/McAfee have shitcanned MacPGP, all this is academic but at least we can console ourselves that we know WHY it broke!!!
> I hope I can clarify some issues that you bring up and hopefully help you out.
>
> First, concerning support for Macintosh and VPN. Officially, SonicWall has never offered any kind of support for Macintosh VPN clients, and has never recommended any third-party VPN product. Simply posting interoperability instructions showing how to use the SonicWall with another VPN client does not constitute a recommendation of that product. Indeed, the instructions for connecting the MacPGP VPN client to the SonicWall state very clearly that the only VPN client supported is our own SonicWall VPN client. Unfortunately, as you know, there is no SonicWall VPN client for Macintosh.
>
> When it was discovered that the v6.2.0.0 firmware broke compatibility with the MacPGP client it was decided to pull these instructions from our website. The feeling was that it was improper to keep the instructions posted given that compatibility was broken. It would have been unfair to have left the instructions up given that they no longer worked.
>
> Having written the instructions for connecting the MacPGP client to the SonicWall and having studied why compatibility broke with v6.2.0.0 I am able to detail the actual problem.
>
> It's important to know that there are two types of IKE negotiation: main mode and aggressive mode. Main mode is used whenever each IPSec endpoint (i.e. gateway device) knows the IP address that the other (another gateway or a client installed on a PC, Mac, etc.) will be coming from. This mode is not suitable for roaming clients because the gateway device does not know in advance what IP address they will be coming from. Instead, aggressive mode is used. Instead of using the IP addresses as part of the IKE authentication process another predefined piece of information, such as a unique identifier, is used instead.
>
> The SonicWall's predefined GroupVPN security association is designed to accept roaming clients, and therefore uses aggressive mode IKE to negotiate a connection with those clients. The problem is that the MacPGP client wants to use main mode. An IKE negotiation cannot occur when the two sides are not using the same IKE mode.
>
> The reason this worked before the v6.2.0.0 release was a bug in the SonicWall's IKE implementation. Even though the SonicWall should have been accepting only aggressive mode IKE negotiations from clients it was also improperly accepting main mode negotiations. This means that a key piece of information that must be compared and authenticated during the negotiation process was not. A bug that allowed improper IKE negotiations to succeed could not stay, even if it meant breaking compatibility.
>
> (As a side note, v6.2.0.0 didn't just affect MacPGP users. Windows 2000 and XP users who were using the built-in IPSec client were also shut out. This client also uses main mode IKE. XP users were just as stuck as Mac users because until just recently there was no other IPSec VPN client available for XP.)
>
> I had been hoping to work with the MacPGP client with the v6.2.0.0 firmware in order to see if there was a way to get the two to work together and make new screenshots to reflect changes that had been made with the v7.1 MacPGP client. Unfortunately, by the time I was able to start work on this NAI had pulled the MacPGP package from distribution. Even if I did have a current MacPGP package and could get it to work properly, it would not make sense to work on interoperability instructions for a client that is no longer distributed.
>
> As it stands right now, to my knowledge, there is not a single generic IPSec VPN client available for the Mac (every currently available Mac IPSec client is tied to a specific platform, e.g. Cisco's client).
>
> Unfortunately, developing our own Mac VPN client is just not possible at this time. We have seen very little demand for a Mac VPN client, and none for a *nix-based client that could provide the basis of a port on Mac OS X. All the VPN support requests we have seen from *nix users are those already using Free S/WAN and looking for information to get it working with the SonicWall. To my knowledge Free S/WAN is not available for Mac OS X, and even if it were a recompile of the Mac OS X kernel, using Darwin source, would be required to use the two together. I don't know if that's even possible.
>
> Being a longtime Mac user myself, I'd also like to see a Mac IPSec VPN client that could be used with the SonicWall (My original desire to see this is what prompted me to write the interoperability document for MacPGP). I'd especially like to see one for Mac OS X. (I've heard rumors that Apple is working on this, but don't know anything more.) If/when a Mac OS X IPSec VPN client is released I hope that I will get a chance to work with it to test compatibility with the SonicWall and, if things go well, write up some instructions detailing the proper setup. Given the state of Mac OS 9.x I see little point in pursuing anything that might come up for it, especially given that any such adapter would probably not work under Mac OS X classic mode.
>
> As for other aspects of Macintosh compatibility, let me touch on those briefly:
>
> General Internet Access Support: Of course this works fine, as will any OS that uses IP.
>
> Administrative Interface: There have been some issues with using current Netscape Navigator/Communicator/Mozilla and Internet Explorer Mac browsers with the SonicWall. Most of these problems have been taken care of with the v6.3.0.0 firmware that was just recently released.
> Full, problem-free compatibility with current Mac browsers is expected in the v6.4.0.0 firmware release (assuming all goes well and subject to change). Netscape Navigator/Communicator v4.7.x is known to be fully compatible at this time, and operates just fine under Mac OS X classic mode (this is what I use myself).
>
> Anti-Virus: SonicWall does not offer an anti-virus client for the Mac. It is highly recommended that a separate anti-virus package be purchased for any Macs.
>
> If you wish you may post this response to the newsgroup thread you mentioned. I only ask that you post it in its entirety and that my e-mail address not be included (I don't care for spam any more than anyone else).
>
> Please let me know if you have any further questions regarding this issue.
>
> --
> Kevin Chval
> Senior Technical Support Engineer
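
The mode check the quoted message describes, as an added example that is not part of the original post and is not SonicWall's code: it reads the exchange type from the fixed ISAKMP header (RFC 2408) of a peer's first message and refuses a Phase 1 mode the policy does not allow. The function names and the sample packets are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
# Phase 1 exchange types; "Identity Protection" (2) is IKE main mode.
PHASE1_MODES = {2: "main", 4: "aggressive"}


def parse_isakmp_header(packet):
    """Decode the fixed header at the start of an IKE (UDP/500) payload."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = \
        HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("length field inconsistent with datagram")
    return {"initiator_cookie": icookie, "responder_cookie": rcookie,
            "major_version": version >> 4, "exchange_type": xchg,
            "message_id": msg_id, "length": length}


def check_phase1_mode(packet, required_mode):
    """Accept an initiator's first message only if it uses the policy's mode."""
    try:
        hdr = parse_isakmp_header(packet)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if hdr["major_version"] != 1:
        return False, "not IKEv1"
    if hdr["message_id"] != 0 or hdr["responder_cookie"] != bytes(8):
        return False, "not an initial Phase 1 message"
    mode = PHASE1_MODES.get(hdr["exchange_type"])
    if mode is None:
        return False, "exchange type %d is not a Phase 1 mode" % hdr["exchange_type"]
    if mode != required_mode:
        # The case from the message: a main mode client against a policy
        # (GroupVPN) that is meant to negotiate in aggressive mode only.
        return False, "peer offered %s mode, policy requires %s" % (mode, required_mode)
    return True, "%s mode accepted" % mode


def build_first_message(exchange_type, body=b""):
    """Constructed sample: header of an initiator's first IKEv1 message."""
    return HEADER.pack(b"\x11" * 8, bytes(8), 1, 0x10, exchange_type, 0, 0,
                       HEADER.size + len(body)) + body


if __name__ == "__main__":
    for xchg in (2, 4):
        print(xchg, check_phase1_mode(build_first_message(xchg), "aggressive"))
```
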
