Linux interoperability

This page provides information about interoperability between macOS and Linux systems.

Linux and OS X filesystems

 * OS X can mount (as read-only) Linux ext2 filesystems with the free utility ExtFSManager.
 * Linux can mount (as read-only) OS X HFS+ filesystems if the appropriate kernel module is loaded.

VPN between Mac and Linux machines

Natively, OS X supports virtual private networks (VPNs) using L2TP over IPsec. Linux, however, is typically configured for straight IPsec and requires additional steps to enable L2TP. The setup described here configures the Mac to run a straight IPsec VPN, without the added overhead of L2TP.

A transport mode VPN is described, in which all of the participating hosts are on the same LAN. This is useful for wireless networks, since the original wireless encryption protocol (WEP) is very weak, and even the more secure WPA has reportedly been partially cracked. Tunnel mode, on the other hand, is typically used for connecting a remote machine to a LAN via the Internet; this configuration is also achievable in both OSes.

Configuring the VPN on OS X

 * See: Virtual private network: VPNs for Mac

Configuring the VPN on Linux

Linux distributions typically use OpenSWAN for VPN implementation, while OS X uses racoon. These two systems share the same underlying protocol (IPsec) and can interoperate. Assuming a 2.6.x Linux kernel, the following is an example of a Linux ipsec.conf file. It is typically located at /etc/ipsec.conf, but the location may vary from one distribution to another:

version 2.0    # conforms to second version of ipsec.conf specification

config setup
    forwardcontrol=yes
    interfaces=%defaultroute
    nat_traversal=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    overridemtu=1400
    uniqueids=yes

# Add connections here
conn %default
    keyingtries=20
    rekey=no
    compress=yes
    disablearrivalcheck=no
    authby=secret

conn wireless
    type=transport
    left=%defaultroute
    right=%any
    esp=3des-sha1-96
    espenckey=0x0123_4567_89ab_cdef_0246_8ace_1357_9bdf_1234_5678_9abc_def0
    espauthkey=0x1234_5678_9abc_def0_2468_ace0_1357_9bdf
    spi=0x300
    auto=add
    pfs=yes

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

The connection called "wireless" (any name will do) specifies a transport (as opposed to tunnel) connection. The choices for espenckey, espauthkey, and spi are arbitrary hexadecimal numbers.

The included file no_oe.conf is probably found in most distributions. If it is missing, the following will do:

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

The line "authby=secret" tells OpenSWAN to use a secret key for authentication. The key is provided in the file /etc/ipsec.secrets, which should be accessible only by root and should contain a line of this form (replace the IP address with the IP address of the target Mac, and the string in quotes with some random string of characters):

%any 192.168.1.101 : PSK "ThisShouldBeACrypticString"

This file requires a line for each target machine. The secret string must also be configured on the target machine to match the string of the Linux machine.
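
One way to build the secrets file described above, as an added example that is not part of the original page: the shell functions below generate a random secret per peer, write one line per target machine in the format shown, keep the file at mode 0600, and verify its owner and mode. The function names are hypothetical, and any peer addresses passed to them are the reader's own.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are
# hypothetical; run add_peer as root against /etc/ipsec.secrets.

# gen_psk: print 32 bytes from the kernel RNG as 64 hex characters.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# add_peer FILE PEER_IP: append one '%any <ip> : PSK "<secret>"' line,
# keeping FILE at mode 0600. Fails on a bad address or a duplicate peer.
add_peer() {
    file=$1 peer=$2
    # Accept only a dotted quad so an argument cannot add extra tokens.
    if ! printf '%s\n' "$peer" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "add_peer: bad address: $peer" >&2; return 1
    fi
    ( umask 077; : >>"$file" ) || return 1   # create as 0600 if absent
    chmod 600 "$file" || return 1            # tighten an existing file
    # One line per target machine: refuse a second entry for the same peer.
    if awk -v p="$peer" '$1 == "%any" && $2 == p { f = 1 } END { exit !f }' "$file"; then
        echo "add_peer: $peer already has an entry" >&2; return 1
    fi
    printf '%%any %s : PSK "%s"\n' "$peer" "$(gen_psk)" >>"$file"
}

# check_secrets FILE [UID]: succeed only if FILE is owned by UID
# (default 0, root) and grants no access to group or other.
check_secrets() {
    want=${2:-0}
    info=$(ls -lnd "$1" | awk '{ print substr($1, 1, 10), $3 }')
    case $info in
        "-rw------- $want"|"-r-------- $want") return 0 ;;
        *) echo "check_secrets: $1 is '$info', want -rw------- uid $want" >&2
           return 1 ;;
    esac
}
```

Each generated secret still has to be entered on the corresponding Mac so that both ends match.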

Nate Carlson's web site has more helpful information, including setting up certificates (an alternative to the use of secret keys, not necessary but preferable when more than two or three machines are involved in the VPN).

The init files of the Linux machine should be configured to start the ipsec process automatically on booting.