
Need advice: IPSec encryption for wireless network

joey2k

Member
As stated, I need advice on how to encrypt my LAN traffic so some punk doesn't AirSnort me, hook into my 802.11b network, and have access to anything and everything he (or she!) wants.

I'm looking for a good book or Internet site that answers my questions about IPSec in a LAN. It seems most are geared toward setting up a VPN.

Anyone have any advice, or experience in doing this? I'm already very comfortable setting up networks, configuring VPNs, administering linux and windows, etc. I just haven't found a resource that gives a good explanation about how IPSec actually works and examples of setting different network scenarios. I'd be willing to shell out $50 at Barnes & Noble for something like this.

Thanks
-- Joel
 
For Win2k, you might want to check here. Good luck; I've been looking into doing this, too and have to get around to it one of these days. 😱
 
An IPSec tunnel over a LAN *IS* a VPN - Just not a remote access solution. Anything you find for a VPN should be applicable to your situation.

You'll need to get some kind of VPN server on your network, should that be a Linux box or a little hardware router/firewall that can handle it, like a PIX.

If I had to do it, I'd do..

Wireless PC -> air -> AP -> Outside (VPN Router) Inside -> Ethernet segment with your PCs -> Internet router -> Internet.

A bit more complex, but doable. Also protects you from drive-by's accessing your network.

- G
 
Thank you so much for all your replies. They have been very enlightening.

I have a few follow-up questions which I'm sure the experts here can answer with ease 🙂.

I REALLY like the idea of setting up a VPN server between the access point and the router, but I happen to have an all-in-one Linksys router with the wireless built in. That makes my setup less flexible. Any possibility of implementing your solution with my all-in-one router/AP?

You say IPSec is basically a VPN, even in a LAN...
Does that mean I need to setup a VPN between each computer (3 computers = 3 VPNs), or can the linux box run the VPN server (freeswan) and the other two computers connect to it?
Once communication between two computers is encrypted, how do I prevent any unencrypted connections from being made besides those to the Internet? Set up a firewall on each computer to only allow IPSec traffic? (This question shows my lack of understanding of how IPSec actually works 🙂 )

I currently have one workstation wired to the router, one notebook with wireless card, and one server wired to router that, among other things, provides my entire network with a VPN connection to another network across the Internet (uses openvpn).

My ideal solution would accomplish the following goals:
* Access to the Internet would require nothing more than the Linksys router. I don't want to turn on another computer if I only want to access the Internet.
* Access to any type of file sharing (or other services, such as internal web servers) between my workstation, laptop and server would require IPSec (or some other equivalent security measure). I'm willing to require my server to be on to file share with other computers. (It has to be turned on for my VPN already).

Once again thanks for all your replies!!
-- Joel
 
Originally posted by: Garion
An IPSec tunnel over a LAN *IS* a VPN - Just not a remote access solution. Anything you find for a VPN should be applicable to your situation.

You'll need to get some kind of VPN server on your network, should that be a Linux box or a little hardware router/firewall that can handle it, like a PIX.

If I had to do it, I'd do..

Wireless PC -> air -> AP -> Outside (VPN Router) Inside -> Ethernet segment with your PCs -> Internet router -> Internet.

A bit more complex, but doable. Also protects you from drive-by's accessing your network.

- G

My personal solution right now (VPN-less at the moment, but that's a "Linksys changed the chipset in their WMP11 cards so the new one I purchased will not work in my environment" issue...) is something like:
wireless Mac->air->firewall<-server machines

I also block all IPs from accessing the firewall except the IP of my Mac, and will be implementing MAC-based filtering when I figure it out. I'm lucky that my firewall's wireless range does not extend much past the house.

 
Originally posted by: joey2k
Thank you so much for all your replies. They have been very enlightening.

I have a few follow-up questions which I'm sure the experts here can answer with ease 🙂.

I REALLY like the idea of setting up a VPN server between the access point and the router, but I happen to have an all-in-one Linksys router with the wireless built in. That makes my setup less flexible. Any possibility of implementing your solution with my all-in-one router/AP?

You say IPSec is basically a VPN, even in a LAN...
Does that mean I need to setup a VPN between each computer (3 computers = 3 VPNs), or can the linux box run the VPN server (freeswan) and the other two computers connect to it?
Once communication between two computers is encrypted, how do I prevent any unencrypted connections from being made besides those to the Internet? Set up a firewall on each computer to only allow IPSec traffic? (This question shows my lack of understanding of how IPSec actually works 🙂 )

I currently have one workstation wired to the router, one notebook with wireless card, and one server wired to router that, among other things, provides my entire network with a VPN connection to another network across the Internet (uses openvpn).

My ideal solution would accomplish the following goals:
* Access to the Internet would require nothing more than the Linksys router. I don't want to turn on another computer if I only want to access the Internet.
* Access to any type of file sharing (or other services, such as internal web servers) between my workstation, laptop and server would require IPSec (or some other equivalent security measure). I'm willing to require my server to be on to file share with other computers. (It has to be turned on for my VPN already).

Once again thanks for all your replies!!
-- Joel

If you had a VPN server, your wireless machine would connect to it over IPSEC and the other machines on the network would not necessarily have to have a VPN to it.
 
I use a generic access point with wep and all management services disabled attached via a crossover cable to an interface in my freebsd gateway/firewall. I've set up the freebsd box to be an ipsec security gateway which only allows encrypted packets and IKE over the interface the access point is attached to. It does allow (unencrypted) dhcp requests through, but I have set up my dhcp server on the freebsd box to only give out IPs to known mac addresses.

Authentication right now is done via a preshared key, and all traffic between the client and server is required to be encrypted. This keeps unauthenticated clients off my wireless segment (because I know everyone is trying to hax0r me!) and provides excellent security.

On the client side, I use a lucent pcmcia gold card in my laptop running windows XP. Although XP has ipsec support built in, it is pretty much useless for setting up tunnel mode which is what is needed to connect to a network "beyond" the ipsec endpoint (ie. the internet), so I use a 3rd party vpn client: SSH-Sentinel. Once encrypted traffic hits the vpn endpoint after travelling over the wireless connection, it is decrypted and directed to where it needs to go by the freebsd gateway - either to computers on my wired segment or hosts on the internet.

And for the curious, more info on the server. FreeBSD 4.7 w/ ipsec and ipfilter compiled into the kernel. Has 4 network interfaces (internet segment, 2 wired segments, and wireless segment). Runs ipf/ipnat and racoon - which is able to generate ipsec policies based on client requests - very useful for clients with dynamic IPs or if you don't want to bother with setting up static ipsec policies.

I never bothered to test throughput before all this, but with the current setup I am able to get about 4 Mbit/sec throughput on the wireless segment with 128 bit rijndael encryption from across the room.

I realize this is very much overkill for a home setup, but I thought it was a good learning experience setting it all up. In terms of cost, I already had all the hardware sitting around, so all that the project used was my time - about half a weekend.

~bex0rs

Note: I copied that from another post I made here, so not all of it may apply. Ask if you have any questions. This setup also only requires one computer which acts as the vpn endpoint AND gateway/firewall, so you could ditch the linksys.
 
Wow. Thanks for the information. I'll definitely keep this thread in my bookmarks for the next time I have a weekend to burn.

I'm comfortable with linux but have never used a bsd before. How complex was the setup of IPSec on the bsd box? Did it require lots of customization/patching/hacking or was it pretty much just configuration?

-- Joel
 
Setting up IPSEC didn't take too long - most of the time I spent on the project involved reading various tutorials online but I didn't really find a single guide that covered everything I ended up doing.

I started out using FreeBSD 4.4 and was able to get the vpn working with racoon (the userland IKE daemon) using static IPSEC policies (ie. by hard coding IP addresses), but apparently the kernel portion of the ipsec code and racoon did not play well together for creating dynamic policies. This is not really a big problem for a small home lan setup since you will probably keep track of the IPs on your wireless segment or set up your dhcp server to give out "static" IPs, but I wanted to set up my server to also handle IPSEC over the internet for when I'm on campus or at a friend's house with my laptop (and not necessarily connecting over wireless).

Since the IPSEC policy on the server needs the "client" IP, it is much more convenient to have the policy generated dynamically rather than having to SSH to the server first and manually create the policy taking note of your current [client] IP. I figured that it wouldn't hurt to see if this issue was resolved with the newer KAME code in FreeBSD 4.7 and it turned out it was. So in the end, all I really ended up needing to do was recompile my kernel with IPSEC support and edit a few options in racoon.conf - most notably to tell racoon to listen for requests only and to have it generate policies based on client requests.

As long as you know what you are doing with the client side configuration, dynamic policy generation on the server shouldn't be a problem. Again I'll suggest that you check out SSH-Sentinel since the built in IPSEC support in 2k/XP (if that is what your client is running) sucks. I would imagine that FreeS/WAN is also able to automatically generate ipsec policies based on client requests, but I am more comfortable working in FreeBSD.

The other component of the VPN endpoint box is that it is my gateway/firewall for all the computers on my home network. I'm using ipf/ipnat to handle nat and firewalling. The interface that connects to the access point only allows in UDP on port 500 for key exchange and ESP packets so even if someone was able to figure out my wireless segment IP scheme, any unencrypted and unauthenticated packets would be dropped. For authenticated clients, the packets are decrypted on the server and either routed across interfaces to my wired segment or NAT'd and sent over the internet.

If you decide to go with FreeBSD, I'd be happy to send along my SSH-Sentinel, ipf, ipnat, and racoon configuration files to look over, or perhaps if there is sufficient interest from others I'll put up some quick tutorial on the web.

~bex0rs
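For readers who want to see what the "listen for requests only" and "generate policies from client requests" racoon settings described above look like, here is an added example racoon.conf for a gateway of the kind bex0rs describes. It is not bex0rs' actual file; the gateway address 192.168.10.1 on the AP-facing interface, the psk.txt path, the lifetimes, and the choice of 3DES for phase 1 are assumptions.

```conf
# racoon.conf for the IPsec security gateway (added example, not the poster's own file).
# Assumed: 192.168.10.1 is the gateway's address on the interface the access point
# hangs off, and psk.txt (mode 0600) holds one "identifier key" line per client.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
    # Only answer IKE on the wireless-facing address, not on the internet side.
    isakmp 192.168.10.1 [500];
}

# "anonymous": accept any peer address, since wireless clients get dynamic IPs.
remote anonymous {
    # Aggressive mode first so a client with a dynamic address can identify
    # itself by name (the psk.txt identifier) rather than by IP.
    exchange_mode aggressive, main;
    passive on;              # never initiate; wait for the client to connect
    generate_policy on;      # build the SPD entry from the client's phase 2 proposal
    proposal_check obey;     # accept the lifetimes the client proposes
    my_identifier address;
    nonce_size 16;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;   # PSK auth, as in the post
        dh_group 2;
    }
}

# Phase 2: the ESP SA that actually carries the wireless traffic.
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm rijndael;       # 128-bit Rijndael/AES (racoon's default key length)
    authentication_algorithm hmac_sha1;  # ESP integrity; encryption alone is not enough
    compression_algorithm deflate;
}
```

Because generate_policy installs whatever selector an authenticated peer proposes, keep a separate PSK per client and keep the firewall on that interface limited to UDP/500 and ESP as described in the post, so that an unauthenticated station on the wireless segment never gets past IKE.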
 