Christian Weisgerber <[EMAIL PROTECTED]> wrote:

> Okay, this is as good an opportunity as any to write down what I
> did to my wireless a while ago:

Meanwhile, ipsecctl has gained support for pre-shared key authentication.
So in 3.9, things are simpler still:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Start up "isakmpd -K" on both machines.
No isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99 psk "secretpassphrase"

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1 psk "secretpassphrase"

Run "ipsecctl -f /etc/ipsec.conf" on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 -> AP ->
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be ridiculously slow or stall completely.  There must be
a better way, but in the meantime TCP MSS clamping on the gateway
works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the "antispoof" directive, make sure
to add a pass rule for traffic on enc0.

-- 
Christian "naddy" Weisgerber                          [EMAIL PROTECTED]
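The per-client procedure above (static dhcpd lease, one-line ipsec.conf on each side, pf rules on the wireless interface, MSS clamp on enc0), scripted as an added example that is not part of naddy's post. It generates the three fragments for one new wireless client and cross-checks that the gateway and laptop files carry the same pre-shared key and that the gateway flow names the address dhcpd will hand out. The scratch directory `$OUT`, the generated file names, the `add_client`/`check_pair` helper names, the sample MAC address, the minimum PSK length and the `pass on enc0 all` rule are my assumptions; the addresses, interface name and pf/ipsec.conf syntax are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-client pieces of
# the ipsecctl/isakmpd -K setup and verify that both sides agree on the
# pre-shared key and the client address before "ipsecctl -f" is run.
# $OUT, the file names and the sample MAC below are assumptions.

set -u

OUT="${OUT:-./ipsec-example}"   # assumed scratch directory for the fragments
GW_ADDR=172.16.1.1               # gateway address from the post
WLAN_IF=ral0                     # laptop wireless interface from the post

# new_psk: 48 hex characters from /dev/urandom. The PSK is the only thing
# authenticating the peer, so do not ship a "secretpassphrase"-style value.
new_psk() {
    od -An -tx1 -N 24 /dev/urandom | tr -d ' \n'
}

# dhcpd_host NAME MAC ADDR: static lease so the gateway's flow stays valid.
dhcpd_host() {
    printf 'host %s {\n\thardware ethernet %s;\n\tfixed-address %s;\n}\n' \
        "$1" "$2" "$3"
}

# gateway_flow ADDR PSK: the gateway's one-line ipsec.conf for this client.
gateway_flow() {
    printf 'ike esp from any to %s psk "%s"\n' "$1" "$2"
}

# client_flow IF GATEWAY PSK: the laptop's one-line ipsec.conf.
client_flow() {
    printf 'ike esp from %s to any peer %s psk "%s"\n' "$1" "$2" "$3"
}

# pf_rules WLAN_IF: only ESP and ISAKMP may cross the wireless interface;
# decoded traffic shows up on enc0, where the TCP MSS is clamped.
# "pass on enc0 all" is my addition, following the antispoof remark above.
pf_rules() {
    cat <<EOF
wlan = "$1"
block return on \$wlan all
pass in  on \$wlan proto esp to \$wlan keep state
pass out on \$wlan proto esp from \$wlan keep state
pass in  on \$wlan proto udp to \$wlan port isakmp keep state
pass out on \$wlan proto udp from \$wlan port isakmp keep state
scrub in on enc0 all max-mss 1318
pass on enc0 all
EOF
}

# psk_of FILE: the quoted psk value from an ipsec.conf line.
psk_of() {
    sed -n 's/.*psk "\([^"]*\)".*/\1/p' "$1"
}

# check_pair GW_CONF CLIENT_CONF ADDR: both files must carry the same,
# non-trivial secret, and the gateway flow must name ADDR. Nonzero on failure.
check_pair() {
    gw_psk=$(psk_of "$1")
    [ -n "$gw_psk" ] && [ "$gw_psk" = "$(psk_of "$2")" ] || return 1
    [ "${#gw_psk}" -ge 32 ] || return 1        # assumed minimum PSK length
    grep -q "to $3 psk" "$1"
}

# add_client NAME MAC ADDR: write NAME.dhcpd, NAME.gateway.conf and
# NAME.client.conf into $OUT with a fresh PSK, then verify the pair.
add_client() {
    mkdir -p "$OUT"
    psk=$(new_psk)
    dhcpd_host "$1" "$2" "$3"                > "$OUT/$1.dhcpd"
    gateway_flow "$3" "$psk"                 > "$OUT/$1.gateway.conf"
    client_flow "$WLAN_IF" "$GW_ADDR" "$psk" > "$OUT/$1.client.conf"
    check_pair "$OUT/$1.gateway.conf" "$OUT/$1.client.conf" "$3"
}

# Constructed sample client; afterwards, copy NAME.client.conf to the laptop's
# /etc/ipsec.conf, append NAME.gateway.conf to the gateway's, add NAME.dhcpd to
# dhcpd.conf, and run "ipsecctl -f /etc/ipsec.conf" on both machines.
if [ "${1:-}" = "demo" ]; then
    add_client laptop 00:11:22:33:44:55 172.16.1.99 && pf_rules ral0
fi
```

Run it as `sh ipsec-client.sh demo` to see the generated fragments and pf rules; sourcing it without arguments only defines the functions. The check is deliberately run before anything is loaded, since a mismatched key between the two ipsec.conf files fails silently in phase 1 and is otherwise only visible in isakmpd's debug output.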
