The access point you refer to does not support IPsec or WPA - it only supports WEP. If this is not acceptable, you either need a better access point, or you'll have to use IPsec. If you want to use the native IPsec implementation in Windows, you'll need to use IPsec+L2TP, and you'll need some sort of VPN gateway which supports L2TP/IPsec to place between the access point and the wired network, e.g.



     |
  +--+--+          |    |            +---------+
  |     |        +-+----+-+       |  |   VPN   |
  |     |        | access |       |--| gateway |----[LAN]
  +-----+        | point  |-------|  +---------+
 /     /         +--------+       |
+-----+
wireless
user system

You may be able to use a win2k system with 2 interfaces for the vpn gateway system. If you don't understand the issues here, you may be in over your head. In any event, I think this is probably not a topic for this list, as it's not really an openssl problem. If you want to contact me off-list for further info, that's fine.

Scott

Paul R. Adams wrote:
"Ken Ballou" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Actually, you should be able to configure IPsec to use a "pre-shared
secret" for authentication.

It takes two to tango. Your Windows system is one endpoint for IPsec.
What's the other? Does your wireless access point implement IPsec?

You may very well find configuring IPsec to be a headache.  You may also
find configuring IPsec to use certificates for authentication (especially
certificates you generate yourself) to be a migraine headache.

- Ken


Maybe I'm accidentally mixing terms...  I assume (which is probably
incorrect) that IPsec == 802.1X.

What I'm seeing is that on the "Properties" for the connection there is an
"Authentication" tab.  That tab has a check box to enable 802.1X and allows
you to select an EAP type.  The default is "Smart Card or other Certificate"
but there are other choices "MD5 Challenge" and PEAP.  There is a button to
configure advanced options which include setting where the certificate comes
from (smart card or certificate on this computer), setting "Trusted Root
Certificates", etc.

Using "gpedit.msc" I did see you can set IPsec to a "pre-shared secret" but
that only covers authentication with the network not encryption.  The
problem is that the machines that I have to work with are XP Home machines
which, if I remember correctly, don't have this file.

Hopefully this answers your last questions:  I want to encrypt all the data
between 3 machines (currently 3 maybe more soon).  I have been informed from
several places that WEP is not enough because of some fundamental flaws in
the protocol (which may not be solved with WPA).  I need the process of
encrypting the transported data to be as transparent as possible because the
recipients of this system are not "tech savvy".  Given the budget
constraints (or more appropriately the lack of any funds) the WAP is
produced by Linksys (BEFW11S4), which I don't believe is capable of being
an IPsec endpoint.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
