Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-07-07 Thread Diana Eichert
 For those who are interested and have wifi windows xp clients.
 
 Recently I came across a tool called smartvpn dial-up connection
 management from draytek. It is a freeware (ipsec) client that makes it
 very simple to configure ipsec on windows 2k/xp. You will not have to
 use mmc + ipsec policy editor or ipseccmd.exe.
 
 It is available here:
 http://217.160.102.141/data/RouterTools/win/SmartVPN/SMARTVPN09_05.zip

I just tried to get this file and ooops, it didn't work.

Error 404: Datei nicht gefunden!

Das angegebene Dokument konnte auf diesem Server leider nicht gefunden
werden.

I did find a version of the DrayTek SmartVPN client on the company FTP
site here, ftp://ftp.draytek.com/tools/VPN/3.2.5/VPN.zip

Is this the same one?

diana



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-07-06 Thread Gernot Poerner

Christian Weisgerber [EMAIL PROTECTED] wrote:
Meanwhile, ipsecctl has gained support for pre-shared key
authentication.
So in 3.9, things are simpler still:


Sounds great and thx a lot for your help :-))

For those who are interested and have wifi windows xp clients.

Recently I came across a tool called smartvpn dial-up connection
management from draytek. It is a freeware (ipsec) client that makes it
very simple to configure ipsec on windows 2k/xp. You will not have to
use mmc + ipsec policy editor or ipseccmd.exe.

It is available here:
http://217.160.102.141/data/RouterTools/win/SmartVPN/SMARTVPN09_05.zip

This tool does the following (based on your configuration choices): it
dynamically creates the policies and activates/deactivates them when you
need or don't need them anymore. I don't see a reason why it shouldn't
work with an openbsd ipsec gateway. Have a look at the client's
ipsec tunnel mode (I think this is the one you will use).

I personally did not have the opportunity to test it with openbsd (as
I'm an ipsec novice) but I will make the test with openbsd current as
soon as I can ...

Regards
Didier


fyi:

I am using this now with WinXP SP2 connected to my wireless LAN. This
is the ipsec.conf entry that works for me:

ike esp from any to $XP_LAPTOP_IP main auth hmac-sha1 enc 3des \
 quick auth hmac-sha1 enc 3des \
 psk secretkey

I found it very easy to use; the ipseccmd.exe from SP2 crashes every time and
Softremote is too complex.

Regards

gp



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-02-17 Thread Rod.. Whitworth
On Mon, 6 Feb 2006 23:49:50 +0000 (UTC), Christian Weisgerber wrote:

Christian Weisgerber [EMAIL PROTECTED] wrote:

 Okay, this is as good an opportunity as any to write down what I
 did to my wireless a while ago:

Meanwhile, ipsecctl has gained support for pre-shared key authentication.
So in 3.9, things are simpler still:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Start up isakmpd -K on both machines.
No isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99 psk secretpassphrase

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1 psk secretpassphrase

Run ipsecctl -f /etc/ipsec.conf on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 -> AP ->
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be ridiculously slow or stall completely.  There must be
a better way, but in the meantime TCP MSS clamping on the gateway
works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the antispoof directive, make sure
to add a pass rule for traffic on enc0.


I see no reason why you should be able to answer this question as I
don't expect you to know about how windows does things but on the
off-chance that you or a kind lurker does know:

Is there a way to let a client using XP connect as simply as that?
Alternatively, as windows is rarely simple, a way to let XP connect to
the same setup?

Thanks,
Rod/

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-02-07 Thread Didier Wiroth
Christian Weisgerber [EMAIL PROTECTED] wrote:
Meanwhile, ipsecctl has gained support for pre-shared key
authentication.
So in 3.9, things are simpler still:

Sounds great and thx a lot for your help :-))

For those who are interested and have wifi windows xp clients.

Recently I came across a tool called smartvpn dial-up connection
management from draytek. It is a freeware (ipsec) client that makes it
very simple to configure ipsec on windows 2k/xp. You will not have to
use mmc + ipsec policy editor or ipseccmd.exe.

It is available here:
http://217.160.102.141/data/RouterTools/win/SmartVPN/SMARTVPN09_05.zip

This tool does the following (based on your configuration choices): it
dynamically creates the policies and activates/deactivates them when you
need or don't need them anymore. I don't see a reason why it shouldn't
work with an openbsd ipsec gateway. Have a look at the client's
ipsec tunnel mode (I think this is the one you will use).

I personally did not have the opportunity to test it with openbsd (as
I'm an ipsec novice) but I will make the test with openbsd current as
soon as I can ...

Regards
Didier



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-02-06 Thread Christian Weisgerber
Christian Weisgerber [EMAIL PROTECTED] wrote:

 Okay, this is as good an opportunity as any to write down what I
 did to my wireless a while ago:

Meanwhile, ipsecctl has gained support for pre-shared key authentication.
So in 3.9, things are simpler still:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Start up isakmpd -K on both machines.
No isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99 psk secretpassphrase

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1 psk secretpassphrase

Run ipsecctl -f /etc/ipsec.conf on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 -> AP ->
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be ridiculously slow or stall completely.  There must be
a better way, but in the meantime TCP MSS clamping on the gateway
works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the antispoof directive, make sure
to add a pass rule for traffic on enc0.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-01-25 Thread Christian Weisgerber
Didier Wiroth [EMAIL PROTECTED] wrote:

 I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and
 have no ipsec experience.
 
 I'm looking for tutorials with samples, URLs or anything else, where I
 can find additional info on how to secure wifi networks with openbsd's:
 ipsec and authpf.

Okay, this is as good an opportunity as any to write down what I
did to my wireless a while ago:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Exchange public keys:  Copy /etc/isakmpd/private/local.pub from the
gateway to /etc/isakmpd/pubkeys/ipv4/172.16.1.1 on my laptop, and
the laptop's .../local.pub to .../172.16.1.99 on the gateway.

Start up isakmpd -K on both machines.
No other isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1

Run ipsecctl -f /etc/ipsec.conf on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 -> AP ->
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be ridiculously slow or stall completely.  There must be
a better way, but in the meantime TCP clamping on the gateway works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the antispoof directive, make sure
to add a pass rule for traffic on enc0.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]
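The two "write down what I did" posts above (the public-key variant and the 3.9 pre-shared-key variant) give a one-line ipsec.conf per machine plus the gateway's pf rules, MSS clamp and the enc0/antispoof caveat. The script below is an added example, not code from the thread or from OpenBSD: it generates the gateway's ipsec.conf and pf rules for any number of clients in the 3.9 pre-shared-key form, with one key per client instead of a single shared passphrase. The gateway interface name ath0, the client list and the keys are constructed assumptions; the laptop interface ral0 and the addresses 172.16.1.1 / 172.16.1.99 are the thread's own.

```shell
#!/bin/sh
# Added example, not code from the thread: build the gateway's ipsec.conf and
# pf rules for any number of wireless clients, in the 3.9 (pre-shared key)
# form of the recipe, with the three gateway details the posts call out:
# ISAKMP/ESP-only filtering, the MSS clamp on enc0, and a pass rule on enc0
# so antispoof does not drop decoded packets.
# Assumptions (constructed, not from the thread): the gateway's wireless
# interface is ath0, the client list below, and one PSK per client.

GATEWAY=172.16.1.1
GW_IF=ath0      # assumed name of the gateway's wireless interface
LAPTOP_IF=ral0  # the laptop's wireless interface, as in the post

# Constructed client list: "address pre-shared-key", one client per line.
# The addresses are the ones dhcpd pins to each laptop's MAC address.
CLIENTS='172.16.1.99 psk-for-laptop-one
172.16.1.100 psk-for-laptop-two'

# gateway_ipsec_conf CLIENTS
# /etc/ipsec.conf on the gateway: the post's one-liner, repeated per client,
# so a key taken from one laptop only authenticates that laptop's SA.
gateway_ipsec_conf() {
    printf '%s\n' "$1" | while read -r ip psk; do
        [ -n "$ip" ] || continue
        printf 'ike esp from any to %s psk %s\n' "$ip" "$psk"
    done
}

# client_ipsec_conf LAPTOP_IF GATEWAY PSK
# /etc/ipsec.conf on one laptop.
client_ipsec_conf() {
    printf 'ike esp from %s to any peer %s psk %s\n' "$1" "$2" "$3"
}

# gateway_pf_rules GW_IF
# pf.conf fragment in the syntax of the thread's era (scrub and keep state
# as written for 3.8/3.9; pf's scrub syntax changed in 4.7).
gateway_pf_rules() {
    cat <<EOF
wlan = "$1"
# Decoded IPsec traffic shows up on enc0; clamp TCP MSS there so hosts
# behind the gateway do not stall on bulk transfers to the wireless side.
scrub in on enc0 all max-mss 1318
# antispoof blocks \$wlan:network sources arriving on any other interface,
# which is exactly what decoded packets on enc0 look like: pass them first.
pass quick on enc0 all
antispoof for \$wlan
# On the air itself only ISAKMP (udp/500) and ESP are allowed.
block return on \$wlan all
pass in  on \$wlan proto esp to \$wlan keep state
pass out on \$wlan proto esp from \$wlan keep state
pass in  on \$wlan proto udp to \$wlan port isakmp keep state
pass out on \$wlan proto udp from \$wlan port isakmp keep state
EOF
}

gateway_ipsec_conf "$CLIENTS"
client_ipsec_conf "$LAPTOP_IF" "$GATEWAY" psk-for-laptop-one
gateway_pf_rules "$GW_IF"
```

Before loading either file on a real gateway, parse-check them with `ipsecctl -n -f /etc/ipsec.conf` and `pfctl -n -f /etc/pf.conf`; the `pass quick on enc0` line sits before `antispoof` because pf's last-match semantics would otherwise let the antispoof block win.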



tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-01-24 Thread Didier Wiroth
hello,
I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and have no 
ipsec experience.

I'm looking for tutorials with samples, URLs or anything else, where I can find 
additional info on how to secure wifi networks with openbsd's: ipsec and authpf.

In advance, many thanks for any kind of help!!!
Best regards
Didier

--
Ministry of Higher Education
CEDIES
rte d'Esch, 211
L-1471 Luxembourg
Tel: (+352) 478-8669
Fax: (+352) 455656

Pgp key:
http://www.cedies.public.lu/pgp-keys/
--



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-01-24 Thread dick
 Original message 
Date: Tue, 24 Jan 2006 21:35:31 +0000 (GMT)
From: Didier Wiroth [EMAIL PROTECTED]  
Subject: tutorial for securing wifi networks with ipsec and openbsd, 
somewhere?  
To: misc@openbsd.org

hello,
I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and have no
ipsec experience.

I'm looking for tutorials with samples, URLs or anything else, where I can find
additional info on how to secure wifi networks with openbsd's: ipsec and authpf.


look at the manual page for vpn(8) and get a basic setup like the example at the
end working. from there it's not too hard to get other setups working.

cheers,
jake

In advance, many thanks for any kind of help!!!
Best regards
Didier

--
Ministry of Higher Education
CEDIES
rte d'Esch, 211
L-1471 Luxembourg
Tel: (+352) 478-8669
Fax: (+352) 455656

Pgp key:
http://www.cedies.public.lu/pgp-keys/
--



Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

2006-01-24 Thread Chris Kuethe
I try to avoid nat unless there's a good reason to use it (like me
being too cheap to pay for 8 addresses at home) so I'm going to assume
that you're using real (not rfc1918) address space. It complicates
this sort of setup, but only slightly. This is based on lessons
learned running an authenticated, vpn-able wireless net.

First off, get a chunk of network to be used for wireless. It should
be obvious that you don't want your wireless and wired nets to be
bridged. Unless the wired and wireless space is a totally free-for-all
public access area already littered with compromised virus run-time
platforms...

Then, configure a machine as the typical internet gateway - routing,
dhcp, possibly a DNS cache, possibly a web cache... While thinking
about setting up caches, be sure to read up on cache poisoning, and
tunneling IP through DNS requests. You'll probably want to set a
fairly short lease time in dhcp to cope with people who just wander
off or suspend their laptops without releasing their IP addresses. Pay
attention to authpf(8), especially the part about how to set up sshd.

Set up PF to deal with unauthenticated and/or unprotected connections.
We disallow unauthenticated traffic, and allow harmless services
without a vpn and everything with a vpn. Harmless is http (our users
are pretty good about not exposing their local passwords over http),
anonymous ftp (as enforced by ftp-proxy), ssh, chat services and
ssl (pop, imap, http, smtp). And IKE/IPSec. That makes 90% of what people
want easily available: web surfing, webmail and fat client email.
You'll want to learn about filtering on the enc(4) interface. Here's
where you do want to make use of nat: use rdr to snarf unauthenticated
http and redirect it into a local webserver that explains the rules
and procedures for network access.

We've found it useful to make syslog keep authpf logs in
/var/log/authpf, and keep authpf and pf logs for at least 30 days,
rotated at midnight. It makes abuse investigations a bit quicker when
you know where to look for logs.

Set up isakmpd to allow aggressive mode connections. There are a
number of pages up that give example isakmpd.conf files for aggressive
mode that interoperate with windows (I assume you'll have lots of
windows laptops). See www.allard.nu/openbsd

Now you can hook authpf into pf.conf. You can either refer to the
authpf_users table and do something like this:
 no rdr from authpf_users
 pass in log quick on $int_if from authpf_users keep state

or use the anchors.
rdr-anchor authpf/*
nat-anchor authpf/*
binat-anchor authpf/*
# your ruleset here
anchor authpf/*

Under load (200 simultaneous users) you'll probably have better
results using the table method. That's what we're doing on our
wireless gateway.

Things to read: httpd(8), named(8), dhcpd(8), pfctl(8),  authpf(8),
sshd(8), newsyslog(8), syslog.conf(5), isakmpd(8) ... and the pages
they reference.

On 1/24/06, Didier Wiroth [EMAIL PROTECTED] wrote:
 hello,
 I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and have 
 no ipsec experience.

 I'm looking for tutorials with samples, URLs or anything else, where I can 
 find additional info on how to secure wifi networks with openbsd's: ipsec and 
 authpf.

 In advance, many thanks for any kind of help!!!
 Best regards
 Didier

 --
 Ministry of Higher Education
 CEDIES
 rte d'Esch, 211
 L-1471 Luxembourg
 Tel: (+352) 478-8669
 Fax: (+352) 455656

 Pgp key:
 http://www.cedies.public.lu/pgp-keys/
 --




--
GDB has a 'break' feature; why doesn't it have 'fix' too?
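The post above recommends keeping authpf logs in /var/log/authpf for 30 days because abuse investigations start with "who was behind that address at that time". The script below is an added example, not code from the thread or from OpenBSD: it pairs authpf's "allowing" and "removed" syslog lines into one session record per address and user, and answers the who-had-this-address question. The message wording is assumed to match what authpf(8) writes to syslog; the log lines, host name, user names and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: turn authpf's syslog lines into one
# session record per address/user, so an abuse report can be answered from
# the /var/log/authpf history the post recommends keeping.
# The message wording is assumed to match authpf(8)'s "allowing"/"removed"
# syslog output; the log below is constructed sample data, not a real log.

# Constructed sample of what syslog writes to /var/log/authpf.
SAMPLE_LOG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 24 21:35:31 gw authpf[1234]: allowing 10.10.0.5, user didier
Jan 24 21:40:02 gw authpf[1250]: allowing 10.10.0.9, user chris
Jan 24 22:05:31 gw authpf[1234]: removed 10.10.0.5, user didier - duration 1800 seconds
Jan 24 22:10:00 gw authpf[1301]: allowing 10.10.0.5, user gernot
EOF

# authpf_sessions LOG
# Prints one line per session: user ip start end duration, or
# "user ip start active" for a session that has no "removed" line yet.
authpf_sessions() {
    awk '
        $6 == "allowing" {
            ip = $7; sub(/,$/, "", ip)
            start[ip "/" $9] = $1 " " $2 " " $3
        }
        $6 == "removed" {
            ip = $7; sub(/,$/, "", ip); key = ip "/" $9
            printf "%s %s %s %s %ss\n", $9, ip, start[key], $1 " " $2 " " $3, $12
            delete start[key]
        }
        END {
            for (key in start) {
                split(key, p, "/")
                printf "%s %s %s active\n", p[2], p[1], start[key]
            }
        }' "$1"
}

# authpf_who_had LOG IP
# Lists every user authpf ever bound to IP, closed sessions first: the
# same address is handed to different people as dhcp leases turn over.
authpf_who_had() {
    authpf_sessions "$1" | awk -v ip="$2" '$2 == ip { print $1 }'
}

authpf_sessions "$SAMPLE_LOG"
authpf_who_had "$SAMPLE_LOG" 10.10.0.5
```

Run against the real file as `authpf_sessions /var/log/authpf`; with the 30-day rotation the post describes, the same query over the rotated copies covers the whole retention window.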