Re: Wifi ipsec freebsd
Hello,

I too have set up an ipsec secured wireless network and this article helped clarify some of the points that were a bit hazy. Tunnel vs. transport mode was something I never fully understood. I did notice that when using transport mode only the packets between the 2 participating hosts were encrypted (tcpdump reveals all) and everything else (broadcast included) was still in the clear. Your guide has helped explain this. Well done on a structured, concise article.

Matthew Faircliff

On Tue, Nov 25, 2003 at 11:25:34AM -0800, Timothy Ham wrote:
> Date: Tue, 25 Nov 2003 11:25:34 -0800 (PST)
> From: Timothy Ham <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Wifi ipsec freebsd
>
> After a few days of struggling, I have successfully set up an ipsec
> connection over wifi between a FreeBSD gateway and a Windows laptop.
> Since I had to search for the information I needed all over the net, I
> have written a step-by-step set-up guide to help anyone else trying to
> secure their wifi connection. I hope this is useful.
[snip]
Re: Wifi ipsec freebsd
> After a few days of struggling, I have successfully set up an ipsec
> connection over wifi between a FreeBSD gateway and a Windows laptop.
> Since I had to search for the information I needed all over the net, I
> have written a step-by-step set-up guide to help anyone else trying to
> secure their wifi connection. I hope this is useful.
[snip]

Tim, could you consider submitting this to the documentation team? It would make a great article!

http://www.freebsd.org/docproj/submitting.html

--
Cordula's Web. http://www.cordula.ws/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Wifi ipsec freebsd
After a few days of struggling, I have successfully set up an ipsec connection over wifi between a FreeBSD gateway and a Windows laptop. Since I had to search for the information I needed all over the net, I have written a step-by-step set-up guide to help anyone else trying to secure their wifi connection. I hope this is useful.

Thanks for your attention.

-Begin Guide-

FreeBSD Wi-Fi IPsec easy-setup guide
Timothy Ham
Nov 23, 2003
Version 1.0

The latest version of this file can be found at:
http://sahara.lbl.gov/~tham/wifi-ipsec.txt

0. Abstract
---

An IPsec tunneling connection was set up between a MS-Windows host with wireless ethernet and a FreeBSD NAT gateway. This setup allowed the mobile host to have a secure and encrypted connection over an inherently insecure wi-fi radio network.

1. Introduction
---

Recently I have purchased a "Wireless Bundle", consisting of a wireless NAT router and a PCMCIA 802.11b card, for not a lot of money (I love cheap hardware). Being a consumer device, it was very easy to set up and to get it working with my existing home LAN. But difficulties arose when I tried to secure the connection, and also when I tried to protect the rest of my LAN from any intrusion through the wireless access point.

The choice of IPsec over WEP was for me obvious. Besides WEP being insecure (the secret key can be recovered easily), my PCMCIA card had buggy firmware, which kept dropping connections when WEP was turned on. The problem was well documented on various web boards and the manufacturer had no updates to fix the problem (I hate cheap hardware). As such, I was left with a superior, but harder to set up, choice.

There were some resources available on the web to set up IPsec VPN, but none of them were specific enough for my case. As such, I thought I would share my experience hoping it will be useful for others.

2. Isolating the Wireless LAN
---

My existing home LAN was as follows. I had a dual-homed FreeBSD NAT gateway with dhcpd running to dole out private IP addresses to any machine connected to the LAN. A guest could come by and connect their laptop to the LAN and surf the web. A typical setup.

The first step was segregating the wireless LAN from the rest of my home LAN. I made this easy by installing another ethernet card ($10) into the FreeBSD box, and giving it a separate address space. For example, my existing LAN was using 192.168.1.x. The new ethernet card has 192.168.2.1. With proper firewall rules and IPsec, this segment can be isolated from the rest of my home LAN.

Because my wireless access point is sold as a router/switch (it was much cheaper than a stand-alone access point--go figure) its router functions (DHCPD, NAT) had to be disabled. It had a web interface to change its settings. I also gave the wifi net a name. The router had 4 ethernet ports labeled "LAN", and one port labeled "WAN". Since I'm just using the wireless/switch portion, I connected my new ethernet card (192.168.2.1) to one of the "LAN" ports. The laptop was given a permanent IP of 192.168.2.10.

3. Transport Mode vs Tunnel Mode
---

This part had confused me a great deal because the literature out there (including the FreeBSD handbook) mentions IPsec tunnels in terms of VPNs--that is, two gateway machines connecting two sub-nets over a secure tunnel using a virtual interface gif. So at first, I thought what I wanted was a transport layer that encrypted packets end-to-end. But this is *not* what you want. All packets between the laptop (host) and the gateway (192.168.2.10<->192.168.2.1) were encrypted. However, any other packets destined to the rest of the internet were not (192.168.2.10->www.yahoo.com). This is not what you want.

What you *do* want is an encrypted tunnel between the host and the gateway that carries packets from the host to the rest of the internet. Here is what should happen: Any outgoing packet from the host to anywhere (192.168.2.10->www.yahoo.com) should be encrypted and encapsulated in another packet designated to the gateway (192.168.2.10->192.168.2.1). Once the gateway receives the packet, it is decrypted and forwarded to www.yahoo.com. A returning packet (www.yahoo.com->192.168.2.10) should be encrypted and encapsulated by the gateway and sent to the host (192.168.2.1->192.168.2.10). The host will decrypt the packet and read the contents. The existing NAT machinery will handle the private IP address translation at the public internet interface.

4. Setting up the Gateway
---

With the above in mind, here is how the gateway was set up.

A. Recompile the kernel with IPsec support by adding the following to the kernel config file:

    options IPSEC
    options IPSEC_ESP

Recompile, reinstall, and reboot with the new kernel.

Add the following to /etc/rc.conf:

    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"

B. Setup
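The transport-vs-tunnel distinction from section 3 (and the broadcast-in-the-clear observation in the first reply), as an added simulation that is not part of the guide or of any FreeBSD code: a toy security policy database evaluated with the guide's addresses, showing which packets each mode protects and which addresses end up in the header on the wire. The CIDR selector form, the stand-in address for www.yahoo.com and the broadcast address are assumptions, not values from the guide.

```python
import ipaddress
from dataclasses import dataclass

HOST, GATEWAY = "192.168.2.10", "192.168.2.1"  # addresses from the guide
YAHOO = "203.0.113.7"        # constructed stand-in for www.yahoo.com
BROADCAST = "192.168.2.255"  # the broadcast traffic the reply saw in the clear


@dataclass(frozen=True)
class Policy:
    """One SPD entry: CIDR selectors, mode, and tunnel endpoints (tunnel mode only)."""
    src: str
    dst: str
    mode: str             # "transport" or "tunnel"
    tunnel_src: str = ""  # outer-header endpoints, tunnel mode only
    tunnel_dst: str = ""

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def apply_spd(policies, src, dst):
    """Simulate the outbound SPD lookup for one packet src->dst.

    Returns whether ESP protects the packet and the addresses in the header
    actually put on the wire. First matching entry wins, as in a real SPD;
    with no match the packet leaves in the clear. No real ESP is built, and
    the broadcast/multicast exemptions real stacks apply are not modelled.
    """
    for p in policies:
        if p.matches(src, dst):
            if p.mode == "transport":
                # transport mode keeps the original header and encrypts the payload
                return {"protected": True, "wire": (src, dst)}
            # tunnel mode wraps the whole packet in a new header to the peer
            return {"protected": True, "wire": (p.tunnel_src, p.tunnel_dst)}
    return {"protected": False, "wire": (src, dst)}


# Section 3's first attempt: transport mode between host and gateway only.
TRANSPORT_SPD = [Policy(f"{HOST}/32", f"{GATEWAY}/32", "transport")]

# What the guide says you want: everything the host sends, tunneled to the gateway.
HOST_TUNNEL_SPD = [Policy(f"{HOST}/32", "0.0.0.0/0", "tunnel", HOST, GATEWAY)]

# The gateway-side entry for the return path the guide describes.
GATEWAY_TUNNEL_SPD = [Policy("0.0.0.0/0", f"{HOST}/32", "tunnel", GATEWAY, HOST)]
```

Under TRANSPORT_SPD only the host-to-gateway packet is protected; the packet to www.yahoo.com and the broadcast leave in the clear, which is exactly what tcpdump showed. Under HOST_TUNNEL_SPD the yahoo-bound packet goes out inside a 192.168.2.10->192.168.2.1 header, and the gateway's entry wraps the reply the other way.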