Re: Wifi ipsec freebsd

2003-11-27 Thread Matthew Faircliff
Hello,

I too have set up an ipsec-secured wireless network and this article
helped clarify some of the points that were a bit hazy. 

Tunnel vs. transport mode was something I never fully understood. I did
notice that when using transport mode only the packets between the 2
participating hosts were encrypted (tcpdump reveals all) and everything 
else (broadcast included) was still in the clear. Your guide has helped 
explain this.

Well done on a structured, concise article. 

Matthew Faircliff

On Tue, Nov 25, 2003 at 11:25:34AM -0800, Timothy Ham wrote:
Date: Tue, 25 Nov 2003 11:25:34 -0800 (PST)
From: Timothy Ham [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Wifi ipsec freebsd

After a few days of struggling, I have successfully set up an ipsec
connection over wifi between a FreeBSD gateway and  a Windows laptop.
Since I had to search for the information I needed all over the net, I
have written a step-by-step set-up guide to help anyone else trying to
secure their wifi connection.  I hope this is useful.

Thanks for your attention.

-Begin Guide-

FreeBSD Wi-Fi IPsec easy-setup guide
Timothy Ham tham (at) socrates berkeley edu
Nov 23, 2003

Version 1.0
The latest version of this file can be found at:
http://sahara.lbl.gov/~tham/wifi-ipsec.txt

0. Abstract
---

An IPsec tunneling connection was set up between a MS-Windows host
with wireless ethernet and a FreeBSD NAT gateway.  This setup
allowed the mobile host to have a secure and encrypted connection
over an inherently insecure wi-fi radio network.

1. Introduction
---

Recently I have purchased a Wireless Bundle, consisting of a
wireless NAT router and a PCMCIA 802.11b card, for not a lot of
money (I love cheap hardware).  Being a consumer device, it was
very easy to set up and to get it working with my existing home LAN.
But difficulties arose when I tried to secure the connection, and
also when I tried to protect the rest of my LAN from any intrusion
through the wireless access point.

The choice of IPsec over WEP was for me obvious.  Besides WEP being
insecure (secret key can be recovered easily), my PCMCIA card had
a buggy firmware, which kept dropping connections when WEP was
turned on.  The problem was well documented on various web boards
and the manufacturer had no updates to fix the problem (I hate
cheap hardware). As such, I was left with a superior, but harder
to set up, choice.

There were some resources available on the web to set up IPsec
VPN, but none of them were specific enough for my case. As such,
I thought I would share my experience hoping it will be useful
for others.

2. Isolating the Wireless LAN
---

My existing home LAN was as follows.  I had a dual-homed FreeBSD
NAT gateway with dhcpd running to dole out private IP addresses to
any machine connected to the LAN.  A guest could come by and connect
their laptop to the LAN and surf the web.  A typical setup.

The first step was segregating the wireless LAN from the rest
of my home LAN.  I made this easy by installing another ethernet
card ($10) into the FreeBSD box, and giving it a separate address
space.  For example, my existing LAN was using 192.168.1.x.
The new ethernet card has 192.168.2.1. With proper firewall
rules and IPsec, this segment can be isolated from the rest of my
home LAN.

Because my wireless access point is sold as a router/switch (it
was much cheaper than a stand-alone access point--go figure) its
router functions (DHCPD, NAT) had to be disabled. It had a web
interface to change its settings. I also gave the wifi net a
name. The router had 4 ethernet ports labeled LAN, and one port
labeled WAN.  Since I'm just using the wireless/switch portion,
I connected my new ethernet card (192.168.2.1) to one of the LAN
ports.

The laptop was given a permanent IP of 192.168.2.10.

3. Transport Mode vs Tunnel Mode
---

This part had confused me a great deal because the literature
out there (including the FreeBSD handbook) mentions IPsec tunnels
in terms of VPNs--that is, two gateway machines connecting two
sub-nets over a secure tunnel using a virtual interface gif.  So
at first, I thought what I wanted was a transport layer, that
encrypted packets end-to-end. But this is *not* what you want.
All packets between the laptop (host) and the gateway
(192.168.2.10-192.168.2.1) were encrypted. However, any other
packets destined to the rest of the internet were not
(192.168.2.10-www.yahoo.com).  This is not what you want. What
you *do* want is an encrypted tunnel between the host and the
gateway that carries packets from the host to the rest of the
internet.

Here is what should happen:
Any outgoing packet from the host to anywhere
(192.168.2.10-www.yahoo.com) should be encrypted and encapsulated
in another packet designated to the gateway
(192.168.2.10-192.168.2.1).  Once the gateway receives the
packet, it is decrypted and forwarded to www.yahoo.com.

A returning packet (www.yahoo.com
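The transport-versus-tunnel distinction in section 3 of the quoted guide, and Matthew's tcpdump observation that under transport mode only host-to-gateway traffic was protected, can be checked against a small model of how an IPsec security policy database (SPD) selects packets. The following Python is an added illustration and is not code from either post, from setkey(8), racoon, or FreeBSD: the addresses 192.168.2.10 and 192.168.2.1 come from the guide, while 192.168.2.20 (another wireless station) and 203.0.113.10 (a stand-in for www.yahoo.com) are constructed; the setkey lines in the comments are my rendering of each policy in the KAME notation the FreeBSD handbook uses, not configuration taken from the guide.

```python
"""Model of IPsec policy selection: transport mode vs. tunnel mode.

Constructed illustration (not setkey(8), racoon, or any FreeBSD code).
A policy is chosen by the addresses of the packet; a transport-mode
policy protects only traffic between the two named hosts, while a
tunnel-mode policy wraps the whole packet in a new IP header addressed
to the tunnel endpoint (the gateway), so anything the host sends anywhere
crosses the wireless segment as ESP host->gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAPTOP = "192.168.2.10"          # wireless host (address from the guide)
GATEWAY = "192.168.2.1"          # FreeBSD gateway, wireless-segment NIC (from the guide)
OTHER_STATION = "192.168.2.20"   # constructed: another client on the wireless segment
BROADCAST = "192.168.2.255"      # constructed: directed broadcast of that segment
FAR_HOST = "203.0.113.10"        # constructed stand-in for www.yahoo.com


@dataclass
class Packet:
    src: str
    dst: str
    esp: bool = False                            # payload protected by ESP?
    outer: Optional[Tuple[str, str]] = None      # (src, dst) of the outer header, if tunneled

    def wire(self) -> str:
        """What tcpdump on the wireless segment would show for this packet."""
        if self.outer:
            return f"ESP {self.outer[0]}->{self.outer[1]} [inner {self.src}->{self.dst}]"
        if self.esp:
            return f"ESP {self.src}->{self.dst}"
        return f"clear {self.src}->{self.dst}"


@dataclass
class Policy:
    src_net: str                                 # selector, e.g. "192.168.2.10/32"
    dst_net: str                                 # selector, e.g. "0.0.0.0/0"
    mode: str                                    # "transport" or "tunnel"
    endpoints: Optional[Tuple[str, str]] = None  # tunnel (local, remote), tunnel mode only

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


def outbound(pkt: Packet, spd: List[Policy]) -> Packet:
    """Apply the first matching outbound policy; no match means sent in the clear."""
    for pol in spd:
        if pol.matches(pkt):
            if pol.mode == "transport":
                return Packet(pkt.src, pkt.dst, esp=True)
            return Packet(pkt.src, pkt.dst, esp=True, outer=pol.endpoints)
    return pkt


def inbound_at_gateway(pkt: Packet) -> str:
    """Gateway's handling of a packet arriving from the wireless side."""
    if pkt.outer and pkt.outer[1] == GATEWAY:
        # strip the outer header, decrypt, then route the inner packet as usual
        return f"decapsulated, forward {pkt.src}->{pkt.dst}"
    if pkt.esp:
        return f"decrypted, deliver locally {pkt.src}->{pkt.dst}"
    return f"clear, {pkt.src}->{pkt.dst}"


# What the guide tried first: transport mode between the two hosts only.
# setkey(8) form (assumed): spdadd 192.168.2.10/32 192.168.2.1/32 any -P out ipsec esp/transport//require;
TRANSPORT_SPD = [Policy(f"{LAPTOP}/32", f"{GATEWAY}/32", "transport")]

# What the guide says you actually want: a tunnel from the host to the gateway
# that carries everything the host sends, wherever it is going.
# setkey(8) form (assumed): spdadd 192.168.2.10/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.2.10-192.168.2.1/require;
LAPTOP_TUNNEL_SPD = [Policy(f"{LAPTOP}/32", "0.0.0.0/0", "tunnel", (LAPTOP, GATEWAY))]

# Mirror policy on the gateway so replies are tunneled back to the host.
# setkey(8) form (assumed): spdadd 0.0.0.0/0 192.168.2.10/32 any -P out ipsec esp/tunnel/192.168.2.1-192.168.2.10/require;
GATEWAY_TUNNEL_SPD = [Policy("0.0.0.0/0", f"{LAPTOP}/32", "tunnel", (GATEWAY, LAPTOP))]


def demo() -> dict:
    """Wire view of the same packets under each policy set."""
    to_gw = Packet(LAPTOP, GATEWAY)
    to_far = Packet(LAPTOP, FAR_HOST)
    reply = Packet(FAR_HOST, LAPTOP)
    bcast = Packet(OTHER_STATION, BROADCAST)
    return {
        "transport/to_gateway": outbound(to_gw, TRANSPORT_SPD).wire(),
        "transport/to_far": outbound(to_far, TRANSPORT_SPD).wire(),
        "tunnel/to_far": outbound(to_far, LAPTOP_TUNNEL_SPD).wire(),
        "tunnel/reply": outbound(reply, GATEWAY_TUNNEL_SPD).wire(),
        "tunnel/at_gateway": inbound_at_gateway(outbound(to_far, LAPTOP_TUNNEL_SPD)),
        "other_station_broadcast": outbound(bcast, LAPTOP_TUNNEL_SPD).wire(),
    }


if __name__ == "__main__":
    for name, view in demo().items():
        print(f"{name:26} {view}")
```

The last entry is the point Matthew raised: a policy whose selector is the laptop's address says nothing about other stations, so their traffic (broadcasts included) stays in the clear under either policy set; only traffic the policy selects is protected, and the tunnel policy is what extends that selection from "host to gateway" to "host to anywhere".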

Re: Wifi ipsec freebsd

2003-11-26 Thread Cordula's Web
 After a few days of struggling, I have successfully set up an ipsec
 connection over wifi between a FreeBSD gateway and  a Windows laptop.
 Since I had to search for the information I needed all over the net, I
 have written a step-by-step set-up guide to help anyone else trying to
 secure their wifi connection.  I hope this is useful.
[snip]

Tim, could you consider submitting this to the documentation
team? It would make a great article!

  http://www.freebsd.org/docproj/submitting.html

-- 
Cordula's Web. http://www.cordula.ws/

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]