
[Users] Local 802.11 network help...

From: Brad Colbert (brad_at_rni.net)
Date: Fri Mar 29 2002 - 19:00:43 CET


Hi folks,

I'm trying to set up my Linux 802.11 AP with IPSec to better
secure my wireless network. I'm new to IPSec and FreeS/WAN,
and I know enough routing and NAT to accomplish what I
need.

My setup is this...

                           192.168.1.15 192.168.2.1 192.168.2.4
            DHCP ---[Linux 802.11AP]~~~[laptop]
          ?.?.?.? |
                      192.168.1.1 | 192.168.2.100
==[Cbl Mdm]---[LinkSys Fwall/Rtr]---[Workstation]

Legend:
= Cable connection
- Ethernet
~ Wireless

The Linux 802.11AP machine has an ethernet device with 192.168.1.15
and a wireless device 192.168.2.1. It was NATing from the wireless
device to the ethernet device basically to not expose directly my
private address space to the world.

What I would like to do is run IPSec on the wireless link between the
laptop and the Linux AP. I've found no examples that I can decipher
that represent my setup. My ipsec.conf entries on both machines look
like the following:

LinuxAP:

config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 # interfaces=%defaultroute
 interfaces="ipsec0=wlan0"
 # Debug-logging controls: "none" for (almost) none, "all" for lots.
 klipsdebug=none
 plutodebug=none
 # Use auto= parameters in conn descriptions to control startup actions.
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up
 uniqueids=yes

conn ap-laptop
 authby=rsasig
 # Left security gateway, subnet behind it, next hop toward right.
 left=192.168.2.1
 leftsubnet=0.0.0.0/0
 leftnexthop=
 # RSA 2048 bits ap.dude.net Sat Mar 23 12:22:03 2002
 leftrsasigkey=0sAQ...
 # Right security gateway, subnet behind it, next hop toward left.
 right=192.168.2.4
 rightsubnet=0.0.0.0/0
 rightnexthop=
 # RSA 2048 bits otis.rni.net Fri Mar 22 21:59:38 2002
 rightrsasigkey=0sAQ...
 # To authorize this connection, but not actually start it, at startup,
 # uncomment this.
 auto=add

Laptop:

config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 interfaces="ipsec0=eth1"
 # Debug-logging controls: "none" for (almost) none, "all" for lots.
 klipsdebug=none
 plutodebug=none
 # Use auto= parameters in conn descriptions to control startup
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up.
 uniqueids=yes

conn ap-laptop
 authby=rsasig
 # Left security gateway, subnet behind it, next hop toward right.
 left=192.168.2.1
 leftsubnet=0.0.0.0/0
 leftnexthop=
 # RSA 2048 bits colbert.homeip.net Sat Mar 23 12:22:03 2002
 leftrsasigkey=0sA...
 # Right security gateway, subnet behind it, next hop toward left.
 right=192.168.2.4
 rightsubnet=0.0.0.0/0
 rightnexthop=
 # RSA 2048 bits otis.rni.net Fri Mar 22 21:59:38 2002
 rightrsasigkey=0sA...
 # To authorize this connection, but not actually start it, at startup,
 # uncomment this.
 auto=add

I was able to get to a point where I up'd ap-laptop and had ipsec
interface routes all over the place...

Laptop:

laptop% ipsec look
laptop.dude.net Fri Mar 29 09:05:36 PST 2002
0.0.0.0/0 -> 0.0.0.0/0 => tun0x1002@192.168.2.1 esp0x1454aaff@192.168.2.1 (2)
ipsec0->eth1 mtu=16260(1443)->1500
esp0x1454aaff@192.168.2.1 ESP_3DES_HMAC_MD5: dir=out src=192.168.2.4 iv_bits=64bits iv=0xfe0455f8bec5a75e ooowin=64 seq=1 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(168,0,0)addtime(3741,0,0)usetime(3760,0,0) idle=77
esp0x81f5d1c3@192.168.2.4 ESP_3DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0x96ff7ae5b29600d1 ooowin=64 seq=1 bit=0x1 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(261,0,0)addtime(3741,0,0)usetime(3810,0,0) idle=27
tun0x1001@192.168.2.4 IPIP: dir=in src=192.168.2.1 policy=0.0.0.0/0->0.0.0.0/0 flags=0x8<> life(c,s,h)=bytes(261,0,0)addtime(3741,0,0)usetime(3810,0,0) idle=27
tun0x1002@192.168.2.1 IPIP: dir=out src=192.168.2.4 life(c,s,h)=bytes(136,0,0)addtime(3741,0,0)usetime(3760,0,0) idle=77
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG     40 0      0    ipsec0
0.0.0.0         192.168.2.1     128.0.0.0       UG     40 0      0    ipsec0
128.0.0.0       192.168.2.1     128.0.0.0       UG     40 0      0    ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
192.168.2.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0

What a mess ;)

Thanks,

Brad
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
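Added example, not from the post or from FreeS/WAN itself: a small Python lint that parses a conn section of the shape posted above and reports why a host-to-host conn with leftsubnet and rightsubnet both set to 0.0.0.0/0 sprays routes over ipsec0. It assumes the ipsec.conf(5) rule that an omitted *subnet means the host itself (host/32) and the _updown behaviour of splitting a 0.0.0.0/0 peer subnet into the two /1 half-routes that the laptop's route table shows; the sample config is constructed and its RSA keys are placeholders.

```python
import ipaddress

# Constructed ipsec.conf fragment mirroring the posted AP-side conn (keys are placeholders).
SAMPLE_CONF = """\
config setup
 interfaces="ipsec0=wlan0"

conn ap-laptop
 authby=rsasig
 left=192.168.2.1
 leftsubnet=0.0.0.0/0
 leftnexthop=
 leftrsasigkey=0sPLACEHOLDER
 right=192.168.2.4
 rightsubnet=0.0.0.0/0
 rightnexthop=
 rightrsasigkey=0sPLACEHOLDER
 auto=add
"""

def parse_conf(text):
    """ipsec.conf syntax: a line at column 0 opens a section ('config setup',
    'conn NAME'); indented key=value lines belong to it.  Comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, _, val = line.strip().partition("=")
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

def half_routes(peer_subnet):
    """Routes _updown installs toward the peer's subnet: a 0.0.0.0/0 peer subnet
    becomes two /1 halves via ipsec0 so the real default route is not replaced."""
    net = ipaddress.ip_network(peer_subnet)
    return ["0.0.0.0/1", "128.0.0.0/1"] if net.prefixlen == 0 else [str(net)]

def lint_conn(name, conn):
    """Heuristic checks for a host-to-host conn where both ends share one link."""
    findings, ends = [], {}
    for side in ("left", "right"):
        host = ipaddress.ip_address(conn[side])
        # Omitted *subnet means the host itself (host/32), per ipsec.conf(5).
        ends[side] = ipaddress.ip_network(conn.get(side + "subnet", f"{host}/32"))
        if conn.get(side + "nexthop", "x") == "":
            findings.append(f"{name}: {side}nexthop is present but empty; set it or drop the line")
    if ends["left"].overlaps(ends["right"]):
        findings.append(f"{name}: leftsubnet {ends['left']} and rightsubnet {ends['right']} overlap; "
                        "each end should name only the addresses actually behind it")
    for side, other in (("left", "right"), ("right", "left")):
        if ends[other].prefixlen == 0:  # the whole Internet is 'behind' the peer
            findings.append(f"{name}: on {side}, {other}subnet=0.0.0.0/0 installs routes "
                            f"{half_routes(str(ends[other]))} via ipsec0 (all traffic into the tunnel)")
    return findings
```

Dropping both *subnet lines (so each end defaults to its own /32) yields no findings, which is the minimal host-to-host form for a laptop and AP on the same wireless segment.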



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST