Steve Wright wrote:
> Hi Folks,
>
> What are we using to secure single point-to-point links? - viz WEP, but actually secure..
>
> AIUI, Ad-Hoc mode must be used for backbones, but this leaves security to be done at the IP level - not really good enough.
>
> I have read up on IPSec, but that seems to be about tunneling all the routers to a central point, or maintaining multiple IPsec dedicated links per router, which is either horribly wasteful on bandwidth, or horribly complicated to configure/maintain.
>
> 8-/ I wonder whether the opportunistic approach might be used - with each router IPSec forwarding to the next one.
>
> Anyone doing this? I need a few pointers.

It's possible to create IPSec tunnels (host-subnet or subnet-subnet) where the far end is the whole internet, but that can get pretty complicated with even a single wireless link if you've got multiple networks on either end and/or implement masquerading (the firewall rules and routing tables can get pretty ugly).


I recently tried setting up something like this between a couple of Dachstein boxes, and I've since fallen back to simply firewalling both ends of the wireless link and treating it like a hostile network. It would be possible with my current setup for someone to DoS my wireless link (always a possibility with a big enough noise generator), sniff my traffic (possible once it gets on the internet anyway, although the wireless traffic is a lot easier to sniff if you're physically close to me) or to manage access to the wireless link itself (which would allow them to attempt to hack the admin passwords on my APs, or gain internet access, but *NOT* allow them to attack any of my secured networks).

I think probably the easiest method for doing what you want is to set up a GRE tunnel over a host-host IPSec tunnel between two routers/firewalls on either end of the link. You can pipe routing protocols (RIP, BGP, etc) across the GRE tunnel, and drop anything that doesn't come in over the IPSec interfaces (other than IPSec and IKE traffic itself, obviously).

Some details on crafting this sort of setup can be found in the current FreeS/WAN documentation and mailing list archives. I intend to set something like this up eventually, but I don't want to go through the effort until after I upgrade to Bering...

--
Charles Steinkuehler
[EMAIL PROTECTED]
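As an added illustration of the GRE-over-host-to-host-IPsec layout Charles describes (not code from the original thread), here is a POSIX shell script that prints, or as root applies, the Linux `ip`/`iptables` commands for one end of the link: only IKE, ESP and AH from the peer are accepted on the wireless interface, GRE is accepted only after it has come out of the IPsec interface, and routed traffic is accepted only from the GRE device. Interface names, addresses and the FreeS/WAN `ipsec0` device name are assumptions; the IPsec SA itself is configured separately in ipsec.conf.

```shell
#!/bin/sh
# Constructed example: one router end of a GRE tunnel riding on a
# host-to-host IPsec SA across a hostile wireless link.
# Usage: ./gre_ipsec.sh show   (print commands)
#        ./gre_ipsec.sh apply  (execute them, needs root)
WLAN_IF=wlan0            # assumed: physical wireless link, treated as hostile
LOCAL_WLAN=10.0.0.1      # assumed: our address on the wireless link
PEER_WLAN=10.0.0.2       # assumed: far router on the wireless link
IPSEC_IF=ipsec0          # assumed: FreeS/WAN KLIPS virtual interface
GRE_IF=gre1
GRE_LOCAL=172.16.0.1/30  # assumed: tunnel address; RIP/BGP peers over this

# GRE tunnel between the two wireless addresses; the IPsec policy for
# LOCAL_WLAN<->PEER_WLAN (ipsec.conf) wraps every GRE packet in ESP.
gre_cmds() {
    cat <<EOF
ip tunnel add $GRE_IF mode gre local $LOCAL_WLAN remote $PEER_WLAN ttl 64
ip addr add $GRE_LOCAL dev $GRE_IF
ip link set $GRE_IF up
EOF
}

# Filter policy. On the wireless interface only IKE (UDP/500), ESP and AH
# from the peer are allowed in; everything else on that interface is dropped,
# including clear-text GRE. GRE is accepted only once it has been decrypted
# (arrives on ipsec0), and routed traffic only from the GRE device.
fw_cmds() {
    cat <<EOF
iptables -N WLAN_IN
iptables -A WLAN_IN -p udp -s $PEER_WLAN --sport 500 --dport 500 -j ACCEPT
iptables -A WLAN_IN -p esp -s $PEER_WLAN -j ACCEPT
iptables -A WLAN_IN -p ah -s $PEER_WLAN -j ACCEPT
iptables -A WLAN_IN -j DROP
iptables -A INPUT -i $WLAN_IF -j WLAN_IN
iptables -A FORWARD -i $WLAN_IF -j WLAN_IN
iptables -A INPUT -i $IPSEC_IF -p gre -s $PEER_WLAN -j ACCEPT
iptables -A INPUT -i $GRE_IF -j ACCEPT
iptables -A FORWARD -i $GRE_IF -j ACCEPT
EOF
}

# Sanity check: returns 0 when no rule admits GRE in the clear on the wireless side.
no_clear_gre() {
    ! fw_cmds | grep -q -- "-i $WLAN_IF.*-p gre"
}

case "${1:-show}" in
    show)  gre_cmds; fw_cmds ;;
    apply) gre_cmds | sh -e; fw_cmds | sh -e ;;
esac
```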
