Steve Wright wrote:
Charles Steinkuehler wrote:

I recently tried setting up something like this between a couple of Dachstein boxes, and I've since fallen back to simply firewalling both ends of the wireless link and treating it like a hostile network. It would be possible with my current setup for someone to DoS my wireless link (always a possibility with a big enough noise generator), sniff my traffic (possible once it gets on the internet anyway, although the wireless traffic is a lot easier to sniff if you're physically close to me) or to manage access to the wireless link itself (which would allow them to attempt to hack the admin passwords on my APs, or gain internet access, but *NOT* allow them to attack any of my secured networks).

Thanks Charles, Eric,


I'm really surprised there isn't a simple solution.. what about an ssh tunnel? I'm not an expert on those, but I cannot imagine I can tunnel two scopes over an ssh tunnel...

You could use an ssh tunnel, but you'll run into routing problems similar to (if not worse than) the issues with using an IPSec tunnel to 0/0 (the whole internet).


Plus, you'll have the tcp over tcp issue, which can get ugly if you have any packet loss, and you did mention this is for a wireless link.

Sidebar: TCP is a guaranteed connection protocol...the low-level IP stack keeps track of packets, so lost/garbled packets are retransmitted, and the application layer is presented with a nice, consistent, everything-in-order data stream. The low-level methods to do this, however, do not "stack" well, which is what you're doing when you run one tcp connection (say an http connection to a remote webserver) over another tcp connection (like your proposed ssh tunnel).

I think probably the easiest method for doing what you want is to set up a GRE tunnel over a host-host IPSec tunnel between two routers/firewalls on either end of the link. You can pipe routing protocols (RIP, BGP, etc) across the GRE tunnel, and drop anything that doesn't come in over the IPSec interfaces (other than IPSec and IKE traffic itself, obviously).

! that sounds even more complicated.. I think some more reading / study is in order. 8-/

:) It's not really as complex as it sounds, and depending on your situation, you may be able to get by with just a conventional ipsec tunnel to the whole internet encrypting your wireless traffic.


IPSec tunnels are pretty paranoid about security (imagine that), and won't pipe traffic if *BOTH* endpoints don't match the tunnel specifications. This means that you cannot use an IPSec link between two boxes to route arbitrary additional traffic (i.e. use the IPSec link like a generic point-point link or route). That's where GRE comes in.

By building a point-point IPSec tunnel (which is typically the simplest to setup and maintain), *THEN* putting a gre tunnel over that, you can treat the IPSec link like any other network connection and route traffic down it using normal routing tools (including manual routing, or automated routing protocols like RIP & BGP).

A -+        +-E
B -+        +-F
C -+        +-G
D -+--X---Y-+-H

For example, in the above, assume X and Y are two routers, ABCDEFGH are all networks hooked to those routers, and we want to encrypt all traffic between all networks that goes over the link between X and Y with IPSec.

This would require 16 separate subnet/subnet tunnel specifications if you only use IPSec tunnels (possible, but clumsy).

By creating a single host-host tunnel between X and Y, the two routers can then talk to each other, but they cannot route other network traffic down the link (since the source/destination IPs don't match the tunnel specification).

The addition of GRE allows the encapsulation of arbitrary traffic into point-point traffic which *WILL* go across the host-host XY IPSec tunnel.

I don't know enough about your setup to know if using an IPSec tunnel with a 0/0 endpoint will work well for you, or if you'll need something a bit more complex...

--
Charles Steinkuehler
[EMAIL PROTECTED]
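As an added worked example (not code from the thread or from the LEAF/Dachstein project), the following Python script models the two points Charles makes above: an IPSec tunnel spec only protects a packet when *both* its source and destination match the selectors, so transit traffic from A to E is refused by a single X-Y host-host tunnel until GRE wraps it in an X-to-Y outer header; and the ingress rule for the wireless-facing interface, which admits IKE and ESP in the clear only from the peer and otherwise requires that traffic arrived through the IPSec SA. The router addresses (192.0.2.1 for X, 198.51.100.1 for Y), the 10.1.x.0/24 and 10.2.x.0/24 networks for A..H, and the stranger address 203.0.113.9 are constructed for the example; the packet and policy classes are simplifications, not any IPSec implementation's data structures.

```python
"""Model of the selector check that makes a host-to-host IPsec tunnel refuse
transit traffic, and of how GRE encapsulation gets around it.
Added illustration for the thread above; not code from the LEAF/Dachstein
project. All addresses below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import product
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
IKE_PORT = 500

# Constructed topology: routers X and Y, networks A-D behind X, E-H behind Y.
X = ip_address("192.0.2.1")
Y = ip_address("198.51.100.1")
NETS_X = {name: ip_network(f"10.1.{i}.0/24") for i, name in enumerate("ABCD")}
NETS_Y = {name: ip_network(f"10.2.{i}.0/24") for i, name in enumerate("EFGH")}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # set when this is a GRE outer header


@dataclass(frozen=True)
class IpsecPolicy:
    """One tunnel spec. Traffic is protected only if BOTH endpoints match."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


def host_host_policy() -> IpsecPolicy:
    """The single X<->Y host-host tunnel from the diagram."""
    return IpsecPolicy(ip_network(f"{X}/32"), ip_network(f"{Y}/32"))


def subnet_policies() -> list:
    """The clumsy alternative: one subnet/subnet spec per (A..D, E..H) pair."""
    return [IpsecPolicy(a, b) for a, b in product(NETS_X.values(), NETS_Y.values())]


def protected(pkt: Packet, policies) -> bool:
    return any(p.matches(pkt) for p in policies)


def gre_encapsulate(inner: Packet) -> Packet:
    """GRE wraps the transit packet in an X->Y outer header (IP proto 47),
    which is what the host-host selector actually looks at."""
    return Packet(X, Y, PROTO_GRE, inner=inner)


def ingress_allows(pkt: Packet, arrived_via_ipsec: bool) -> bool:
    """Filter on Y's wireless-facing interface, following the thread's rule:
    accept IKE and ESP in the clear only from the peer X (they ARE the tunnel),
    accept anything delivered through the IPsec SA, drop everything else."""
    from_peer = pkt.src == X and pkt.dst == Y
    if from_peer and pkt.proto == PROTO_ESP:
        return True
    if from_peer and pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
        return True
    return arrived_via_ipsec


def demo() -> dict:
    """Run the scenario from the diagram: a host on A talks HTTP to a host on E."""
    transit = Packet(ip_address("10.1.0.10"), ip_address("10.2.0.20"),
                     PROTO_TCP, dport=80)
    wrapped = gre_encapsulate(transit)
    host_only = [host_host_policy()]
    stranger = ip_address("203.0.113.9")  # constructed: not the IPsec peer
    return {
        "subnet_specs_needed": len(subnet_policies()),
        "raw_over_host_tunnel": protected(transit, host_only),
        "gre_over_host_tunnel": protected(wrapped, host_only),
        "raw_over_subnet_specs": protected(transit, subnet_policies()),
        "cleartext_gre_from_stranger": ingress_allows(
            Packet(stranger, Y, PROTO_GRE), False),
        "gre_via_ipsec": ingress_allows(wrapped, True),
        "esp_from_peer": ingress_allows(Packet(X, Y, PROTO_ESP), False),
        "esp_from_stranger": ingress_allows(Packet(stranger, Y, PROTO_ESP), False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real Linux router this corresponds to a host-host (transport-style) IPSec SA between X and Y carrying IP protocol 47, a GRE tunnel interface bound to those two addresses, and routes (static or from RIP/BGP) pointing at the GRE interface. The exact commands depend on the IPSec stack in use (the FreeS/WAN of the Dachstein era or the kernel's xfrm tooling today), so they are deliberately not reproduced here.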




leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
