I researched using a VPN to secure our wireless and used a similar topology,
but a little tighter. We plan on doing something more like:

<<-------------------------------VPN----------------------------------->>
Laptop ---> Access Point ---> Dedicated Router ---> Dedicated VPN Gateway
---> Internal Network ---> Firewall ---> Internet

        The VPN client (Nokia) default filter for traffic not intended for
the gateway is set to drop. They can only talk to the gateway. The Dedicated
Router has a default gateway of the VPN's external interface and a static
route to get there, so all traffic goes to the gateway. The Dedicated VPN
Gateway must be configured to protect any host so the wireless clients can
have Internet access. When configured this way, a rogue user who does
manage to get on the access point can only traverse the physical route to
the Dedicated VPN Gateway. He cannot get through without a client and
policy with proper authentication. He cannot talk to any other wireless
clients if they are all logged in to the VPN with a default-drop traffic
filter set.


Ross Barnes, CCNA


-----Original Message-----
From: Clinton McDonald [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 6:49 PM
To: [EMAIL PROTECTED]
Subject: Wireless VPN cracking.


Hello all..

I've got a couple of (hopefully!) quick questions regarding a wireless
VPN.

I have set up a pix to terminate a VPN for our wireless users, to keep
all their network traffic secure.  It looks vaguely like this:

<<----------VPN--------------->>
Laptop ---> Access Point ---> Pix ---> Switch ---> Server
172.16.0.1                                                10.1.1.11

The laptop is running the Cisco Secure VPN Client (3.5), and when the
VPN is connected, the Pix assigns the addresses 10.0.0.90-10.0.0.99 to
VPN users for the internal (wired) network.  When the traffic gets to
the Pix, the VPN is terminated there, and there is no encryption on the
wired part of the network.  

My theory is that if anyone is sitting out in the car park with a laptop
with a wireless card, they can associate to the access point all they
like, but if they are not authorised VPN users, the Pix will drop their
traffic, and thus, stop them from getting into the internal (wired)
network.

Questions are:
1.      Can someone in the car park crack into a VPN user's laptop
somehow, and then get into the network (i.e., bypass the Pix and connect
via the other laptop)?

2.      If I ping from the server, to 10.0.0.90 (the VPN user), I get a
response.  Should this be so?

Thanks in advance..

Clinton McDonald CCNA
