I researched using a VPN to secure our wireless and used a similar topology, but a little more tightened. We plan on doing something more like:
<<-------------------------------VPN----------------------------------->>
Laptop ---> Access Point ---> Dedicated Router ---> Dedicated VPN Gateway ---> Internal Network ---> Firewall ---> Internet

The VPN client (Nokia) default filter for traffic not intended for the gateway is set to drop. They can only talk to the gateway. The Dedicated Router has a default gateway of the VPN's external interface and a static route to get there, so all traffic goes to the gateway. The Dedicated VPN gateway must be configured to protect any host so the wireless clients can have Internet access.

When configured this way, a rogue user that does manage to get on the access point can only traverse the physical route to the Dedicated VPN Gateway. He cannot get through without a Client and policy with proper authentication. He cannot talk to any other wireless clients if they are all logged in to the VPN with a default drop traffic filter set.

Ross Barnes, CCNA

-----Original Message-----
From: Clinton McDonald [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 6:49 PM
To: [EMAIL PROTECTED]
Subject: Wireless VPN cracking.

Hello all..

I've got a couple of (hopefully!) quick questions regarding a wireless VPN. I have set up a Pix to terminate a VPN for our wireless users, to keep all their network traffic secure. It looks vaguely like this:

<<----------VPN--------------->>
Laptop ---> Access Point ---> Pix ---> Switch ---> Server
                              172.16.0.1          10.1.1.11

The laptop is running the Cisco Secure VPN Client (3.5), and when the VPN is connected, the Pix assigns the addresses 10.0.0.90-10.0.0.99 to VPN users for the internal (wired) network. When the traffic gets to the Pix, the VPN is terminated there, and there is no encryption on the wired part of the network.

My theory is that if anyone is sitting out in the car park with a laptop with a wireless card, they can associate to the access point all they like, but if they are not authorised VPN users, the Pix will drop their traffic, and thus stop them from getting into the internal (wired) network.

Questions are:

1. Can someone in the car park crack into a VPN user's laptop somehow, and then get into the network (i.e., bypass the Pix and connect via the other laptop)?

2. If I ping from the server to 10.0.0.90 (the VPN user), I get a response. Should this be so?

Thanks in advance..

Clinton McDonald
CCNA
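As an added illustration that is not part of either message, the Python model below walks a packet through the two enforcement points in Ross's topology: the VPN client's default-drop filter on each wireless host, and an access list on the dedicated router that only passes IKE/ESP toward the gateway's external interface. All addresses are constructed, and the router ACL is an assumption (the reply only states the router's routing), added to show which control covers which path.

```python
"""Model of the two enforcement points in the wireless VPN topology above.
Addresses are constructed for this example; the router ACL is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WIRELESS_NET = ip_network("192.168.50.0/24")  # assumed AP-side subnet (constructed)
VPN_GW_EXT = ip_address("192.168.60.2")       # assumed gateway external address
IPSEC_PORTS = {500, 4500}                     # IKE and NAT-T; ESP carries the data

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "esp", "tcp" or "icmp"
    dport: Optional[int] = None

def is_tunnel_traffic(pkt: Packet) -> bool:
    """IKE or ESP addressed to the gateway's external interface."""
    if ip_address(pkt.dst) != VPN_GW_EXT:
        return False
    return pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in IPSEC_PORTS)

def client_filter_out(pkt: Packet, has_client: bool) -> bool:
    """Host side: a client with the default-drop filter only emits tunnel
    traffic; a rogue host without the client has no host-side filter."""
    return (not has_client) or is_tunnel_traffic(pkt)

def client_filter_in(pkt: Packet, has_client: bool) -> bool:
    """Host side: a client only accepts packets that come from the gateway."""
    return (not has_client) or ip_address(pkt.src) == VPN_GW_EXT

def router_acl(pkt: Packet) -> bool:
    """Dedicated router, AP-facing ACL (assumed): permit only tunnel traffic
    from the wireless subnet toward the gateway, deny everything else."""
    return ip_address(pkt.src) in WIRELESS_NET and is_tunnel_traffic(pkt)

def delivered(pkt: Packet, sender_has_client: bool, receiver_has_client: bool = False) -> bool:
    """Walk a packet through the enforcement points it actually crosses.
    Station-to-station traffic stays on the access point and never reaches
    the router, so only the two hosts' own filters apply on that path."""
    if not client_filter_out(pkt, sender_has_client):
        return False
    if ip_address(pkt.dst) in WIRELESS_NET:
        return client_filter_in(pkt, receiver_has_client)
    return router_acl(pkt)

if __name__ == "__main__":
    rogue, user, peer = "192.168.50.77", "192.168.50.10", "192.168.50.11"
    print(delivered(Packet(user, str(VPN_GW_EXT), "udp", 500), True))  # True: IKE to gateway
    print(delivered(Packet(rogue, "10.1.1.11", "tcp", 445), False))     # False: router ACL
    print(delivered(Packet(rogue, peer, "tcp", 139), False, True))      # False: peer's filter
    print(delivered(Packet(rogue, peer, "tcp", 139), False, False))     # True: peer not logged in
```

The last case is the caveat in Ross's wording "if they are all logged in": a wireless host without the client filter active is reachable from another station on the same access point, and no router-side control can see that traffic.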