Subject: Re: IPsec question
To: Dave Huang <khym@azeotrope.org>
From: Luke Mewburn <lukem@wasabisystems.com>
List: netbsd-help
Date: 01/15/2002 18:19:27
On Mon, Jan 14, 2002 at 03:05:43PM -0600, Dave Huang wrote:
  | I've read the IPsec FAQ on netbsd.org, but I'm still not sure what the
  | best way to do what I want is... what I want to do is use IPsec to encrypt
  | my 802.11 traffic (since everyone says WEP is pretty useless). I have a
  | Linksys WAP11 access point, a NetBSD machine on the Ethernet, and a
  | WinXP laptop with 802.11 card. I also have a block of 8 public IP
  | addresses and would like to avoid any sort of NAT if possible.
  | 
  | Now, it looks like if I set up IPsec transport mode, I can encrypt
  | traffic between two specific machines, such as my laptop and one of my
  | NetBSD machines. However, I can't encrypt traffic to a machine that I
  | have no control over, such as traffic between my laptop and some random
  | website.
  | 
  | IPsec tunnel mode looks like it can encrypt all traffic to/from my
  | laptop, but it doesn't look like I can use it with my network
  | configuration. I don't have a VPN gateway on the wireless side, and even
  | if I did, it'd defeat the purpose, since traffic between my laptop and
  | the VPN gateway would go over the air.
  | 
  | What I seem to need is something like tunnel mode, but with the laptop
  | acting as its own VPN gateway...
  | 
  | So, what can I do? :) If it'll help, you can assume the laptop is
  | running NetBSD too; I can boot it into NetBSD and get things working
  | there, then try to translate the settings over to WinXP.

Hi Dave.

My laptop is running along the lines of how you require.
My config is something like this (with an airport not shown):

	laptop					server/router
	192.168.69.13	<--- 802.11 --->	192.168.69.1


On the laptop, I have the following:
	/etc/rc.conf:
		ipsec=YES

	/etc/ipsec.conf:
		add 192.168.69.1 192.168.69.13 esp 691 -E rijndael-cbc
		    0x-256-bits-of-cipher-number-1  ;
		add 192.168.69.13 192.168.69.1 esp 693 -E rijndael-cbc
		    0x-256-bits-of-cipher-number-2  ;
		spdadd 192.168.69.13/32 0.0.0.0/0 any -P out
		    ipsec esp/tunnel/192.168.69.13-192.168.69.1/require;
		spdadd 0.0.0.0/0 192.168.69.13/32 any -P in
		    ipsec esp/tunnel/192.168.69.1-192.168.69.13/require;

On the server I have the following:
	/etc/rc.conf:
		ipfilter=YES
		ipsec=YES

	/etc/ipf.conf
		#
		# fxp0 is the interface with the airport for 802.11
		#
		block in  log on fxp0 all
		block out log on fxp0 all
		pass  in  quick on fxp0 proto ah  from any to 192.168.69.1/32
		pass  in  quick on fxp0 proto esp from any to 192.168.69.1/32
		pass  out quick on fxp0 proto ah  from 192.168.69.1/32 to any
		pass  out quick on fxp0 proto esp from 192.168.69.1/32 to any
		#
		# other rules to allow dhcp requests too, but that's irrelevant
		#

	/etc/ipsec.conf:
		add 192.168.69.1 192.168.69.13 esp 691 -E rijndael-cbc
		    0x-256-bits-of-cipher-number-1 ;
		add 192.168.69.13 192.168.69.1 esp 693 -E rijndael-cbc
		    0x-256-bits-of-cipher-number-2 ;
		spdadd 192.168.69.13/32 0.0.0.0/0 any -P in
		    ipsec esp/tunnel/192.168.69.13-192.168.69.1/require;
		spdadd 0.0.0.0/0 192.168.69.13/32 any -P out
		    ipsec esp/tunnel/192.168.69.1-192.168.69.13/require;


All traffic from the laptop to the server, or any other host accessed
via the server as a router is encrypted.  If I run
	tcpdump -i wi0 not esp
the only traffic that isn't encrypted is the arp traffic for the
laptop, the airport, and the server.

More info can be found at:
	http://www.netbsd.org/Documentation/network/ipsec/#sample_leaftunnel


Hope that helps,
Luke.

-- 
Luke Mewburn  <lukem@wasabisystems.com>  http://www.wasabisystems.com
Luke Mewburn     <lukem@netbsd.org>      http://www.netbsd.org
Wasabi Systems - NetBSD hackers for hire
NetBSD - the world's most portable UNIX-like operating system
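Added example, not part of Luke's mail or of the NetBSD documentation he links: a small Python script that fills in the two ipsec.conf files above from freshly generated 256-bit keys and then cross-checks that the laptop and server copies mirror each other (identical SAs on both hosts, and every laptop `-P out` entry matched by a server `-P in` entry and vice versa). The addresses and SPIs default to the ones in the mail; the function names, the parser and the use of `secrets.token_hex()` for key material are my own assumptions, not anything setkey(8) itself provides.

```python
"""Generate and cross-check manually keyed ESP leaf-tunnel configs
(laptop <-> server/router) in setkey(8) syntax.

Added example: hostnames, SPIs and helper names are assumptions taken
from the mail above; keys are generated fresh instead of the
0x-256-bits-of-cipher-number-N placeholders."""
import secrets


def generate_key(bits=256):
    """Random hex key with the 0x prefix setkey expects (rijndael-cbc: 128/192/256 bits)."""
    return "0x" + secrets.token_hex(bits // 8)


def sa_lines(laptop, server, spi_s2l, spi_l2s, key_s2l, key_l2s):
    """The two SAs (one per direction) are written identically on both hosts."""
    return [
        f"add {server} {laptop} esp {spi_s2l} -E rijndael-cbc {key_s2l} ;",
        f"add {laptop} {server} esp {spi_l2s} -E rijndael-cbc {key_l2s} ;",
    ]


def spd_lines(laptop, server, role):
    """SPD entries: the leaf's 'out' policy is the router's 'in' policy and vice versa."""
    out_dir, in_dir = ("out", "in") if role == "laptop" else ("in", "out")
    return [
        f"spdadd {laptop}/32 0.0.0.0/0 any -P {out_dir} "
        f"ipsec esp/tunnel/{laptop}-{server}/require;",
        f"spdadd 0.0.0.0/0 {laptop}/32 any -P {in_dir} "
        f"ipsec esp/tunnel/{server}-{laptop}/require;",
    ]


def build_configs(laptop="192.168.69.13", server="192.168.69.1",
                  spi_s2l=691, spi_l2s=693, key_s2l=None, key_l2s=None):
    """Return {'laptop': conf_text, 'server': conf_text} for the two hosts."""
    key_s2l = key_s2l or generate_key()
    key_l2s = key_l2s or generate_key()
    sas = sa_lines(laptop, server, spi_s2l, spi_l2s, key_s2l, key_l2s)
    return {
        "laptop": "\n".join(sas + spd_lines(laptop, server, "laptop")) + "\n",
        "server": "\n".join(sas + spd_lines(laptop, server, "server")) + "\n",
    }


def parse(conf):
    """Split a setkey config into its 'add' SAs and 'spdadd' policies.

    Only the two statement shapes used above are understood (assumption)."""
    sas, spds = set(), set()
    for stmt in conf.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "add":        # add SRC DST PROTO SPI -E ALG KEY
            sas.add((tok[1], tok[2], tok[3], tok[4], tok[6], tok[7]))
        elif tok[0] == "spdadd":   # spdadd SRC DST UPPER -P DIR POLICY...
            spds.add((tok[1], tok[2], tok[3], tok[5], " ".join(tok[6:])))
    return sas, spds


def check_mirrored(laptop_conf, server_conf):
    """Return a list of mismatches; an empty list means the two files agree."""
    problems = []
    l_sas, l_spds = parse(laptop_conf)
    s_sas, s_spds = parse(server_conf)
    # Any SA present on one side only, or keyed differently, shows up in the
    # symmetric difference; report it once per (src, dst, spi).
    for src, dst, spi in sorted({(sa[0], sa[1], sa[3]) for sa in l_sas ^ s_sas}):
        problems.append(f"SA {src}->{dst} spi {spi} differs between hosts")
    flip = {"in": "out", "out": "in"}
    for src, dst, upper, direction, policy in sorted(l_spds):
        if (src, dst, upper, flip[direction], policy) not in s_spds:
            problems.append(f"no server SPD entry mirroring laptop -P {direction} {src} -> {dst}")
    return problems


if __name__ == "__main__":
    cfg = build_configs()
    for host, text in cfg.items():
        print(f"# /etc/ipsec.conf for {host}\n{text}")
    print("mismatches:", check_mirrored(cfg["laptop"], cfg["server"]) or "none")
```

Write each side's output to /etc/ipsec.conf on the respective host and load it with setkey -f; running the check first catches a key or SPI copied wrongly to one side, which otherwise only shows up as a tunnel that passes no traffic.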