
ipsec/wifi/freebsd gateway

liven Member Posts: 918
Has anyone ever set this up? I am working on it as I type this (racoon is installing).

The goal is to encrypt all wifi traffic with IPSEC tunnel.

The issue is I don't know if the fact that my wifi ap is a router is going to be a problem. I am wondering if I need a wifi AP that is just more of a hub or switch....

Anyway if anyone has any input on this please let me know. I will post results as I move through this project.


Man see what 5 days off of work will do to a geek...

anyway
encrypt the encryption, never mind my brain hurts.

Comments

  • JDMurray Admin Posts: 13,034 Admin
    A Wireless Access Point acts like a half-duplex hub. Make sure that you have "IPSec pass-through" enabled on your WAP.
  • liven Member Posts: 918
    Thanks for the heads up!

    I don't have that setting on my wifi router.

    BUT I DIDN'T NEED IT!!!!

    I got it working!!!!

    WOot!

    Took a couple of hours but I got it.


    I will post the steps later if anyone is interested.
    encrypt the encryption, never mind my brain hurts.
  • liven Member Posts: 918
    Man this is pretty awesome...

    I have been testing the heck out of it and it works really well.


    All LAN wifi traffic is 100% encrypted. But the traffic leaving the external router interface heading to the internet is not encrypted (unless it is meant to be). Then coming back to my router it is unencrypted but then gets re-encrypted as it is handed off to the wifi segment.

    This blows WEP, WPA and all that stuff out of the water!

    I wrote up the instructions in a rather hasty manner. But they should be enough to help someone if they desire to do the same thing.

    Of course you will need to first build a freebsd router/firewall. Which I could probably help someone with if they asked nicely.

    Anyway just thought I would share something cool; if anyone wants details let me know.
    encrypt the encryption, never mind my brain hurts.
  • JDMurray Admin Posts: 13,034 Admin
    The IPSec pass-through is only needed if you are receiving IPSec traffic from the Internet. It doesn't have an effect on the traffic on your local wireless LAN. In fact, IPSec is handled only by the network hosts and is transparent to the access point.
  • liven Member Posts: 918
    JDMurray wrote:
    The IPSec pass-through is only needed if you are receiving IPSec traffic from the Internet. It doesn't have an effect on the traffic on your local wireless LAN. In fact, IPSec is handled only by the network hosts and is transparent to the access point.


    Exactly!!!

    This was my first time building something like this from the ground up. There are a lot of little parts to get working right, so it kinda overloaded my brain at first. However I got it after a few hours so it is cool.

    I just wanted an extra layer of security on my Wifi lan. The rest of my network is pretty secure. I know it is difficult to make a network 100% impregnable. But I feel like it is easier to lock down wired networks in comparison to wifi.


    Anyway, thanks JD, take care bro!
    encrypt the encryption, never mind my brain hurts.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Liven:

    Go ahead and post some general steps on what you did. You don't need to post a step-by-step "How-to", but I'm curious what the main steps are. If you post something simple, we can always ask for more details about particulars.

    It sounds like you're pretty enthused about this, so I'm more than willing to learn more about what you did.

    Thanks.
    All things are possible, only believe.
  • Slowhand Mod Posts: 5,161 Mod
    I'll second sprkymrk on this, I'd love to get an idea of the process you followed to set this up. I'm a fan of FreeBSD, I've got a box running here at the house, and I wouldn't mind another learning-project to do with it.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • seuss_ssues Member Posts: 629
    http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html

    http://ezine.daemonnews.org/200401/wifi-ipsec.html

    ^ I've never done the aforementioned setup but after skimming those it doesn't look too bad.
  • liven Member Posts: 918
    I will post steps tomorrow or soon!

    Sorry with all the holiday stuff I have been busy.

    The hardest part was the fact that all the software in the tutorials is outdated. There are new projects that can be used to get the job done.

    Knowledge of TCPdump is good to prove to yourself that the setup really works.

    Bottom line is if you have wifi at home, and really want to make sure your lan wifi traffic is secure, AND if you believe IPSEC is secure (more secure than wep, wpa etc...) then this is the method to use.

    Details soon.

    If you're good with FreeBSD, Linux, or Unix, and good at simple hacking, you're good to go!
    encrypt the encryption, never mind my brain hurts.
  • JDMurray Admin Posts: 13,034 Admin
    liven wrote:
    Bottom line is if you have wifi at home, and really want to make sure your lan wifi traffic is secure, AND if you believe IPSEC is secure (more secure than wep, wpa etc...) then this is the method to use.
    The downside for IPSec or VPN on a wireless LAN is the greater amount of packet traffic that is generated by it. WEP, WPA, etc. are used to provide privacy without increasing the number of packets on the network, which is preferred for lower-bandwidth WLANs. With 802.11n, which is 5x the data rate of 802.11a/g, IPSec doesn't add a noticeable performance problem.

    Secure Your Wireless with IPsec
  • liven Member Posts: 918
    JDMurray wrote:
    liven wrote:
    Bottom line is if you have wifi at home, and really want to make sure your lan wifi traffic is secure, AND if you believe IPSEC is secure (more secure than wep, wpa etc...) then this is the method to use.
    The downside for IPSec or VPN on a wireless LAN is the greater amount of packet traffic that is generated by it. WEP, WPA, etc. are used to provide privacy without increasing the number of packets on the network, which is preferred for lower-bandwidth WLANs. With 802.11n, which is 5x the data rate of 802.11a/g, IPSec doesn't add a noticeable performance problem.

    Secure Your Wireless with IPsec


    Perhaps,

    However I have noticed absolutely no issues with performance. Not even downloading large files. The load on my firewall/router/ipsec server doesn't even budge (and it's only a P3 with 1/2 gig of RAM).

    I guess it really depends on what kind of stuff you do on your WLAN. I pretty much use mine to connect to my servers and browse the web etc. Like I said I have not really noticed a performance hit at all.

    And if I need to dll something large and feel like I am getting latency created by the tunnel then I will just dll it to one of my wired servers.

    Like I said this is not a perfect solution. I just feel like it is a heck of a lot more secure than most of the standard wifi solutions. It was free for me to set up, and fits perfectly into my current setup.

    Sure if someone wants to try to hack it and they have plenty of time, I am sure they will be able to. But at least some bloke can't park his car outside my house and see what I am doing on my wifi. Sure they can see stuff as it leaves my router. That is if they can get a promisc device on the line somehow. Anything is possible.

    I just really prefer the built-in security of FreeBSD. Plus I am a big-time fan of IPF as a firewall, and since I can get a firewall, router and ipsec tunnel on one box for free this is perfect for my LAN.
    encrypt the encryption, never mind my brain hurts.
  • liven Member Posts: 918
    Oh the basic steps are somewhat close to those listed in the links others have posted.

    But you will notice these things:


    The links are really based off an article that is over 3 years old at its latest revision.


    1) racoon doesn't really exist anymore, it is now ipsec-tools (the daemon is still called racoon though)

    2) file permissions are very important and this is not mentioned in the linked article

    3) the config files in the article are not very accurate in my opinion. They may work for some but didn't work for me. Had to make my own which looked very different

    4) You have to get a dual homed box (I prefer 3 NICs, that way a pseudo DMZ just for wifi can be built) with router capabilities working. While you're at it you might as well make it a firewall. This is not covered in that article (firewall or routing). Not that either one is really difficult, but they are just not covered there. IMO building an open source router is much easier than building a quality firewall, but that is just my opinion. THIS IS NOT MEANT TO BE AN ENTERPRISE SOLUTION. So in all probability a Cisco router would perform better; that being said I get the same performance from this home built router as I do all of my Cisco routers.



    Once again this is just a little thing I like for my home network. I think it works REALLY well, makes me feel safer and was a fun weekend project.

    Start with the article that was stated by JD, and move on from there. The freebsd handbook is a good resource for the firewall and router.

    I have tons of tips for securing freebsd (there are tons of online resources for this as well).


    Happy HOLIDAYS
    encrypt the encryption, never mind my brain hurts.
  • JDMurray Admin Posts: 13,034 Admin
    liven wrote:
    Like I said I have not really noticed a performance hit at all.
    How have you verified that your wireless network is actually IPSec-protected? And did you record an initial performance baseline to compare with network performance after IPSec was enabled?
  • liven Member Posts: 918
    JDMurray wrote:
    liven wrote:
    Like I said I have not really noticed a performance hit at all.
    How have you verified that your wireless network is actually IPSec-protected? And did you record an initial performance baseline to compare with network performance after IPSec was enabled?


    TCPDUMP to verify that IPsec is encrypting data transfer.

    The tunnels run from the laptops to the inside of my LAN router. The outside of my lan router goes directly to my ISP router.

    I run **** on the inside and outside router interfaces and pipe the output to files. Before running each **** I clear all the history and cache on the test laptop. Then I visit the exact same websites while monitoring each interface.

    Then I vi or grep each file (inside interface is inside.txt and outside interface is outside.txt) for key words like: google, espn, yahoo.

    The key words are all visible on the outside interface but none of them show up on the files for the inside interface.


    I use tcpdump with these options:

    -x -X -s 14400

    to view the details of the traffic. On the outside interface everything is in the clear. On the inside interface, nothing is human readable.

    I have been reading that IPsec is crackable, especially if the preshared keys are intercepted. And I am using preshared keys at the moment. However I have no idea how to crack IPsec on my own. Where WEP is rather easy to break, I'm not too sure about WPA. JD if you know how or a tool exists, please share, I just like to test my setup in as many ways as possible. Also I am going to look into using RSA/DSA style keys for the ipsec tunnels. This should make them much more secure.

    Speed tests.

    I have several laptops on the wifi. I have dll'd large files, moved large files across my lan, and done speakeasy type speed tests.

    IPsec laptop 2400kbps average down and 400 average up.

    Non-IPsec laptop 2600kbps average down and 400 average up.

    So yes there is a slight slowdown. And this is just one laptop at a time. So it will probably be much worse if there were a lot of machines using IPSec instead of just one or two at a time. And there is also the variance of the wifi to consider (currently using 802.11g). Although I try to test with the two laptops in the same place at the same time in hopes of eliminating signal issues.

    Perhaps later I will try with multiple machines at the same time. But like I said this is more than enough performance for the things I do on my wifi lan. If I really need to dll a large file from the inet I just dll to one of my wired servers. This way I don't have to worry about keeping the laptops running and the latency of my wifi. Then I can hard wire a laptop to one of the switches if I need to get the large file onto one of my laptops.

    I am quite sure there are better ways of doing things. And this setup probably will not work for everyone. But it seems to be working for me.
    encrypt the encryption, never mind my brain hurts.
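    The verification in the post above greps the two capture files for site names. A stricter check is to classify every IP line on the wifi-side capture and flag anything that is not ESP or IKE, which also catches traffic an SPD policy left out. This is an added example, not code from the thread; the tcpdump lines, addresses and SPIs are constructed samples, and a real run would feed it `tcpdump -n` output saved with `-w`/`-r` or tee'd to a file.

    ```python
    """Added example: flag cleartext IP packets on the wifi (inside) interface
    of an IPsec-protected WLAN, using tcpdump -n summary lines as input."""
    import re

    # Constructed sample of tcpdump -n output on the wifi-side (inside) interface.
    # Two IKE (isakmp) lines, two ESP lines, and one DNS query that escaped the SPD.
    INSIDE = """\
    10:01:02.000001 IP 192.168.2.10.500 > 192.168.2.1.500: isakmp: phase 1 I ident
    10:01:02.100001 IP 192.168.2.1.500 > 192.168.2.10.500: isakmp: phase 1 R ident
    10:01:03.000001 IP 192.168.2.10 > 192.168.2.1: ESP(spi=0x0000100f,seq=0x1), length 116
    10:01:03.000002 IP 192.168.2.1 > 192.168.2.10: ESP(spi=0x000010f3,seq=0x1), length 132
    10:01:04.000001 IP 192.168.2.10.49152 > 192.168.2.1.53: 1234+ A? www.google.com. (32)
    """

    # Constructed sample from the outside interface: forwarded, decrypted traffic.
    OUTSIDE = """\
    10:01:03.000010 IP 203.0.113.5.49153 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0
    10:01:04.000010 IP 203.0.113.5.49152 > 198.51.100.53.53: 1234+ A? www.google.com. (32)
    """

    ESP_RE = re.compile(r" > \S+: ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")
    IKE_RE = re.compile(r"\.(500|4500) > \S+\.(500|4500): (isakmp|NONESP|UDP-encap)")


    def classify(line):
        """Return 'esp', 'ike' or 'clear' for one tcpdump IP summary line."""
        if ESP_RE.search(line):
            return "esp"
        if IKE_RE.search(line):
            return "ike"
        return "clear"


    def ip_lines(capture):
        return [l for l in capture.splitlines() if " IP " in l]


    def summarize(capture):
        """Count ESP, IKE and cleartext IP packets in a capture."""
        counts = {"esp": 0, "ike": 0, "clear": 0}
        for line in ip_lines(capture):
            counts[classify(line)] += 1
        return counts


    def find_leaks(capture):
        """Cleartext lines on an interface that is supposed to carry only IPsec."""
        return [l for l in ip_lines(capture) if classify(l) == "clear"]


    if __name__ == "__main__":
        print("inside:", summarize(INSIDE), "outside:", summarize(OUTSIDE))
        for leak in find_leaks(INSIDE):
            print("LEAK on wifi interface:", leak)
    ```

    The outside interface is expected to be all cleartext (that is where the router forwards decrypted traffic); the inside interface should report zero cleartext, so the constructed DNS line is the kind of leak the keyword grep can miss when the site name never appears in it.
    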
  • JDMurray Admin Posts: 13,034 Admin
    I was going to suggest using Wireshark to test. Its display indicates if layer 3 traffic is using IPSec protocols.
    liven wrote:
    JD if you know how or a tool exists, please share I just like to test my setup as many ways possible.
    A real basic brute force password cracking tool for IPSec (IKE) is IKECrack. It's a good tool to experiment with. The only other IKE tool I know of is IKE-scan, but I have never used it. Check if there are any others on sourceforge.net.
    liven wrote:
    Also I am going to look into using RSA/DSA style keys for the ipsec tunnels. This should make them much more secure.
    IPSec's configuration is what makes it secure or not. A weak password makes the best security mechanisms and protocols vulnerable.
  • liven Member Posts: 918
    I know Wireshark is more robust than TCPdump, but it is essentially the same thing. And TCPdump is clearly labeling the packets as being protected by ipsec. I would use Wireshark, but I have no GUI installed on my router so running Wireshark on the router is not possible. However if Wireshark is anything like Ethereal I can upload the raw **** files into it.


    I agree that weak passwords are the bane of all security systems. That is why I am going to see if I can replace the preshared key with something more robust.
    encrypt the encryption, never mind my brain hurts.
  • shednik Member Posts: 2,005
    This is all very interesting...def going to try some of this out