 From:  Jim McBeath <jimmc at macrovision dot com>
 To:  Magne Andreassen <magne dot andreassen at bluezone dot no>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] wireless+IPsec+RedHat9?
 Date:  Tue, 2 Dec 2003 22:25:59 -0800
On Tue, Dec 02, 2003 at 01:19:56PM +0100, Magne Andreassen wrote:
> Jim McBeath wrote:

> > Is it possible to use IPsec in bridge mode, or do I need to assign the
> > wireless card its own subnet and use routing?   Can I set up a tunnel
> > from my wireless client to the m0n0wall box, have the packets 
> > decrypted on the m0n0wall box, and then route/nat/firewall 
> > them from there the same as for a wired connection?  Pointers 
> > to documentation on how to do either of these would be appreciated.
> > 
> You must assign the wireless interface its own subnet, optionally set up DHCP for it,
> and add some rules for wireless to allow PPTP traffic (TCP 1723 and GRE):
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=7&actionargs[]=04
> (you don't have to add rules for DHCP anymore)

Your referenced post makes it sound so easy, and I'm sure it would be
if I already had some experience with PPTP, but as it is, I am still
mystified by it.

Your comments from that post:
> So what I am thinking:
> -DHCP on wireless interface. (not possible in m0n0wall(...yet))

This step I got, and it works fine without PPTP.  I'm still unclear as
to when and how PPTP gets started on my wireless connection, and when
the DHCP address is supposed to get handed out.

> -Enable PPTP server in m0n0wall.

Here's where I need some documentation.  (Has anybody started on that
m0n0wall manual yet?)  On the PPTP page in m0n0wall, I checked the "Enable
PPTP Server" box.  What am I supposed to enter for the "Server address"
and the "Remote address range"?  Should the Server address be the address
of the m0n0wall wireless port, a made-up number, or what?  Likewise, does
it matter what the Remote address range is?  Does it need to match the
range of IP addresses handed out by the DHCP server, or does it need to be
something different?  I checked the "Require 128-bit encryption" box, but I
don't see anything else (such as on the client side) about encryption size.

On the client side, I installed pptp-linux and pptp-php-gtk-setup, which
gives me a screen with a set of tabs that, like FreeS/WAN, don't quite
seem to match up against the data specified in m0n0wall.  For the Server
name, should this be a name that resolves to the m0n0wall wireless port,
or a name that resolves to the "Server address" specified in m0n0wall
(if that is supposed to be different)?  In the Routing tab, I think I
am supposed to select the "All to tunnel" option, but then should I set
the Public Network Interface to eth1 (which is how my wireless card shows
up), or ppp0 (which gets added by PPTP)?  In the Encryption tab I checked
"Require MPPE", but I don't see anything that tells it I always want to
use 128 bits.

> -Add some firewall rules on wireless interface:
>     GRE  Wireless net  *  *  *        - for VPN
>     TCP  Wireless net  *  *  1723     - for VPN

I assume the above two rules allow a wireless client talking PPTP to connect
to the PPTP server.  Can I still control the rules for connections coming
through PPTP on the wireless interface, or do they necessarily have open
access to everything once they come out of the PPTP server on m0n0?

>     UDP  *      68  wi-ip  67         - DHCP
>     UDP  *      68  67                - DHCP
>     UDP  wi-ip  67  *      68         - DHCP

I think your other comments above mean these lines are not needed.

If there are some documents that do a good job of explaining this stuff,
I would be happy to go off and read them.  So far I haven't found them.
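The two wireless-interface rules quoted in this thread (GRE from the wireless net, and TCP to port 1723 from the wireless net) can be checked against sample traffic with a small first-match evaluator. The block below is an added example written for this archive page; it is not m0n0wall code and does not model m0n0wall's built-in handling of DHCP or of traffic that has already left the PPTP server. The subnet 192.168.2.0/24, the wireless address 192.168.2.1, the client addresses and the default-deny behaviour for unmatched packets are all constructed assumptions.

```python
"""First-match evaluator for the m0n0wall-style rule shorthand quoted above:
(proto, source, source port, destination, destination port).
Added example for illustration; not m0n0wall's own code."""
import ipaddress

# Constructed assumptions: the wireless subnet and m0n0wall's wireless address.
WIRELESS_NET = ipaddress.ip_network("192.168.2.0/24")
WI_IP = ipaddress.ip_network("192.168.2.1/32")

# Address aliases used in the quoted rules; "*" means any address.
ALIASES = {"Wireless net": WIRELESS_NET, "wi-ip": WI_IP}

# The two PPTP rules exactly as listed in the post, in that order.
PPTP_RULES = [
    ("GRE", "Wireless net", "*", "*", "*"),      # GRE carries the tunnelled PPP frames
    ("TCP", "Wireless net", "*", "*", "1723"),   # PPTP control connection
]


def addr_matches(spec, addr):
    """True if the address falls in the alias named by spec ('*' matches all)."""
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ALIASES[spec]


def port_matches(spec, port):
    """True if spec is '*' or equals the port number."""
    return spec == "*" or int(spec) == port


def evaluate(packet, rules=PPTP_RULES):
    """Return ('pass', rule index) for the first matching rule, else ('block', None).
    Unmatched traffic is treated as blocked (assumed default-deny)."""
    for i, (proto, src, sport, dst, dport) in enumerate(rules):
        if proto != packet["proto"]:
            continue
        if not addr_matches(src, packet["src"]) or not addr_matches(dst, packet["dst"]):
            continue
        # Only TCP/UDP carry port numbers; GRE has none.
        if proto in ("TCP", "UDP"):
            if not port_matches(sport, packet["sport"]) or not port_matches(dport, packet["dport"]):
                continue
        return ("pass", i)
    return ("block", None)


# Constructed sample packets seen on the wireless interface.
PACKETS = {
    # Wireless client opening the PPTP control connection to m0n0wall.
    "pptp_control": {"proto": "TCP", "src": "192.168.2.50", "sport": 40000,
                     "dst": "192.168.2.1", "dport": 1723},
    # Tunnel payload from the same client.
    "pptp_gre": {"proto": "GRE", "src": "192.168.2.50", "dst": "192.168.2.1"},
    # Plain HTTP from the wireless net, outside the tunnel: not allowed by these rules.
    "wireless_http": {"proto": "TCP", "src": "192.168.2.50", "sport": 40001,
                      "dst": "192.168.2.1", "dport": 80},
    # PPTP attempt from an address outside the wireless net: source alias does not match.
    "outside_1723": {"proto": "TCP", "src": "10.0.0.5", "sport": 40002,
                     "dst": "192.168.2.1", "dport": 1723},
}


def evaluate_all(packets=PACKETS, rules=PPTP_RULES):
    """Evaluate every sample packet and return a name -> verdict mapping."""
    return {name: evaluate(pkt, rules) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:14s} -> {verdict}")
```

Running the block shows that only the PPTP control connection and its GRE payload pass; any other traffic arriving on the wireless interface from outside the tunnel is blocked by this rule set, which is the property the two rules are meant to enforce.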