 From:  Jim McBeath <monowall at j dot jimmc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP/IPSEC over wireless to m0n0wall
 Date:  Sun, 3 Oct 2004 22:11:05 -0700
On Sun, Oct 03, 2004 at 10:48:33AM -0400, Louis wrote:
> Also would like to get this working with a linux client, the info is 
> pretty sketchy in regard to specific m0n0 docs for this, does anyone 
> have a pointer/howto for connecting using PPTP or IPSEC from linux 
> client.

I was never able to get PPTP working on my Linux laptop talking to
m0n0wall.  Since IPsec is more secure, I decided to forget about PPTP
and just work on IPsec.

I finally figured out how to get IPsec over wireless working from my Linux
laptop to a wireless AP in m0n0wall.  The trick was to use the same IP
address as both the tunnel endpoint and the network on the laptop side.

On the m0n0wall (i.e. wireless server) side, set up IPsec using the normal
procedure for setting up a VPN, with these changes:
S1. select your wireless interface rather than WAN as the interface.
    For this example, say its IP address is 192.168.100.1.
S2. Use network 0.0.0.0/0 as the local subnet.  This will allow the wireless
    client to talk to and receive connections from any IP address.  If you
    want to limit it to, say, your LAN, you could use your LAN network
    address here instead.
S3. Use your client IP address as the remote subnet.  For example, if your
    wireless client is at 192.168.100.10, use 192.168.100.10/32 as the
    remote subnet.
S4. Use your client IP address as the remote gateway, for example
    192.168.100.10.  Note that you are using the same IP address for both
    the remote subnet and the remote gateway.

The setup you use on the wireless client has to match the m0n0wall setup.
C1. The local interface is the wireless client's IP address,
    as specified in S4.
C2. The local subnet is the same as m0n0wall's remote subnet, as specified
    in S3.
C3. The remote subnet is 0.0.0.0/0, or whatever network you specified in S2.
C4. The remote gateway is the m0n0wall AP's IP address (equivalent of S1).

The rest of the IPsec parameters (negotiation, encryption, hash, DH key,
pre-shared key, phase 2 items) specified on the client must match those
specified on the m0n0wall IPsec page.

My wireless client is a Linux laptop running Fedora Core 2, which uses
kernel 2.6.  This allows me to run racoon.  I followed the directions
given in <http://www.ipsec-howto.org/x247.html> for "Automatic keyed
connections using racoon" using pre-shared keys, plugging in the values
that matched my m0n0wall IPsec configuration.  The four IP addresses used
in /etc/ipsec.conf are the same four addresses used in S1-S4 and C1-C4
above; just as in those cases, two of the four addresses will be the same
(your wireless client IP address).  Likewise, these four IP addresses
are used in the racoon.conf file, and of course two of them are the same.

It's a bit of a hassle to bring it up: after plugging in my wireless card,
I run "setkey -f /etc/ipsec.conf" and "racoon -f /etc/racoon.conf".
To bring it down, I kill the racoon process and "cardctl eject" the
wireless card.

I use m0n0wall's DHCP server to assign an IP address to my wireless client,
with a special IP address reserved to the MAC address of my wireless
client, and with the "deny unknown clients" option set.  I then use that
IP address in my IPsec rules.  I also use WEP, so that the honest people
can see right away that I don't have an open network.

Unless I have missed something, in order to compromise my wireless security
someone would have to
H1. Crack my WEP code,
H2. Spoof my MAC address, and
H3. Crack my IPsec encryption.
The first two are not terribly difficult to do, but should be enough to
keep out casual snoopers.  I am hoping the third will be enough to keep
out the more serious hackers.  If anyone has noticed any holes in my
setup or knows of any weaknesses, I would appreciate hearing about them.

--
Jim McBeath
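As an added example (not from Jim's post or from the racoon/m0n0wall projects), the two client-side files described above, generated from the four addresses in S1-S4 / C1-C4 so the doubled client address is visible. The phase 1/phase 2 algorithms, exchange mode and the PSK file path are assumptions; they have to match whatever is set on the m0n0wall IPsec page.

```shell
#!/bin/sh
# Emits the setkey policy file ("ipsec.conf") and racoon.conf for the
# wireless-client side.  The client IP appears twice: as the /32 local
# subnet (C2) and as the local tunnel endpoint (C1).  Algorithms, PSK path
# and exchange mode are assumptions, not values from the post.

# gen_spd CLIENT_IP AP_IP REMOTE_NET -> SPD policy for "setkey -f"
gen_spd() {
    client="$1"; ap="$2"; net="$3"
    cat <<EOF
spdflush;
spdadd ${client}/32 ${net} any -P out ipsec esp/tunnel/${client}-${ap}/require;
spdadd ${net} ${client}/32 any -P in ipsec esp/tunnel/${ap}-${client}/require;
EOF
}

# gen_racoon CLIENT_IP AP_IP REMOTE_NET -> racoon.conf for a PSK tunnel
gen_racoon() {
    client="$1"; ap="$2"; net="$3"
    cat <<EOF
# assumed PSK file: one line "${ap} <secret>" (must match the m0n0wall key)
path pre_shared_key "/etc/racoon/psk.txt";

remote ${ap} {
    exchange_mode main;
    my_identifier address ${client};
    proposal {
        encryption_algorithm 3des;          # assumed phase 1 settings
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address ${client}/32 any address ${net} any {
    pfs_group 2;                            # assumed phase 2 settings
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Addresses from the post (S1 = 192.168.100.1, S3/S4 = 192.168.100.10,
# S2 = 0.0.0.0/0); redirect to the files, then "setkey -f" / "racoon -f".
gen_spd 192.168.100.10 192.168.100.1 0.0.0.0/0
gen_racoon 192.168.100.10 192.168.100.1 0.0.0.0/0
```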