 From:  Chet Harvey <chet at pittech dot com>
 To:  Louis <m0n0 dot ch at hourfollowshour dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Am I encrypted? (PPTP over OPT1 Wireless)
 Date:  Thu, 14 Oct 2004 11:03:55 -0400

PPTP is not the tunneling "choice" for encrypted tunnels but it does a decent 
job. 128-bit encryption via OpenSSL. How it works is the "tunnel" is encrypted 
by the software on your system and started at the interface. It is then 
decrypted at the endpoint interface on the other side.

That said, you are sending packets across open airwaves which makes it easier 
to "sniff" and decrypt than on old school cat5. You didn't specify if you had 
WEP or WPA enabled which would help somewhat.

Personally I would IPSec to the m0n0wall via wireless instead of WEP.

That was the long-winded answer to your question; the short answer is most likely 
yes. Is it the best you can do? Probably not.

Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Louis <m0n0 dot ch at hourfollowshour dot org>:

> 
> I am connecting wirelessly to my Soekris 4521 wireless OPT1 interface 
> from my laptop (Fedora Core 2).
> 
> OPT1 10.10.10.1
> PPTP 10.10.111.254
> 
> I then connect using PPTP [http://pptpclient.sourceforge.net/], I 
> configure it to point to my 'external' WAN IP address.  Everything seems 
> to work fine.  I know I am going through the PPTP interface because I 
> have full external connectivity.  If I just connect wirelessly 
> without using the PPTP client I see only connections that I have allowed 
> for in the firewall rules for the OPT1 interface.
> 
> I don't have another wireless client available at the moment to sniff 
> traffic, but I want to be sure traffic is really encrypted over the PPTP 
> tunnel, based on the above info, is it?  Am I following the right 
> procedure above or can/should I be doing something different or better?
> 
> Wireless Client netstat -rn below:
> # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> my.ext.ip.here 10.10.10.1      255.255.255.255 UGH       0 0          0 ath0
> 10.10.111.254   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 ath0
> 10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ath0
> 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
> 
> Louis
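
The routing table quoted above can be checked for which destinations actually leave through the tunnel interface. This is an added example, not part of either message: 203.0.113.1 is a constructed stand-in for the elided WAN address, the test destinations are constructed, and the function names are hypothetical.

```python
import ipaddress

# Routing table from the quoted message, wrapped lines rejoined. The WAN address
# is elided on the page; 203.0.113.1 is a constructed stand-in for it.
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.1     10.10.10.1      255.255.255.255 UGH       0 0          0 ath0
10.10.111.254   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 ath0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ath0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
"""

def parse_routes(text):
    """Return (network, iface) pairs from `netstat -rn` style output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the header and anything that is not a route row
        dest, _gw, mask, _flags, _mss, _win, _irtt, iface = fields
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface))
    return routes

def egress_iface(routes, dst):
    """Pick the interface by longest-prefix match (route metrics are ignored)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    return max(matches)[1]

def outside_tunnel(routes, dsts, tunnel_if="ppp0"):
    """Destinations whose packets leave on an interface other than the tunnel."""
    return [d for d in dsts if egress_iface(routes, d) != tunnel_if]

if __name__ == "__main__":
    routes = parse_routes(NETSTAT_RN)
    # Constructed destinations: an Internet host, the PPTP peer, the OPT1
    # address, another 10.x host, and the stand-in WAN address.
    for dst in ["198.51.100.7", "10.10.111.254", "10.10.10.1", "10.0.5.9", "203.0.113.1"]:
        print(f"{dst:15} -> {egress_iface(routes, dst)}")
```

With this table, anything in 10.0.0.0/8 other than the PPTP peer address leaves on ath0 rather than ppp0, as does the carrier traffic to the WAN address. The check shows only which interface carries a packet; it says nothing about whether the PPP link negotiated encryption.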