Securing Wireless Networks with IPSEC and FreeBSD

GoldenScrewdriver writes: "A colleague of mine has written an excellent article on how to secure your wireless network using an IPSEC VPN tunnel, NAT, and a FreeBSD firewall. With the inherent weaknesses of WEP, I thought this article might be interesting to those who prefer some privacy on their wireless link." If this might fit your situation, you might also find this earlier article interesting as well.

Just the info I've been looking for!

[sclatter]

At work I've been running an IPsec VPN on FreeBSD for quite a while now. It's a great thing-- sort of tricky to set up but runs like top once it's up. I never was able to figure out how to work NAT into the picture, though. On Linux NAT and firewalling and FreeS/WAN are very well integrated, but on FreeBSD we use KAME which has a very IPv6 sensibility. No need for NAT in IPv6, so it just doesn't seem to play nice.

This article explains the trick to it-- run NAT on the internal interface! Should have thought of that! :-)

BTW, if anyone is curious KAME to FreeS/WAN VPNs work just fine. Ours was set up that way for quite some time.

Another misleading article.

[Rick the Red]

Sheesh! This is getting out of hand. GoldenScrewdriver writes

"A colleague of mine has written an excellent article on how to secure your wireless network using an IPSEC VPN tunnel, NAT, and a FreeBSD firewall. With the inherent weaknesses of WEP, I thought this article might be interesting to those who prefer some privacy on their wireless link."

OK, I admit, I missed the last word there, "link", and concentrated on the previous phrase "wireless network", which also appears in the subject ("Securing Wireless Networks with IPSEC and FreeBSD"). But, true to Slashdot form lately, this is not about securing wireless networks, it's about securing a wireless link between your firewall and your ISP. Yeah, right -- that applies to what, five people? V.s. hundreds running actual wireless LANs on the other side of the firewall?

GIVE US A FUCKING BREAK. PLEASE make the subjects reflect what the story's really about, so we won't waste our time!

"If this might fit your situation, you might also find this earlier article interesting as well."

No, I didn't. That earlier article had nothing about encrypting wireless LANs, other than the helpful suggestion that you might want to consider it, and concludes with "Configuring IPsec is beyond the scope of this article." No shit.

Re:My experiences with Windows XP Professional

[lyberth]

Come on make up a new story.
yadi yadi yadi

Re:My experiences with Windows XP Professional

[glenmark]

XP? Hate to break it to you, but XP is not a server OS. It does not provide server functionality. The follow-on to Windows 2000 server, .NET server, is yet to be released.

Re:My experiences with Windows XP Professional

[Qrlx]

Wow, that story is just so unbeleivable it's not even close to sounding right. 3 days to recover the admin password on Win XP Pro? First of all, XP setup makes you type in the admin password when you set it up, so Dell not sending you the password makes perfect sense since YOU TYPED IT IN. Second, if the box is on the domain, then the Domain Admin account was added to the Local Administrators group when it joined the domain. So just log in as domain administrator. Plus there is no account called "Computer Administrator." Third, it's a workstation, and you're at a fortune 500 company, so just re-image the thing. You're a fortune 500 company, I hope you have a better way of rolling out workstations than installing all those apps by hand. Hell you could get Dell to install the image of your choice on those boxes, troll. Fourth, Windows XP doesn't by default check the "Automatically adjust my clock for daylight savings time" checkbox under the date and time control panel, so it was probably only 2 days and 23 hours that you were without your precious little Dells. Time enough for me to read your post again and actually emit a tiny little peep of laughter.

That thing about the daylight saving time is true, by the way. Sucks.

interoperability with windows

[Jeff Probst]

I have my FreeBSD server setup for a leaf node tunnel as specifed in NetBSD's examples [netbsd.org]. I can get my freebsd laptop to work with the tunnel but am unable to configure the same laptop in windows to work with the tunnel.

The article goes about the tunnel process in a different manner, but it still does not say anything about interoperability with win2k. Could the authors (or someone else) comment on how to get an IPSec replacement for WEP that works with both FreeBSD and Win2k.

I'm aware of this [daemonnews.org] article, but it uses transport mode and is inadequate as a WEP replacement.

Thanks in advance.